WiredWX Christian Hobby Weather Tools
Windows Protection Suite

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:46:57 AM, on 9/15/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\Atiptaxx.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\All Users\Application Data\be05e\WI748.exe
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\default\Desktop\winlogon.scr

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=3c00&s=consumer&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=searchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=searchbar&LC=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 64.86.17.32 google.ae
O1 - Hosts: 64.86.17.32 google.as
O1 - Hosts: 64.86.17.32 google.at
O1 - Hosts: 64.86.17.32 google.az
O1 - Hosts: 64.86.17.32 google.ba
O1 - Hosts: 64.86.17.32 google.be
O1 - Hosts: 64.86.17.32 google.bg
O1 - Hosts: 64.86.17.32 google.bs
O1 - Hosts: 64.86.17.32 google.ca
O1 - Hosts: 64.86.17.32 google.cd
O1 - Hosts: 64.86.17.32 google.com.gh
O1 - Hosts: 64.86.17.32 google.com.hk
O1 - Hosts: 64.86.17.32 google.com.jm
O1 - Hosts: 64.86.17.32 google.com.mx
O1 - Hosts: 64.86.17.32 google.com.my
O1 - Hosts: 64.86.17.32 google.com.na
O1 - Hosts: 64.86.17.32 google.com.nf
O1 - Hosts: 64.86.17.32 google.com.ng
O1 - Hosts: 64.86.17.32 google.ch
O1 - Hosts: 64.86.17.32 google.com.np
O1 - Hosts: 64.86.17.32 google.com.pr
O1 - Hosts: 64.86.17.32 google.com.qa
O1 - Hosts: 64.86.17.32 google.com.sg
O1 - Hosts: 64.86.17.32 google.com.tj
O1 - Hosts: 64.86.17.32 google.com.tw
O1 - Hosts: 64.86.17.32 google.dj
O1 - Hosts: 64.86.17.32 google.de
O1 - Hosts: 64.86.17.32 google.dk
O1 - Hosts: 64.86.17.32 google.dm
O1 - Hosts: 64.86.17.32 google.ee
O1 - Hosts: 64.86.17.32 google.fi
O1 - Hosts: 64.86.17.32 google.fm
O1 - Hosts: 64.86.17.32 google.fr
O1 - Hosts: 64.86.17.32 google.ge
O1 - Hosts: 64.86.17.32 google.gg
O1 - Hosts: 64.86.17.32 google.gm
O1 - Hosts: 64.86.17.32 google.gr
O1 - Hosts: 64.86.17.32 google.ht
O1 - Hosts: 64.86.17.32 google.ie
O1 - Hosts: 64.86.17.32 google.im
O1 - Hosts: 64.86.17.32 google.in
O1 - Hosts: 64.86.17.32 google.it
O1 - Hosts: 64.86.17.32 google.ki
O1 - Hosts: 64.86.17.32 google.la
O1 - Hosts: 64.86.17.32 google.li
O1 - Hosts: 64.86.17.32 google.lv
O1 - Hosts: 64.86.17.32 google.ma
O1 - Hosts: 64.86.17.32 google.ms
O1 - Hosts: 64.86.17.32 google.mu
O1 - Hosts: 64.86.17.32 google.mw
O1 - Hosts: 64.86.17.32 google.nl
O1 - Hosts: 64.86.17.32 google.no
O1 - Hosts: 64.86.17.32 google.nr
O1 - Hosts: 64.86.17.32 google.nu
O1 - Hosts: 64.86.17.32 google.pl
O1 - Hosts: 64.86.17.32 google.pn
O1 - Hosts: 64.86.17.32 google.pt
O1 - Hosts: 64.86.17.32 google.ro
O1 - Hosts: 64.86.17.32 google.ru
O1 - Hosts: 64.86.17.32 google.rw
O1 - Hosts: 64.86.17.32 google.sc
O1 - Hosts: 64.86.17.32 google.se
O1 - Hosts: 64.86.17.32 google.sh
O1 - Hosts: 64.86.17.32 google.si
O1 - Hosts: 64.86.17.32 google.sm
O1 - Hosts: 64.86.17.32 google.sn
O1 - Hosts: 64.86.17.32 google.st
O1 - Hosts: 64.86.17.32 google.tl
O1 - Hosts: 64.86.17.32 google.tm
O1 - Hosts: 64.86.17.32 google.tt
O1 - Hosts: 64.86.17.32 google.us
O1 - Hosts: 64.86.17.32 google.vu
O1 - Hosts: 64.86.17.32 google.ws
O1 - Hosts: 64.86.17.32 google.co.ck
O1 - Hosts: 64.86.17.32 google.co.id
O1 - Hosts: 64.86.17.32 google.co.il
O1 - Hosts: 64.86.17.32 google.co.in
O1 - Hosts: 64.86.17.32 google.co.jp
O1 - Hosts: 64.86.17.32 google.co.kr
O1 - Hosts: 64.86.17.32 google.co.ls
O1 - Hosts: 64.86.17.32 google.co.ma
O1 - Hosts: 64.86.17.32 google.co.nz
O1 - Hosts: 64.86.17.32 google.co.tz
O1 - Hosts: 64.86.17.32 google.co.ug
O1 - Hosts: 64.86.17.32 google.co.uk
O1 - Hosts: 64.86.17.32 google.co.za
O1 - Hosts: 64.86.17.32 google.co.zm
O1 - Hosts: 64.86.17.32 google.com
O1 - Hosts: 64.86.17.32 google.com.af
O1 - Hosts: 64.86.17.32 google.com.ag
O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Accelerator Plugin - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\PROGRA~1\PEOPLE~1\PRPL_I~1.DLL (file missing)
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL (file missing)
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Windows Protection Suite] "C:\WINDOWS\All Users\Application Data\be05e\WI748.exe" /s /d
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL (file missing)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O9 - Extra button: (no name) - {2863ACA1-9AA0-4432-8CFE-88C12B3B2E5E} - file://C:\PROGRAM FILES\UPROMISE_REMINDU\Sy1050\Tp1050\scri1050a.htm (file missing) (HKCU)
O9 - Extra button: (no name) - {B48798CE-A2E0-4918-BC00-0F72FBA708E2} - file://C:\PROGRAM FILES\UPROMISE_REMIND_U\UpromisesRemindU\UpromisetRemindU\uproC0.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O12 - Plugin for .wmv: C:\Program Files\Windows Media Player\NPDSPLAY.DLL
O12 - Plugin for .wvx: C:\Program Files\Windows Media Player\NPDSPLAY.DLL
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,75/mcinsctl.cab
O16 - DPF: {5F03EAB4-1AD5-11D4-AE99-0050DAC24E8F} - http://www.iwon.com/ct/in_wn/iwonslot1,0,1,5.cab
O16 - DPF: {70522FA0-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
O16 - DPF: {BAB7B1B6-1FA2-41A2-A0A2-2CF82ACC3CA8} - http://www.topmoxie.com/external/builds/upromise/upro1050_310.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,17/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC3AD504-9991-4E0E-9D3F-34056F8BB167}: NameServer = 66.174.95.44 66.174.92.14
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O24 - Desktop Component 0: (no name) - http://ak.imgfarm.com/images/today/pet/021104pet_lg.jpg
O24 - Desktop Component 1: (no name) - http://i1img.com/images/today/user/073002user_lg.jpg

--
End of file - 12526 bytes

Re: Windows Protection Suite

Hi

Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Re: Windows Protection Suite

DragonMaster Jay-
I am typing this from a local library computer to update you on what I have been trying to do. At this point I cannot perform the above instructions due to the WPS freezing out or blanking out anything I try. Over and over.

What I did finally succeed in doing was to get the MWBM screen to come up and scan for stuff. It found 843 infected files. I did copy the log and have tried to at least email via copy/paste that to you but I cannot upload that as an attachment to my yahoo mail as the WPS freezes that up and blocks it every time.

(I think it has messed with my browser and internet provider programs. I'm guessing. It's a mess.)

I tried 5 cycles of trying to remove the files using the MWBM and the WPS interfered each time. It comes up, won't x out, and freezes the process about 5 dots into the measure line. Then it is all totally frozen for a long time then it just disappears from the screen. Everything-MWBM and WPS graphics.

I am at my wit's end. I will keep trying to email you a copy of the log if that will help. I am able to check my emails on my cell phone and reply to you on this public computer.

Should I throw my laptop into the Ohio River? I am seriously visualizing it....HELP!

Re: Windows Protection Suite

Hi

Please transfer this from another computer to the infected machine. Also, I recommend printing these instructions, if possible. This will make it easier to work on the infected machine.

Please download ComboFix by sUBs
Link 1: Forospyware.com or Link 2: BleepingComputer.com

Please save the file to your Desktop, but rename it first:

[screenshots of the rename step]

Important information about ComboFix

Before the download:
  • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  • It is important to rename ComboFix before the download.
  • Please do not rename ComboFix to other names, but only the one indicated.

After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.

Running ComboFix:
  • Double click on svchost.exe & follow the prompts.
  • It will attempt to install the Recovery Console:

[screenshots of the Recovery Console prompts]

  • When ComboFix finishes, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" in your next reply.


Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method (above method), but try to download it again, except rename ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.
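The renaming trick works because the rogue decides what to block by process name alone, and the HijackThis log at the top of the thread shows the same weakness from the other side: a file called winlogon.scr runs from the Desktop and the rogue's own WI748.exe autostarts from All Users\Application Data, while the O1 lines pin dozens of Google domains and a set of payment sites to two addresses. The script below is an added example for this thread, not code from HijackThis, ComboFix or the forum. It runs three defender-side triage checks over HijackThis-style lines (system binary names running outside the system directories, hosts-file entries that collect many names or a well-known domain under one address, and Run entries that point into user-writable data folders). The sample lines are copied from the posted log; SYSTEM_NAMES, SYSTEM_DIRS, the three-domain threshold and the WELL_KNOWN pattern are assumptions chosen for the demonstration.

```python
"""Triage checks over HijackThis-style log lines.

Added example for this thread; not code from HijackThis, ComboFix or the
forum.  The sample lines are copied from the log posted at the start of the
thread.  SYSTEM_NAMES, SYSTEM_DIRS, the three-domain threshold and the
WELL_KNOWN pattern are assumptions chosen for the demonstration.
"""
import re
from collections import defaultdict

# Binaries that on a clean machine run only from the Windows or IE directory
# (assumption: a short list for the demonstration, not an exhaustive one).
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "explorer.exe", "iexplore.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32",
               r"c:\program files\internet explorer"}

# Domains a hosts-file entry almost never redirects legitimately
# (assumption: the Google domains seen in the posted log).
WELL_KNOWN = re.compile(r"^(www\.)?google\.")

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] "?([^"]*?\.exe)"?')

# Constructed sample: a subset of the lines from the posted HijackThis log.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\All Users\Application Data\be05e\WI748.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\default\Desktop\winlogon.scr

O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 64.86.17.32 google.com
O1 - Hosts: 64.86.17.32 google.co.uk
O1 - Hosts: 64.86.17.32 google.de
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Windows Protection Suite] "C:\WINDOWS\All Users\Application Data\be05e\WI748.exe" /s /d
"""


def masquerading_processes(log):
    """Paths in the 'Running processes' block whose file name matches a system
    binary (any extension, so winlogon.scr counts) but whose directory is not
    one of SYSTEM_DIRS."""
    findings, in_block = [], False
    for line in log.splitlines():
        if line.startswith("Running processes:"):
            in_block = True
            continue
        if not in_block:
            continue
        if not line.strip():
            break  # a blank line ends the block
        path = line.strip()
        directory, _, name = path.lower().rpartition("\\")
        stem = name.rsplit(".", 1)[0] + ".exe"  # winlogon.scr -> winlogon.exe
        if stem in SYSTEM_NAMES and directory not in SYSTEM_DIRS:
            findings.append(path)
    return findings


def hosts_hijacks(log, min_domains=3):
    """O1 entries grouped by address; an address is reported when it collects
    min_domains or more names, or pins a well-known domain."""
    by_ip = defaultdict(list)
    for line in log.splitlines():
        m = HOSTS_RE.match(line)
        if m:
            by_ip[m.group(1)].append(m.group(2))
    return {ip: names for ip, names in by_ip.items()
            if len(names) >= min_domains or any(WELL_KNOWN.match(n) for n in names)}


def autostarts_in_data_dirs(log):
    """O4 Run entries whose executable lives under a user-writable data
    directory rather than Program Files or the Windows directory."""
    writable = ("application data", "documents and settings", "\\temp\\")
    hits = []
    for line in log.splitlines():
        m = RUN_RE.match(line)
        if m and any(w in m.group(3).lower() for w in writable):
            hits.append((m.group(2), m.group(3)))
    return hits


def triage(log):
    """Run all three checks and return their findings keyed by check name."""
    return {"masquerading": masquerading_processes(log),
            "hosts": hosts_hijacks(log),
            "autostarts": autostarts_in_data_dirs(log)}


if __name__ == "__main__":
    for kind, found in triage(SAMPLE_LOG).items():
        print(kind, "->", found)
```

On the sample above the script reports winlogon.scr on the Desktop, both hosts addresses (one for collecting three payment-site names, the other for pinning Google domains) and the WI748.exe Run entry, which is the same set of lines a helper would pick out of the full log by hand.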

Re: Windows Protection Suite

ComboFix 09-09-17.04 - default 09/19/2009 0:04:41.1.1 - NTFSx86
Running from: C:\Documents and Settings\default\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\default\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Protection Suite.lnk
C:\Documents and Settings\default\Application Data\Windows Protection Suite
C:\Documents and Settings\default\Application Data\Windows Protection Suite\Instructions.ini
C:\Documents and Settings\default\Desktop\Windows Protection Suite.lnk
C:\Documents and Settings\default\Start Menu\Programs\Windows Protection Suite.lnk
C:\Documents and Settings\default\Start Menu\Windows Protection Suite.lnk
C:\Program Files\iWin Games\iWinGamesHookIE.dll
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
C:\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
C:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
C:\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
C:\Program Files\MyWebSearch\bar\Cache\009B72A5.SA
C:\Program Files\MyWebSearch\bar\Cache\009B8F2B
C:\Program Files\MyWebSearch\bar\Cache\009B9652.bin
C:\Program Files\MyWebSearch\bar\Cache\files.ini
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S
C:\Program Files\MyWebSearch\bar\Settings\prevcfg.htm
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\MyWebSearch\bar\Settings\settings.htm
C:\WINDOWS\All Users\Application Data\WINSPSys
C:\WINDOWS\All Users\Application Data\WINSPSys\winps.cfg
C:\WINDOWS\COUPON~1.DLL
C:\WINDOWS\CouponBarIE.dll
C:\WINDOWS\cpbrkpie.ocx
C:\WINDOWS\Installer\351932.msi
C:\WINDOWS\MMGSvc.ocx
C:\WINDOWS\patch.exe
C:\WINDOWS\start.exe
C:\WINDOWS\system\oeminfo.ini
C:\WINDOWS\Web\default.htt

C:\WINDOWS\system32\comres.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-08-19 to 2009-09-19 )))))))))))))))))))))))))))))))
.

2009-09-16 20:12:45 . 2009-09-16 20:12:45 16384 ----atw- C:\WINDOWS\system32\Perflib_Perfdata_298.dat
2009-09-13 14:36:40 . 2002-12-11 21:34:42 208896 ----a-w- C:\WINDOWS\system32\wmpns.dll
2009-09-13 13:46:41 . 2009-09-13 13:46:43 0 d-----w- C:\WINDOWS\winsxs
2009-09-13 12:03:34 . 2009-09-13 12:03:34 0 d-----w- C:\Program Files\Java
2009-09-13 01:18:19 . 2009-09-13 01:18:19 16384 ----atw- C:\WINDOWS\system32\Perflib_Perfdata_22c.dat
2009-09-12 23:01:01 . 2009-09-12 23:01:01 16384 ----atw- C:\WINDOWS\system32\Perflib_Perfdata_2a8.dat
2009-09-12 22:16:06 . 2009-09-12 22:16:06 16384 ----atw- C:\WINDOWS\system32\Perflib_Perfdata_20c.dat
2009-08-22 14:18:35 . 2000-03-21 04:55:50 118784 ----a-w- C:\WINDOWS\system32\vbalNCSM6.dll
2009-08-22 14:18:35 . 1999-02-19 12:54:26 40960 ----a-w- C:\WINDOWS\system32\SSubTmr6.dll
2009-08-22 14:18:14 . 2009-08-23 00:56:13 0 d-----w- C:\Program Files\eGames

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-19 04:17:03 . 2008-10-10 00:45:31 0 d---a-w- C:\Program Files\iWin Games
2009-09-13 13:46:56 . 2003-04-16 09:02:57 0 d---a-w- C:\Program Files\Common Files\Adobe
2009-09-13 12:03:53 . 2008-11-10 17:26:55 411368 ----a-w- C:\WINDOWS\system32\deploytk.dll
2009-08-18 17:26:41 . 2009-08-17 16:47:41 0 d-----w- C:\WINDOWS\All Users\Application Data\STOPzilla!
2009-08-18 17:17:03 . 2009-08-17 16:51:11 0 d-----w- C:\WINDOWS\All Users\Application Data\SITEguard
2009-08-18 16:21:15 . 2009-08-18 16:20:57 960 ----a-w- C:\WINDOWS\system32\drivers\kgpcpy.cfg
2009-08-17 21:44:05 . 2009-08-17 21:44:05 16384 ----atw- C:\WINDOWS\system32\Perflib_Perfdata_254.dat
2009-08-17 16:47:42 . 2009-08-17 16:47:42 0 d-----w- C:\Program Files\Common Files\iS3
2009-08-17 13:51:21 . 2009-08-16 04:23:19 0 d---a-w- C:\WINDOWS\All Users\Application Data\TEMP
2009-08-17 13:32:12 . 2009-08-17 13:12:33 0 d-----w- C:\Documents and Settings\default\Application Data\GetRightToGo
2009-08-16 02:27:33 . 2009-08-16 02:27:33 0 d-----w- C:\Documents and Settings\default\Application Data\Malwarebytes
2009-08-16 02:27:05 . 2009-08-16 02:27:05 0 d-----w- C:\WINDOWS\All Users\Application Data\Malwarebytes
2009-08-14 19:01:34 . 2009-08-14 03:59:53 0 d-sh--w- C:\WINDOWS\All Users\Application Data\be05e
2009-08-07 19:40:14 . 2009-08-07 19:40:14 0 d-----w- C:\WINDOWS\All Users\Application Data\Verizon Wireless
2009-08-07 19:25:30 . 2008-10-24 17:42:26 0 d-----w- C:\Program Files\Novatel Wireless
2009-08-07 19:23:39 . 2009-08-07 19:23:39 0 d-----w- C:\Program Files\Verizon Wireless
2009-08-05 05:04:36 . 2009-08-05 05:04:36 90164 ----a-w- C:\WINDOWS\system32\atl.dll
2009-07-27 11:27:30 . 2003-06-18 12:00:00 81168 ----a-w- C:\WINDOWS\system32\fontsub.dll
2009-07-27 11:27:30 . 2003-06-18 12:00:00 165136 ----a-w- C:\WINDOWS\system32\t2embed.dll
2009-07-13 13:13:26 . 2009-07-13 13:13:26 78608 ----a-w- C:\WINDOWS\system32\avifil32.dll
2009-07-13 06:18:36 . 2008-10-26 05:33:45 233472 ----a-w- C:\WINDOWS\system32\wmpdxm.dll
2009-07-10 16:49:14 . 2002-08-29 11:06:02 601088 ----a-w- C:\WINDOWS\system32\INETCOMM.DLL
2009-07-10 16:49:10 . 2002-08-29 11:06:02 47616 ----a-w- C:\WINDOWS\system32\INETRES.DLL
2009-07-10 16:49:06 . 2002-08-29 11:06:14 229376 ----a-w- C:\WINDOWS\system32\MSOEACCT.DLL
2009-07-10 16:49:02 . 2002-08-29 11:06:14 91136 ----a-w- C:\WINDOWS\system32\MSOERT2.DLL
2009-07-10 16:47:58 . 2002-08-29 11:14:40 44032 ----a-w- C:\WINDOWS\system32\MSIDENT.DLL
2009-06-26 15:53:10 . 2009-06-26 15:53:10 576512 ----a-w- C:\WINDOWS\system32\WININET.DLL
2008-10-23 22:04:42 . 2000-06-21 10:03:58 21952 ---h--w- C:\Program Files\folder.htt
2008-09-12 19:52:42 . 2006-06-29 09:07:14 11942 ----a-w- C:\Program Files\uninstal.log
.

------- Sigcheck -------

[-] 2002-11-26 23:03:32 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . C:\WINDOWS\SYSTEM32\mspmsnsv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Protection Suite"="C:\WINDOWS\All Users\Application Data\be05e\WI748.exe" [2009-08-14 03:59:24 2400256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2003-05-19 07:38:04 26112]
"QuickTime Task"="C:\WINDOWS\system32\qttask.exe" [2004-06-03 17:28:18 98304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2009-09-13 12:03:56 149280]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 21:10:28 35696]
"Synchronization Manager"="mobsync.exe" - C:\WINDOWS\SYSTEM32\mobsync.exe [2003-06-18 12:00:00 111376]
"AtiPTA"="Atiptaxx.exe" - C:\WINDOWS\SYSTEM32\atiptaxx.exe [2000-06-19 23:10:40 167936]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-18 12:00:00 186640]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe"
"SpyKiller"=C:\Program Files\SpyKiller\spykiller.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TaskMonitor"=C:\WINDOWS\taskmon.exe
"ESS Daemon"=C:\WINDOWS\ESSD.exe
"AtiPTA"=Atiptaxx.exe
"Service Connection"=c:\cpqs\bwtools\sccenter.exe
"OEMCLEANUP"=C:\WINDOWS\OPTIONS\oemreset.exe /o
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe"
"AlogServEXE"=C:\Program Files\McAfee\McAfee VirusScan\AlogServ.exe
"AvconsoleEXE"=C:\Program Files\McAfee\McAfee VirusScan\avconsol.exe /minimize
"KodakCCS"=C:\Program Files\Common Files\KODAK\KODAK_DR\KodakCCS.exe --pdr: "C:\Program Files\Common Files\KODAK\KODAK_DR\dcmnter.pdr"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"SchedulingAgent"=mstask.exe
"SSDPSRV"=C:\WINDOWS\SYSTEM\ssdpsrv.exe
"*StateMgr"=C:\WINDOWS\System\Restore\StateMgr.exe
"ATIPOLAB"=ati2evxx.exe
"VsecomrEXE"=C:\Program Files\McAfee\McAfee VirusScan\VSEcomR.EXE
"VsStatEXE"=C:\Program Files\McAfee\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING

R2 V7;V7;C:\WINDOWS\SYSTEM32\DRIVERS\V7.sys [10/23/2008 6:26:41 PM 7196]
R3 ati2mtai;ati2mtai;C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtai.sys [10/24/2008 2:46:45 PM 293163]
R3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;C:\WINDOWS\SYSTEM32\DRIVERS\nwusbser2.sys [5/9/2008 11:08:40 AM 174336]
R3 solo;ESS Solo Audio Driver (WDM);C:\WINDOWS\SYSTEM32\DRIVERS\solo.sys [10/23/2008 1:53:21 PM 63024]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mLocal Page = C:\WINDOWS\SYSTEM\blank.htm
mSearch Bar = hxxp://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=searchbar&LC=0409
IE: {{06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409
IE: {{06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409
IE: {{06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409
IE: {{06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
DPF: DirectAnimation Java Classes - file://C:\WINDOWS\SYSTEM\dajava.cab
DPF: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
DPF: {5F03EAB4-1AD5-11D4-AE99-0050DAC24E8F} - hxxp://www.iwon.com/ct/in_wn/iwonslot1,0,1,5.cab
DPF: {70522FA0-4656-11D5-B0E9-0050DAC24E8F} - hxxp://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
DPF: {BAB7B1B6-1FA2-41A2-A0A2-2CF82ACC3CA8} - hxxp://www.topmoxie.com/external/builds/upromise/upro1050_310.cab
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
BHO-{00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
BHO-{A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
Toolbar-{07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
Toolbar-SITEguard - (no file)
WebBrowser-{07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
WebBrowser-{5BED3930-2E9E-76D8-BACC-80DF2188D455} - (no file)
WebBrowser-{A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
AddRemove-HijackThis - C:\Documents and Settings\default\Desktop\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-19 00:22:41
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(104)
C:\WINDOWS\system32\wzcdlg.dll
C:\WINDOWS\system32\WZCSAPI.DLL
.
Completion time: 2009-09-19 0:28:24
ComboFix-quarantined-files.txt 2009-09-19 04:28:20

Pre-Run: 9,810,913,792 bytes free
Post-Run: 10,030,608,896 bytes free

195 --- E O F --- 2009-04-01 05:24:49

Re: Windows Protection Suite

Hi

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Folder::
    C:\WINDOWS\All Users\Application Data\be05e
    C:\Program Files\Common Files\iS3
  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    [screenshot: dragging CFScript onto ComboFix.exe]

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


==

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:

    :filefind
    scecli.dll
    netlogon.dll
    eventlog.dll
    comres.dll

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

==

In your next reply, please include the ComboFix log and the SystemLook log.

Re: Windows Protection Suite

I completed the first part, though it went a bit differently. I dragged the CFScript.txt icon to the CF icon on the desktop and then Combo Fix restarted itself again and ran. So I have here the copy of the text from that second run:

ComboFix 09-09-18.02 - default 09/19/2009 10:59.3.1 - NTFSx86
Running from: c:\documents and settings\default\Desktop\svchost.exe.exe
Command switches used :: c:\documents and settings\default\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\default\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Protection Suite.lnk
c:\documents and settings\default\Application Data\Windows Protection Suite
c:\documents and settings\default\Desktop\Windows Protection Suite.lnk
c:\documents and settings\default\Start Menu\Programs\Windows Protection Suite.lnk
c:\documents and settings\default\Start Menu\Windows Protection Suite.lnk
c:\program files\Common Files\iS3
c:\program files\Common Files\iS3\Anti-Spyware\sgdfull.rsf
c:\windows\All Users\Application Data\be05e
c:\windows\All Users\Application Data\be05e\72.mof
c:\windows\All Users\Application Data\be05e\BackUp\VZAccess Manager.lnk
c:\windows\All Users\Application Data\be05e\WI748.exe
c:\windows\All Users\Application Data\be05e\WINPS.ico
c:\windows\All Users\Application Data\be05e\WINSPSys\vd952342.bd
c:\windows\All Users\Application Data\be05e\working.log
c:\windows\All Users\Application Data\WINSPSys
c:\windows\All Users\Application Data\WINSPSys\winps.cfg

-- Previous Run --

-- Previous Run --

c:\windows\system32\comres.dll . . . is infected!!

--------

c:\windows\system32\comres.dll . . . is infected!!

--------

c:\windows\system32\comres.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-08-19 to 2009-09-19 )))))))))))))))))))))))))))))))
.

2009-09-19 14:11 . 2009-09-19 14:11 16384 ----atw- c:\windows\system32\Perflib_Perfdata_2a0.dat
2009-09-13 14:36 . 2002-12-11 21:34 208896 ----a-w- c:\windows\system32\wmpns.dll
2009-09-13 13:46 . 2009-09-13 13:46 -------- d-----w- c:\windows\winsxs
2009-09-13 12:03 . 2009-09-13 12:03 -------- d-----w- c:\program files\Java
2009-09-13 01:18 . 2009-09-13 01:18 16384 ----atw- c:\windows\system32\Perflib_Perfdata_22c.dat
2009-09-12 23:01 . 2009-09-12 23:01 16384 ----atw- c:\windows\system32\Perflib_Perfdata_2a8.dat
2009-08-22 14:18 . 2000-03-21 04:55 118784 ----a-w- c:\windows\system32\vbalNCSM6.dll
2009-08-22 14:18 . 1999-02-19 12:54 40960 ----a-w- c:\windows\system32\SSubTmr6.dll
2009-08-22 14:18 . 2009-08-23 00:56 -------- d-----w- c:\program files\eGames

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-19 04:17 . 2008-10-10 00:45 -------- d---a-w- c:\program files\iWin Games
2009-09-13 13:46 . 2003-04-16 09:02 -------- d---a-w- c:\program files\Common Files\Adobe
2009-09-13 12:03 . 2008-11-10 17:26 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-18 17:26 . 2009-08-17 16:47 -------- d-----w- c:\windows\All Users\Application Data\STOPzilla!
2009-08-18 17:17 . 2009-08-17 16:51 -------- d-----w- c:\windows\All Users\Application Data\SITEguard
2009-08-18 16:21 . 2009-08-18 16:20 960 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-08-17 21:44 . 2009-08-17 21:44 16384 ----atw- c:\windows\system32\Perflib_Perfdata_254.dat
2009-08-17 13:51 . 2009-08-16 04:23 -------- d---a-w- c:\windows\All Users\Application Data\TEMP
2009-08-17 13:32 . 2009-08-17 13:12 -------- d-----w- c:\documents and settings\default\Application Data\GetRightToGo
2009-08-16 02:27 . 2009-08-16 02:27 -------- d-----w- c:\documents and settings\default\Application Data\Malwarebytes
2009-08-16 02:27 . 2009-08-16 02:27 -------- d-----w- c:\windows\All Users\Application Data\Malwarebytes
2009-08-07 19:40 . 2009-08-07 19:40 -------- d-----w- c:\windows\All Users\Application Data\Verizon Wireless
2009-08-07 19:25 . 2008-10-24 17:42 -------- d-----w- c:\program files\Novatel Wireless
2009-08-07 19:23 . 2009-08-07 19:23 -------- d-----w- c:\program files\Verizon Wireless
2009-08-05 05:04 . 2009-08-05 05:04 90164 ----a-w- c:\windows\system32\atl.dll
2009-07-27 11:27 . 2003-06-18 12:00 81168 ----a-w- c:\windows\system32\fontsub.dll
2009-07-27 11:27 . 2003-06-18 12:00 165136 ----a-w- c:\windows\system32\t2embed.dll
2009-07-13 13:13 . 2009-07-13 13:13 78608 ----a-w- c:\windows\system32\avifil32.dll
2009-07-13 06:18 . 2008-10-26 05:33 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-10 16:49 . 2002-08-29 11:06 601088 ----a-w- c:\windows\system32\INETCOMM.DLL
2009-07-10 16:49 . 2002-08-29 11:06 47616 ----a-w- c:\windows\system32\INETRES.DLL
2009-07-10 16:49 . 2002-08-29 11:06 229376 ----a-w- c:\windows\system32\MSOEACCT.DLL
2009-07-10 16:49 . 2002-08-29 11:06 91136 ----a-w- c:\windows\system32\MSOERT2.DLL
2009-07-10 16:47 . 2002-08-29 11:14 44032 ----a-w- c:\windows\system32\MSIDENT.DLL
2009-06-26 15:53 . 2009-06-26 15:53 576512 ------w- c:\windows\system32\WININET.DLL
2008-10-23 22:04 . 2000-06-21 10:03 21952 ---h--w- c:\program files\folder.htt
2008-09-12 19:52 . 2006-06-29 09:07 11942 ----a-w- c:\program files\uninstal.log
.

------- Sigcheck -------

[-] 2002-11-26 23:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\windows\SYSTEM32\mspmsnsv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Protection Suite"="c:\windows\All Users\Application Data\be05e\WI748.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2003-05-19 26112]
"QuickTime Task"="c:\windows\system32\qttask.exe" [2004-06-03 98304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-13 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Synchronization Manager"="mobsync.exe" - c:\windows\SYSTEM32\mobsync.exe [2003-06-18 111376]
"AtiPTA"="Atiptaxx.exe" - c:\windows\SYSTEM32\atiptaxx.exe [2000-06-19 167936]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-18 186640]

c:\documents and settings\default\Start Menu\Programs\Startup\
VZAccess Manager.lnk - c:\program files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2009-8-7 1787184]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe"
"SpyKiller"=c:\program files\SpyKiller\spykiller.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TaskMonitor"=c:\windows\taskmon.exe
"ESS Daemon"=c:\windows\ESSD.exe
"AtiPTA"=Atiptaxx.exe
"Service Connection"=c:\cpqs\bwtools\sccenter.exe
"OEMCLEANUP"=c:\windows\OPTIONS\oemreset.exe /o
"SMSystemAnalyzer"="c:\program files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe"
"AlogServEXE"=c:\program files\McAfee\McAfee VirusScan\AlogServ.exe
"AvconsoleEXE"=c:\program files\McAfee\McAfee VirusScan\avconsol.exe /minimize
"KodakCCS"=c:\program files\Common Files\KODAK\KODAK_DR\KodakCCS.exe --pdr: "c:\program files\Common Files\KODAK\KODAK_DR\dcmnter.pdr"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"SchedulingAgent"=mstask.exe
"SSDPSRV"=c:\windows\SYSTEM\ssdpsrv.exe
"*StateMgr"=c:\windows\System\Restore\StateMgr.exe
"ATIPOLAB"=ati2evxx.exe
"VsecomrEXE"=c:\program files\McAfee\McAfee VirusScan\VSEcomR.EXE
"VsStatEXE"=c:\program files\McAfee\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING

R2 V7;V7;c:\windows\SYSTEM32\DRIVERS\V7.sys [10/23/2008 6:26 PM 7196]
R3 ati2mtai;ati2mtai;c:\windows\SYSTEM32\DRIVERS\ati2mtai.sys [10/24/2008 2:46 PM 293163]
R3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\SYSTEM32\DRIVERS\nwusbser2.sys [5/9/2008 11:08 AM 174336]
R3 solo;ESS Solo Audio Driver (WDM);c:\windows\SYSTEM32\DRIVERS\solo.sys [10/23/2008 1:53 PM 63024]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - IPNAT
*NewlyCreated* - RASAUTO
*NewlyCreated* - SHAREDACCESS
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mLocal Page = c:\windows\SYSTEM\blank.htm
mSearch Bar = hxxp://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=searchbar&LC=0409
IE: {{06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409
IE: {{06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409
IE: {{06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409
IE: {{06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
TCP: {AC3AD504-9991-4E0E-9D3F-34056F8BB167} = 66.174.95.44 66.174.92.14
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
DPF: {5F03EAB4-1AD5-11D4-AE99-0050DAC24E8F} - hxxp://www.iwon.com/ct/in_wn/iwonslot1,0,1,5.cab
DPF: {70522FA0-4656-11D5-B0E9-0050DAC24E8F} - hxxp://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
DPF: {BAB7B1B6-1FA2-41A2-A0A2-2CF82ACC3CA8} - hxxp://www.topmoxie.com/external/builds/upromise/upro1050_310.cab
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
BHO-{00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
BHO-{A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
Toolbar-{07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
Toolbar-SITEguard - (no file)
WebBrowser-{07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
WebBrowser-{5BED3930-2E9E-76D8-BACC-80DF2188D455} - (no file)
WebBrowser-{A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-19 11:13
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(240)
c:\windows\system32\wzcdlg.dll
c:\windows\system32\WZCSAPI.DLL

- - - - - - - > 'explorer.exe'(708)
c:\windows\AppPatch\AcLayers.DLL
c:\windows\system32\SHDOCVW.DLL
.
Completion time: 2009-09-19 11:19
ComboFix-quarantined-files.txt 2009-09-19 15:19
ComboFix2.txt 2009-09-19 14:42
ComboFix3.txt 2009-09-19 04:28

Pre-Run: 10,022,586,880 bytes free
Post-Run: 10,025,497,088 bytes free

181 --- E O F --- 2009-04-01 05:24

Re: Windows Protection Suite
Here is what System Look found. I ran this with the internet browser open. If I need to rerun with all shut down, please let me know. Thank you for all your help!

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 11:26 on 19/09/2009 by default (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\WINDOWS\$NtUpdateRollupPackUninstall$\scecli.dll -----c 114448 bytes [16:25 25/10/2008] [12:00 18/06/2003] FF11B32A906D75CD96957B66E318DAD0
C:\WINDOWS\ERDNT\cache\scecli.dll --a--- 114448 bytes [04:24 19/09/2009] [19:39 12/01/2005] 6FCCE1622E75C7DC46509F7EC4B314A3
C:\WINDOWS\SYSTEM32\dllcache\scecli.dll --a--c 114448 bytes [12:00 18/06/2003] [19:39 12/01/2005] 6FCCE1622E75C7DC46509F7EC4B314A3
C:\WINDOWS\SYSTEM32\scecli.dll ------ 114448 bytes [19:39 12/01/2005] [19:39 12/01/2005] 6FCCE1622E75C7DC46509F7EC4B314A3

Searching for "netlogon.dll"
C:\WINDOWS\$NtUpdateRollupPackUninstall$\netlogon.dll -----c 371984 bytes [16:25 25/10/2008] [12:00 18/06/2003] 11B91C26925F56F577089FF88AA0BEC0
C:\WINDOWS\ERDNT\cache\NETLOGON.DLL --a--- 366864 bytes [04:24 19/09/2009] [11:54 08/04/2005] BE8FC3C74AB5212CD4067E8973764AD6
C:\WINDOWS\SYSTEM32\dllcache\NETLOGON.DLL --a--c 366864 bytes [12:00 18/06/2003] [11:54 08/04/2005] BE8FC3C74AB5212CD4067E8973764AD6
C:\WINDOWS\SYSTEM32\NETLOGON.DLL ------ 366864 bytes [11:54 08/04/2005] [11:54 08/04/2005] BE8FC3C74AB5212CD4067E8973764AD6

Searching for "eventlog.dll"
C:\WINDOWS\$NtUpdateRollupPackUninstall$\eventlog.dll -----c 47888 bytes [16:24 25/10/2008] [12:00 18/06/2003] 5738D5804F61A1D30D86FA24DEE56E0C
C:\WINDOWS\ERDNT\cache\EVENTLOG.DLL --a--- 49424 bytes [04:24 19/09/2009] [11:54 08/04/2005] E7F03344AE103B02135C20112B557051
C:\WINDOWS\SYSTEM32\dllcache\EVENTLOG.DLL --a--c 49424 bytes [12:00 18/06/2003] [11:54 08/04/2005] E7F03344AE103B02135C20112B557051
C:\WINDOWS\SYSTEM32\EVENTLOG.DLL ------ 49424 bytes [11:54 08/04/2005] [11:54 08/04/2005] E7F03344AE103B02135C20112B557051

Searching for "comres.dll"
No files found.

-=End Of File=-
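Added here as an editor's example, not code from SystemLook, ComboFix or anyone in this thread: a small Python reader for the `:filefind` output above. It groups every located copy under the file name it was searched for and compares the MD5 of the live copy in `SYSTEM32` with the copy Windows File Protection keeps in `SYSTEM32\dllcache`, reporting `missing` when no live copy was listed (as for comres.dll above), `mismatch` when the two hashes differ, `unverified` when there is no dllcache copy to compare with, and `match` otherwise. The sample log is an excerpt of the output posted above plus one made-up `constructed.dll` entry with placeholder hashes, added only to exercise the mismatch case.

```python
"""Compare the live SYSTEM32 copy of a system DLL with its dllcache copy,
reading the text a SystemLook ':filefind' scan produces.

Editor's example; not part of SystemLook or ComboFix.
"""
import re
from dataclasses import dataclass

# SystemLook prints one line per located copy:
#   <path> <attrs> <size> bytes [<modified>] [<created>] <MD5>
ENTRY = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-A-Za-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<modified>[^\]]+)\] \[(?P<created>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
HEADER = re.compile(r'^Searching for "(?P<name>[^"]+)"$')

# Constructed sample: an excerpt of the log posted above, plus a made-up
# "constructed.dll" block with placeholder hashes to show the mismatch case.
SAMPLE_LOG = r"""========== filefind ==========

Searching for "scecli.dll"
C:\WINDOWS\$NtUpdateRollupPackUninstall$\scecli.dll -----c 114448 bytes [16:25 25/10/2008] [12:00 18/06/2003] FF11B32A906D75CD96957B66E318DAD0
C:\WINDOWS\ERDNT\cache\scecli.dll --a--- 114448 bytes [04:24 19/09/2009] [19:39 12/01/2005] 6FCCE1622E75C7DC46509F7EC4B314A3
C:\WINDOWS\SYSTEM32\dllcache\scecli.dll --a--c 114448 bytes [12:00 18/06/2003] [19:39 12/01/2005] 6FCCE1622E75C7DC46509F7EC4B314A3
C:\WINDOWS\SYSTEM32\scecli.dll ------ 114448 bytes [19:39 12/01/2005] [19:39 12/01/2005] 6FCCE1622E75C7DC46509F7EC4B314A3

Searching for "comres.dll"
No files found.

Searching for "constructed.dll"
C:\WINDOWS\SYSTEM32\dllcache\constructed.dll --a--c 1024 bytes [00:00 01/01/2009] [00:00 01/01/2009] 00000000000000000000000000000000
C:\WINDOWS\SYSTEM32\constructed.dll ------ 1024 bytes [00:00 01/01/2009] [00:00 01/01/2009] FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

-=End Of File=-
"""


@dataclass
class FileCopy:
    path: str
    size: int
    md5: str


def parse_filefind(log: str) -> dict:
    """Return {file name (lower-cased): [FileCopy, ...]} for every 'Searching for' block."""
    found = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            current = header.group("name").lower()
            found[current] = []          # "No files found." leaves this list empty
            continue
        entry = ENTRY.match(line)
        if entry and current is not None:
            found[current].append(
                FileCopy(entry.group("path"), int(entry.group("size")),
                         entry.group("md5").upper())
            )
    return found


def assess(name: str, copies: list) -> str:
    """Classify one DLL: 'missing', 'unverified', 'match' or 'mismatch'."""
    live = [c for c in copies if c.path.lower().endswith("\\system32\\" + name)]
    cache = [c for c in copies if c.path.lower().endswith("\\system32\\dllcache\\" + name)]
    if not live:
        return "missing"            # no copy in SYSTEM32 at all (comres.dll above)
    if not cache:
        return "unverified"         # nothing in dllcache to compare against
    return "match" if live[0].md5 == cache[0].md5 else "mismatch"


def report(log: str) -> dict:
    """Map each searched-for file name to its assessment."""
    return {name: assess(name, copies) for name, copies in parse_filefind(log).items()}


if __name__ == "__main__":
    for name, verdict in report(SAMPLE_LOG).items():
        print(f"{name:20s} {verdict}")
```

A `match` only says the two on-disk copies agree with each other; a dllcache copy that was itself replaced would agree with a replaced live copy, so a final verdict still needs the hash of a known-good file from installation media or a vendor catalogue. A `missing` result for a DLL that ComboFix keeps flagging as infected, as with comres.dll in this thread, is the discrepancy worth following up.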

Re: Windows Protection Suite
Hi

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Folder::
    c:\windows\All Users\Application Data\STOPzilla!
    c:\windows\All Users\Application Data\SITEguard
    c:\program files\SpyKiller

    DirLook::
    c:\windows\All Users\Application Data\be05e
  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    [picture: Cf010]

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


==
Please download comres.dll and save it to your Desktop.

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

Please navigate to c:\windows\system32 and delete this file: comres.dll (if exists)

Then, leave the System32 directory up, and then move the clean comres.dll from your Desktop to your System32 folder.
==


In your next reply, please include the ComboFix log and a fresh HijackThis log. Also, please tell me how your computer is running and if the file move operation was successful.

Re: Windows Protection Suite
Here is the first part, the CF log. I've forgotten how to run "HiJack This". Do you have a link to it?

ComboFix 09-09-18.02 - default 09/20/2009 0:43.6.1 - NTFSx86
Running from: c:\documents and settings\default\Desktop\svchost.exe.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\All Users\Application Data\SITEguard
c:\windows\All Users\Application Data\SITEguard\siteguard.db
c:\windows\All Users\Application Data\STOPzilla!
c:\windows\All Users\Application Data\STOPzilla!\modules_scanned.db
c:\windows\All Users\Application Data\STOPzilla!\modules_scanned.db.bak
c:\windows\All Users\Application Data\STOPzilla!\scanner.log
c:\windows\All Users\Application Data\STOPzilla!\sgdefs.db
c:\windows\All Users\Application Data\STOPzilla!\sgdwc.db
c:\windows\All Users\Application Data\STOPzilla!\userdata.db
c:\windows\All Users\Application Data\STOPzilla!\zilla5.log

-- Previous Run --

-- Previous Run --

-- Previous Run --

-- Previous Run --

-- Previous Run --

c:\windows\system32\comres.dll . . . is infected!!

--------

c:\windows\system32\comres.dll . . . is infected!!

--------

c:\windows\system32\comres.dll . . . is infected!!

--------

c:\windows\system32\comres.dll . . . is infected!!

--------

c:\windows\system32\comres.dll . . . is infected!!

--------

c:\windows\system32\comres.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-08-20 to 2009-09-20 )))))))))))))))))))))))))))))))
.

2009-09-20 03:21 . 2009-09-20 03:50 -------- d-----w- C:\svchost.exe26357s
2009-09-19 14:50 . 2009-09-20 03:21 -------- d-----w- C:\svchost.exe
2009-09-19 14:11 . 2009-09-19 14:11 16384 ----atw- c:\windows\system32\Perflib_Perfdata_2a0.dat
2009-09-13 14:36 . 2002-12-11 21:34 208896 ----a-w- c:\windows\system32\wmpns.dll
2009-09-13 13:46 . 2009-09-13 13:46 -------- d-----w- c:\windows\winsxs
2009-09-13 12:03 . 2009-09-13 12:03 -------- d-----w- c:\program files\Java
2009-09-13 01:18 . 2009-09-13 01:18 16384 ----atw- c:\windows\system32\Perflib_Perfdata_22c.dat
2009-09-12 23:01 . 2009-09-12 23:01 16384 ----atw- c:\windows\system32\Perflib_Perfdata_2a8.dat
2009-08-22 14:18 . 2000-03-21 04:55 118784 ----a-w- c:\windows\system32\vbalNCSM6.dll
2009-08-22 14:18 . 1999-02-19 12:54 40960 ----a-w- c:\windows\system32\SSubTmr6.dll
2009-08-22 14:18 . 2009-08-23 00:56 -------- d-----w- c:\program files\eGames

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-19 04:17 . 2008-10-10 00:45 -------- d---a-w- c:\program files\iWin Games
2009-09-13 13:46 . 2003-04-16 09:02 -------- d---a-w- c:\program files\Common Files\Adobe
2009-09-13 12:03 . 2008-11-10 17:26 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-18 16:21 . 2009-08-18 16:20 960 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-08-17 21:44 . 2009-08-17 21:44 16384 ----atw- c:\windows\system32\Perflib_Perfdata_254.dat
2009-08-17 13:51 . 2009-08-16 04:23 -------- d---a-w- c:\windows\All Users\Application Data\TEMP
2009-08-17 13:32 . 2009-08-17 13:12 -------- d-----w- c:\documents and settings\default\Application Data\GetRightToGo
2009-08-16 02:27 . 2009-08-16 02:27 -------- d-----w- c:\documents and settings\default\Application Data\Malwarebytes
2009-08-16 02:27 . 2009-08-16 02:27 -------- d-----w- c:\windows\All Users\Application Data\Malwarebytes
2009-08-07 19:40 . 2009-08-07 19:40 -------- d-----w- c:\windows\All Users\Application Data\Verizon Wireless
2009-08-07 19:25 . 2008-10-24 17:42 -------- d-----w- c:\program files\Novatel Wireless
2009-08-07 19:23 . 2009-08-07 19:23 -------- d-----w- c:\program files\Verizon Wireless
2009-08-05 05:04 . 2009-08-05 05:04 90164 ----a-w- c:\windows\system32\atl.dll
2009-07-27 11:27 . 2003-06-18 12:00 81168 ----a-w- c:\windows\system32\fontsub.dll
2009-07-27 11:27 . 2003-06-18 12:00 165136 ----a-w- c:\windows\system32\t2embed.dll
2009-07-13 13:13 . 2009-07-13 13:13 78608 ----a-w- c:\windows\system32\avifil32.dll
2009-07-13 06:18 . 2008-10-26 05:33 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-10 16:49 . 2002-08-29 11:06 601088 ----a-w- c:\windows\system32\INETCOMM.DLL
2009-07-10 16:49 . 2002-08-29 11:06 47616 ----a-w- c:\windows\system32\INETRES.DLL
2009-07-10 16:49 . 2002-08-29 11:06 229376 ----a-w- c:\windows\system32\MSOEACCT.DLL
2009-07-10 16:49 . 2002-08-29 11:06 91136 ----a-w- c:\windows\system32\MSOERT2.DLL
2009-07-10 16:47 . 2002-08-29 11:14 44032 ----a-w- c:\windows\system32\MSIDENT.DLL
2009-06-26 15:53 . 2009-06-26 15:53 576512 ------w- c:\windows\system32\WININET.DLL
2008-10-23 22:04 . 2000-06-21 10:03 21952 ---h--w- c:\program files\folder.htt
2008-09-12 19:52 . 2006-06-29 09:07 11942 ----a-w- c:\program files\uninstal.log
.

------- Sigcheck -------

[-] 2002-11-26 23:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\windows\SYSTEM32\mspmsnsv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Protection Suite"="c:\windows\All Users\Application Data\be05e\WI748.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2003-05-19 26112]
"QuickTime Task"="c:\windows\system32\qttask.exe" [2004-06-03 98304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-13 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Synchronization Manager"="mobsync.exe" - c:\windows\SYSTEM32\mobsync.exe [2003-06-18 111376]
"AtiPTA"="Atiptaxx.exe" - c:\windows\SYSTEM32\atiptaxx.exe [2000-06-19 167936]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-18 186640]

c:\documents and settings\default\Start Menu\Programs\Startup\
VZAccess Manager.lnk - c:\program files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2009-8-7 1787184]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe"
"SpyKiller"=c:\program files\SpyKiller\spykiller.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TaskMonitor"=c:\windows\taskmon.exe
"ESS Daemon"=c:\windows\ESSD.exe
"AtiPTA"=Atiptaxx.exe
"Service Connection"=c:\cpqs\bwtools\sccenter.exe
"OEMCLEANUP"=c:\windows\OPTIONS\oemreset.exe /o
"SMSystemAnalyzer"="c:\program files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe"
"AlogServEXE"=c:\program files\McAfee\McAfee VirusScan\AlogServ.exe
"AvconsoleEXE"=c:\program files\McAfee\McAfee VirusScan\avconsol.exe /minimize
"KodakCCS"=c:\program files\Common Files\KODAK\KODAK_DR\KodakCCS.exe --pdr: "c:\program files\Common Files\KODAK\KODAK_DR\dcmnter.pdr"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"SchedulingAgent"=mstask.exe
"SSDPSRV"=c:\windows\SYSTEM\ssdpsrv.exe
"*StateMgr"=c:\windows\System\Restore\StateMgr.exe
"ATIPOLAB"=ati2evxx.exe
"VsecomrEXE"=c:\program files\McAfee\McAfee VirusScan\VSEcomR.EXE
"VsStatEXE"=c:\program files\McAfee\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING

R2 V7;V7;c:\windows\SYSTEM32\DRIVERS\V7.sys [10/23/2008 6:26 PM 7196]
R3 ati2mtai;ati2mtai;c:\windows\SYSTEM32\DRIVERS\ati2mtai.sys [10/24/2008 2:46 PM 293163]
R3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\SYSTEM32\DRIVERS\nwusbser2.sys [5/9/2008 11:08 AM 174336]
R3 solo;ESS Solo Audio Driver (WDM);c:\windows\SYSTEM32\DRIVERS\solo.sys [10/23/2008 1:53 PM 63024]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - IPNAT
*NewlyCreated* - RASAUTO
*NewlyCreated* - SHAREDACCESS
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mLocal Page = c:\windows\SYSTEM\blank.htm
mSearch Bar = hxxp://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=searchbar&LC=0409
IE: {{06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409
IE: {{06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409
IE: {{06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409
IE: {{06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
DPF: {5F03EAB4-1AD5-11D4-AE99-0050DAC24E8F} - hxxp://www.iwon.com/ct/in_wn/iwonslot1,0,1,5.cab
DPF: {70522FA0-4656-11D5-B0E9-0050DAC24E8F} - hxxp://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
DPF: {BAB7B1B6-1FA2-41A2-A0A2-2CF82ACC3CA8} - hxxp://www.topmoxie.com/external/builds/upromise/upro1050_310.cab
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
BHO-{00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
BHO-{A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
Toolbar-{07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
Toolbar-SITEguard - (no file)
WebBrowser-{07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
WebBrowser-{5BED3930-2E9E-76D8-BACC-80DF2188D455} - (no file)
WebBrowser-{A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-20 00:56
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(240)
c:\windows\system32\wzcdlg.dll
c:\windows\system32\WZCSAPI.DLL

- - - - - - - > 'explorer.exe'(1084)
c:\windows\AppPatch\AcLayers.DLL
c:\windows\system32\SHDOCVW.DLL
.
Completion time: 2009-09-20 1:02
ComboFix-quarantined-files.txt 2009-09-20 05:02
ComboFix2.txt 2009-09-20 04:16
ComboFix3.txt 2009-09-20 03:49
ComboFix4.txt 2009-09-19 15:19
ComboFix5.txt 2009-09-20 04:29

Pre-Run: 10,023,986,176 bytes free
Post-Run: 10,025,342,464 bytes free

184 --- E O F --- 2009-04-01 05:24

Re: Windows Protection Suite
Hi

Jotti File Submission:
  • Please go to Jotti's malware scan

  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:

    • C:\svchost.exe


  • Click on the submit button

  • Please post the results in your next reply. (Address of page (URL))


Please do the same for this file: C:\svchost.exe26357s

When you get the first result, copy and paste it to Notepad, then go to do the second scan. Post both URLs back here.

Re: Windows Protection Suite
I haven't completed the second part of your previous instruction yet.

I do not know how to run "HiJack This" and need that link first. Thanks.

Re: Windows Protection Suite
Hi

That is okay. I need the files above scanned, please, before I decide what is best to continue with. No big deal, let's move on with my latest instruction.

Re: Windows Protection Suite
Ok. You might want to see this. I just completed the part about downloading comres.dll and running ComboFix. When I went to the win\sys32 folder I could NOT find a file called comres.dll.

So I did drag the desktop file of that into the win\sys32 folder like instructed and then ran ComboFix. Here is the result from the notepad:



09-09-18.02 - default 09/20/2009 14:20.7.1 - NTFSx86 MINIMAL
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.127.62 [GMT -4]
Running from: c:\documents and settings\default\Desktop\svchost.exe.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

-- Previous Run --

-- Previous Run --

-- Previous Run --

-- Previous Run --

-- Previous Run --

-- Previous Run --

c:\windows\system32\comres.dll . . . is infected!!

--------

c:\windows\system32\comres.dll . . . is infected!!

--------

c:\windows\system32\comres.dll . . . is infected!!

--------

c:\windows\system32\comres.dll . . . is infected!!

--------

c:\windows\system32\comres.dll . . . is infected!!

--------

c:\windows\system32\comres.dll . . . is infected!!

--------

.
((((((((((((((((((((((((( Files Created from 2009-08-20 to 2009-09-20 )))))))))))))))))))))))))))))))
.

2009-09-20 18:17 . 2009-09-20 18:17 16384 ----atw- c:\windows\system32\Perflib_Perfdata_17c.dat
2009-09-20 05:14 . 2009-09-20 05:14 792064 ----a-w- c:\windows\system32\comres.dll
2009-09-20 03:21 . 2009-09-20 03:50 -------- d-----w- C:\svchost.exe26357s
2009-09-19 14:50 . 2009-09-20 03:21 -------- d-----w- C:\svchost.exe
2009-09-13 14:36 . 2002-12-11 21:34 208896 ----a-w- c:\windows\system32\wmpns.dll
2009-09-13 13:46 . 2009-09-13 13:46 -------- d-----w- c:\windows\winsxs
2009-09-13 12:03 . 2009-09-13 12:03 -------- d-----w- c:\program files\Java
2009-09-12 23:01 . 2009-09-12 23:01 16384 ----atw- c:\windows\system32\Perflib_Perfdata_2a8.dat
2009-08-22 14:18 . 2000-03-21 04:55 118784 ----a-w- c:\windows\system32\vbalNCSM6.dll
2009-08-22 14:18 . 1999-02-19 12:54 40960 ----a-w- c:\windows\system32\SSubTmr6.dll
2009-08-22 14:18 . 2009-08-23 00:56 -------- d-----w- c:\program files\eGames

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-19 04:17 . 2008-10-10 00:45 -------- d---a-w- c:\program files\iWin Games
2009-09-13 13:46 . 2003-04-16 09:02 -------- d---a-w- c:\program files\Common Files\Adobe
2009-09-13 12:03 . 2008-11-10 17:26 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-18 16:21 . 2009-08-18 16:20 960 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-08-17 21:44 . 2009-08-17 21:44 16384 ----atw- c:\windows\system32\Perflib_Perfdata_254.dat
2009-08-17 13:51 . 2009-08-16 04:23 -------- d---a-w- c:\windows\All Users\Application Data\TEMP
2009-08-17 13:32 . 2009-08-17 13:12 -------- d-----w- c:\documents and settings\default\Application Data\GetRightToGo
2009-08-16 02:27 . 2009-08-16 02:27 -------- d-----w- c:\documents and settings\default\Application Data\Malwarebytes
2009-08-16 02:27 . 2009-08-16 02:27 -------- d-----w- c:\windows\All Users\Application Data\Malwarebytes
2009-08-07 19:40 . 2009-08-07 19:40 -------- d-----w- c:\windows\All Users\Application Data\Verizon Wireless
2009-08-07 19:25 . 2008-10-24 17:42 -------- d-----w- c:\program files\Novatel Wireless
2009-08-07 19:23 . 2009-08-07 19:23 -------- d-----w- c:\program files\Verizon Wireless
2009-08-05 05:04 . 2009-08-05 05:04 90164 ----a-w- c:\windows\system32\atl.dll
2009-07-27 11:27 . 2003-06-18 12:00 81168 ----a-w- c:\windows\system32\fontsub.dll
2009-07-27 11:27 . 2003-06-18 12:00 165136 ----a-w- c:\windows\system32\t2embed.dll
2009-07-13 13:13 . 2009-07-13 13:13 78608 ----a-w- c:\windows\system32\avifil32.dll
2009-07-13 06:18 . 2008-10-26 05:33 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-10 16:49 . 2002-08-29 11:06 601088 ----a-w- c:\windows\system32\INETCOMM.DLL
2009-07-10 16:49 . 2002-08-29 11:06 47616 ----a-w- c:\windows\system32\INETRES.DLL
2009-07-10 16:49 . 2002-08-29 11:06 229376 ----a-w- c:\windows\system32\MSOEACCT.DLL
2009-07-10 16:49 . 2002-08-29 11:06 91136 ----a-w- c:\windows\system32\MSOERT2.DLL
2009-07-10 16:47 . 2002-08-29 11:14 44032 ----a-w- c:\windows\system32\MSIDENT.DLL
2009-06-26 15:53 . 2009-06-26 15:53 576512 ------w- c:\windows\system32\WININET.DLL
2008-10-23 22:04 . 2000-06-21 10:03 21952 ---h--w- c:\program files\folder.htt
2008-09-12 19:52 . 2006-06-29 09:07 11942 ----a-w- c:\program files\uninstal.log
.

------- Sigcheck -------

[-] 2002-11-26 23:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\windows\SYSTEM32\mspmsnsv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Protection Suite"="c:\windows\All Users\Application Data\be05e\WI748.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2003-05-19 26112]
"QuickTime Task"="c:\windows\system32\qttask.exe" [2004-06-03 98304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-13 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Synchronization Manager"="mobsync.exe" - c:\windows\SYSTEM32\mobsync.exe [2003-06-18 111376]
"AtiPTA"="Atiptaxx.exe" - c:\windows\SYSTEM32\atiptaxx.exe [2000-06-19 167936]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-18 186640]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe"
"SpyKiller"=c:\program files\SpyKiller\spykiller.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TaskMonitor"=c:\windows\taskmon.exe
"ESS Daemon"=c:\windows\ESSD.exe
"AtiPTA"=Atiptaxx.exe
"Service Connection"=c:\cpqs\bwtools\sccenter.exe
"OEMCLEANUP"=c:\windows\OPTIONS\oemreset.exe /o
"SMSystemAnalyzer"="c:\program files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe"
"AlogServEXE"=c:\program files\McAfee\McAfee VirusScan\AlogServ.exe
"AvconsoleEXE"=c:\program files\McAfee\McAfee VirusScan\avconsol.exe /minimize
"KodakCCS"=c:\program files\Common Files\KODAK\KODAK_DR\KodakCCS.exe --pdr: "c:\program files\Common Files\KODAK\KODAK_DR\dcmnter.pdr"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"SchedulingAgent"=mstask.exe
"SSDPSRV"=c:\windows\SYSTEM\ssdpsrv.exe
"*StateMgr"=c:\windows\System\Restore\StateMgr.exe
"ATIPOLAB"=ati2evxx.exe
"VsecomrEXE"=c:\program files\McAfee\McAfee VirusScan\VSEcomR.EXE
"VsStatEXE"=c:\program files\McAfee\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING

R2 V7;V7;c:\windows\system32\drivers\V7.sys [2000-03-09 7196]
R3 ati2mtai;ati2mtai;c:\windows\system32\DRIVERS\ati2mtai.sys [2000-11-28 293163]
R3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\DRIVERS\nwusbser2.sys [2008-05-09 174336]
R3 solo;ESS Solo Audio Driver (WDM);c:\windows\system32\drivers\solo.sys [1999-11-08 63024]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - HIDUSB
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mLocal Page = c:\windows\SYSTEM\blank.htm
mSearch Bar = hxxp://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=searchbar&LC=0409
IE: {{06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409
IE: {{06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409
IE: {{06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409
IE: {{06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
DPF: {5F03EAB4-1AD5-11D4-AE99-0050DAC24E8F} - hxxp://www.iwon.com/ct/in_wn/iwonslot1,0,1,5.cab
DPF: {70522FA0-4656-11D5-B0E9-0050DAC24E8F} - hxxp://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
DPF: {BAB7B1B6-1FA2-41A2-A0A2-2CF82ACC3CA8} - hxxp://www.topmoxie.com/external/builds/upromise/upro1050_310.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
BHO-{A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
Toolbar-SITEguard - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-20 14:31
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(160)
c:\windows\system32\wzcdlg.dll
c:\windows\system32\WZCSAPI.DLL

- - - - - - - > 'explorer.exe'(304)
c:\windows\AppPatch\AcLayers.DLL
c:\windows\system32\SHDOCVW.DLL
.
Completion time: 2009-09-20 14:35
ComboFix-quarantined-files.txt 2009-09-20 18:35
ComboFix2.txt 2009-09-20 05:02
ComboFix3.txt 2009-09-20 04:16
ComboFix4.txt 2009-09-20 03:49
ComboFix5.txt 2009-09-20 18:16

Pre-Run: 10,042,439,168 bytes free
Post-Run: 10,058,910,720 bytes free

165 --- E O F --- 2009-04-01 05:24
oading the comres.dll file and then going to safe mode.

Last edited by Whimscycle on 20th September 2009, 7:03 pm; edited 1 time in total (Reason for editing : typo)

Re: Windows Protection Suite

Please do the following.

DragonMaster Jay wrote:

Jotti File Submission:
  • Please go to Jotti's malware scan

  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:

    • C:\svchost.exe


  • Click on the submit button

  • Please post the results in your next reply. (Address of page (URL))


Please do the same for this file: C:\svchost.exe26357s

When you get the first result, copy and paste it to Notepad, then go to do the second scan. Post both URLs back here.

Re: Windows Protection Suite

DMJay-
I went to Jotti's MW Scan and it said my IE was outdated. I uploaded Firefox and made it my browser and came back on-line to Jotti's.

I tried to upload the file from C\ and to copy and paste into the box. Nothing would take. It would not allow me to type in the box or upload into it.

Interestingly, I noticed a "Windows Protection Suite" tab on the Firefox toolbar across the top! Sheesh! I had not seen that on my computer since yesterday. Am I screwed again?

What to do next?

Re: Windows Protection Suite

Hi

Please close all anti-virus, anti-malware and any other open programs/windows so they do not interfere with the running of RootRepeal.

  • Please download RootRepeal.zip from here.
  • Extract the program file to your Desktop.
  • Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.

  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the Desktop.
  • Please copy/paste the contents of the report in your next reply.
NOTE! Please remove any e-mail address in the RootRepeal report (if present).

Re: Windows Protection Suite

Multiple attempts to download and run RootRepeal were unsuccessful. I used IE, not Firefox, to do this. (WPS still shows up on Firefox.)

There were "error" messages that would not allow it to open and run.

Re: Windows Protection Suite

Hi

Rooter Rootkit Detector - Download

Download Rooter.exe to your desktop

  1. Double click it to start the tool.
  2. A Notepad file containing the report will open, also found at
    %systemdrive%(usually C:)\Rooter.txt. Post that log in your next reply.

Re: Windows Protection Suite

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows 2000 . (5.0.2195) Service Pack 4
[32_bits] - x86 Family 6 Model 8 Stepping 6, GenuineIntel
.
Error OpenService (wscsvc) : 1060
[SharedAccess] RUNNING (state:4)
.
Internet Explorer 6.0.2800.1106
Mozilla Firefox 3.5.3 (en-US)
.
A:\ [Removable]
C:\ [Fixed-NTFS] .. ( Total:0 Go - Free:0 Go )
D:\ [Fixed-FAT32] .. ( Total:2 Go - Free:1 Go )
E:\ [CD_Rom]
F:\ [Removable]
.
Scan : 19:11.25
Path : C:\Documents and Settings\default\Desktop\Rooter.exe
User : default ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (8)
______ \SystemRoot\System32\smss.exe (200)
______ \??\C:\WINDOWS\system32\csrss.exe (220)
______ \??\C:\WINDOWS\system32\winlogon.exe (240)
______ C:\WINDOWS\system32\services.exe (268)
______ C:\WINDOWS\system32\lsass.exe (280)
______ C:\WINDOWS\system32\svchost.exe (452)
______ C:\WINDOWS\system32\spoolsv.exe (480)
______ C:\WINDOWS\system32\Ati2evxx.exe (512)
______ C:\WINDOWS\system32\svchost.exe (528)
______ C:\WINDOWS\system32\regsvc.exe (564)
______ C:\WINDOWS\system32\MSTask.exe (596)
______ C:\WINDOWS\System32\WBEM\WinMgmt.exe (672)
______ C:\WINDOWS\system32\svchost.exe (696)
______ C:\WINDOWS\system32\svchost.exe (736)
______ C:\WINDOWS\Explorer.EXE (992)
______ C:\Program Files\Real\RealPlayer\RealPlay.exe (960)
______ C:\WINDOWS\system32\Atiptaxx.exe (932)
______ C:\WINDOWS\system32\qttask.exe (880)
______ C:\Program Files\Java\jre6\bin\jusched.exe (1084)
______ C:\Documents and Settings\default\Desktop\Rooter.exe (384)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\SA.DAT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 19:11.59
.
C:\Rooter$\Rooter_1.txt - (20/09/2009 | 19:11.59)

Re: Windows Protection Suite

Hi

HijackThis

  • Please download: HijackThis Installer to your Desktop. On the download page, click "Download HijackThis Installer".
  • Double Click the HijackThis icon, located on your Desktop.
  • By Default, it will install to: C:\Program Files\Trend Micro\HijackThis
    It will also create a shortcut on your Desktop.
  • Accept the license agreement.
  • Click Do a System Scan and Save a Logfile.
  • Please post the log in your next reply.

Re: Windows Protection Suite

It wouldn't let me go all the way with the scan. It said I had too many hijacked domains. Here is what it produced:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:43:47 PM, on 9/20/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\Atiptaxx.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=searchbar&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 64.86.17.32 google.ae
O1 - Hosts: 64.86.17.32 google.as
O1 - Hosts: 64.86.17.32 google.at
O1 - Hosts: 64.86.17.32 google.az
O1 - Hosts: 64.86.17.32 google.ba
O1 - Hosts: 64.86.17.32 google.be
O1 - Hosts: 64.86.17.32 google.bg
O1 - Hosts: 64.86.17.32 google.bs
O1 - Hosts: 64.86.17.32 google.ca
O1 - Hosts: 64.86.17.32 google.cd
O1 - Hosts: 64.86.17.32 google.com.gh
O1 - Hosts: 64.86.17.32 google.com.hk
O1 - Hosts: 64.86.17.32 google.com.jm
O1 - Hosts: 64.86.17.32 google.com.mx
O1 - Hosts: 64.86.17.32 google.com.my
O1 - Hosts: 64.86.17.32 google.com.na
O1 - Hosts: 64.86.17.32 google.com.nf
O1 - Hosts: 64.86.17.32 google.com.ng
O1 - Hosts: 64.86.17.32 google.ch
O1 - Hosts: 64.86.17.32 google.com.np
O1 - Hosts: 64.86.17.32 google.com.pr
O1 - Hosts: 64.86.17.32 google.com.qa
O1 - Hosts: 64.86.17.32 google.com.sg
O1 - Hosts: 64.86.17.32 google.com.tj
O1 - Hosts: 64.86.17.32 google.com.tw
O1 - Hosts: 64.86.17.32 google.dj
O1 - Hosts: 64.86.17.32 google.de
O1 - Hosts: 64.86.17.32 google.dk
O1 - Hosts: 64.86.17.32 google.dm
O1 - Hosts: 64.86.17.32 google.ee
O1 - Hosts: 64.86.17.32 google.fi
O1 - Hosts: 64.86.17.32 google.fm
O1 - Hosts: 64.86.17.32 google.fr
O1 - Hosts: 64.86.17.32 google.ge
O1 - Hosts: 64.86.17.32 google.gg
O1 - Hosts: 64.86.17.32 google.gm
O1 - Hosts: 64.86.17.32 google.gr
O1 - Hosts: 64.86.17.32 google.ht
O1 - Hosts: 64.86.17.32 google.ie
O1 - Hosts: 64.86.17.32 google.im
O1 - Hosts: 64.86.17.32 google.in
O1 - Hosts: 64.86.17.32 google.it
O1 - Hosts: 64.86.17.32 google.ki
O1 - Hosts: 64.86.17.32 google.la
O1 - Hosts: 64.86.17.32 google.li
O1 - Hosts: 64.86.17.32 google.lv
O1 - Hosts: 64.86.17.32 google.ma
O1 - Hosts: 64.86.17.32 google.ms
O1 - Hosts: 64.86.17.32 google.mu
O1 - Hosts: 64.86.17.32 google.mw
O1 - Hosts: 64.86.17.32 google.nl
O1 - Hosts: 64.86.17.32 google.no
O1 - Hosts: 64.86.17.32 google.nr
O1 - Hosts: 64.86.17.32 google.nu
O1 - Hosts: 64.86.17.32 google.pl
O1 - Hosts: 64.86.17.32 google.pn
O1 - Hosts: 64.86.17.32 google.pt
O1 - Hosts: 64.86.17.32 google.ro
O1 - Hosts: 64.86.17.32 google.ru
O1 - Hosts: 64.86.17.32 google.rw
O1 - Hosts: 64.86.17.32 google.sc
O1 - Hosts: 64.86.17.32 google.se
O1 - Hosts: 64.86.17.32 google.sh
O1 - Hosts: 64.86.17.32 google.si
O1 - Hosts: 64.86.17.32 google.sm
O1 - Hosts: 64.86.17.32 google.sn
O1 - Hosts: 64.86.17.32 google.st
O1 - Hosts: 64.86.17.32 google.tl
O1 - Hosts: 64.86.17.32 google.tm
O1 - Hosts: 64.86.17.32 google.tt
O1 - Hosts: 64.86.17.32 google.us
O1 - Hosts: 64.86.17.32 google.vu
O1 - Hosts: 64.86.17.32 google.ws
O1 - Hosts: 64.86.17.32 google.co.ck
O1 - Hosts: 64.86.17.32 google.co.id
O1 - Hosts: 64.86.17.32 google.co.il
O1 - Hosts: 64.86.17.32 google.co.in
O1 - Hosts: 64.86.17.32 google.co.jp
O1 - Hosts: 64.86.17.32 google.co.kr
O1 - Hosts: 64.86.17.32 google.co.ls
O1 - Hosts: 64.86.17.32 google.co.ma
O1 - Hosts: 64.86.17.32 google.co.nz
O1 - Hosts: 64.86.17.32 google.co.tz
O1 - Hosts: 64.86.17.32 google.co.ug
O1 - Hosts: 64.86.17.32 google.co.uk
O1 - Hosts: 64.86.17.32 google.co.za
O1 - Hosts: 64.86.17.32 google.co.zm
O1 - Hosts: 64.86.17.32 google.com
O1 - Hosts: 64.86.17.32 google.com.af
O1 - Hosts: 64.86.17.32 google.com.ag
O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Accelerator Plugin - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\PROGRA~1\PEOPLE~1\PRPL_I~1.DLL (file missing)
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Windows Protection Suite] "C:\WINDOWS\All Users\Application Data\be05e\WI748.exe" /s /d
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL (file missing)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O9 - Extra button: (no name) - {2863ACA1-9AA0-4432-8CFE-88C12B3B2E5E} - file://C:\PROGRAM FILES\UPROMISE_REMINDU\Sy1050\Tp1050\scri1050a.htm (file missing) (HKCU)
O9 - Extra button: (no name) - {B48798CE-A2E0-4918-BC00-0F72FBA708E2} - file://C:\PROGRAM FILES\UPROMISE_REMIND_U\UpromisesRemindU\UpromisetRemindU\uproC0.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O12 - Plugin for .wmv: C:\Program Files\Windows Media Player\NPDSPLAY.DLL
O12 - Plugin for .wvx: C:\Program Files\Windows Media Player\NPDSPLAY.DLL
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,75/mcinsctl.cab
O16 - DPF: {5F03EAB4-1AD5-11D4-AE99-0050DAC24E8F} - http://www.iwon.com/ct/in_wn/iwonslot1,0,1,5.cab
O16 - DPF: {70522FA0-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
O16 - DPF: {BAB7B1B6-1FA2-41A2-A0A2-2CF82ACC3CA8} - http://www.topmoxie.com/external/builds/upromise/upro1050_310.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,17/mcgdmgr.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O24 - Desktop Component 0: (no name) - http://ak.imgfarm.com/images/today/pet/021104pet_lg.jpg
O24 - Desktop Component 1: (no name) - http://i1img.com/images/today/user/073002user_lg.jpg

--
End of file - 11933 bytes

Re: Windows Protection Suite

Hi

This should help with the browser issues:

(Please do not click any links in this post, as they are harmful and can download more malware onto your system automatically.)

Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 64.86.17.32 google.ae
O1 - Hosts: 64.86.17.32 google.as
O1 - Hosts: 64.86.17.32 google.at
O1 - Hosts: 64.86.17.32 google.az
O1 - Hosts: 64.86.17.32 google.ba
O1 - Hosts: 64.86.17.32 google.be
O1 - Hosts: 64.86.17.32 google.bg
O1 - Hosts: 64.86.17.32 google.bs
O1 - Hosts: 64.86.17.32 google.ca
O1 - Hosts: 64.86.17.32 google.cd
O1 - Hosts: 64.86.17.32 google.com.gh
O1 - Hosts: 64.86.17.32 google.com.hk
O1 - Hosts: 64.86.17.32 google.com.jm
O1 - Hosts: 64.86.17.32 google.com.mx
O1 - Hosts: 64.86.17.32 google.com.my
O1 - Hosts: 64.86.17.32 google.com.na
O1 - Hosts: 64.86.17.32 google.com.nf
O1 - Hosts: 64.86.17.32 google.com.ng
O1 - Hosts: 64.86.17.32 google.ch
O1 - Hosts: 64.86.17.32 google.com.np
O1 - Hosts: 64.86.17.32 google.com.pr
O1 - Hosts: 64.86.17.32 google.com.qa
O1 - Hosts: 64.86.17.32 google.com.sg
O1 - Hosts: 64.86.17.32 google.com.tj
O1 - Hosts: 64.86.17.32 google.com.tw
O1 - Hosts: 64.86.17.32 google.dj
O1 - Hosts: 64.86.17.32 google.de
O1 - Hosts: 64.86.17.32 google.dk
O1 - Hosts: 64.86.17.32 google.dm
O1 - Hosts: 64.86.17.32 google.ee
O1 - Hosts: 64.86.17.32 google.fi
O1 - Hosts: 64.86.17.32 google.fm
O1 - Hosts: 64.86.17.32 google.fr
O1 - Hosts: 64.86.17.32 google.ge
O1 - Hosts: 64.86.17.32 google.gg
O1 - Hosts: 64.86.17.32 google.gm
O1 - Hosts: 64.86.17.32 google.gr
O1 - Hosts: 64.86.17.32 google.ht
O1 - Hosts: 64.86.17.32 google.ie
O1 - Hosts: 64.86.17.32 google.im
O1 - Hosts: 64.86.17.32 google.in
O1 - Hosts: 64.86.17.32 google.it
O1 - Hosts: 64.86.17.32 google.ki
O1 - Hosts: 64.86.17.32 google.la
O1 - Hosts: 64.86.17.32 google.li
O1 - Hosts: 64.86.17.32 google.lv
O1 - Hosts: 64.86.17.32 google.ma
O1 - Hosts: 64.86.17.32 google.ms
O1 - Hosts: 64.86.17.32 google.mu
O1 - Hosts: 64.86.17.32 google.mw
O1 - Hosts: 64.86.17.32 google.nl
O1 - Hosts: 64.86.17.32 google.no
O1 - Hosts: 64.86.17.32 google.nr
O1 - Hosts: 64.86.17.32 google.nu
O1 - Hosts: 64.86.17.32 google.pl
O1 - Hosts: 64.86.17.32 google.pn
O1 - Hosts: 64.86.17.32 google.pt
O1 - Hosts: 64.86.17.32 google.ro
O1 - Hosts: 64.86.17.32 google.ru
O1 - Hosts: 64.86.17.32 google.rw
O1 - Hosts: 64.86.17.32 google.sc
O1 - Hosts: 64.86.17.32 google.se
O1 - Hosts: 64.86.17.32 google.sh
O1 - Hosts: 64.86.17.32 google.si
O1 - Hosts: 64.86.17.32 google.sm
O1 - Hosts: 64.86.17.32 google.sn
O1 - Hosts: 64.86.17.32 google.st
O1 - Hosts: 64.86.17.32 google.tl
O1 - Hosts: 64.86.17.32 google.tm
O1 - Hosts: 64.86.17.32 google.tt
O1 - Hosts: 64.86.17.32 google.us
O1 - Hosts: 64.86.17.32 google.vu
O1 - Hosts: 64.86.17.32 google.ws
O1 - Hosts: 64.86.17.32 google.co.ck
O1 - Hosts: 64.86.17.32 google.co.id
O1 - Hosts: 64.86.17.32 google.co.il
O1 - Hosts: 64.86.17.32 google.co.in
O1 - Hosts: 64.86.17.32 google.co.jp
O1 - Hosts: 64.86.17.32 google.co.kr
O1 - Hosts: 64.86.17.32 google.co.ls
O1 - Hosts: 64.86.17.32 google.co.ma
O1 - Hosts: 64.86.17.32 google.co.nz
O1 - Hosts: 64.86.17.32 google.co.tz
O1 - Hosts: 64.86.17.32 google.co.ug
O1 - Hosts: 64.86.17.32 google.co.uk
O1 - Hosts: 64.86.17.32 google.co.za
O1 - Hosts: 64.86.17.32 google.co.zm
O1 - Hosts: 64.86.17.32 google.com
O1 - Hosts: 64.86.17.32 google.com.af
O1 - Hosts: 64.86.17.32 google.com.ag
O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Accelerator Plugin - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\PROGRA~1\PEOPLE~1\PRPL_I~1.DLL (file missing)
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
O16 - DPF: {5F03EAB4-1AD5-11D4-AE99-0050DAC24E8F} - http://www.iwon.com/ct/in_wn/iwonslot1,0,1,5.cab
O16 - DPF: {70522FA0-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
O16 - DPF: {BAB7B1B6-1FA2-41A2-A0A2-2CF82ACC3CA8} - http://www.topmoxie.com/external/builds/upromise/upro1050_310.cab
O24 - Desktop Component 0: (no name) - http://ak.imgfarm.com/images/today/pet/021104pet_lg.jpg
O24 - Desktop Component 1: (no name) - http://i1img.com/images/today/user/073002user_lg.jpg

Now close all windows other than HijackThis, then click Fix Checked. Close HijackThis.


Please reboot your computer and post a new HijackThis log here in your next reply.

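The fix list above is long because the infection rewrote the hosts file so that every google.* domain resolves to one remote address (64.86.17.32) and the rogue product's payment domains resolve to another (74.125.45.100), and because the rogue's autostart entry runs from a random hex-named folder under Application Data rather than Program Files. The following Python script is an added example for readers of this thread, not code from HijackThis, ComboFix or the helpers here; it parses HijackThis O1 and O4 lines and applies exactly those two triage rules. The sample lines are copied from the log posted above, plus one constructed 127.0.0.1 entry to show that an ordinary ad-blocking sinkhole is not flagged; the list of user-writable folders and the hex-folder heuristic are my own assumptions, not part of HijackThis.

```python
"""Triage helper for HijackThis-style logs (added example, not part of
HijackThis or ComboFix). Flags two things seen in the log posted above:
hosts-file entries that send names to a real remote address, and Run
entries whose binary lives in a user-writable data folder."""
import ipaddress
import re
from collections import Counter

# Sample input: lines copied from the log above, plus one constructed
# 127.0.0.1 line (ads.example.invalid) that a normal ad-blocker would add.
SAMPLE_LOG = r"""
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 64.86.17.32 google.com
O1 - Hosts: 64.86.17.32 google.co.uk
O1 - Hosts: 64.86.17.32 google.de
O1 - Hosts: 127.0.0.1 ads.example.invalid
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Windows Protection Suite] "C:\WINDOWS\All Users\Application Data\be05e\WI748.exe" /s /d
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
"""

# O1 - Hosts: <ip> <hostname>
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")
# O4 - <hive>\..\Run: [<name>] <command line>
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run:\s+\[([^\]]+)\]\s+(.*)$")
# First executable-looking token of a command line, quoted or not.
EXE_RE = re.compile(r'"?([^"]*?\.(?:exe|scr|com|bat|cmd|dll))"?', re.IGNORECASE)

# Heuristic (assumption): folders where a legitimate installer rarely
# places an autostart binary on Windows 2000/XP.
USER_WRITABLE = ("\\application data\\", "\\temp\\", "\\local settings\\",
                 "\\documents and settings\\", "\\programdata\\")
# Heuristic (assumption): short hex-looking folder names like "be05e".
RANDOM_DIR_RE = re.compile(r"^[0-9a-f]{4,8}$", re.IGNORECASE)


def is_sinkhole(ip: str) -> bool:
    """True for addresses that merely block a name (loopback/unspecified)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def hosts_redirects(log: str):
    """(ip, hostname) pairs whose hosts entry points at a real remote address."""
    hits = []
    for line in log.splitlines():
        m = HOSTS_RE.match(line.strip())
        if m and not is_sinkhole(m.group(1)):
            hits.append((m.group(1), m.group(2)))
    return hits


def redirect_targets(log: str) -> Counter:
    """How many hostnames each remote address collects; one address owning
    dozens of unrelated search-engine domains is the tell-tale pattern."""
    return Counter(ip for ip, _ in hosts_redirects(log))


def suspicious_autoruns(log: str):
    """(hive, name, path) for Run entries launched from user-writable folders
    or from a randomly named hex folder."""
    hits = []
    for line in log.splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        hive, name, cmd = m.groups()
        exe = EXE_RE.search(cmd)
        if not exe:
            continue
        path = exe.group(1)
        low = path.lower()
        parts = low.split("\\")
        parent = parts[-2] if len(parts) >= 2 else ""
        if any(d in low for d in USER_WRITABLE) or RANDOM_DIR_RE.match(parent):
            hits.append((hive, name, path))
    return hits


if __name__ == "__main__":
    for ip, n in redirect_targets(SAMPLE_LOG).most_common():
        print(f"{n:3d} hostname(s) redirected to {ip}")
    for hive, name, path in suspicious_autoruns(SAMPLE_LOG):
        print(f"autorun from user-writable folder: {hive} [{name}] {path}")
```

Run on the full log above, the same code reports roughly a hundred google.* names funnelled to 64.86.17.32, the eleven payment-site names sent to 74.125.45.100, and the single HKCU Run entry under be05e; a loopback entry is left alone because blocking a name, unlike redirecting it, is what legitimate hosts-file tooling does.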
Re: Windows Protection Suite

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:36:38 PM, on 9/20/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\Atiptaxx.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=searchbar&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 64.86.17.32 google.ae
O1 - Hosts: 64.86.17.32 google.as
O1 - Hosts: 64.86.17.32 google.at
O1 - Hosts: 64.86.17.32 google.az
O1 - Hosts: 64.86.17.32 google.ba
O1 - Hosts: 64.86.17.32 google.be
O1 - Hosts: 64.86.17.32 google.bg
O1 - Hosts: 64.86.17.32 google.bs
O1 - Hosts: 64.86.17.32 google.ca
O1 - Hosts: 64.86.17.32 google.cd
O1 - Hosts: 64.86.17.32 google.com.gh
O1 - Hosts: 64.86.17.32 google.com.hk
O1 - Hosts: 64.86.17.32 google.com.jm
O1 - Hosts: 64.86.17.32 google.com.mx
O1 - Hosts: 64.86.17.32 google.com.my
O1 - Hosts: 64.86.17.32 google.com.na
O1 - Hosts: 64.86.17.32 google.com.nf
O1 - Hosts: 64.86.17.32 google.com.ng
O1 - Hosts: 64.86.17.32 google.ch
O1 - Hosts: 64.86.17.32 google.com.np
O1 - Hosts: 64.86.17.32 google.com.pr
O1 - Hosts: 64.86.17.32 google.com.qa
O1 - Hosts: 64.86.17.32 google.com.sg
O1 - Hosts: 64.86.17.32 google.com.tj
O1 - Hosts: 64.86.17.32 google.com.tw
O1 - Hosts: 64.86.17.32 google.dj
O1 - Hosts: 64.86.17.32 google.de
O1 - Hosts: 64.86.17.32 google.dk
O1 - Hosts: 64.86.17.32 google.dm
O1 - Hosts: 64.86.17.32 google.ee
O1 - Hosts: 64.86.17.32 google.fi
O1 - Hosts: 64.86.17.32 google.fm
O1 - Hosts: 64.86.17.32 google.fr
O1 - Hosts: 64.86.17.32 google.ge
O1 - Hosts: 64.86.17.32 google.gg
O1 - Hosts: 64.86.17.32 google.gm
O1 - Hosts: 64.86.17.32 google.gr
O1 - Hosts: 64.86.17.32 google.ht
O1 - Hosts: 64.86.17.32 google.ie
O1 - Hosts: 64.86.17.32 google.im
O1 - Hosts: 64.86.17.32 google.in
O1 - Hosts: 64.86.17.32 google.it
O1 - Hosts: 64.86.17.32 google.ki
O1 - Hosts: 64.86.17.32 google.la
O1 - Hosts: 64.86.17.32 google.li
O1 - Hosts: 64.86.17.32 google.lv
O1 - Hosts: 64.86.17.32 google.ma
O1 - Hosts: 64.86.17.32 google.ms
O1 - Hosts: 64.86.17.32 google.mu
O1 - Hosts: 64.86.17.32 google.mw
O1 - Hosts: 64.86.17.32 google.nl
O1 - Hosts: 64.86.17.32 google.no
O1 - Hosts: 64.86.17.32 google.nr
O1 - Hosts: 64.86.17.32 google.nu
O1 - Hosts: 64.86.17.32 google.pl
O1 - Hosts: 64.86.17.32 google.pn
O1 - Hosts: 64.86.17.32 google.pt
O1 - Hosts: 64.86.17.32 google.ro
O1 - Hosts: 64.86.17.32 google.ru
O1 - Hosts: 64.86.17.32 google.rw
O1 - Hosts: 64.86.17.32 google.sc
O1 - Hosts: 64.86.17.32 google.se
O1 - Hosts: 64.86.17.32 google.sh
O1 - Hosts: 64.86.17.32 google.si
O1 - Hosts: 64.86.17.32 google.sm
O1 - Hosts: 64.86.17.32 google.sn
O1 - Hosts: 64.86.17.32 google.st
O1 - Hosts: 64.86.17.32 google.tl
O1 - Hosts: 64.86.17.32 google.tm
O1 - Hosts: 64.86.17.32 google.tt
O1 - Hosts: 64.86.17.32 google.us
O1 - Hosts: 64.86.17.32 google.vu
O1 - Hosts: 64.86.17.32 google.ws
O1 - Hosts: 64.86.17.32 google.co.ck
O1 - Hosts: 64.86.17.32 google.co.id
O1 - Hosts: 64.86.17.32 google.co.il
O1 - Hosts: 64.86.17.32 google.co.in
O1 - Hosts: 64.86.17.32 google.co.jp
O1 - Hosts: 64.86.17.32 google.co.kr
O1 - Hosts: 64.86.17.32 google.co.ls
O1 - Hosts: 64.86.17.32 google.co.ma
O1 - Hosts: 64.86.17.32 google.co.nz
O1 - Hosts: 64.86.17.32 google.co.tz
O1 - Hosts: 64.86.17.32 google.co.ug
O1 - Hosts: 64.86.17.32 google.co.uk
O1 - Hosts: 64.86.17.32 google.co.za
O1 - Hosts: 64.86.17.32 google.co.zm
O1 - Hosts: 64.86.17.32 google.com
O1 - Hosts: 64.86.17.32 google.com.af
O1 - Hosts: 64.86.17.32 google.com.ag
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Windows Protection Suite] "C:\WINDOWS\All Users\Application Data\be05e\WI748.exe" /s /d
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL (file missing)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O9 - Extra button: (no name) - {2863ACA1-9AA0-4432-8CFE-88C12B3B2E5E} - file://C:\PROGRAM FILES\UPROMISE_REMINDU\Sy1050\Tp1050\scri1050a.htm (file missing) (HKCU)
O9 - Extra button: (no name) - {B48798CE-A2E0-4918-BC00-0F72FBA708E2} - file://C:\PROGRAM FILES\UPROMISE_REMIND_U\UpromisesRemindU\UpromisetRemindU\uproC0.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O12 - Plugin for .wmv: C:\Program Files\Windows Media Player\NPDSPLAY.DLL
O12 - Plugin for .wvx: C:\Program Files\Windows Media Player\NPDSPLAY.DLL
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,75/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,17/mcgdmgr.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 10970 bytes

Re: Windows Protection Suite
Unfortunately, after reviewing a file that I asked you to scan, it shows a dangerous trojan is residing on your computer which has a backdoor functionality. It is possible that a remote attacker has already breached your computer. If you do any banking or other financial transactions on the computer, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, your computer is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the Operating System.

Visit the following sites for more information on internet theft and when to reformat!
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

If you have any questions before making a final decision, please feel free to ask.

Please let me know if you would like to continue with trying to clean your computer.

Instead, if you decide to format and reinstall, please disconnect your computer from the Internet immediately.

Re: Windows Protection Suite
Wow! Well, that is that.

I am now on a library computer in town as my own computer won't even do anything past start-up and display of the desktop.

Everything is frozen. My internet provider opens up at boot, but I cannot even click on it. I can't even get it to shut down so I had to pull the plug on it to turn it off.

The computer is almost 10 years old. I was planning to get another one real soon and have this one used for only games and word processing, not the internet. Now I am thinking this would be a waste of money to install an operating system on this and repair it.

This computer came stock with Win ME. When I enrolled in internet service through my cell phone company to use an "air card" they uninstalled ME and installed Win 2000. It never seemed "right" after that.

My thought is that I saw no evidence of any installed anti-virus, anti-ad/spyware, anti-malware, etc. on it.

Is that verifiable by what you see when you view these files? (that is my first question)

The other question is for future...which/what programs do I need to put in place on my next laptop to avert a disaster like this? What do you recommend?

Thank you for all your help...

Re: Windows Protection Suite
Hi

I do not see any evidence of any security programs. Here is what I usually recommend:

Software recommendations

Antivirus

1) Antivir PersonalEditionClassic
- Free anti-virus software for Windows.
- Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition
- Anti-virus program for Windows.
- The home edition is freeware for noncommercial use.
3) AVG Anti-Virus Free Edition
- Free edition of the AVG anti-virus program for Windows.
- Available for single computer use for home and non-commercial use.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

Firewall

  • Tallemu Online Armor: the free version is just as good as the premium. I have linked you to the free version.
  • Comodo Firewall: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by a 40% increase. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
  • PC Tools Firewall Plus: free and excellent firewall.


AntiSpyware

  • SpywareBlaster
    SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here.
  • Spybot - Search & Destroy.
    Spybot - Search & Destroy is a spyware and adware removal program. It also has real-time protection, TeaTimer, to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot.)


NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Securing your computer

  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.


Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:
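As an added example (not code from this thread, from HijackThis or from hpHosts), here is a small Python audit that reads lines in the HijackThis "O1 - Hosts:" format shown in the log above and separates loopback entries of the kind an hpHosts-style blocklist installs (domain sent to 127.0.0.1) from entries that send a well-known domain somewhere else, which is what the rogue did to the google.* and payment domains. The protected-domain list and the sample lines are constructed for the example; the addresses and names in the sample are taken from the log posted earlier.

```python
import ipaddress
import re

# Domains a user expects to resolve normally (constructed list for the example);
# a hosts entry sending any of these, or a subdomain, off-box is a hijack indicator.
PROTECTED_SUFFIXES = ("google.com", "google.co.uk", "google.de", "microsoft.com")

# HijackThis 'O1 - Hosts:' line: address first, then hostname, as in the hosts file.
O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")

def is_loopback(addr):
    # 127.0.0.1 / ::1 is the sink a blocklist-style hosts file (hpHosts) uses.
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def is_protected(host):
    h = host.lower()
    return any(h == s or h.endswith("." + s) for s in PROTECTED_SUFFIXES)

def classify_o1(line):
    """Return (host, ip, verdict) for an O1 line, or None for any other line."""
    m = O1_RE.match(line.strip())
    if not m:
        return None
    ip, host = m.group(1), m.group(2)
    if is_loopback(ip):
        verdict = "block"       # blocklist style: domain sent to the local machine
    elif is_protected(host):
        verdict = "hijack"      # expected-good domain sent to another address
    else:
        verdict = "redirect"    # other domain sent elsewhere: review by hand
    return host, ip, verdict

def audit(lines):
    """Group every O1 entry by verdict; non-O1 lines are ignored."""
    result = {"block": [], "hijack": [], "redirect": []}
    for line in lines:
        entry = classify_o1(line)
        if entry:
            result[entry[2]].append((entry[0], entry[1]))
    return result

# Constructed sample: two blocklist-style lines, then entries as seen in the log.
SAMPLE = [
    "O1 - Hosts: 127.0.0.1 ads.example.invalid",
    "O1 - Hosts: 127.0.0.1 tracker.example.invalid",
    "O1 - Hosts: 64.86.17.32 google.com",
    "O1 - Hosts: 64.86.17.32 www.google.co.uk",
    "O1 - Hosts: 74.125.45.100 secure-plus-payments.com",
]
```

Run `audit(SAMPLE)` against a real log to see which entries are benign blocklist lines and which point a trusted domain at an address you did not choose.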
