Internet Problem

  1. #1
    aztect5 (Newbie)

    Internet Problem

    I have a problem with both Firefox and IE. When I go to Google, the links are redirected, some pages don't load all the way and the status bar says "Done" (you have to refresh the page to load it properly), the Internet is too slow, and when I download a file it only downloads part of that file, e.g. a 54 MB file only downloads 3 MB. What is the problem and what should I do?


  2. #2
    Neal (Dedicated Member)
    Welcome,

    Please download and install the latest version of HijackThis v2.0.2:

    Download the HijackThis installer from: TrendSecure | Download TrendMicro HijackThis

    1. Save HJTInstall.exe to your desktop.
    2. Double-click on HJTInstall.exe to run the program.
    3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    4. Accept the license agreement by clicking the "I Accept" button.
    5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    6. Click "Save log" to save the log file and then the log will open in Notepad.
    7. Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
    8. Come back here to this thread and paste the log in your next reply.
    9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

  3. #3
    aztect5 (Newbie)
    Thanks for the help.
    Here is what came up:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:43:22 PM, on 10/19/2008
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16757)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\IObit\Advanced SystemCare 3 Beta\AWC.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\AT&T\Self Support Tool\ATTTray.exe
    C:\Windows\System32\wpcumi.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
    C:\Program Files\Internet Explorer\ieuser.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8181
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {E8249E69-A809-4544-832F-64EB65747A92} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [SBC_McciTrayApp] C:\Program Files\AT&T\Self Support Tool\ATTTray.exe
    O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
    O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [MSConfig] "C:\Windows\System32\msconfig.exe" /auto
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - topsoftwarefeed.com (file missing)
    O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - topsoftwarefeed.com (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O13 - Gopher Prefix:
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...tup1.0.1.0.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01...PUplden-us.cab
    O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://perlyzul.spaces.live.com/Phot...PUplden-us.cab
    O23 - Service: User Profile Service (ProfSvc) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe

    --
    End of file - 6210 bytes

  4. #4
    Neal (Dedicated Member)
    Thanks for that.

    Good ol' MySpace and Facebook, that is how you got one of the infections you got.

    Please follow instructions exactly as given, very important that you do.



    Visit the page below to familiarize yourself with the tool and download it from one of the links provided.

    A guide and tutorial on using ComboFix




    If you have previously downloaded ComboFix, please delete that version now.



    It is IMPORTANT that it is saved directly to your desktop.

    Close any open browsers.

    Disconnect from the Internet.

    Please do not re-connect your machine back to the Internet until Combofix has completely finished.

    Disable your antivirus program and any real-time malware scanners and script blockers now.


    How To Disable



    Double click on combofix.exe and follow the prompts.

    When it's finished it will produce a log.
    Post the entire contents of C:\ComboFix.txt into your next reply.

    Note:
    Do not mouseclick combofix's window while it's running.

    That may cause the program to freeze/hang.

    Do NOT post the ComboFix-quarantined-files.txt unless I ask.

    Re-enable your anti-virus and re-connect back to the internet and post the combofix log.



    *Note*
    In case your antivirus or any other real-time scanner displays an alert after you downloaded ComboFix or while you use ComboFix, please disable your scanner and redownload ComboFix again.
    Some scanners may see some ComboFix-related components as suspicious and block or delete them while there is nothing wrong with them.


    ComboFix SHOULD NOT be used unless requested by a forum helper.


    New HijackThis log also, please.

  5. #5
    aztect5 (Newbie)
    Oh, OK.
    Here you go:



    ComboFix 08-10-22.02 - Familia Hernandez 2008-10-22 18:55:19.1 - NTFSx86
    Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.90 [GMT -5:00]
    Running from: C:\Users\Familia Hernandez\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\Helper
    C:\Program Files\Video Add-on
    C:\Program Files\Video Add-on\ot.ico
    C:\Program Files\Video Add-on\ts.ico
    C:\Windows\fmark2.dat

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_iprip


    ((((((((((((((((((((((((( Files Created from 2008-09-23 to 2008-10-23 )))))))))))))))))))))))))))))))
    .

    2008-10-19 18:43 . 2008-10-19 18:43 <DIR> d-------- C:\Program Files\Trend Micro
    2008-10-18 10:05 . 2008-10-18 10:09 <DIR> d-------- C:\Users\Familia Hernandez\Incomplete
    2008-10-16 07:39 . 2008-09-17 23:35 3,505,208 --a------ C:\Windows\System32\ntkrnlpa.exe
    2008-10-16 07:39 . 2008-09-17 23:35 3,470,904 --a------ C:\Windows\System32\ntoskrnl.exe
    2008-10-16 07:39 . 2008-09-17 21:03 2,027,520 --a------ C:\Windows\System32\win32k.sys
    2008-10-16 07:39 . 2008-08-25 20:12 290,304 --a------ C:\Windows\System32\drivers\srv.sys
    2008-10-15 21:01 . 2008-10-15 21:01 <DIR> d----c--- C:\Users\All Users\{51019853-129C-4EDE-9030-D5FD7BBD9AD0}
    2008-10-15 21:01 . 2008-10-15 21:01 <DIR> d----c--- C:\ProgramData\{51019853-129C-4EDE-9030-D5FD7BBD9AD0}
    2008-10-15 21:01 . 2008-10-15 21:01 <DIR> dr-h----- C:\AHCache
    2008-10-15 19:29 . 2008-10-15 19:29 <DIR> d-------- C:\Users\All Users\Avg8
    2008-10-15 19:29 . 2008-10-15 19:29 <DIR> d-------- C:\ProgramData\Avg8
    2008-10-15 18:53 . 2008-10-15 18:53 <DIR> d-------- C:\Users\All Users\Trend Micro
    2008-10-15 18:53 . 2008-10-15 18:53 <DIR> d-------- C:\ProgramData\Trend Micro
    2008-10-15 17:28 . 2008-10-15 17:28 <DIR> d-------- C:\Users\Familia Hernandez\AppData\Roaming\Malwarebytes
    2008-10-15 17:27 . 2008-10-15 17:27 <DIR> d-------- C:\Users\All Users\Malwarebytes
    2008-10-15 17:27 . 2008-10-15 17:27 <DIR> d-------- C:\ProgramData\Malwarebytes
    2008-10-15 08:58 . 2008-10-15 08:58 <DIR> d-------- C:\Program Files\AVG
    2008-10-09 13:38 . 2008-10-09 13:38 <DIR> d-------- C:\Program Files\TinyProxy
    2008-10-09 13:38 . 2008-10-09 13:38 174 --a------ C:\TinyProxy.bat
    2008-10-09 13:38 . 2008-10-09 13:38 173 --a------ C:\msnstart.bat
    2008-10-09 13:37 . 2008-10-09 13:37 26,624 --a------ C:\Windows\bolivar19.exe
    2008-10-09 13:37 . 2008-10-09 13:37 310 --a------ C:\6533366543.bat
    2008-10-05 22:17 . 2008-10-05 22:17 0 --ah----- C:\Windows\System32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
    2008-10-05 22:12 . 2008-10-05 22:12 0 --ah----- C:\Windows\System32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
    2008-10-05 22:12 . 2008-10-05 22:12 0 --ah----- C:\Windows\System32\drivers\Msft_Kernel_WinUSB_01007.Wdf
    2008-10-05 22:01 . 2008-03-21 17:41 503,864 --a------ C:\Windows\System32\drivers\Wdf01000.sys
    2008-10-05 22:01 . 2008-03-21 17:41 35,896 --a------ C:\Windows\System32\drivers\WdfLdr.sys
    2008-10-05 22:01 . 2008-03-21 17:41 3 --a------ C:\Windows\System32\drivers\MsftWdf_Kernel_01007_Inbox_Critical.Wdf
    2008-10-05 21:55 . 2008-03-25 22:30 305,152 --a------ C:\Windows\System32\WUDFx.dll
    2008-10-05 21:55 . 2008-03-25 22:30 181,248 --a------ C:\Windows\System32\WUDFPlatform.dll
    2008-10-05 21:55 . 2008-03-25 22:30 142,336 --a------ C:\Windows\System32\WUDFHost.exe
    2008-10-05 21:55 . 2008-03-25 22:30 87,552 --a------ C:\Windows\System32\WUDFCoinstaller.dll
    2008-10-05 21:55 . 2008-03-25 20:13 83,328 --a------ C:\Windows\System32\drivers\WUDFRd.sys
    2008-10-05 21:55 . 2008-03-25 22:30 55,296 --a------ C:\Windows\System32\WUDFSvc.dll
    2008-10-05 21:55 . 2008-03-25 20:13 51,200 --a------ C:\Windows\System32\drivers\WUDFPf.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-18 15:05 --------- d-----w C:\Users\Familia Hernandez\AppData\Roaming\LimeWire
    2008-10-16 13:31 --------- d-----w C:\Program Files\Windows Mail
    2008-10-16 13:23 --------- d-----w C:\ProgramData\Microsoft Help
    2008-10-16 01:51 --------- d-----w C:\Program Files\AviSynth 2.5
    2008-10-16 01:39 --------- d-----w C:\Program Files\Google
    2008-10-16 01:39 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
    2008-10-16 01:37 --------- d-----w C:\Program Files\Windows Live Toolbar
    2008-10-16 01:15 --------- d-----w C:\Program Files\DVDVideoSoft
    2008-10-14 22:23 --------- d-----w C:\Users\Familia Hernandez\AppData\Roaming\Move Networks
    2008-10-11 00:50 --------- d-----w C:\Program Files\Zune
    2008-10-02 03:49 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
    2008-09-21 23:03 --------- d-----w C:\ProgramData\DVD Shrink
    2008-09-21 23:00 --------- d-----w C:\Program Files\Elaborate Bytes
    2008-09-21 22:57 --------- d-----w C:\ProgramData\Elaborate Bytes
    2008-09-13 21:50 --------- d-----w C:\Users\Familia Hernandez\AppData\Roaming\DMCache
    2008-09-13 17:17 --------- d-----w C:\Users\Familia Hernandez\AppData\Roaming\IDM
    2008-09-13 16:31 --------- d-----w C:\Program Files\Common Files\AOL
    2008-09-13 02:01 --------- d-----w C:\Users\Familia Hernandez\AppData\Roaming\IObit
    2008-09-13 02:01 --------- d-----w C:\Program Files\IObit
    2008-09-09 00:25 --------- d-----w C:\Program Files\Metal Gear Solid
    2008-09-01 14:04 --------- d-----w C:\Users\Familia Hernandez\AppData\Roaming\Ahead
    2008-09-01 14:04 --------- d-----w C:\ProgramData\Ahead
    2008-08-27 13:59 --------- d-----w C:\Program Files\LimeWire
    2008-07-31 03:34 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
    2008-07-31 03:34 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
    2008-07-31 03:34 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
    2008-07-31 03:34 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
    2008-07-30 23:32 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
    2007-12-03 15:53 16,384 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    2007-12-03 15:53 32,768 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    2007-12-03 15:53 16,384 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SBC_McciTrayApp"="C:\Program Files\AT&T\Self Support Tool\ATTTray.exe" [2007-06-06 986208]
    "WPCUMI"="C:\Windows\system32\WpcUmi.exe" [2006-11-02 176128]
    "itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]
    "IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
    "MSConfig"="C:\Windows\System32\msconfig.exe" [2006-11-02 222208]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [BU]

    C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-01-10 147456]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "LogonHoursAction"= 2 (0x2)
    "DontDisplayLogonHoursWarnings"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "AllowLegacyWebView"= 1 (0x1)
    "AllowUnhashedWebView"= 1 (0x1)
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2007-03-15 21:02 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmartRAM]
    C:\Program Files\IObit\Advanced WindowsCare 3 Beta\Sup_SmartRAM.exe [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
    --a------ 2008-09-12 18:46 160160 c:\Program Files\Zune\ZuneLauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2732014026-4117499387-2253924763-1000]
    "EnableNotificationsRef"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
    "TCP Query User{5BE435FF-1DB8-41AB-9066-AE2C518B9BE4}C:\\program files\\java\\jre1.6.0_03\\bin\\java.exe"= UDP:C:\program files\java\jre1.6.0_03\bin\java.exe:Java(TM) Platform SE binary
    "UDP Query User{06485440-6567-4FFE-9626-DCDF8B7F7400}C:\\program files\\java\\jre1.6.0_03\\bin\\java.exe"= TCP:C:\program files\java\jre1.6.0_03\bin\java.exe:Java(TM) Platform SE binary
    "{55567BBF-6FB4-49E3-843D-C6D8BD5ED82E}"= Profile=Public|C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{47382A53-66D3-4CB3-B973-4AE2043A1D3C}"= Profile=Public|C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "TCP Query User{1FD298A6-6149-4591-A2AC-E52FEB3B573B}C:\\program files\\java\\jre1.6.0_03\\bin\\javaw.exe"= Disabled:UDP:C:\program files\java\jre1.6.0_03\bin\javaw.exe:Java(TM) Platform SE binary
    "UDP Query User{504DB203-3CD2-49F7-921F-90D11CCBF4F3}C:\\program files\\java\\jre1.6.0_03\\bin\\javaw.exe"= Disabled:TCP:C:\program files\java\jre1.6.0_03\bin\javaw.exe:Java(TM) Platform SE binary
    "{F533DBF5-DC9A-423D-BE3C-53F2253DFE48}"= Disabled:C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{9C4C12FD-B088-4E23-988A-CA147DF8696F}"= Disabled:C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{6297E14F-081C-40ED-9AC8-D81A29A78A62}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{FA1B39A9-1254-4B9F-AE82-2F490B765365}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
    "{B12AFD39-BF79-4583-B7E9-840F6A1116DD}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
    "TCP Query User{129C29B1-FF39-41ED-B781-669C120CC8A6}C:\\program files\\myspace\\im\\myspaceim.exe"= UDP:C:\program files\myspace\im\myspaceim.exe:MySpace Instant Messenger
    "UDP Query User{F37A89A0-8774-4580-BBF1-7F6719EC1AD6}C:\\program files\\myspace\\im\\myspaceim.exe"= TCP:C:\program files\myspace\im\myspaceim.exe:MySpace Instant Messenger
    "TCP Query User{5F7167B4-1726-4287-9E5B-9BF6A90BD0D5}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
    "UDP Query User{7A1DDB38-2DD4-4B77-98D0-5085963BEA4B}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
    "{A5FA5ADF-BBA9-4718-A96A-C4374DBD6059}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
    "{33F3A5CB-DBAD-4979-8629-BF2836914388}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
    "{D8DD6C47-1CAF-415F-84CB-BF7E47164C0E}"= UDP:C:\Program Files\AIM6\aim6.exe:AIM
    "{BD9ED1E3-BB8D-4876-AFB7-25AA9FC45844}"= TCP:C:\Program Files\AIM6\aim6.exe:AIM
    "{E975E7FF-F022-4CAD-B85C-94DBC2B9E179}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
    "{77ECBB81-D03D-4951-B723-7C87C807B50E}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
    "{B80F54E9-45C4-4FA8-A997-18D67082A3BD}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{B091B123-A618-4FEB-902A-B81CC8026DC6}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{030DC9B1-7379-43BA-B2E8-5D3BCE7C0283}"= C:\Program Files\MySpace\IM\MySpaceIM.exe:MySpaceIM
    "{6ADC71C9-6A70-46E0-8521-F6181CF14217}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "TCP Query User{1364282C-6E91-426D-A3A4-E581855A5F4E}C:\\users\\familia hernandez\\appdata\\local\\yahoo!\\messenger for vista\\yahoo.messenger.ymapp.exe"= UDP:C:\users\familia hernandez\appdata\local\yahoo!\messenger for vista\yahoo.messenger.ymapp.exe:yahoo.messenger.ymapp.exe
    "UDP Query User{7923B83E-1C04-452A-B98E-DDE4133DD1DD}C:\\users\\familia hernandez\\appdata\\local\\yahoo!\\messenger for vista\\yahoo.messenger.ymapp.exe"= TCP:C:\users\familia hernandez\appdata\local\yahoo!\messenger for vista\yahoo.messenger.ymapp.exe:yahoo.messenger.ymapp.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Configurable\System]
    "Rip-Listener-1"= TCP:520|%SystemRoot%\System32\svchost.exe|Svc=iprip:@iprip.dll,-200|

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
    "DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
    "EnableFirewall"= 0 (0x0)

    R2 User Profile Service (ProfSvc) ;User Profile Service (ProfSvc) ;C:\Program Files\TinyProxy\TinyProxy.exe [2008-10-09 12032]
    R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-09-29 3154944]
    S3 MREMP50;MREMP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [2007-01-19 19712]
    S3 MRESP50;MRESP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [2007-01-19 18304]
    S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\Windows\system32\ZuneWlanCfgSvc.exe [2008-09-12 245664]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    ipripsvc REG_MULTI_SZ iprip

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4f700011-9c86-11dc-a839-0019d1515a32}]
    \shell\AutoRun\command - J:\setupSNK.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2008-10-23 C:\Windows\Tasks\AWC Startup.job
    - C:\Program Files\IObit\Advanced SystemCare 3 Beta\AWC.exe [2008-09-26 00:41]

    2008-10-22 C:\Windows\Tasks\User_Feed_Synchronization-{07B4A7CB-ACF0-4786-91F0-BC8A4B298943}.job
    - C:\Windows\system32\msfeedssync.exe [2006-11-02 04:45]

    2008-10-23 C:\Windows\Tasks\User_Feed_Synchronization-{C20D5A22-2ECE-4EB6-9AB3-1E60548FC9BB}.job
    - C:\Windows\system32\msfeedssync.exe [2006-11-02 04:45]
    .
    .
    ------- Supplementary Scan -------
    .
    R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
    R1 -: HKCU-Internet Settings,ProxyOverride = *.local;<local>
    R1 -: HKCU-Internet Settings,ProxyServer = http=127.0.0.1:8181
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-22 19:09:50
    Windows 6.0.6000 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Windows\System32\audiodg.exe
    C:\Windows\System32\WUDFHost.exe
    C:\Windows\System32\CISVC.EXE
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
    .
    **************************************************************************
    .
    Completion time: 2008-10-22 19:14:44 - machine was rebooted [Familia Hernandez]
    ComboFix-quarantined-files.txt 2008-10-23 00:14:31
    ComboFix2.txt 2008-10-15 22:20:41

    Pre-Run: 110,149,165,056 bytes free
    Post-Run: 109,986,504,704 bytes free

    207 --- E O F --- 2008-10-19 1614





    and





    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:29:44 PM, on 10/22/2008
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16757)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\IObit\Advanced SystemCare 3 Beta\AWC.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\AT&T\Self Support Tool\ATTTray.exe
    C:\Windows\System32\wpcumi.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8181
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [SBC_McciTrayApp] C:\Program Files\AT&T\Self Support Tool\ATTTray.exe
    O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
    O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [MSConfig] "C:\Windows\System32\msconfig.exe" /auto
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O13 - Gopher Prefix:
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01...PUplden-us.cab
    O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://perlyzul.spaces.live.com/Phot...PUplden-us.cab
    O23 - Service: User Profile Service (ProfSvc) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe

    --
    End of file - 5193 bytes

  6. #6
    Neal (Dedicated Member)
    Open Notepad (it must be Notepad) and copy/paste the text in the quote box below into it (not the word "Quote"):



    File::
    C:\TinyProxy.bat
    C:\msnstart.bat
    C:\Windows\bolivar19.exe
    C:\6533366543.bat

    Folder::
    C:\Program Files\TinyProxy

    Save this as CFScript.

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.






    This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
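    Two entries in the HijackThis logs above explain the symptoms in the first post and are what the CFScript targets: the R1 ProxyServer value routes all browser traffic through a listener on 127.0.0.1:8181, and the O23 line shows that the process behind that port, TinyProxy.exe, is registered under the name of Windows' own User Profile Service (ProfSvc), which normally runs inside svchost.exe. The following Python script is an added example, not part of this thread and not a HijackThis or ComboFix feature; it flags exactly those patterns in HijackThis output. The sample lines are constructed from the logs posted above (the ZuneWlanCfgSvc line is invented as a benign control), the SVCHOST_HOSTED set is a small illustrative assumption rather than an authoritative list, and the function and class names are the author's own.

```python
"""Triage a HijackThis log for the patterns seen in this thread.

Added example: not part of the forum thread, HijackThis or ComboFix.
Flags (1) a browser proxy pointing at a loopback listener, (2) an O23
service whose short name belongs to a Windows service that only runs
inside svchost.exe but which points at some other binary, (3) unknown-owner
services outside the Windows directory, and (4) orphaned O2/O9 entries.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines modelled on the HijackThis output posted above
# (the ZuneWlanCfgSvc line is invented as a benign control case).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8181
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - topsoftwarefeed.com (file missing)
O23 - Service: User Profile Service (ProfSvc) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe
O23 - Service: Zune Wireless Configuration Service (ZuneWlanCfgSvc) - Microsoft Corporation - c:\Windows\system32\ZuneWlanCfgSvc.exe
"""

# Assumption: a small illustrative set of service short names that Windows
# hosts only inside svchost.exe. ProfSvc is the one impersonated in the thread.
SVCHOST_HOSTED = {"profsvc", "dhcp", "dnscache", "lanmanserver", "wuauserv"}

LOOPBACK_RE = re.compile(r"(?:127\.0\.0\.1|localhost)(?::\d+)?", re.IGNORECASE)
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$"
)


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    line: str      # the offending log line
    reason: str


def triage_hjt(log_text: str) -> list[Finding]:
    """Return the suspicious entries found in HijackThis log text."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("R1 -") and ",ProxyServer = " in line:
            # Browser traffic forced through a process listening on this machine.
            value = line.split(",ProxyServer = ", 1)[1]
            if LOOPBACK_RE.search(value):
                findings.append(Finding("high", line,
                    f"browser traffic routed through a local listener ({value})"))
        elif line.startswith("O23 -"):
            m = SERVICE_RE.match(line)
            if not m:
                continue
            name, owner, path = m.group("name"), m.group("owner"), m.group("path")
            if name.lower() in SVCHOST_HOSTED and "svchost.exe" not in path.lower():
                findings.append(Finding("high", line,
                    f"'{name}' is an svchost-hosted Windows service but points at {path}"))
            elif owner == "Unknown owner" and not path.lower().startswith("c:\\windows\\"):
                findings.append(Finding("medium", line,
                    "unknown-owner service running from outside the Windows directory"))
        elif line.startswith(("O2 -", "O9 -")) and ("(no file)" in line or "(file missing)" in line):
            findings.append(Finding("low", line,
                "orphaned entry whose target file no longer exists"))
    return findings


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'high': 2, 'low': 2}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    results = triage_hjt(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(severity_counts(results))
```

    Run against the sample it reports two high findings (the loopback proxy and the impersonated ProfSvc service) and two low ones (the orphaned BHO and the "IE Anti-Spyware" menu item), while the ProxyOverride line and the genuine svchost-hosted service produce nothing. The loopback check is the one that matters most for this thread: a proxy at 127.0.0.1 is only legitimate when the user knowingly installed the local proxy, and it is the mechanism by which search results were redirected and downloads cut short.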
