Adware, malware, spyware, hijacker discussion and information




All times are UTC - 7 hours


Forum rules


ATTN:!! Only users pre-approved by TeMerc may offer help and assistance in malware removal. Any and all unauthorized posts will be removed without notice. Please read this thread for proper HijackThis! installation.



[ 20 posts ]
 Post subject: Sillydl Virus
PostPosted: Thu Jul 29, 2010 5:07 pm 

Joined: Wed Jul 28, 2010 2:40 pm
Posts: 11
Random webpages open automatically when I am browsing the net and my computer is running pretty slow and grinding/chugging a lot. I ran Malwarebytes Anti-Malware and it came up clean. My antivirus (CA antivirus) found 12 infected files but will not clean or quarantine them. The virus is called Sillydl. Don't know if this has anything to do with the websites opening automatically but something is definitely amiss. Can you help?



 
 Post subject: Re: Sillydl Virus
PostPosted: Thu Jul 29, 2010 5:35 pm 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15987
Location: PHX, AZ
Thanks and welcome to Temerc Internet Countermeasures.

If you've run a scan with Malwarebytes' Anti-Malware, please paste the latest scan log which is located in the 'logs' tab of the Malwarebytes' Anti-Malware interface.

Open Malwarebytes' Anti-Malware>>Click the 'Logs' tab
Select log from date, they're named mbam-log-2009-xx-xx [10-11-12].txt
Then click the 'Open' button. You can then select 'Save as...' from the File menu and save it to your desktop.

Step 2 - Let's also collect some more info off the system to see if we can spot additional offending files.

Download RSIT from the link below and save it to your desktop.
32bit:
http://images.malwareremoval.com/random/RSIT.exe
64bit:
http://images.malwareremoval.com/random/RSITx64.exe

Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open.

Please paste the contents of LOG.txt (<<will be maximized-displayed on desktop)
***DO NOT SEND INFO.TXT... if I need it I will ask specifically for it.***




 
 Post subject: Re: Sillydl Virus
PostPosted: Fri Jul 30, 2010 10:14 am 

Joined: Wed Jul 28, 2010 2:40 pm
Posts: 11
Logfile of random's system information tool 1.08 (written by random/random)
Run by Lori Murphy at 2010-07-30 10:12:29
Microsoft Windows XP Professional Service Pack 3
System drive C: has 117 GB (79%) free of 148 GB
Total RAM: 1022 MB (45% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:13:01 AM, on 7/30/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Lori Murphy\Local Settings\Temporary Internet Files\Content.IE5\NFJ1412J\RSIT[1].exe
C:\Program Files\trend micro\Lori Murphy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dell.myway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se6087.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 7416575421
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - Unknown owner - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 8251 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\CAAntiSpywareScan_Daily as Lori Murphy at 10 06 AM.job
C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-2427054801-186204622-397276720-1006.job
C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-2427054801-186204622-397276720-1007.job
C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-2427054801-186204622-397276720-1006.job
C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-2427054801-186204622-397276720-1007.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2010-06-16 61888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
DriveLetterAccess - C:\WINDOWS\system32\dla\tfswshx.dll [2005-05-31 118844]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-05-03 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-05-03 79648]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray"=C:\WINDOWS\ehome\ehtray.exe [2005-09-29 67584]
"SigmatelSysTrayApp"=C:\WINDOWS\stsystra.exe [2005-03-22 339968]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-08-05 344064]
"ISUSPM Startup"=C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe [2005-06-10 249856]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-06-10 81920]
"MimBoot"=C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe [2006-01-18 8192]
"dla"=C:\WINDOWS\system32\dla\tfswctrl.exe [2005-05-31 122941]
"cctray"=C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe [2009-07-30 177392]
"QOELOADER"=C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe [2008-05-20 14088]
"CAVRID"=C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe [2010-06-04 226640]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2009-11-11 417792]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2009-08-13 177440]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2010-06-16 40368]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-06-09 976832]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-02-18 248040]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"OM2_Monitor"=C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe [2009-11-25 95632]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe [2006-02-09 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe [2005-02-23 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2009-11-12 141600]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
C:\Program Files\Digital Line Detect\DLG.exe [2003-10-29 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^dlbcserv.lnk]
C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [2005-01-08 315392]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-02-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\WINDOWS\system32\ZoneLabs\vsmon.exe"="C:\WINDOWS\system32\ZoneLabs\vsmon.exe:*:Enabled:TrueVector Service"
"C:\WINDOWS\system32\LEXPPS.EXE"="C:\WINDOWS\system32\LEXPPS.EXE:*:Disabled:LEXPPS.EXE"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Disabled:Bonjour"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Disabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Disabled:AOL"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2010-07-30 10:12:29 ----D---- C:\rsit
2010-07-27 15:56:46 ----D---- C:\Qoobox
2010-07-26 15:42:21 ----ASH---- C:\hiberfil.sys
2010-07-15 17:59:13 ----D---- C:\Program Files\Eusing Free Registry Cleaner

======List of files/folders modified in the last 1 months======

2010-07-30 10:13:01 ----D---- C:\Program Files\Trend Micro
2010-07-30 10:12:40 ----D---- C:\WINDOWS\Prefetch
2010-07-30 10:11:24 ----D---- C:\WINDOWS\Temp
2010-07-30 09:52:29 ----D---- C:\WINDOWS\system32
2010-07-30 09:52:29 ----D---- C:\WINDOWS
2010-07-30 09:47:09 ----A---- C:\WINDOWS\ModemLog_Conexant D850 56K V.9x DFVc Modem.txt
2010-07-30 09:45:35 ----D---- C:\WINDOWS\Registration
2010-07-29 17:13:57 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-07-29 15:55:39 ----D---- C:\WINDOWS\system32\CatRoot2
2010-07-28 14:21:18 ----SHD---- C:\System Volume Information
2010-07-28 14:21:18 ----D---- C:\WINDOWS\system32\Restore
2010-07-26 15:17:21 ----A---- C:\WINDOWS\ntbtlog.txt
2010-07-23 15:29:54 ----A---- C:\WINDOWS\dellstat.ini
2010-07-19 18:33:10 ----D---- C:\Program Files\Windows Live Safety Center
2010-07-19 16:07:16 ----HD---- C:\WINDOWS\inf
2010-07-15 17:59:13 ----D---- C:\Program Files

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 drvmcdb;drvmcdb; C:\WINDOWS\system32\drivers\drvmcdb.sys [2005-04-22 88352]
R0 PxHelp20;PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [2005-04-25 20640]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2005-05-13 5627]
R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2005-05-13 23545]
R1 VETEFILE;VET File Scan Engine; C:\WINDOWS\system32\drivers\VETEFILE.sys [2010-06-03 746216]
R1 VETFDDNT;VET Floppy Boot Sector Monitor; C:\WINDOWS\system32\drivers\VETFDDNT.sys [2009-12-01 21488]
R1 VET-FILT;VET File System Filter; C:\WINDOWS\system32\drivers\VET-FILT.sys [2009-12-01 26352]
R1 VETMONNT;VET File Monitor; C:\WINDOWS\system32\drivers\VETMONNT.sys [2009-12-01 32240]
R1 VET-REC;VET File System Recognizer; C:\WINDOWS\system32\drivers\VET-REC.sys [2009-12-01 21104]
R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2005-04-21 40544]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2003-04-09 11043]
R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2005-05-31 25725]
R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2005-05-31 34845]
R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2005-05-31 4125]
R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2005-05-31 2241]
R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2005-05-31 86876]
R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2005-05-31 15069]
R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2005-05-31 6365]
R2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2005-05-31 98716]
R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2005-05-31 100605]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2005-08-04 1273344]
R3 E100B;Intel(R) PRO Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2004-10-14 155648]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2009-05-18 26600]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2003-11-17 1042432]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2003-11-17 212224]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 STHDA;High Definition Audio Driver (WDM) - SigmaTel CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2005-06-14 180864]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 VETEBOOT;VET Boot Scan Engine; C:\WINDOWS\system32\drivers\VETEBOOT.sys [2010-06-03 130280]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2003-11-17 680704]
S3 bvrp_pci;bvrp_pci; C:\WINDOWS\system32\drivers\bvrp_pci.sys []
S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2009-08-28 40448]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys []
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-10 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-08-28 144672]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 CAISafe;CAISafe; C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe [2007-08-20 144960]
R2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2006-10-09 237568]
R2 ehSched;Media Center Scheduler Service; C:\WINDOWS\eHome\ehSched.exe [2005-08-05 102912]
R2 ITMRTSVC;CA Pest Patrol Realtime Protection Service; C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe [2007-01-04 280080]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-04-12 153376]
R2 LexBceS;LexBce Server; C:\WINDOWS\system32\LEXBCES.EXE [2004-03-04 311296]
R2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328]
R2 VETMSGNT;VET Message Service; C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe [2010-06-04 238928]
R3 CaCCProvSP;CaCCProvSP; C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe [2009-07-30 214256]
R3 PPCtlPriv;PPCtlPriv; C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [2007-08-16 189704]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2005-08-04 380928]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-11-12 545568]
S3 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 NetSvc;Intel NCS NetService; C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe [2004-11-19 147456]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]

-----------------EOF-----------------



 
 Post subject: Re: Sillydl Virus
PostPosted: Fri Jul 30, 2010 10:19 am 

Joined: Wed Jul 28, 2010 2:40 pm
Posts: 11
Here is my Malwarebytes log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4368

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/29/2010 3:11:50 PM
mbam-log-2010-07-29 (15-11-50).txt

Scan type: Quick scan
Objects scanned: 188214
Time elapsed: 24 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



 
 Post subject: Re: Sillydl Virus
PostPosted: Fri Jul 30, 2010 10:23 am 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15987
Location: PHX, AZ
Thanks for the logs.

I see you've run ComboFix recently, please send me that log.

Also, send me the specific details of the CA detection, the file path or registry path.




 
 Post subject: Re: Sillydl Virus
PostPosted: Fri Jul 30, 2010 3:34 pm 

Joined: Wed Jul 28, 2010 2:40 pm
Posts: 11
Here are the file names from CA Antivirus.......could not paste so hopefully I got it right and it will help. I'm not sure where to find the log for Combofix. I started it but not sure what it was supposed to do and it seemed like nothing happened with it. Nothing popped up on the screen after it started. Sorry, I am not super computer savvy.

C:\Documents and Settings\Lori Murphy\Application Data\Sun\Java\Deployment\cache\6.0\21\418417d5-4da91549 <dev/s/AdgredY.class>(Java/SillyDlJava.P)

C:\Documents and Settings\Lori Murphy\Application Data\Sun\Java\Deployment\cache\6.0\21\418417d5-4da91549 <dev/s/DyesyasZ.class>(Java/SillyDlJava.Q)

C:\Documents and Settings\Lori Murphy\Application Data\Sun\Java\Deployment\cache\6.0\21\418417d5-4da91549 <dev/s/LoaderX.class>(Java/SillyDlJava.R)

C:\Documents and Settings\Michael Murphy\Application Data\Sun\Java\Deployment\cache\6.0\46\2ef6a5ae-1dd9506b <dev/s/Bavarian.class>(Java/SillyDlJava.O)

C:\Documents and Settings\Michael Murphy\Application Data\Sun\Java\Deployment\cache\6.0\46\2ef6a5ae-1dd9506b <dev/s/Saxonia.class>(Java/SillyDlJava.N)

C:\Documents and Settings\Michael Murphy\Application Data\Sun\Java\Deployment\cache\6.0\46\2ef6a5ae-1dd9506b <dev/s/Silezia.class>(Java/SillyDlJava.M)

C:\WINDOWS\Temp\jar_cache4864711046883547165.tmp <quote/Mailvue.class> (Java/SillyDl.HKD)

C:\WINDOWS\Temp\jar_cache4864711046883547165.tmp <quote/Skypeqd.class> (Java/SillyDl.HKE)

C:\WINDOWS\Temp\jar_cache4864711046883547165.tmp <quote/Twitters.class> (Java/SillyDl.HKF)

C:\WINDOWS\Temp\jar_cache635010053411314838.tmp <quote/Mailvue.class> (Java/SillyDl.HKD)

C:\WINDOWS\Temp\jar_cache635010053411314838.tmp <quote/Skypeqd.class> (Java/SillyDl.HKE)

C:\WINDOWS\Temp\jar_cache635010053411314838.tmp <quote/Twitters.class> (Java/SillyDl.HKF)



 
 Post subject: Re: Sillydl Virus
PostPosted: Fri Jul 30, 2010 4:47 pm 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15987
Location: PHX, AZ
Thanks, the temp files may be legit, but we can clean them out.

Download TFC, a temp files\folder cleaner from the link below:
http://oldtimer.geekstogo.com/TFC.exe
Save it to your desktop.

Print these instructions. Save any unsaved work. TFC will close ALL open programs... including your browser!
Double click on TFC.exe to run it.

TFC will begin cleaning up the "temp" files... it may take only a few seconds or it could be several minutes, depending on the amount of temp files found.
If prompted to reboot... click Yes.

The others in Java may all be false positives though. I suggest you uninstall all versions of Java installed via the Add or Remove Programs applet, then reinstall from Java.

The ComboFix log should be at c:\combofix.txt




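Triage of the CA Anti-Virus detection list posted two replies up, as an added example that is not part of the original thread and not CA's own tooling: a small Python parser that splits each detection line into the container file, the archive member that was flagged, and the signature, then groups the hits by where the container lives. This makes the helper's assessment visible in data: every hit is an inner .class of one of four cached jars, six under the per-user Java deployment cache and six under jar_cache files in the Windows Temp folder, which is why clearing temp files and reinstalling Java addresses them. The twelve lines are copied from the post as constructed test input; the function names and the location heuristic are my own assumptions.

```python
import re
from collections import Counter

# Constructed sample input: the twelve CA Anti-Virus detection lines quoted
# earlier in this thread, reproduced verbatim. A raw string keeps the backslashes.
CA_DETECTIONS = r"""
C:\Documents and Settings\Lori Murphy\Application Data\Sun\Java\Deployment\cache\6.0\21\418417d5-4da91549 <dev/s/AdgredY.class>(Java/SillyDlJava.P)
C:\Documents and Settings\Lori Murphy\Application Data\Sun\Java\Deployment\cache\6.0\21\418417d5-4da91549 <dev/s/DyesyasZ.class>(Java/SillyDlJava.Q)
C:\Documents and Settings\Lori Murphy\Application Data\Sun\Java\Deployment\cache\6.0\21\418417d5-4da91549 <dev/s/LoaderX.class>(Java/SillyDlJava.R)
C:\Documents and Settings\Michael Murphy\Application Data\Sun\Java\Deployment\cache\6.0\46\2ef6a5ae-1dd9506b <dev/s/Bavarian.class>(Java/SillyDlJava.O)
C:\Documents and Settings\Michael Murphy\Application Data\Sun\Java\Deployment\cache\6.0\46\2ef6a5ae-1dd9506b <dev/s/Saxonia.class>(Java/SillyDlJava.N)
C:\Documents and Settings\Michael Murphy\Application Data\Sun\Java\Deployment\cache\6.0\46\2ef6a5ae-1dd9506b <dev/s/Silezia.class>(Java/SillyDlJava.M)
C:\WINDOWS\Temp\jar_cache4864711046883547165.tmp <quote/Mailvue.class> (Java/SillyDl.HKD)
C:\WINDOWS\Temp\jar_cache4864711046883547165.tmp <quote/Skypeqd.class> (Java/SillyDl.HKE)
C:\WINDOWS\Temp\jar_cache4864711046883547165.tmp <quote/Twitters.class> (Java/SillyDl.HKF)
C:\WINDOWS\Temp\jar_cache635010053411314838.tmp <quote/Mailvue.class> (Java/SillyDl.HKD)
C:\WINDOWS\Temp\jar_cache635010053411314838.tmp <quote/Skypeqd.class> (Java/SillyDl.HKE)
C:\WINDOWS\Temp\jar_cache635010053411314838.tmp <quote/Twitters.class> (Java/SillyDl.HKF)
"""

# Shape of one line: <container path> <member inside the archive>(signature)
LINE_RE = re.compile(
    r"^(?P<container>.+?)\s*<(?P<member>[^>]+)>\s*\((?P<signature>[^)]+)\)\s*$"
)
# Owner of the profile the container sits in, if it is under a user profile.
PROFILE_RE = re.compile(r"\\Documents and Settings\\([^\\]+)\\", re.IGNORECASE)


def classify_location(container):
    """Heuristic (my own, not CA's): where on disk the flagged archive lives."""
    low = container.lower()
    if r"\sun\java\deployment\cache" in low:
        return "java_deployment_cache"  # per-user cache of downloaded applets
    if r"\temp\jar_cache" in low:
        return "temp_jar_cache"         # jars the JRE unpacked into Windows Temp
    return "other"


def parse_detection(line):
    """Split one CA detection line into its parts; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    container = m.group("container")
    # "Java/SillyDlJava.P" -> family "Java/SillyDlJava", variant "P"
    family, _, variant = m.group("signature").rpartition(".")
    profile = PROFILE_RE.search(container)
    return {
        "container": container,
        "member": m.group("member"),
        "signature": m.group("signature"),
        "family": family,
        "variant": variant,
        "location": classify_location(container),
        "user": profile.group(1) if profile else None,
    }


def parse_detections(text):
    """Parse every non-blank line, dropping lines that are not detections."""
    return [r for r in (parse_detection(ln) for ln in text.splitlines()) if r]


def members_by_container(records):
    """Group flagged archive members under the archive that holds them."""
    grouped = {}
    for r in records:
        grouped.setdefault(r["container"], []).append((r["member"], r["signature"]))
    return grouped


def summarize(records):
    """Counts and distinct values a responder wants at a glance."""
    return {
        "total": len(records),
        "by_location": dict(Counter(r["location"] for r in records)),
        "containers": sorted({r["container"] for r in records}),
        "users": sorted({r["user"] for r in records if r["user"]}),
        "families": sorted({r["family"] for r in records}),
    }


if __name__ == "__main__":
    recs = parse_detections(CA_DETECTIONS)
    s = summarize(recs)
    print(f"{s['total']} detections in {len(s['containers'])} archives; "
          f"locations={s['by_location']}; profiles={s['users']}")
    for container, members in members_by_container(recs).items():
        print(container)
        for member, sig in members:
            print(f"    {member}  ->  {sig}")
```

The grouping by container is the useful part: the antivirus could not clean or quarantine because the hits are members inside cached jar files rather than loose files, so the remediation unit is the archive (or, as the helper advises, the whole cache) rather than the individual .class entries.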
 
 Post subject: Re: Sillydl Virus
PostPosted: Sat Jul 31, 2010 10:03 am 

Joined: Wed Jul 28, 2010 2:40 pm
Posts: 11
Hi!

I cleaned the temp files and removed all Java. Ran my Antivirus and Malwarebytes' both came up clean. I am still getting pop up ads that say, "warning errors were detected in your computer registry" and still have websites opening automatically. Cannot find the combofix log anywhere.
Thank you so much, by the way!



 Post subject: Re: Sillydl Virus
PostPosted: Sat Jul 31, 2010 11:14 pm 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15987
Location: PHX, AZ
Thanks, let's look a bit deeper using the tool below.

Download the Avenger zip file below & save to desktop:

http://swandog46.geekstogo.com/avenger2/download.php

Unzip it. (right click> choose "extract all"> follow wizard to extract files.)
Avenger folder should open for you.
If unzipped properly -- Avenger icon looks like a sword.

Close as many running programs as possible including security software because you will be rebooting shortly.

Double click Avenger.exe & allow it to run.
Click OK to first prompt.
Have the following checked:
"check for rootkits"
Have the following UNchecked:
"Automatically disable all rootkits found"
Click "execute"
Click OK.
OK prompt about not having a script.
Windows will reboot.

Paste the resulting C:\Avenger.txt here.

 Post subject: Re: Sillydl Virus
PostPosted: Sun Aug 01, 2010 2:53 pm 

Joined: Wed Jul 28, 2010 2:40 pm
Posts: 11
I tried to download Avenger twice. Both times, as I started to save it to the Desktop, I got a message, "cannot copy Avenger. access is denied"; then, right after, my antivirus screen popped up with an infection "Win32/crykee.A - reboot to remove".



 Post subject: Re: Sillydl Virus
PostPosted: Sun Aug 01, 2010 4:37 pm 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15987
Location: PHX, AZ
lorijean wrote:
I tried to download Avenger twice. Both times, as I started to save it to the Desktop, I got a message, "cannot copy Avenger. access is denied"; then, right after, my antivirus screen popped up with an infection "Win32/crykee.A - reboot to remove".

Disable your antivirus software and then download it.

 Post subject: Re: Sillydl Virus
PostPosted: Sun Aug 01, 2010 5:48 pm 

Joined: Wed Jul 28, 2010 2:40 pm
Posts: 11
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.



 Post subject: Re: Sillydl Virus
PostPosted: Sun Aug 01, 2010 11:09 pm 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15987
Location: PHX, AZ
OK, thanks.

Let's run ComboFix from the link below:
http://tinyurl.com/ycc4ls4

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

 Post subject: Re: Sillydl Virus
PostPosted: Mon Aug 02, 2010 3:27 pm 

Joined: Wed Jul 28, 2010 2:40 pm
Posts: 11
ComboFix 10-08-02.01 - Lori Murphy 08/02/2010 15:15:45.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.473 [GMT -7:00]
Running from: c:\documents and settings\Lori Murphy\Desktop\ComboFix.exe
AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\3714047310.dat
c:\windows\system32\bszip.dll
C:\zip.exe

.
((((((((((((((((((((((((( Files Created from 2010-07-02 to 2010-08-02 )))))))))))))))))))))))))))))))
.

2010-08-02 21:56 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-08-02 21:56 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-08-02 05:03 . 2010-08-02 05:03 391 ----a-w- c:\windows\system32\~.vbs
2010-08-02 00:36 . 2010-08-02 00:36 574 ----a-w- C:\cleanup.bat
2010-07-30 17:12 . 2010-07-30 17:13 -------- d-----w- C:\rsit
2010-07-26 21:19 . 2010-07-26 21:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-26 21:15 . 2010-07-26 21:15 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-07-16 00:59 . 2010-07-19 03:02 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2010-07-10 00:24 . 2010-07-10 00:26 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-08 23:39 . 2010-07-08 23:39 552 ----a-w- c:\windows\system32\d3d8caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-31 04:22 . 2005-12-05 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-07-31 04:20 . 2005-12-05 00:08 -------- d-----w- c:\program files\Dell
2010-07-31 04:20 . 2005-12-04 23:55 -------- d-----w- c:\program files\Java
2010-07-30 20:45 . 2010-01-28 21:19 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-30 17:13 . 2005-12-05 00:11 -------- d-----w- c:\program files\Trend Micro
2010-07-30 17:11 . 2010-08-02 05:02 182390 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-07-20 01:33 . 2010-06-23 23:35 -------- d-----w- c:\program files\Windows Live Safety Center
2010-06-27 17:10 . 2010-06-26 19:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-06-26 19:07 . 2010-06-26 19:07 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-25 17:06 . 2010-06-25 03:28 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-25 17:03 . 2010-06-25 03:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-25 00:36 . 2005-08-17 02:54 -------- d-----w- c:\program files\GemMaster
2010-06-25 00:35 . 2005-12-05 00:08 -------- d-----w- c:\program files\WildTangent
2010-06-23 21:59 . 2010-06-02 23:06 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-14 14:31 . 2005-08-16 10:40 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-03 21:25 . 2010-06-03 21:25 746216 ----a-w- c:\windows\system32\drivers\vetefile.sys
2010-06-03 21:25 . 2010-06-03 21:25 130280 ----a-w- c:\windows\system32\drivers\veteboot.sys
2010-06-03 21:25 . 2009-07-08 23:55 1561896 ----a-w- c:\documents and settings\All Users\Application Data\CA\Consumer\AV\tmp\vete_tmp.dll
2010-05-31 15:37 . 2005-12-05 00:04 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-05-28 22:53 . 2010-05-28 22:53 4 ----a-w- c:\documents and settings\Lori Murphy\Application Data\ovczpx.dat
2010-05-25 06:28 . 2010-05-25 06:28 61440 ----a-w- c:\documents and settings\Michael Murphy\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2c331788-n\decora-sse.dll
2010-05-25 06:28 . 2010-05-25 06:28 503808 ----a-w- c:\documents and settings\Michael Murphy\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7a9c2008-n\msvcp71.dll
2010-05-25 06:28 . 2010-05-25 06:28 499712 ----a-w- c:\documents and settings\Michael Murphy\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7a9c2008-n\jmc.dll
2010-05-25 06:28 . 2010-05-25 06:28 348160 ----a-w- c:\documents and settings\Michael Murphy\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7a9c2008-n\msvcr71.dll
2010-05-25 06:28 . 2010-05-25 06:28 12800 ----a-w- c:\documents and settings\Michael Murphy\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2c331788-n\decora-d3d.dll
2010-05-25 01:11 . 2010-03-09 17:40 439816 ----a-w- c:\documents and settings\Lori Murphy\Application Data\Real\Update\setup3.10\setup.exe
2010-05-22 14:19 . 2010-05-22 14:19 61440 ----a-w- c:\documents and settings\Lori Murphy\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-546bb1a9-n\decora-sse.dll
2010-05-22 14:19 . 2010-05-22 14:19 503808 ----a-w- c:\documents and settings\Lori Murphy\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3b10fab2-n\msvcp71.dll
2010-05-22 14:19 . 2010-05-22 14:19 499712 ----a-w- c:\documents and settings\Lori Murphy\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3b10fab2-n\jmc.dll
2010-05-22 14:19 . 2010-05-22 14:19 348160 ----a-w- c:\documents and settings\Lori Murphy\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3b10fab2-n\msvcr71.dll
2010-05-22 14:19 . 2010-05-22 14:19 12800 ----a-w- c:\documents and settings\Lori Murphy\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-546bb1a9-n\decora-d3d.dll
2010-05-21 21:14 . 2010-06-24 22:24 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-06 10:41 . 2005-08-16 10:18 916480 ----a-w- c:\windows\system32\wininet.dll
2005-12-19 17:12 . 2005-12-10 01:52 56 --sh--r- c:\windows\system32\3D4927C2EE.sys
2010-02-16 17:00 . 2006-03-30 02:10 88 --sh--r- c:\windows\system32\EEC227493D.sys
2010-02-16 17:00 . 2005-12-10 01:52 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2009-11-26 95632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-01-18 8192]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-07-31 177392]
"QOELOADER"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2008-05-20 14088]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2010-06-04 226640]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^dlbcserv.lnk]
backup=c:\windows\pss\dlbcserv.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
2006-02-09 22:34 106496 ----a-w- c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 22:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-13 00:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [8/16/2007 9:10 PM 189704]
S2 MDMehRecvr;Machine Debug Manager MDMehRecvr; [x]
S2 NetDDEDcomLaunch;Network DDE NetDDEDcomLaunch; [x]
S2 NlaNetDDEDcomLaunch;Network Location Awareness (NLA) NlaNetDDEDcomLaunch; [x]
.
Contents of the 'Scheduled Tasks' folder

2010-06-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 00:57]

2010-07-29 c:\windows\Tasks\CAAntiSpywareScan_Daily as Lori Murphy at 10 06 AM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2007-08-17 04:10]

2010-08-02 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2427054801-186204622-397276720-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-08-02 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2427054801-186204622-397276720-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-07-28 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2427054801-186204622-397276720-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-05-31 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2427054801-186204622-397276720-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://dell.myway.com/
uInternet Settings,ProxyOverride = *.local
LSP: c:\windows\system32\VetRedir.dll
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-02 15:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(480)
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
.
Completion time: 2010-08-02 15:24:25
ComboFix-quarantined-files.txt 2010-08-02 22:24

Pre-Run: 124,416,770,048 bytes free
Post-Run: 125,132,742,656 bytes free

- - End Of File - - BB3B68516664FAD9C8F5EDB3450C3823



 Post subject: Re: Sillydl Virus
PostPosted: Tue Aug 03, 2010 11:34 am 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15987
Location: PHX, AZ
Thanks.

Please open Notepad then copy & paste all the following text located inside the code box.
Code:
File::
c:\windows\system32\3D4927C2EE.sys
c:\windows\system32\EEC227493D.sys

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe
Drag the .txt file into combofix.exe as displayed in this .gif image:
Image
This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new Malwarebytes scan please.

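An added triage example, not code from this thread or from ComboFix's authors: a small Python helper that parses "Find3M Report" lines in the format shown in the log above, lists hidden+system files in system32 for analyst review, and emits the File:: block in the CFScript.txt format described in the post for the ones whose names are bare hex strings, which is the pair the helper picked here. The function names and the hex-name heuristic are assumptions; the sample lines are constructed in the log's format, and an analyst still confirms each path before running anything.

```python
"""Triage helper for the Find3M section of a ComboFix log (hypothetical,
not part of ComboFix).  Each Find3M line has the shape

    <modified> . <created> <size|--------> <attrs> <path>

where the 8-character attrs field reads like "--sh--r-" (system, hidden,
read-only) or "d-----w-" (directory).  Nothing here deletes anything; it
only produces a review list and a CFScript text for a human to vet."""
import ntpath
import re
from typing import Dict, List

# Constructed sample lines copied in *form* from the log in the thread.
SAMPLE_FIND3M = """\
2010-05-06 10:41 . 2005-08-16 10:18 916480 ----a-w- c:\\windows\\system32\\wininet.dll
2005-12-19 17:12 . 2005-12-10 01:52 56 --sh--r- c:\\windows\\system32\\3D4927C2EE.sys
2010-02-16 17:00 . 2006-03-30 02:10 88 --sh--r- c:\\windows\\system32\\EEC227493D.sys
2010-02-16 17:00 . 2005-12-10 01:52 3350 --sha-w- c:\\windows\\system32\\KGyGaAvL.sys
2010-07-31 04:20 . 2005-12-04 23:55 -------- d-----w- c:\\program files\\Java
"""

LINE_RE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) "
    r"(?P<attrs>[a-z-]{8}) "
    r"(?P<path>.+?)\s*$"
)

# Heuristic (assumption): a file stem made only of 8+ hex digits.
HEX_STEM = re.compile(r"[0-9A-Fa-f]{8,}")


def parse_find3m(text: str) -> List[Dict[str, object]]:
    """Turn Find3M lines into dicts; headers, dots and blanks are skipped."""
    entries: List[Dict[str, object]] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        attrs = m.group("attrs")
        size = m.group("size")
        entries.append({
            "modified": m.group("modified"),
            "created": m.group("created"),
            "size": None if size.startswith("-") else int(size),
            "is_dir": attrs[0] == "d",        # position 0: directory flag
            "system": attrs[2] == "s",        # position 2: system attribute
            "hidden": attrs[3] == "h",        # position 3: hidden attribute
            "read_only": attrs[6] == "r",     # position 6: r (read-only) or w
            "path": m.group("path"),
        })
    return entries


def is_hex_named(path: str) -> bool:
    """True for names like 3D4927C2EE.sys; ntpath handles backslashes on any OS."""
    stem, _ext = ntpath.splitext(ntpath.basename(path))
    return HEX_STEM.fullmatch(stem) is not None


def triage(entries: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Split hidden+system files under system32 into a CFScript candidate list
    (hex-named) and a plain review list (everything else)."""
    script: List[str] = []
    review: List[str] = []
    for e in entries:
        path = str(e["path"])
        if e["is_dir"] or "\\windows\\system32\\" not in path.lower():
            continue
        if not (e["hidden"] and e["system"]):
            continue
        (script if is_hex_named(path) else review).append(path)
    return {"script": script, "review": review}


def build_cfscript(paths: List[str]) -> str:
    """Render the File:: block; the post says to save it as CFScript.txt
    (Type: All Files) beside ComboFix.exe and drag it onto ComboFix.exe."""
    return "File::\n" + "".join(p + "\n" for p in paths)


if __name__ == "__main__":
    result = triage(parse_find3m(SAMPLE_FIND3M))
    print("Review (hidden+system in system32):", result["review"])
    print(build_cfscript(result["script"]), end="")
```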
 Post subject: Re: Sillydl Virus
PostPosted: Tue Aug 03, 2010 4:26 pm 

Joined: Wed Jul 28, 2010 2:40 pm
Posts: 11
ComboFix 10-08-03.01 - Lori Murphy 08/03/2010 15:09:05.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.561 [GMT -7:00]
Running from: c:\documents and settings\Lori Murphy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Lori Murphy\Desktop\CFScript.txt
AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

FILE ::
"c:\windows\system32\3D4927C2EE.sys"
"c:\windows\system32\EEC227493D.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\3D4927C2EE.sys
c:\windows\system32\EEC227493D.sys

.
((((((((((((((((((((((((( Files Created from 2010-07-03 to 2010-08-03 )))))))))))))))))))))))))))))))
.

2010-08-02 21:56 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-08-02 21:56 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-08-02 05:03 . 2010-08-02 05:03 391 ----a-w- c:\windows\system32\~.vbs
2010-08-02 00:36 . 2010-08-02 00:36 574 ----a-w- C:\cleanup.bat
2010-07-30 17:12 . 2010-07-30 17:13 -------- d-----w- C:\rsit
2010-07-26 21:19 . 2010-07-26 21:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-26 21:15 . 2010-07-26 21:15 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-07-16 00:59 . 2010-07-19 03:02 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2010-07-10 00:24 . 2010-07-10 00:26 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-08 23:39 . 2010-07-08 23:39 552 ----a-w- c:\windows\system32\d3d8caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-31 04:22 . 2005-12-05 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-07-31 04:20 . 2005-12-05 00:08 -------- d-----w- c:\program files\Dell
2010-07-31 04:20 . 2005-12-04 23:55 -------- d-----w- c:\program files\Java
2010-07-30 20:45 . 2010-01-28 21:19 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-30 17:13 . 2005-12-05 00:11 -------- d-----w- c:\program files\Trend Micro
2010-07-30 17:11 . 2010-08-02 05:02 182390 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-07-20 01:33 . 2010-06-23 23:35 -------- d-----w- c:\program files\Windows Live Safety Center
2010-06-27 17:10 . 2010-06-26 19:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-06-26 19:07 . 2010-06-26 19:07 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-25 17:06 . 2010-06-25 03:28 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-25 17:03 . 2010-06-25 03:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-25 00:36 . 2005-08-17 02:54 -------- d-----w- c:\program files\GemMaster
2010-06-25 00:35 . 2005-12-05 00:08 -------- d-----w- c:\program files\WildTangent
2010-06-23 21:59 . 2010-06-02 23:06 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-14 14:31 . 2005-08-16 10:40 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-03 21:25 . 2010-06-03 21:25 746216 ----a-w- c:\windows\system32\drivers\vetefile.sys
2010-06-03 21:25 . 2010-06-03 21:25 130280 ----a-w- c:\windows\system32\drivers\veteboot.sys
2010-06-03 21:25 . 2009-07-08 23:55 1561896 ----a-w- c:\documents and settings\All Users\Application Data\CA\Consumer\AV\tmp\vete_tmp.dll
2010-05-31 15:37 . 2005-12-05 00:04 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-05-28 22:53 . 2010-05-28 22:53 4 ----a-w- c:\documents and settings\Lori Murphy\Application Data\ovczpx.dat
2010-05-25 06:28 . 2010-05-25 06:28 61440 ----a-w- c:\documents and settings\Michael Murphy\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2c331788-n\decora-sse.dll
2010-05-25 06:28 . 2010-05-25 06:28 503808 ----a-w- c:\documents and settings\Michael Murphy\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7a9c2008-n\msvcp71.dll
2010-05-25 06:28 . 2010-05-25 06:28 499712 ----a-w- c:\documents and settings\Michael Murphy\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7a9c2008-n\jmc.dll
2010-05-25 06:28 . 2010-05-25 06:28 348160 ----a-w- c:\documents and settings\Michael Murphy\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7a9c2008-n\msvcr71.dll
2010-05-25 06:28 . 2010-05-25 06:28 12800 ----a-w- c:\documents and settings\Michael Murphy\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2c331788-n\decora-d3d.dll
2010-05-25 01:11 . 2010-03-09 17:40 439816 ----a-w- c:\documents and settings\Lori Murphy\Application Data\Real\Update\setup3.10\setup.exe
2010-05-22 14:19 . 2010-05-22 14:19 61440 ----a-w- c:\documents and settings\Lori Murphy\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-546bb1a9-n\decora-sse.dll
2010-05-22 14:19 . 2010-05-22 14:19 503808 ----a-w- c:\documents and settings\Lori Murphy\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3b10fab2-n\msvcp71.dll
2010-05-22 14:19 . 2010-05-22 14:19 499712 ----a-w- c:\documents and settings\Lori Murphy\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3b10fab2-n\jmc.dll
2010-05-22 14:19 . 2010-05-22 14:19 348160 ----a-w- c:\documents and settings\Lori Murphy\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3b10fab2-n\msvcr71.dll
2010-05-22 14:19 . 2010-05-22 14:19 12800 ----a-w- c:\documents and settings\Lori Murphy\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-546bb1a9-n\decora-d3d.dll
2010-05-21 21:14 . 2010-06-24 22:24 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-06 10:41 . 2005-08-16 10:18 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-16 17:00 . 2005-12-10 01:52 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2009-11-26 95632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-01-18 8192]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-07-31 177392]
"QOELOADER"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2008-05-20 14088]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2010-06-04 226640]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^dlbcserv.lnk]
backup=c:\windows\pss\dlbcserv.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
2006-02-09 22:34 106496 ----a-w- c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 22:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-13 00:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [8/16/2007 9:10 PM 189704]
S2 MDMehRecvr;Machine Debug Manager MDMehRecvr; [x]
S2 NetDDEDcomLaunch;Network DDE NetDDEDcomLaunch; [x]
S2 NlaNetDDEDcomLaunch;Network Location Awareness (NLA) NlaNetDDEDcomLaunch; [x]
.
Contents of the 'Scheduled Tasks' folder

2010-06-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 00:57]

2010-07-29 c:\windows\Tasks\CAAntiSpywareScan_Daily as Lori Murphy at 10 06 AM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2007-08-17 04:10]

2010-08-03 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2427054801-186204622-397276720-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-08-03 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2427054801-186204622-397276720-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-07-28 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2427054801-186204622-397276720-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-05-31 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2427054801-186204622-397276720-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://dell.myway.com/
uInternet Settings,ProxyOverride = *.local
LSP: c:\windows\system32\VetRedir.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-03 15:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1724)
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
.
Completion time: 2010-08-03 15:15:26
ComboFix-quarantined-files.txt 2010-08-03 22:15
ComboFix2.txt 2010-08-02 22:24

Pre-Run: 125,085,974,528 bytes free
Post-Run: 125,123,911,680 bytes free

- - End Of File - - 2D1C444023BF84067CFF18C3248BA641



 Post subject: Re: Sillydl Virus
PostPosted: Tue Aug 03, 2010 4:27 pm 

Joined: Wed Jul 28, 2010 2:40 pm
Posts: 11
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4374

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/3/2010 3:27:34 PM
mbam-log-2010-08-03 (15-27-34).txt

Scan type: Quick scan
Objects scanned: 159319
Time elapsed: 11 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



 Post subject: Re: Sillydl Virus
PostPosted: Tue Aug 03, 2010 11:48 pm 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15987
Location: PHX, AZ
Everything looks good, how's the system performing at this point?

 Post subject: Re: Sillydl Virus
PostPosted: Wed Aug 04, 2010 2:06 pm 

Joined: Wed Jul 28, 2010 2:40 pm
Posts: 11
So far so good! Thank you for all of your help. Hopefully you won't be hearing from me again. : )



 Post subject: Re: Sillydl Virus
PostPosted: Wed Aug 04, 2010 11:58 pm 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15987
Location: PHX, AZ
lorijean wrote:
So far so good! Thank you for all of your help. Hopefully you won't be hearing from me again. : )

Glad we could be of assistance.

Happy surfing!!
Tom :D

As your infection removal here in this forum has been completed, we hope you take the time to look around and get involved in some of the other forums. The forums grow and become even more helpful with input from all of our members. We can all help everyone together as a community.

And if we've helped you out and you'd like to contribute to the costs maintaining the site please use the PayPal button as displayed at the top of the page.


This is 100% optional as all our help to you has always been free and will continue to be free forever.

****This topic has been successfully resolved and is now locked. If the original user needs to have this thread re-opened please PM me

Any other users with similar problems please use the 'New Topic' button to begin a new thread.****

Tom\TeMerc
