Cannot Use Ctrl+Alt+Delete/Task Manager. Stuck with Command Service, Bar888/Smitfraud

Amethystine
2007-01-10, 11:37
I've tried to figure out whether or not I should post by seeing if there's a thread with the same problems as mine, but I can't tell if I should or not. So I'm just going to give it a shot and try posting.

As the title says, I can't use Task Manager anymore, which is what first alerted me that something was wrong. I also notice a bit of a refresh every 5 minutes or so, which coincides with a folder from C:\Program Files\Common Files named "{EC00B7F8-0477-1033-0329-040314010002}" being dumped into the Recycle Bin. (It begins to build up in there over time, as well.) The folder contains 2 files: "System.dll" and "Update" (update is an application, I'm not sure of the extension).

I have since gotten Spybot and used it many times (it runs on startup every time, now). And it finds Command Service and Toolbar888-Smitfraud. It says it fixes Bar888 every time, but says it can't fix Command and that I should restart my PC. But on the subsequent restarts, it is still unable to deal with it, as well as finding Bar888 again.

I took the steps in the 'Before you Post' topic, and while in Safe Mode, Spybot couldn't get rid of 'Command' either.

Sorry for the long story, here are my logs:

eTrust Antivirus Web Scanner

Scan Results: 86382 files scanned. 17 viruses were detected.

File Infection Status Path
arc.zip-6c522c5b-5fce5073.zip>VerifierBug.class Java/ByteVerify!exploit infected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
arc.zip-6c522c5b-5fce5073.zip>Counter.class Java/ByteVerify!exploit infected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
arc.zip-6c522c5b-5fce5073.zip>Gummy.class Java/ByteVerify!exploit infected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
arc.zip-6c522c5b-5fce5073.zip>Beyond.class Java/ByteVerify!exploit infected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
arc.zip-6c522c5b-5fce5073.zip>Worker.class Java/Shinwow.M infected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
java.jar-678c1b03-29069d08.zip>GetAccess.class Java/ByteVerify!exploit infected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
java.jar-678c1b03-29069d08.zip>Installer.class Java/Shinwow.AZ infected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
java.jar-678c1b03-29069d08.zip>NewSecurityClassLoader.class Java/ByteVerify!exploit infected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
java.jar-678c1b03-29069d08.zip>NewURLClassLoader.class Java/ByteVerify!exploit infected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
load14.jar-5d2fff2a-5396e5c6.zip>Matrix.class Java/Shinwow.W infected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
load14.jar-5d2fff2a-5396e5c6.zip>Counter.class Java/ByteVerify!exploit infected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
load14.jar-5d2fff2a-5396e5c6.zip>Dummy.class Java/ByteVerify!exploit infected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
load14.jar-5d2fff2a-5396e5c6.zip>Parser.class Java/ByteVerify!exploit infected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
astr.exe Win32/Starphish.A infected C:\Documents and Settings\Colin\
p.zip Win32/Alcan.I!ZIP infected C:\Program Files\outlook\
p.zip>Setup.exe Win32/Alcan.I infected C:\Program Files\outlook\
v.tmp Win32/Alcan.I infected C:\Program Files\outlook\


It said 'cannot cure' for all of them once I tried to 'Cure Files'.

----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 5:54:40 AM, on 10/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\EPSON\ESM2\eEBSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\iTunes\iTunesHelper.exe
C:\Program Files\outlook\outlook.exe
C:\WINDOWS\system32\winlog.exe
C:\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\hijackthis\HijackThis.exe
C:\Program Files\Common Files\{EC00B7F8-0477-1033-0329-040314010002}\Update.exe

F1 - win.ini: run= C:\WESTWOOD\C&C95\INSTICON.EXE
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime6\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [{EC00B7F8-0477-1033-0329-040314010002}] "C:\Program Files\Common Files\{EC00B7F8-0477-1033-0329-040314010002}\Update.exe" mc-110-12-0000137
O4 - HKLM\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: EPSON Background Monitor.lnk = C:\EPSON\ESM2\STMS.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q29saW4gUGFya3M\command.exe (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000137 (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\EPSON\ESM2\eEBSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE

Oddly enough, Bar888 wasn't in that scan. It normally appears in the O2 - BHOs, although it might not be there right now because I JUST restarted and Spybot ran at startup and 'fixed' it. (Almost makes me want to go do things until it reappears, just to include it in the log for you guys. :sad: )

I also had an older version of Bearshare, which I (hopefully) got rid of the other day, when I saw it on that list of possibly infectious P2P programs.

Anyway, I hope I wasn't out of line, posting this here.
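The log above is the kind a helper reads by eye: services with "Unknown owner" whose binary is "(file missing)", an autorun living in a GUID-named folder under Common Files, names one or two letters off a real Windows binary (winlog.exe next to winlogon.exe, svchosts.exe next to svchost.exe), and the same name registered under both Run and RunServices. The script below is an added example for this thread, not part of HijackThis, Spybot or anything the poster ran, and it applies those checks to a constructed excerpt copied from the O4/O23 lines above. Note what it cannot see: C:\Program Files\outlook\outlook.exe looks ordinary by name and was only identified by the eTrust scan, which is why the log is paired with an antivirus scan rather than read alone.

```python
"""Triage of HijackThis-style O4/O23 lines.

Added example for this thread; not code from HijackThis or any tool used here.
SAMPLE_LOG is a constructed excerpt copied from the first post's log.
"""
import re

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [{EC00B7F8-0477-1033-0329-040314010002}] "C:\Program Files\Common Files\{EC00B7F8-0477-1033-0329-040314010002}\Update.exe" mc-110-12-0000137
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q29saW4gUGFya3M\command.exe (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000137 (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\EPSON\ESM2\eEBSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Stems of core Windows binaries that malware names itself after, give or take a letter.
SYSTEM_STEMS = {"winlogon", "svchost", "lsass", "csrss", "smss", "services", "explorer", "spoolsv"}

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<cmd>.*)$")
EXE_RE = re.compile(r'[^\\"\s]+\.exe', re.I)


def edit_distance(a, b):
    """Levenshtein distance, plain dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def basename_of(cmd):
    """Lower-cased file name of the first .exe mentioned in a command line, or None."""
    m = EXE_RE.search(cmd)
    return m.group(0).lower() if m else None


def triage(log_text):
    """Return (rule, evidence) pairs for every line that trips one of the checks."""
    findings = []
    run_keys = {}  # autorun name -> set of Run-style keys it appears under
    for line in log_text.splitlines():
        o4, o23 = O4_RE.match(line), O23_RE.match(line)
        if o4:
            cmd = o4["cmd"]
            run_keys.setdefault(o4["name"].lower(), set()).add(o4["key"])
            if GUID_RE.search(cmd) and "common files" in cmd.lower():
                findings.append(("autorun in GUID-named folder", line))
        elif o23:
            cmd = o23["cmd"]
            # "Unknown owner" alone is noisy (the Epson service has it too); a
            # missing binary on top of it is what marks the two rogue services.
            if o23["owner"] == "Unknown owner" and "(file missing)" in cmd:
                findings.append(("unknown-owner service with missing binary", line))
        else:
            continue
        base = basename_of(cmd)
        if base:
            stem = base[:-4]
            if stem not in SYSTEM_STEMS and min(edit_distance(stem, s) for s in SYSTEM_STEMS) <= 2:
                findings.append(("name within 2 edits of a system binary", line))
    for name, keys in run_keys.items():
        if {"Run", "RunServices"} <= keys:
            findings.append(("same name under Run and RunServices", name))
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_LOG):
        print(f"[{rule}] {evidence}")
```

Run against the excerpt it flags the GUID Update.exe autorun, both "Command Service" and "COM+ Messages", winlog.exe twice and svchosts.exe once as system-binary lookalikes, and winlog as registered under both keys; the iTunes, NVIDIA and Epson entries pass, as does the malicious outlook.exe, which is the limit of name-based triage.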

Angelfire777
2007-01-10, 12:06
*I noticed that you are not running any AntiVirus application. You could get infected immediately after we clean you up. Please download and install ONE of these:

» Avast! (http://www.asw.cz/eng/avast_4_home.html)
» AVG AntiVirus (http://free.grisoft.com/doc/5390/lng/us/tpl/v5#avg-anti-virus-free)
» AntiVir (http://www.free-av.com/)

*Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update. Do not use it yet!

*Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune

DO NOT USE IT YET!!

*Download combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)

Do not use it yet!

*Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip).
Unzip it to its own folder (c:\BFU)

RIGHT-CLICK HERE (http://metallica.geekstogo.com/alcanshorty.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcra Remover.

Save it in the folder you made earlier (c:\BFU).

Do not use it yet!

*Clear your Java Cache:

Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
It will say "Java Plug-in" under the icon.
Under Temporary Internet Files, click the Delete Files button.
There are three options in the window to clear the cache - Leave ALL 3 Checked
Downloaded Applets
Downloaded Applications
Other Files
Click OK on Delete Temporary Files Window.

Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Java Control Panel.

________________________________________

You may want to print these instructions here or save them in notepad since you'll work offline.

Reboot into Safe Mode.

To enter Safe Mode..

Click Start > Turn Off Computer > Restart > Tap the F8 key just before Windows starts to load > This will bring up a menu > Use your keyboard to scroll to Safe Mode > Hit Enter.


Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click
No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

*Open My Computer and navigate to the c:\BFU folder.

Start the Brute Force Uninstaller by double-clicking BFU.exe.
In the 'Scriptline to execute' field, copy and paste:

c:\bfu\alcanshorty.bfu
Press Execute and let it do its job.
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.

*Please run AVG AntiSpyware, and run a full scan as follows:

IMPORTANT: Do not open any other windows or programs while AVG AntiSpyware is scanning, it may interfere with the scanning process.

Launch AVG AntiSpyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
AVG AntiSpyware will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will be prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save Report As" button in the lower left hand of the screen and save it to a text file on your system. (Make sure to remember where you saved that file, this is important).
Close AVG AntiSpyware.


* 1. Double click combofix.exe & follow the prompts.
2. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

On your next reply, please include a fresh HijackThis log, AVG antispyware log, combofix log and a description on how your machine is running.

Amethystine
2007-01-11, 02:33
Ok, so things are really looking up! (I think)

A few things to note: I accidentally didn't get one of the three anti-virus programs until after going into Safe Mode and rebooting to make this post. That is, I got it about 3 minutes ago. :|

On the bright side, before going into Safe Mode to run those scans, I noticed that I could use Ctrl Alt Del to open Task Manager again and that Bar888 had stopped reappearing constantly and that folder that was popping up in the Recycle Bin stopped appearing in there, over and over.

Also, Windows downloaded an update and on the restart, it came up with this 'Windows Malicious Software Removal Tool' thing (which had an icon which was a Scrubby Brush and a Monitor being scrubbed). I wasn't ready to trust it, so I didn't let it run a scan. I was being paranoid about imitators, I guess.

The best part seems to be that upon Startup, SpyBot ran and only found Windows' Virus Protection OverRide (which is from when I told Windows' Firewall/Virus Protection that 'I have a virus solution I will monitor myself'). It's weird that Spybot would find it.

Also, the AVG AntiSpyware log is extremely huge (Like 10 posts worth). Should I actually post that many times?

----------------HijackThis Log-------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:26:11 PM, on 10/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\AVG Anti-Spyware 7.5\guard.exe
C:\EPSON\ESM2\eEBSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\iTunes\iTunesHelper.exe
C:\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

F1 - win.ini: run= C:\WESTWOOD\C&C95\INSTICON.EXE
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime6\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: EPSON Background Monitor.lnk = C:\EPSON\ESM2\STMS.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000137 (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\EPSON\ESM2\eEBSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE

------------------------------------------------

Administrator - 07-01-10 19:54:54.57 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Administrator\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.com
C:\Program Files\outlook
C:\Program Files\Common Files\{3C00B7F8-0477-1033-0329-040314010002}
C:\Program Files\Common Files\{EC00B7F8-0477-1033-0329-040314010002}
C:\WINDOWS\Q29saW4gUGFya3M


((((((((((((((((((((((((((((((( Files Created from 2006-12-10 to 2007-01-10 ))))))))))))))))))))))))))))))))))


2007-01-10 17:48 <DIR> d-------- C:\bfu
2007-01-10 17:43 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-10 17:43 <DIR> d-------- C:\AVG Anti-Spyware 7.5
2007-01-08 20:00 <DIR> d-------- C:\Program Files\Ipwindows
2007-01-04 15:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2007-01-04 15:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-12-26 00:41 <DIR> d-------- C:\hijackthis
2006-12-15 10:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2006-12-15 10:50 <DIR> d-------- C:\Program Files\Common Files\Skype
2006-12-15 10:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-10 19:55 -------- d-------- C:\Program Files\Common Files
2006-12-21 15:04 12464 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2006-12-15 10:50 -------- d-------- C:\Program Files\Skype
2006-12-15 03:03 -------- d-------- C:\Program Files\Internet Explorer
2006-12-15 03:01 -------- d-------- C:\Program Files\Outlook Express
2006-12-15 03:01 -------- d-------- C:\Program Files\Common Files\System
2006-12-07 01:29 2374472 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-11-21 13:25 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-08 01:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-10-19 09:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-13 08:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 08:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 08:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"Windows Media Connect 2"="\"C:\\Program Files\\Windows Media Connect 2\\WMCCFG.exe\" /StartQuiet"
"QuickTime Task"="\"C:\\QuickTime6\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\iTunes\\iTunesHelper.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SpybotSnD"="\"C:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe\" /autocheck"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
@=""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,10,03,00,00,15,01,00,00,e0,00,00,00,d6,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


-----To be Continued with 'ComboFix Log: HijackThis Backups'-----------
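The most telling part of the ComboFix log above is the "Other Deletions" list: cmd.com, netstat.com, ping.com, regedit.com, taskkill.com, tasklist.com and tracert.com in system32. When a bare command name is typed at a cmd.exe prompt or run from a batch file, the shell walks PATH directory by directory and, inside each directory, tries the PATHEXT extensions in order; Windows XP's default PATHEXT lists .COM before .EXE, so a planted cmd.com beside the real cmd.exe is what runs when the user types "cmd", and the planted names are exactly the tools someone reaches for to investigate a machine. The script below is an added example for this thread, not ComboFix code, and touches no real system. Its directory listing is constructed from the log; it assumes the default PATHEXT, a PATH of system32 followed by C:\WINDOWS, and regedit.exe living in C:\WINDOWS as it does on XP. more.com is included because it is a legitimate .com with no more.exe: the check is ".com winning over a same-named .exe", not "any .com file".

```python
"""Why the .com files in ComboFix's "Other Deletions" list mattered.

Added example for this thread; not ComboFix code. The file listing is
constructed from the log, and PATH/PATHEXT are assumed to be XP defaults.
"""
DEFAULT_PATHEXT = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH"  # XP default (assumption)
SYSTEM32 = r"C:\WINDOWS\system32"
WINDIR = r"C:\WINDOWS"
PATH_DIRS = [SYSTEM32, WINDIR]  # assumption: system32 is searched before C:\WINDOWS

# Constructed: the state before ComboFix ran, per its "Other Deletions" section.
FS_BEFORE = {
    SYSTEM32: {
        "cmd.exe", "cmd.com", "netstat.exe", "netstat.com", "ping.exe", "ping.com",
        "regedit.com", "taskkill.exe", "taskkill.com", "tasklist.exe", "tasklist.com",
        "tracert.exe", "tracert.com", "calc.exe", "more.com",
    },
    WINDIR: {"regedit.exe", "explorer.exe", "notepad.exe"},
}
# The state after the planted files are removed; more.com is legitimate and stays.
PLANTED = {"cmd.com", "netstat.com", "ping.com", "regedit.com",
           "taskkill.com", "tasklist.com", "tracert.com"}
FS_AFTER = {d: names - PLANTED for d, names in FS_BEFORE.items()}


def resolve(command, fs, path_dirs=PATH_DIRS, pathext=DEFAULT_PATHEXT):
    """Full path the shell would launch for a bare command name, or None.

    Directory order is the outer loop and extension order the inner one, so a
    .com in an earlier PATH directory beats an .exe in a later one even if
    PATHEXT is reordered to put .EXE first.
    """
    exts = [e.lower() for e in pathext.split(";")]
    for d in path_dirs:
        present = {n.lower() for n in fs.get(d, ())}
        for ext in exts:
            name = command.lower() + ext
            if name in present:
                return d + "\\" + name
    return None


def shadowed_commands(fs, path_dirs=PATH_DIRS, pathext=DEFAULT_PATHEXT):
    """(stem, winner) for every .exe on PATH whose bare name runs something else."""
    out, seen = [], set()
    for d in path_dirs:
        for name in sorted(fs.get(d, ())):
            if not name.lower().endswith(".exe"):
                continue
            stem = name.lower()[:-4]
            if stem in seen:
                continue
            seen.add(stem)
            winner = resolve(stem, fs, path_dirs, pathext)
            if winner and not winner.lower().endswith(".exe"):
                out.append((stem, winner))
    return out


if __name__ == "__main__":
    for stem, winner in shadowed_commands(FS_BEFORE):
        print(f"{stem:<10} -> {winner}")
    print("after cleanup:", shadowed_commands(FS_AFTER))
```

Two points worth noticing when running it: reordering PATHEXT to put .EXE first rescues "cmd" but not "regedit", because system32 is searched before C:\WINDOWS and has no regedit.exe of its own, so removing the files (what ComboFix did) is the fix rather than a PATHEXT tweak; and taskmgr is not among the shadowed names, so the blocked Task Manager in the original report came from some other mechanism that these logs do not show.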

Amethystine
2007-01-11, 02:34
~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070110-064147-129
O4 - HKLM\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
backup-20070109-214759-848
R3 - Default URLSearchHook is missing
backup-20070109-214644-119
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20070109-214644-912
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20070106-191540-550
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20070106-191540-790
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20070105-004921-663
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20070105-004921-745
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20070105-000422-520
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20070105-000422-107
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20070105-000422-886
O4 - HKLM\..\Run: [{EC00B7F8-0477-1033-0329-040314010002}] "C:\Program Files\Common Files\{EC00B7F8-0477-1033-0329-040314010002}\Update.exe" mc-110-12-0000137
backup-20070104-190727-694
O4 - HKLM\..\Run: [{EC00B7F8-0477-1033-0329-040314010002}] "C:\Program Files\Common Files\{EC00B7F8-0477-1033-0329-040314010002}\Update.exe" mc-110-12-0000137
backup-20070104-190727-830
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20070104-190727-395
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20070104-164239-739
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20070104-164238-430
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20070104-002102-837
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20070104-002102-617
O4 - HKLM\..\Run: [{EC00B7F8-0477-1033-0329-040314010002}] "C:\Program Files\Common Files\{EC00B7F8-0477-1033-0329-040314010002}\Update.exe" mc-110-12-0000137
backup-20070104-002102-920
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20070102-030511-857
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20070102-030511-253
O4 - HKLM\..\Run: [{EC00B7F8-0477-1033-0329-040314010002}] "C:\Program Files\Common Files\{EC00B7F8-0477-1033-0329-040314010002}\Update.exe" mc-110-12-0000137
backup-20070102-030510-867
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20070101-233503-200
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20070101-233503-118
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20070101-233503-897
O4 - HKLM\..\Run: [{EC00B7F8-0477-1033-0329-040314010002}] "C:\Program Files\Common Files\{EC00B7F8-0477-1033-0329-040314010002}\Update.exe" mc-110-12-0000137
backup-20070101-180640-253
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20070101-180640-970
O4 - HKLM\..\Run: [{EC00B7F8-0477-1033-0329-040314010002}] "C:\Program Files\Common Files\{EC00B7F8-0477-1033-0329-040314010002}\Update.exe" mc-110-12-0000137
backup-20070101-180640-398
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20070101-142834-878
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20070101-142834-397
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20070101-142834-212
O4 - HKLM\..\Run: [{EC00B7F8-0477-1033-0329-040314010002}] "C:\Program Files\Common Files\{EC00B7F8-0477-1033-0329-040314010002}\Update.exe" mc-110-12-0000137
backup-20070101-012906-392
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20070101-012906-319
O4 - HKLM\..\Run: [{EC00B7F8-0477-1033-0329-040314010002}] "C:\Program Files\Common Files\{EC00B7F8-0477-1033-0329-040314010002}\Update.exe" mc-110-12-0000137
backup-20070101-012906-539
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061231-201150-328
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061231-201150-108
O4 - HKLM\..\Run: [{EC00B7F8-0477-1033-0329-040314010002}] "C:\Program Files\Common Files\{EC00B7F8-0477-1033-0329-040314010002}\Update.exe" mc-110-12-0000137
backup-20061231-201150-942
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061231-170828-765
O4 - HKLM\..\Run: [{EC00B7F8-0477-1033-0329-040314010002}] "C:\Program Files\Common Files\{EC00B7F8-0477-1033-0329-040314010002}\Update.exe" mc-110-12-0000137
backup-20061231-170828-806
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061231-170828-922
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061231-155842-798
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061231-155842-893
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061231-155817-881
O4 - HKLM\..\Run: [{EC00B7F8-0477-1033-0329-040314010002}] "C:\Program Files\Common Files\{EC00B7F8-0477-1033-0329-040314010002}\Update.exe" mc-110-12-0000137
backup-20061230-181708-538
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
backup-20061230-181708-143
O4 - HKLM\..\Run: [{EC00B7F8-0477-1033-0329-040314010002}] "C:\Program Files\Common Files\{EC00B7F8-0477-1033-0329-040314010002}\Update.exe" mc-110-12-0000137
backup-20061230-181708-832
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061230-181708-259
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061230-002732-607
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061230-002732-453
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061230-002732-386
O4 - HKLM\..\Run: [{EC00B7F8-0477-1033-0329-040314010002}] "C:\Program Files\Common Files\{EC00B7F8-0477-1033-0329-040314010002}\Update.exe" mc-110-12-0000137
backup-20061230-002732-782
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
backup-20061229-124931-804
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061229-124931-410
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061229-124931-189
O4 - HKLM\..\Run: [{EC00B7F8-0477-1033-0329-040314010002}] "C:\Program Files\Common Files\{EC00B7F8-0477-1033-0329-040314010002}\Update.exe" mc-110-12-0000137
backup-20061229-124247-398
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061229-124247-178
O4 - HKLM\..\Run: [{EC00B7F8-0477-1033-0329-040314010002}] "C:\Program Files\Common Files\{EC00B7F8-0477-1033-0329-040314010002}\Update.exe" mc-110-12-0000137
backup-20061229-124247-481
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061229-120450-191
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061229-120450-212
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061229-114316-638
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061229-114316-534
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061229-114316-418
O4 - HKLM\..\Run: [{EC00B7F8-0477-1033-0329-040314010002}] "C:\Program Files\Common Files\{EC00B7F8-0477-1033-0329-040314010002}\Update.exe" mc-110-12-0000137
backup-20061229-102038-482
O4 - HKLM\..\Run: [{EC00B7F8-0478-1033-0329-040314010002}] "C:\Program Files\Common Files\{EC00B7F8-0478-1033-0329-040314010002}\Update.exe" mc-110-12-0000137
backup-20061229-102038-297
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
backup-20061229-102038-245
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061229-102038-119
O4 - HKLM\..\Run: [{EC00B7F8-0477-1033-0329-040314010002}] "C:\Program Files\Common Files\{EC00B7F8-0477-1033-0329-040314010002}\Update.exe" mc-110-12-0000137
backup-20061229-102038-580
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061229-014118-452
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061229-014118-378
O4 - HKLM\..\Run: [{EC00B7F8-0477-1033-0329-040314010002}] "C:\Program Files\Common Files\{EC00B7F8-0477-1033-0329-040314010002}\Update.exe" mc-110-12-0000137
backup-20061229-014118-599
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061229-012833-956
O4 - HKLM\..\Run: [{EC00B7F8-0477-1033-0329-040314010002}] "C:\Program Files\Common Files\{EC00B7F8-0477-1033-0329-040314010002}\Update.exe" mc-110-12-0000137
backup-20061229-012833-749
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061229-012833-176
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061229-003123-824
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
backup-20061229-002523-391
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061229-002523-690
O4 - HKLM\..\Run: [{EC00B7F8-0477-1033-0329-040314010002}] "C:\Program Files\Common Files\{EC00B7F8-0477-1033-0329-040314010002}\Update.exe" mc-110-12-0000137
backup-20061229-002523-134
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061228-215858-289
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
backup-20061228-215857-365
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
backup-20061228-215855-455
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
backup-20061228-215853-732
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\ICQLite\ICQLite.exe
backup-20061228-215851-792
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\ICQLite\ICQLite.exe
backup-20061228-215841-515
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AIM95\aim.exe
backup-20061228-215841-925
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061228-215841-355
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
backup-20061228-215841-809
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061228-215841-872
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
backup-20061228-215841-597
O4 - HKLM\..\Run: [{EC00B7F8-0477-1033-0329-040314010002}] "C:\Program Files\Common Files\{EC00B7F8-0477-1033-0329-040314010002}\Update.exe" mc-110-12-0000137
backup-20061228-215841-987
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
backup-20061228-215841-655
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
backup-20061228-215841-317
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
backup-20061228-215841-324
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
backup-20061228-215841-688
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
backup-20061228-215841-720
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
backup-20061228-215841-898
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
backup-20061228-215841-908
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
backup-20061228-215841-647
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
backup-20061228-164519-596
O4 - HKLM\..\Run: [{EC00B7F8-0477-1033-0329-040314010002}] "C:\Program Files\Common Files\{EC00B7F8-0477-1033-0329-040314010002}\Update.exe" mc-110-12-0000137
backup-20061228-164519-816
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061228-164519-588
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061228-162334-407
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061228-162334-283
O4 - HKLM\..\Run: [{EC00B7F8-0477-1033-0329-040314010002}] "C:\Program Files\Common Files\{EC00B7F8-0477-1033-0329-040314010002}\Update.exe" mc-110-12-0000137
backup-20061228-162334-503
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061228-151959-976
O4 - HKLM\..\Run: [{EC00B7F8-0477-1033-0329-040314010002}] "C:\Program Files\Common Files\{EC00B7F8-0477-1033-0329-040314010002}\Update.exe" mc-110-12-0000137
backup-20061228-151959-279
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061228-151959-196
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061228-134938-517
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061228-134938-297
O4 - HKLM\..\Run: [{EC00B7F8-0477-1033-0329-040314010002}] "C:\Program Files\Common Files\{EC00B7F8-0477-1033-0329-040314010002}\Update.exe" mc-110-12-0000137
backup-20061228-134938-600
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061228-122720-824
O4 - HKLM\..\Run: [{EC00B7F8-0477-1033-0329-040314010002}] "C:\Program Files\Common Files\{EC00B7F8-0477-1033-0329-040314010002}\Update.exe" mc-110-12-0000137
backup-20061228-122720-670
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061228-122720-631
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061227-215046-921
O4 - HKLM\..\Run: [{EC00B7F8-0477-1033-0329-040314010002}] "C:\Program Files\Common Files\{EC00B7F8-0477-1033-0329-040314010002}\Update.exe" mc-110-12-0000137
backup-20061226-122451-936
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
backup-20061226-122023-397
O4 - HKLM\..\Run: [{EC00B7F8-0477-1033-0329-040314010002}] "C:\Program Files\Common Files\{EC00B7F8-0477-1033-0329-040314010002}\Update.exe" mc-110-12-0000137
backup-20061226-121439-976
O4 - HKLM\..\Run: [{EC00B7F8-0477-1033-0329-040314010002}] "C:\Program Files\Common Files\{EC00B7F8-0477-1033-0329-040314010002}\Update.exe" mc-110-12-0000137
backup-20061226-115720-329
O4 - HKLM\..\Run: [{EC00B7F8-0477-1033-0329-040314010002}] "C:\Program Files\Common Files\{EC00B7F8-0477-1033-0329-040314010002}\Update.exe" mc-110-12-0000137
backup-20061226-114736-220
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll (file missing)
backup-20061226-114736-855
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll (file missing)
backup-20061226-004849-113
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061226-004849-196
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C00B~1\Bar888.dll
backup-20061226-004638-279
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
backup-20061226-004638-236
O4 - HKLM\..\Run: [{EC00B7F8-0477-1033-0329-040314010002}] "C:\Program Files\Common Files\{EC00B7F8-0477-1033-0329-040314010002}\Update.exe" mc-110-12-0000137
backup-20061226-004638-319
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 07-01-10 19:55:43.54
C:\ComboFix.txt ... 07-01-10 19:55

-----------------------------------------------------

As for how the PC is running, it seems completely back to normal. I'm really hopeful things are almost fixed, but I'm not going away until I do a follow-up and we make sure it's all over with. :)

Amethystine
2007-01-11, 03:12
The reason the AVG Anti-Spyware Log is so big is that it's simply repeating lines like this:

C:\System Volume Information\_restore{27EB5E19-FC91-44D7-B6FA-C2DA96FE59AC}\RP1040\A0121059.exe -> Adware.Softomate : Cleaned with backup (quarantined).

Over and over, simply with ascending numbers right before the extension. I hesitate to post it (10 times over) because I don't want to dump all that on you guys, and I believe you only really need to know that they all say 'Cleaned with backup (quarantined)'.

I could simply post the logs with those repeating lines edited out, and a note that this or that line repeats thousands of times. I would make sure to include all unique parts of the log.

I probably sound like an idiot and apologize for being wishy-washy about this. If I just need to shut up and post 10 or so times to get the whole log up, let me know.

Angelfire777
2007-01-11, 11:25
A few things to note: I accidentally didn't get one of the three anti-virus programs until after going into Safe Mode and rebooting to make this post. That is, I got it about 3 minutes ago.

No worries about that.


Also, Windows downloaded an update and on the restart, it came up with this 'Windows Malicious Software Removal Tool' thing (which had an icon which was a Scrubby Brush and a Monitor being scrubbed). I wasn't ready to trust it, so I didn't let it run a scan. I was being paranoid about imitators, I guess.

It's good that you are paranoid about those things, but the Windows Malicious Software Removal Tool is legit.


I could simply post the logs with those repeating lines edited out, and a note that this or that line repeats thousands of times. I would make sure to include all unique parts of the log.

I probably sound like an idiot and apologize for being wishy-washy about this. If I just need to shut up and post 10 or so times to get the whole log up, let me know.

Yes, please do that for me if you can. By sorting it out, you'll be helping me a lot by saving a lot of my time.

Before we continue, please post the AVG Anti-Spyware log that was sorted out. :bigthumb:

Amethystine
2007-01-11, 21:01
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:51:47 PM 10/01/2007

+ Scan result:



C:\Program Files\Ipwindows\ipwins.exe -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{27EB5E19-FC91-44D7-B6FA-C2DA96FE59AC}\RP1036\A0120425.exe -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{27EB5E19-FC91-44D7-B6FA-C2DA96FE59AC}\RP1046\A0123690.exe -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\Documents and Settings\Lauren\install.exe -> Adware.MaxSearch : Cleaned with backup (quarantined).
C:\Documents and Settings\Simone\install.exe -> Adware.MaxSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{27EB5E19-FC91-44D7-B6FA-C2DA96FE59AC}\RP1036\A0120399.dll -> Adware.MaxSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{27EB5E19-FC91-44D7-B6FA-C2DA96FE59AC}\RP1037\A0120549.exe -> Adware.MaxSearch : Cleaned with backup (quarantined).
*repeats previous line with exe or dll and ascending numbers*

C:\WINDOWS\system32\install.exe -> Adware.MaxSearch : Cleaned with backup (quarantined).
C:\hijackthis\backups\backup-20061228-122720-631.dll -> Adware.MaxSearch : Cleaned with backup (quarantined).
C:\hijackthis\backups\backup-20061228-134938-600.dll -> Adware.MaxSearch : Cleaned with backup (quarantined).
C:\hijackthis\backups\backup-20061228-151959-279.dll -> Adware.MaxSearch : Cleaned with backup (quarantined).
*repeats previous line with various numbers*

C:\System Volume Information\_restore{27EB5E19-FC91-44D7-B6FA-C2DA96FE59AC}\RP1047\A0124813.exe/VVSN.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\Colin\Local Settings\Temp\temp.fr0131 -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Documents and Settings\Colin\Local Settings\Temp\temp.frF0BE -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{EC00B7F8-0477-1033-0329-040314010002}\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-18\Dc1\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-18\Dc4\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-18\Dc5\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-18\Dc6\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-18\Dc7\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{27EB5E19-FC91-44D7-B6FA-C2DA96FE59AC}\RP1036\A0120348.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{27EB5E19-FC91-44D7-B6FA-C2DA96FE59AC}\RP1036\A0120350.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{27EB5E19-FC91-44D7-B6FA-C2DA96FE59AC}\RP1036\A0120352.dll -> Adware.Softomate : Cleaned with backup (quarantined).
*repeats previous line with exe or dll and ascending numbers*

C:\System Volume Information\_restore{27EB5E19-FC91-44D7-B6FA-C2DA96FE59AC}\RP1040\snapshot\MFEX-9.DAT -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{27EB5E19-FC91-44D7-B6FA-C2DA96FE59AC}\RP1041\A0121132.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{27EB5E19-FC91-44D7-B6FA-C2DA96FE59AC}\RP1041\A0121133.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{27EB5E19-FC91-44D7-B6FA-C2DA96FE59AC}\RP1041\A0121134.dll -> Adware.Softomate : Cleaned with backup (quarantined).
*repeats previous line with exe or dll and ascending numbers*

C:\System Volume Information\_restore{27EB5E19-FC91-44D7-B6FA-C2DA96FE59AC}\RP1043\snapshot\MFEX-1.DAT -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{27EB5E19-FC91-44D7-B6FA-C2DA96FE59AC}\RP1044\A0122401.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{27EB5E19-FC91-44D7-B6FA-C2DA96FE59AC}\RP1044\A0122402.exe -> Adware.Softomate : Cleaned with backup (quarantined).
*repeats previous line with exe or dll and ascending numbers*

C:\System Volume Information\_restore{27EB5E19-FC91-44D7-B6FA-C2DA96FE59AC}\RP1048\A0124891.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{27EB5E19-FC91-44D7-B6FA-C2DA96FE59AC}\RP1043\A0122369.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{27EB5E19-FC91-44D7-B6FA-C2DA96FE59AC}\RP1043\A0122370.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{27EB5E19-FC91-44D7-B6FA-C2DA96FE59AC}\RP1049\A0124895.exe -> Backdoor.Rbot : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{27EB5E19-FC91-44D7-B6FA-C2DA96FE59AC}\RP1036\A0120398.exe -> Downloader.Agent.bca : Cleaned with backup (quarantined).
*repeats last line with ascending numbers*

C:\System Volume Information\_restore{27EB5E19-FC91-44D7-B6FA-C2DA96FE59AC}\RP1048\A0124827.exe -> Downloader.Agent.bca : Cleaned with backup (quarantined).
C:\WINDOWS\system32\svchosts.exe -> Downloader.Agent.bca : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{27EB5E19-FC91-44D7-B6FA-C2DA96FE59AC}\RP1036\A0120423.exe -> Downloader.PurityScan.dy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{27EB5E19-FC91-44D7-B6FA-C2DA96FE59AC}\RP1036\A0120426.dll -> Downloader.Small.ece : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{27EB5E19-FC91-44D7-B6FA-C2DA96FE59AC}\RP1036\A0120424.exe -> Dropper.DollarR.b : Cleaned with backup (quarantined).
:mozilla.30:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\9zc33gwp.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.32:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\9zc33gwp.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.33:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\9zc33gwp.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.7:C:\Documents and Settings\Simone\Application Data\Mozilla\Firefox\Profiles\rlyik0p8.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.16:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\9zc33gwp.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.22:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\9zc33gwp.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.23:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\9zc33gwp.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.14:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\9zc33gwp.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned.
:mozilla.15:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\9zc33gwp.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned.
:mozilla.19:C:\Documents and Settings\Simone\Application Data\Mozilla\Firefox\Profiles\rlyik0p8.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.20:C:\Documents and Settings\Simone\Application Data\Mozilla\Firefox\Profiles\rlyik0p8.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.24:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\9zc33gwp.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.25:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\9zc33gwp.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.26:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\9zc33gwp.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.27:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\9zc33gwp.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.28:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\9zc33gwp.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.29:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\9zc33gwp.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.21:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\9zc33gwp.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\System Volume Information\_restore{27EB5E19-FC91-44D7-B6FA-C2DA96FE59AC}\RP1042\A0122088.vbs -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\Q29saW4gUGFya3M\kZ6Puqb0o3IVuag.vbs -> Trojan.Small : Cleaned with backup (quarantined).
C:\Program Files\outlook\p.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Program Files\outlook\v.tmp -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{27EB5E19-FC91-44D7-B6FA-C2DA96FE59AC}\RP1049\A0124894.exe -> Worm.VB.dw : Cleaned with backup (quarantined).


::Report end


There! Much shorter than 95 pages. :P The PC's been running fine, still, although I have yet to restart it since my last post.

Angelfire777
2007-01-12, 14:50
Hi, I really appreciate you sorting out the log for me :)

*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000137 (file missing)

Close your browsers and all open windows except for HijackThis, then click "Fix checked".


*Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type delservices.bat in the File name and save it to your desktop.


@echo off
sc stop "COM+ Messages"
sc delete "COM+ Messages"


Locate delservices.bat on your Desktop and double-click on it.


*Using Windows Explorer, find and delete these files:

C:\Documents and Settings\Colin\astr.exe


Delete the following folders:

C:\Program Files\Ipwindows

Empty your recycle bin.

Reboot your machine then post a final HijackThis log.
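The instructions above single out an O23 service with no owner and a missing binary named like svchost.exe, and earlier logs show a Run key named by a bare GUID pointing into a GUID-named folder under Common Files. The script below is an added example (not part of HijackThis or of any tool used in this thread) that flags those same patterns in HijackThis O4 and O23 lines; the sample lines are copied from the logs posted here plus one benign AVG service line, and the list of system binary names it compares against is my own assumption.

```python
"""Triage heuristics for HijackThis O4 (Run keys) and O23 (services) lines.

Added example, not part of HijackThis or of the tools used in this thread:
it flags the same patterns the helper acted on, so a reader can see what
"looks wrong" in such a log before deciding what to fix.
"""
import re
from dataclasses import dataclass, field

# Sample input: lines copied from the logs posted in this thread, plus one
# benign O23 line (AVG) to show that ordinary services are not flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [{EC00B7F8-0477-1033-0329-040314010002}] "C:\Program Files\Common Files\{EC00B7F8-0477-1033-0329-040314010002}\Update.exe" mc-110-12-0000137
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000137 (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
"""

GUID = r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}"
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.*)$")
GUID_NAME_RE = re.compile(r"^" + GUID + r"$", re.I)
GUID_DIR_RE = re.compile(r"\\" + GUID + r"\\", re.I)
EXE_RE = re.compile(r'[A-Z]:\\[^"]*?\.exe', re.I)

# Assumed list of Windows binaries whose names malware commonly imitates,
# and the directories they legitimately run from.
SYSTEM_BINARIES = ("csrss.exe", "explorer.exe", "lsass.exe", "services.exe",
                   "smss.exe", "spoolsv.exe", "svchost.exe", "winlogon.exe")
SYSTEM_DIRS = ("\\windows", "\\windows\\system32", "\\windows\\syswow64")


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot one-character twists on system binary names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(basename: str):
    """Return the system binary name that `basename` is one edit away from, if any."""
    for real in SYSTEM_BINARIES:
        if edit_distance(basename.lower(), real) == 1:
            return real
    return None


def check_exe(text: str) -> list:
    """Reasons derived from the first .exe path found in a command line or service path."""
    m = EXE_RE.search(text)
    if not m:
        return []
    directory, _, base = m.group(0).lower().rpartition("\\")
    reasons = []
    if base in SYSTEM_BINARIES:
        # A genuine system binary name in the wrong directory is as suspicious as a twist on the name.
        if not directory.endswith(SYSTEM_DIRS):
            reasons.append(f"{base} running from outside the Windows directory")
    else:
        twin = lookalike(base)
        if twin:
            reasons.append(f"binary name {base} mimics {twin}")
    return reasons


def triage(log_text: str) -> list:
    """Return a Finding for every O4/O23 line that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons = []
        m = O4_RE.match(line)
        if m:
            if GUID_NAME_RE.match(m["name"]):
                reasons.append("run key named by a bare GUID")
            if GUID_DIR_RE.search(m["cmd"]):
                reasons.append("executable lives in a GUID-named folder")
            reasons += check_exe(m["cmd"])
        else:
            m = O23_RE.match(line)
            if m:
                if m["owner"].lower() == "unknown owner":
                    reasons.append("service has no registered owner/company")
                if "(file missing)" in m["path"].lower():
                    reasons.append("service binary missing on disk")
                reasons += check_exe(m["path"])
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line[:70] + "...")
        for r in f.reasons:
            print("   -", r)
```

Run against the sample, it reports only the GUID-keyed Run entry and the "COM+ Messages" service; the NVIDIA and AVG lines pass clean.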

Amethystine
2007-01-13, 06:33
As for cutting that log down to size, you're welcome.

As for the instructions, I wasn't able to find 'astr.exe' (ran a search on the whole drive) and therefore couldn't delete it. Is it possible the AVG scan killed it? I saw it pop up and heal something yesterday, but I didn't catch what.

And the 'Delservices' file didn't appear to do much of anything (just flashed open a command box and disappeared), but I guess that's because it's only 3 lines of code. :}

I deleted Ipwindows, though, don't worry.

Here's the HiJackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 1:24:07 AM, on 13/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\EPSON\ESM2\eEBSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\iPod\bin\iPodService.exe
C:\hijackthis\HijackThis.exe

F1 - win.ini: run= C:\WESTWOOD\C&C95\INSTICON.EXE
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime6\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: EPSON Background Monitor.lnk = C:\EPSON\ESM2\STMS.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\EPSON\ESM2\eEBSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE

I assume I can delete the 'Delservices.bat' file now, too?

Thanks again for your help.

Angelfire777
2007-01-13, 11:10
As for the instructions, I wasn't able to find 'astr.exe' (ran a search on the whole drive) and therefore couldn't delete it. Is it possible the AVG scan killed it? I saw it pop up and heal something yesterday, but I didn't catch what.

That's ok.


And the 'Delservices' file didn't appear to do much of anything (just flashed open a command box and disappeared), but I guess that's because it's only 3 lines of code. :}

That's normal.


I assume I can delete the 'Delservices.bat' file now, too?

Sure.

_____________________________

Congratulations! Your log looks clean!

This is a good time to clear your existing system restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore

Select Create a restore point, and Ok it.

Next, go to Start > Run and type in cleanmgr

Select the More options tab

Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.
______________________
Here are some free programs I recommend that could help you improve your pc's security.

Firewall Application - Although Windows XP comes with a firewall, you should not rely on it, because the Windows Firewall can only filter incoming data; outgoing traffic is not controlled, meaning that malware/viruses that are present on your computer can access the internet with no restrictions. There are several other firewalls that can protect you better by filtering both incoming and outgoing data. Make sure you get only one of these.

» ZoneAlarm (http://www.zonelabs.com)
» Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)

Adaware
~You can download it from here (http://www.lavasoft.de)
~There is a tutorial on how to use Adaware properly here (http://forums.spywareinfo.com/index.php?showtopic=11150)

Install Spyware Guard
~You can download it from here (http://www.javacoolsoftware.com/spywareguard.html)
~You can read the tutorial on how to use Spyware Guard here (http://www.bleepingcomputer.com/tutorials/tutorial50.html)

Install SpyWare Blaster
~You can download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
~You can read the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)

Install WinPatrol
~You can download it from here (http://www.winpatrol.com/download.html)
~You can get some information about how WinPatrol works here (http://www.winpatrol.com/features.html)

Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?" (http://castlecops.com/t7736-So_how_did_I_get_infected_in_the_first_place.html)

Happy safe surfing!

tashi
2007-01-21, 23:53
Glad we could help. As the problem appears to be resolved, this topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.