Very Persistent: Smitfraud C. Toolbar888 infection . . . .



JO2757
2007-01-25, 16:55
Hello busy techs...

Smitfraud and Vundo were removed from my system last October, but .... S&D still finds 3-4 BHO objects in the Registry on every search. I remove (fix) them and these reappear after every reboot and system restart. I do not have any uninstructed browser or detected malware activity.

S&D results:
----------------------------
Smitfraud-C.Toolbar888: User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-606747145-507921405-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C004DEC2-2623-438E-9CA2-C9043AB28508}

Smitfraud-C.Toolbar888: Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C004DEC2-2623-438e-9CA2-C9043AB28508}

Smitfraud-C.Toolbar888: User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-606747145-507921405-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C004DEC2-2623-438E-9CA2-C9043AB28508}\iexplore
------------------------------------
So it seems some kind of rootkit still remains. AVG Anti-Spyware does not report anything but various adware tracking cookies. Here are the results from SmitFraudFix (Rapport.txt):
--------------------------

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="\"C:\\PROGRA~1\\Google\\Google Desktop Search\\GOEC62~1.DLL\""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End
-----------------------------------------------------

I'll send a HJT log or any other you may require on request

Hope you can help get rid of these traces once and for all.

Thanks again


Mr_JAk3
2007-01-26, 14:51
Hi JO2757 and welcome to the Forums :)

Please post a HijackThis log here: Click here (http://downloads.malwareremoval.com/HijackThis.exe) to download HijackThis.exe
Save HijackThis.exe to your desktop.
Create a new folder named HijackThis on your desktop. Move HijackThis.exe into that folder.
Run HijackThis.exe
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

JO2757
2007-01-27, 23:03
Here you go, thanks for offering to help. Please note that the BHO (no file) items I've put in bold always reappear after a reboot when checked and fixed. Same with the detection of Smitfraud-C.Toolbar888 in S&D. At the same time, S&D TeaTimer catches about 4 registry changes for Google Toolbar and that's it???

Logfile of HijackThis v1.99.1
Scan saved at 21:57:11, on 27/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Quicken Online Backup\AgentSrv.EXE
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Home Cinema\PowerCinema\PCMService.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\Muiltmedia keyboard Utility\1.3\KbdAp32A.exe
C:\WINDOWS\Dit.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\WINDOWS\DitExp.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\system32\AWLGTSTA.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\ShopSafe\ShopSafe.exe
C:\WINDOWS\VM_STI.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\VoipCheapCom\VoipCheapCom.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Quicken Online Backup\CBSysTray.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\Program Files\BlueSoleil\BlueSoleil.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xe.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ShopSafe Browser Helper Object - {333F6B96-3992-4D58-A499-145A10FE48C3} - C:\WINDOWS\system32\BhoSSafe.dll
O2 - BHO: (no name) - {48FBBE96-9506-E289-8896-0BBCAA395149} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7D0BDFB8-2509-447B-AD0E-C7BEF92B3A13} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - (no file)
O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O2 - BHO: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard Utility\1.3\KbdAp32A.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [AWLGTSTA.exe] C:\WINDOWS\system32\AWLGTSTA.exe /START
O4 - HKLM\..\Run: [ShopSafe] C:\Program Files\ShopSafe\ShopSafe.exe /dontopenmycards
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [QuickenScheduledUpdates] C:\Program Files\QUICKEN USA 2006\bagent.exe
O4 - HKCU\..\Run: [VoipCheapCom] "C:\Program Files\VoipCheapCom\VoipCheapCom.exe" -nosplash -minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Online Backup TaskBar Icon.LNK = C:\Program Files\Quicken Online Backup\CBSysTray.exe
O4 - Global Startup: SmartUI.lnk = C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: GIC - https://www.ib.albb.co.uk/ebs/ie/classes.cab
O16 - DPF: SEAGULL J Walk Java Client 4_0C11 - http://www.rateexplorer.com/jwalk/jwalk_ie.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} -
O16 - DPF: {3D19135C-6D38-44AD-80F0-D9318F48726D} (BwOutlook.OutlookIntegrator) - http://appserver.dca.broadvoice.com/commpilot/customcontrols/BwOutlook.CAB
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} -
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} -
O16 - DPF: {630F2610-7654-11D1-83E3-0080C71A8794} (Interconnect Resources) - https://www.ib.albb.co.uk/ebs/ie/gic.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586-jc.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} -
O16 - DPF: {DBFECB3F-B78F-442E-AE46-4952E6F17545} (Bonusprint Image Uploader Version 3.5) - http://webalbum.bonusprint.com/ukipc01/downloads//ImageUploader3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{048558D7-796A-4C68-B023-E45B4D91449C}: NameServer = 208.67.220.220,208.67.222.222,192.168.1.254
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\msgrapp.8.0.0812.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\msgrapp.8.0.0812.00.dll
O20 - AppInit_DLLs: "C:\PROGRA~1\Google\Google Desktop Search\GOEC62~1.DLL"
O20 - Winlogon Notify: ddaba - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: winjvd32 - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Quicken Online Backup\AgentSrv.EXE
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\BlueSoleil\BTNtService.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

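As an added example (not code from this thread, from HijackThis or from Spybot S&D), here is a small Python triage helper for log lines in the shape of the HijackThis log above and the S&D registry keys quoted in the first post. It re-splits O2 lines that the page extraction ran together, flags entries whose registry reference points at nothing on disk ("(no file)", "(file missing)", a Winlogon Notify entry showing a directory but no DLL name), and matches the orphan BHO CLSIDs against the S&D keys. The sample lines are constructed from the thread; the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample lines, in the shape of the HijackThis 1.99.1 log posted above
# (including the extraction quirk where two O2 lines ran together on one line).
SAMPLE_HJT = (
    "O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - "
    "C:\\Program Files\\Adobe\\Acrobat 6.0\\Acrobat\\ActiveX\\AcroIEHelper.dll\n"
    "O2 - BHO: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)\n"
    "O2 - BHO: (no name) - {7D0BDFB8-2509-447B-AD0E-C7BEF92B3A13} - (no file)"
    "O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - "
    "C:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\WindowsLiveLogin.dll\n"
    "O20 - Winlogon Notify: ddaba - C:\\WINDOWS\\\n"
    "O23 - Service: avast! Mail Scanner - Unknown owner - "
    "C:\\Program Files\\Avast4\\ashMaiSv.exe\" /service (file missing)\n"
)

# Constructed sample of the Spybot S&D registry keys quoted in the first post.
# Note the GUID case differs between the two keys (438E vs 438e).
SAMPLE_SD_KEYS = [
    "HKEY_USERS\\S-1-5-21-606747145-507921405-725345543-1005\\Software\\Microsoft"
    "\\Windows\\CurrentVersion\\Ext\\Stats\\{C004DEC2-2623-438E-9CA2-C9043AB28508}",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer"
    "\\Browser Helper Objects\\{C004DEC2-2623-438e-9CA2-C9043AB28508}",
]

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
LINE_RE = re.compile(r"^(O\d{1,2}) - ([^:]+): (.*)$")


@dataclass
class Entry:
    section: str  # "O2", "O20", "O23", ...
    kind: str     # "BHO", "Winlogon Notify", "Service", ...
    name: str     # display name, or "(no name)"
    clsid: str    # upper-cased GUID, or "" when the line carries none
    target: str   # text after the last " - ": a path or a status such as "(no file)"


def unfuse(text: str) -> str:
    """Re-split lines that extraction ran together, e.g. '(no file)O2 - BHO: ...'."""
    return re.sub(r"\)(O\d{1,2} - )", ")\n\\1", text)


def parse_hjt(text: str) -> List[Entry]:
    """Parse the 'Oxx - Kind: name - ... - target' lines of a HijackThis log."""
    entries = []
    for line in unfuse(text).splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, process list, blank lines
        section, kind, rest = m.groups()
        parts = [p.strip() for p in rest.split(" - ")]
        g = GUID_RE.search(rest)
        entries.append(Entry(section, kind, parts[0],
                             g.group(0).upper() if g else "",
                             parts[-1] if len(parts) > 1 else ""))
    return entries


def triage(entries: List[Entry]) -> List[Dict[str, str]]:
    """Flag registry references that point at nothing on disk; such entries are
    harmless by themselves but, as in this thread, worth watching if they reappear."""
    findings = []
    for e in entries:
        if e.section == "O2" and e.target == "(no file)":
            issue = "orphan BHO registration: CLSID registered but no DLL on disk"
        elif e.section == "O20" and e.kind == "Winlogon Notify" and e.target.endswith("\\"):
            issue = "Winlogon Notify entry shows a directory but no DLL name; inspect by hand"
        elif e.section == "O23" and "(file missing)" in e.target:
            issue = "service points at a missing file (stale service registration)"
        else:
            continue
        findings.append({"section": e.section, "name": e.name,
                         "clsid": e.clsid, "issue": issue})
    return findings


def match_sd_keys(findings: List[Dict[str, str]], sd_keys: List[str]) -> List[str]:
    """CLSIDs that both S&D and HijackThis report. The two tools print the same GUID
    in different letter case, so compare upper-cased, never as raw strings."""
    sd = {g.group(0).upper() for k in sd_keys for g in [GUID_RE.search(k)] if g}
    return sorted({f["clsid"] for f in findings if f["clsid"] and f["clsid"] in sd})


if __name__ == "__main__":
    found = triage(parse_hjt(SAMPLE_HJT))
    for f in found:
        print(f["section"], f["name"], f["clsid"] or "-", f["issue"])
    print("reported by both tools:", match_sd_keys(found, SAMPLE_SD_KEYS))
```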

Mr_JAk3
2007-01-28, 14:19
Hi JO2757 :)

First, you need to disable a few real-time protections. These may interfere with our cleaning process.
We'll enable these when you're clean...

Disable AVG Anti-Spyware guard.
Open AVG Anti-Spyware
Click Shield
Click under "resident shield is"
Change it to inactive
Close the program
Disable Spybot S&D Teatimer.
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu select "Advanced Mode"
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

JO2757
2007-01-29, 15:35
OK, thanks. Sorry for the delayed reply; the Windows Live log-in for Hotmail is failing, so I cannot access that email or server from this machine. Anyway, I have run VundoFix before, and am doing so again now to post you a log, but VundoFix reports no infected files found. It is what sorted me out last October with help from the short-media forums. I have also run SmitFraudFix and every other fix related to Smitfraud infections I can find, 3 times. TeaTimer is now disabled, as well as S&D IE browser protection. AVG Anti-Spyware is now the freeware version, so by default the Resident Shield is unavailable, even though the startup entry AVG Anti-Spyware 7.5\guard.exe remains. I used HJT to remove those entries. New logs coming after reboot!

Mr_JAk3
2007-01-29, 20:22
Hi :)

Please delete any previous versions and download the latest version of VundoFix. It is updated very often.

Please let me know if the latest version doesn't find anything.


JO2757
2007-01-29, 22:19
It's the latest version, but nothing found. After reboot, however, that might change; I'll let you know. Thanks.

Mr_JAk3
2007-01-30, 10:28
Ok let me know :)

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

JO2757
2007-02-02, 13:29
Done... here is the log!

Thanks for your help!

-------------------------
ComboFix 07.01.31 - Running from: "C:\Documents and Settings\James\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\DOCUME~1\James\Application Data\Dxcknwrd.dll
C:\Program Files\Common Files\{3C534600-0A2E-2057-0813-03030217002c}


((((((((((((((((((((((((((((((( Files Created from 2007-01-02 to 2007-02-02 ))))))))))))))))))))))))))))))))))


2007-01-30 15:50 <DIR> d-------- C:\WINDOWS\LastGood
2007-01-29 15:34 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-01-25 16:36 <DIR> d-------- C:\DOCUME~1\James\DoctorWeb
2007-01-25 14:21 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-01-25 14:21 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-01-25 14:21 3,740 --a------ C:\WINDOWS\system32\tmp.reg
2007-01-25 13:59 <DIR> d-------- C:\Program Files\Safer Networking
2007-01-24 01:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Avg7
2007-01-24 01:00 <DIR> d-------- C:\DOCUME~1\James\Application Data\Comodo
2007-01-24 01:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Comodo
2007-01-23 23:57 94,424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-01-23 23:57 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-01-23 23:57 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-01-23 23:57 689,280 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-01-23 23:57 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-01-23 23:57 31,560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-01-23 23:57 23,352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-01-23 23:57 <DIR> d-------- C:\Program Files\Avast4
2007-01-23 23:53 75,264 --a------ C:\WINDOWS\system32\drivers\cmdmon.sys
2007-01-23 23:53 51,328 --a------ C:\WINDOWS\system32\drivers\inspect.sys
2007-01-23 23:53 <DIR> d-------- C:\Program Files\Comodo
2007-01-23 23:44 <DIR> d-------- C:\Program Files\TweakNow RegCleaner Std
2007-01-23 17:30 <DIR> d-------- C:\Program Files\Common Files\Java
2007-01-19 12:53 51,056 --a------ C:\WINDOWS\system32\sirenacm.dll
2007-01-17 13:50 7,680 --a------ C:\WINDOWS\system32\LW400MON.DLL
2007-01-17 13:50 7,680 --a------ C:\WINDOWS\system32\DUO_D1MON.DLL
2007-01-16 18:02 <DIR> d-------- C:\Program Files\SatelliteTVforPC
2007-01-16 02:21 <DIR> d-------- C:\Program Files\TVUPlayer
2007-01-16 01:53 <DIR> d-------- C:\Program Files\TVAnts
2007-01-16 01:52 <DIR> d-------- C:\Program Files\TVto PC
2007-01-16 01:50 <DIR> d-------- C:\WINDOWS\uninstall
2007-01-10 03:06 <DIR> d-------- C:\WINDOWS\ie7updates


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-01 07:46 -------- d-------- C:\Program Files\quicken online backup
2007-01-31 15:45 -------- d-------- C:\Program Files\efax messenger plus 3.3
2007-01-31 00:40 -------- d-------- C:\DOCUME~1\James\Application Data\adobeum
2007-01-30 15:50 -------- d-------- C:\Program Files\msn messenger
2007-01-30 15:21 -------- d-------- C:\Program Files\google
2007-01-29 17:01 -------- d-------- C:\Program Files\dymo label
2007-01-29 13:38 -------- d-------- C:\Program Files\avg anti-spyware 7.5
2007-01-25 21:58 -------- d-------- C:\Program Files\quickbooks pro
2007-01-25 14:30 3623736 --a------ C:\WINDOWS\procexp.exe
2007-01-23 17:31 -------- d-------- C:\Program Files\java
2007-01-21 06:24 -------- d-------- C:\DOCUME~1\James\Application Data\bittorrent
2007-01-19 09:38 -------- d-------- C:\Program Files\bittorrent
2007-01-12 18:14 -------- d-------- C:\Program Files\voipcheapcom
2007-01-10 01:59 -------- d-------- C:\Program Files\auction sentry deluxe
2006-12-29 15:02 -------- d-------- C:\Program Files\quicken xg
2006-12-12 18:14 -------- d-------- C:\Program Files\windows media connect 2
2006-12-12 18:05 -------- d-------- C:\Program Files\windows media connect
2006-12-08 12:06 -------- d-------- C:\Program Files\messenger plus! live
2006-12-06 17:06 -------- d--h----- C:\Program Files\installshield installation information
2006-12-06 17:06 -------- d-------- C:\Program Files\sling media
2006-11-08 05:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"QuickenScheduledUpdates"="C:\\Program Files\\QUICKEN USA 2006\\bagent.exe"
"VoipCheapCom"="\"C:\\Program Files\\VoipCheapCom\\VoipCheapCom.exe\" -nosplash -minimized"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"PCMService"="\"C:\\Program Files\\Home Cinema\\PowerCinema\\PCMService.exe\""
"HTpatch"="C:\\WINDOWS\\htpatch.exe"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"FLMOFFICE4DMOUSE"="C:\\Program Files\\Browser MOUSE\\mouse32a.exe"
"FLMK08KB"="C:\\Program Files\\Muiltmedia keyboard Utility\\1.3\\KbdAp32A.exe"
"Dit"="Dit.exe"
"ControlCenter2.0"="C:\\Program Files\\Brother\\ControlCenter2\\brctrcen.exe /autorun"
"AWLGTSTA.exe"="C:\\WINDOWS\\system32\\AWLGTSTA.exe /START"
"ShopSafe"="C:\\Program Files\\ShopSafe\\ShopSafe.exe /dontopenmycards"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"BigDogPath"="C:\\WINDOWS\\VM_STI.EXE VIMICRO USB PC Camera"
"SoundMan"="SOUNDMAN.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"PCSuiteTrayApplication"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe -onlytray"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"COMODO Firewall Pro"="\"C:\\Program Files\\Comodo\\Firewall\\CPF.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"GBPoll"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"=""C:\PROGRA~1\Google\Google Desktop Search\GOEC62~1.DLL""


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=dword:00000001
"NoDispCPL"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispSettingsPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"DisableRegistryTools"=dword:00000000
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWinKeys"=dword:00000000
"NoShellSearchButton"=dword:00000000
"NoFileAssociate"=dword:00000000
"NoFileMenu"=dword:00000000
"NoFolderOptions"=dword:00000000
"StartMenuLogoff"=dword:00000000
"NoSMHelp"=dword:00000000
"NoTrayContextMenu"=dword:00000000
"NoToolbarsOnTaskbar"=dword:00000000
"NoResolveTrack"=dword:00000001
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWinKeys"=dword:00000000
"NoShellSearchButton"=dword:00000000
"NoFileAssociate"=dword:00000000
"NoFileMenu"=dword:00000000
"NoFolderOptions"=dword:00000000
"NoFind"=dword:00000000
"NoRun"=dword:00000000
"NoClose"=dword:00000000
"NoCommonGroups"=dword:00000000
"StartMenuLogoff"=dword:00000000
"NoSMHelp"=dword:00000000
"NoTrayContextMenu"=dword:00000000
"NoToolbarsOnTaskbar"=dword:00000000
"NoCDBurning"=dword:00000000
"NoRecentDocsHistory"=dword:00000000
"ClearRecentDocsOnExit"=dword:00000000
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"NoThemesTab"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddaba
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjvd32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
bthsvcs REG_MULTI_SZ BthServ\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_USNJSVC



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070129-142447-916
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)
backup-20070129-142447-819
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
backup-20070129-142447-552
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
backup-20070129-142447-707
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4\aswUpdSv.exe
backup-20070129-142447-102
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
backup-20070129-142447-927
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
backup-20070127-220519-213
O2 - BHO: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
backup-20070127-220519-399
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
backup-20070127-220519-535
O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
backup-20070127-220519-838
O2 - BHO: (no name) - {7D0BDFB8-2509-447B-AD0E-C7BEF92B3A13} - (no file)
backup-20070127-220519-755
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - (no file)
backup-20070125-144043-838
O2 - BHO: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
backup-20070125-144043-996
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - (no file)
backup-20070125-144043-811
O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
backup-20070125-144043-633
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
backup-20070125-144043-601
O2 - BHO: (no name) - {7D0BDFB8-2509-447B-AD0E-C7BEF92B3A13} - (no file)
backup-20070125-144043-255
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
backup-20070125-144043-338
O2 - BHO: (no name) - {48FBBE96-9506-E289-8896-0BBCAA395149} - (no file)
backup-20070124-102428-638
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
backup-20070124-102405-136
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
backup-20070122-164047-133
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
backup-20070122-134902-467
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
backup-20070122-134902-107
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} -
backup-20070122-134902-991
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\NOD32\nod32krn.exe
backup-20070122-134902-911
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} -
backup-20070122-134902-481
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} -
backup-20070122-134902-319
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
backup-20070122-134902-681
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} -
backup-20070122-134902-603
O2 - BHO: (no name) - {7D0BDFB8-2509-447B-AD0E-C7BEF92B3A13} - (no file)
backup-20070122-134902-778
O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
backup-20070122-134902-623
O2 - BHO: (no name) - {48FBBE96-9506-E289-8896-0BBCAA395149} - (no file)
backup-20070122-134902-592
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
backup-20070122-134902-382
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - (no file)
backup-20070122-134902-414
O2 - BHO: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
backup-20061111-100024-822
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
backup-20061111-095941-660
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
backup-20061111-095851-815
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
backup-20061111-095745-519
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/prequal/MotivePreQual.cab
backup-20061111-095745-883
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
backup-20061111-095745-653
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
backup-20061111-095745-382
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
backup-20061111-095745-586
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
backup-20061111-095744-811
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
backup-20061111-095744-443
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
backup-20061111-095744-902
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
backup-20061111-095744-703
O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)
backup-20061111-095744-799
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
backup-20061111-095744-436
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
backup-20061111-095744-614
O2 - BHO: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
backup-20061111-095744-467
O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
backup-20061111-095744-832
O2 - BHO: (no name) - {48FBBE96-9506-E289-8896-0BBCAA395149} - C:\WINDOWS\system32\eeesojj.dll (file missing)
backup-20061111-095744-687
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - (no file)
backup-20061013-010726-739
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
backup-20061012-033016-737
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
backup-20061012-032857-356
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
backup-20061012-032733-517
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
backup-20061012-013532-945
O20 - Winlogon Notify: winjvd32 - winjvd32.dll (file missing)
backup-20061012-013532-171
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
backup-20061012-013532-115
O20 - Winlogon Notify: ddaba - C:\WINDOWS\system32\ddaba.dll (file missing)
backup-20061012-013531-879
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
backup-20061012-013531-994
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
backup-20061012-013531-318
O2 - BHO: (no name) - {21BAC9C2-0B1D-4D07-846A-21B1C9E76098} - C:\WINDOWS\system32\ddaba.dll (file missing)
backup-20061012-013531-599
O2 - BHO: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3C534600-0A2E-2057-0813-03030217002c}\MyToolBar.dll (file missing)
backup-20061012-013531-345
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job
C:\WINDOWS\tasks\SyncBackSE Group Run.job

Completion time: 07-02-02 12:05:28

Mr_JAk3
2007-02-02, 20:39
Hi again, we'll continue :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Open AVG Anti-Spyware.
On the main screen under Your Computer's security:
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this.)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido:
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double-clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

==================

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list. Fix the O6 entries too if you haven't locked Internet Explorer settings.
O2 - BHO: (no name) - {48FBBE96-9506-E289-8896-0BBCAA395149} - (no file)
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - (no file)
O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O2 - BHO: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} -
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} -
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} -
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/instal...sinstaller.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} -
O20 - Winlogon Notify: ddaba - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: winjvd32 - C:\WINDOWS\

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser: click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
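
The HijackThis O2 lines and the Spybot "User settings" hits above are two views of the same registry data: the CLSIDs under HKLM\...\Browser Helper Objects, and the per-user Ext\Stats\{CLSID} keys that IE keeps for each add-on it has enumerated. The following script is an added example, not code from this thread or from HijackThis or Spybot. It does what HijackThis does for the O2 section, resolving each BHO CLSID through HKCR\CLSID\{guid}\InProcServer32 and checking whether the DLL is still on disk, and it lists Ext\Stats keys in every loaded user hive whose CLSID is no longer registered as a COM class. The function names and the output layout are this example's own; it assumes PowerShell 2.0 or later, an administrator prompt, and the 32-bit Windows of this thread (it reads the native registry view only). It changes nothing; it is a read-only audit.

```powershell
# Added example (not from the thread, HijackThis or Spybot): read-only audit of
# IE Browser Helper Object registrations and per-user Ext\Stats keys.
# Assumes PowerShell 2.0+ and an elevated prompt. Nothing is deleted.

$BhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Resolve-ComServer {
    param([string]$Clsid)
    # The in-process COM server for a CLSID is the default value of InProcServer32.
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InProcServer32"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    $raw = (Get-ItemProperty -LiteralPath $key).'(default)'
    if (-not $raw) { return $null }
    # Paths may be quoted and may use %SystemRoot%-style variables; normalise both.
    return [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
}

function Get-BhoAudit {
    # One record per registered BHO: CLSID, resolved DLL path, and a status that
    # mirrors what HijackThis prints ("(no file)" when the DLL is gone).
    foreach ($key in Get-ChildItem -LiteralPath $BhoRoot -ErrorAction SilentlyContinue) {
        $clsid  = $key.PSChildName
        $dll    = Resolve-ComServer -Clsid $clsid
        $status = if (-not $dll) { 'no COM server registered' }
                  elseif (Test-Path -LiteralPath $dll) { 'file present' }
                  else { 'file missing' }
        New-Object PSObject -Property @{ Clsid = $clsid; Dll = $dll; Status = $status }
    }
}

function Get-StaleExtStats {
    # Ext\Stats\{CLSID} under each loaded user hive is IE's per-add-on usage record.
    # A Stats key whose CLSID has no HKCR\CLSID entry is left over from a removed add-on;
    # nothing loads from it on its own.
    foreach ($hive in Get-ChildItem -LiteralPath 'Registry::HKEY_USERS') {
        $sid   = $hive.PSChildName
        $stats = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Ext\Stats"
        if (-not (Test-Path -LiteralPath $stats)) { continue }
        foreach ($entry in Get-ChildItem -LiteralPath $stats) {
            $clsid = $entry.PSChildName
            if (-not (Test-Path -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid")) {
                New-Object PSObject -Property @{ Sid = $sid; Clsid = $clsid; Status = 'stale (CLSID not registered)' }
            }
        }
    }
}

Write-Host '== Browser Helper Objects (HKLM) =='
Get-BhoAudit | Sort-Object Status | Format-Table Clsid, Status, Dll -AutoSize

Write-Host '== Ext\Stats entries whose CLSID is not registered =='
Get-StaleExtStats | Format-Table Sid, Clsid, Status -AutoSize
```

Run it once, fix the entries with HijackThis as instructed above, reboot, and run it again: an entry that is back after the reboot has been recreated by something that runs at startup, which is the process to look for next, rather than evidence of a rootkit by itself. On 64-bit Windows the 32-bit IE add-ons register under HKLM\SOFTWARE\Wow6432Node\... and HKCR\Wow6432Node\CLSID, which this version does not read.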

JO2757
2007-02-10, 12:33
Hi Mr Jak,

It's been a while. The problem seemed to be sorted, without anything appearing in S&D for over a week. But today I came to find that after a recent reboot the S&D automatic scan had found and removed them again. It seems to be some rootkit somewhere that is not always active.


--- Search result list ---
Smitfraud-C.Toolbar888: User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-606747145-507921405-725345543-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C004DEC2-2623-438E-9CA2-C9043AB28508}

Smitfraud-C.Toolbar888: User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-606747145-507921405-725345543-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C004DEC2-2623-438E-9CA2-C9043AB28508}\iexplore

-------------------------
AVG Anti-Spyware is the freeware version now. The automatic update and resident shield are n/a. I guess the entries remain, but this function is not available. I will follow the rest of your steps and get back to you promptly.

Regards

James

Mr_JAk3
2007-02-10, 14:07
Hi :)

Post the logs I requested when you're ready.

Yes you may update AVG manually and run a scan with it.

:bigthumb:

JO2757
2007-02-10, 18:16
OK I cleaned the entries you suggested with HJT and followed your instructions in safe mode.

I'm showing clean now after reboot, but I also was all last week until today, when SMITFRAUD C.TOOLBAR888 showed up in S&D again with the same browser entries as always. The only difference that came to mind was that I ran BitTorrent (5.05) yesterday, but I did not download anything; I was just doing a search. Then I shut it down. I am not currently sending any feeds. Anyway, here are my reports.


AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 15:51:49 10/02/2007

+ Scan result:



:mozilla.13:C:\RECYCLER\NPROTECT\00028125. -> TrackingCookie.2o7 : No action taken.
:mozilla.14:C:\RECYCLER\NPROTECT\00000722. -> TrackingCookie.2o7 : No action taken.
:mozilla.14:C:\RECYCLER\NPROTECT\00001788. -> TrackingCookie.2o7 : No action taken.
:mozilla.14:C:\RECYCLER\NPROTECT\00028125. -> TrackingCookie.2o7 : No action taken.
:mozilla.15:C:\RECYCLER\NPROTECT\00000722. -> TrackingCookie.2o7 : No action taken.
:mozilla.15:C:\RECYCLER\NPROTECT\00001788. -> TrackingCookie.2o7 : No action taken.
:mozilla.15:C:\RECYCLER\NPROTECT\00001845. -> TrackingCookie.2o7 : No action taken.
:mozilla.16:C:\RECYCLER\NPROTECT\00001845. -> TrackingCookie.2o7 : No action taken.
:mozilla.16:C:\RECYCLER\NPROTECT\00027999. -> TrackingCookie.2o7 : No action taken.
:mozilla.17:C:\RECYCLER\NPROTECT\00001787. -> TrackingCookie.2o7 : No action taken.
:mozilla.17:C:\RECYCLER\NPROTECT\00027999. -> TrackingCookie.2o7 : No action taken.
:mozilla.18:C:\RECYCLER\NPROTECT\00001787. -> TrackingCookie.2o7 : No action taken.
:mozilla.6:C:\RECYCLER\NPROTECT\00000317. -> TrackingCookie.2o7 : No action taken.
:mozilla.6:C:\RECYCLER\NPROTECT\00000323. -> TrackingCookie.2o7 : No action taken.
:mozilla.6:C:\RECYCLER\NPROTECT\00001266. -> TrackingCookie.2o7 : No action taken.
:mozilla.7:C:\RECYCLER\NPROTECT\00000317. -> TrackingCookie.2o7 : No action taken.
:mozilla.7:C:\RECYCLER\NPROTECT\00000323. -> TrackingCookie.2o7 : No action taken.
:mozilla.7:C:\RECYCLER\NPROTECT\00001266. -> TrackingCookie.2o7 : No action taken.
:mozilla.10:C:\RECYCLER\NPROTECT\00000323. -> TrackingCookie.Advertising : No action taken.
:mozilla.10:C:\RECYCLER\NPROTECT\00001266. -> TrackingCookie.Advertising : No action taken.
:mozilla.11:C:\RECYCLER\NPROTECT\00000323. -> TrackingCookie.Advertising : No action taken.
:mozilla.11:C:\RECYCLER\NPROTECT\00001266. -> TrackingCookie.Advertising : No action taken.
:mozilla.12:C:\RECYCLER\NPROTECT\00000323. -> TrackingCookie.Advertising : No action taken.
:mozilla.12:C:\RECYCLER\NPROTECT\00001266. -> TrackingCookie.Advertising : No action taken.
:mozilla.13:C:\RECYCLER\NPROTECT\00000323. -> TrackingCookie.Advertising : No action taken.
:mozilla.13:C:\RECYCLER\NPROTECT\00001266. -> TrackingCookie.Advertising : No action taken.
:mozilla.16:C:\RECYCLER\NPROTECT\00028125. -> TrackingCookie.Advertising : No action taken.
:mozilla.17:C:\RECYCLER\NPROTECT\00000722. -> TrackingCookie.Advertising : No action taken.
:mozilla.17:C:\RECYCLER\NPROTECT\00001788. -> TrackingCookie.Advertising : No action taken.
:mozilla.17:C:\RECYCLER\NPROTECT\00028125. -> TrackingCookie.Advertising : No action taken.
:mozilla.18:C:\RECYCLER\NPROTECT\00000722. -> TrackingCookie.Advertising : No action taken.
:mozilla.18:C:\RECYCLER\NPROTECT\00001788. -> TrackingCookie.Advertising : No action taken.
:mozilla.18:C:\RECYCLER\NPROTECT\00001845. -> TrackingCookie.Advertising : No action taken.
:mozilla.19:C:\RECYCLER\NPROTECT\00001788. -> TrackingCookie.Advertising : No action taken.
:mozilla.19:C:\RECYCLER\NPROTECT\00001845. -> TrackingCookie.Advertising : No action taken.
:mozilla.19:C:\RECYCLER\NPROTECT\00027999. -> TrackingCookie.Advertising : No action taken.
:mozilla.20:C:\RECYCLER\NPROTECT\00001787. -> TrackingCookie.Advertising : No action taken.
:mozilla.20:C:\RECYCLER\NPROTECT\00001788. -> TrackingCookie.Advertising : No action taken.
:mozilla.20:C:\RECYCLER\NPROTECT\00001845. -> TrackingCookie.Advertising : No action taken.
:mozilla.20:C:\RECYCLER\NPROTECT\00027999. -> TrackingCookie.Advertising : No action taken.
:mozilla.21:C:\RECYCLER\NPROTECT\00001787. -> TrackingCookie.Advertising : No action taken.
:mozilla.21:C:\RECYCLER\NPROTECT\00001788. -> TrackingCookie.Advertising : No action taken.
:mozilla.21:C:\RECYCLER\NPROTECT\00001845. -> TrackingCookie.Advertising : No action taken.
:mozilla.21:C:\RECYCLER\NPROTECT\00027999. -> TrackingCookie.Advertising : No action taken.
:mozilla.22:C:\RECYCLER\NPROTECT\00001787. -> TrackingCookie.Advertising : No action taken.
:mozilla.22:C:\RECYCLER\NPROTECT\00001845. -> TrackingCookie.Advertising : No action taken.
:mozilla.22:C:\RECYCLER\NPROTECT\00027999. -> TrackingCookie.Advertising : No action taken.
:mozilla.23:C:\RECYCLER\NPROTECT\00001787. -> TrackingCookie.Advertising : No action taken.
:mozilla.23:C:\RECYCLER\NPROTECT\00027999. -> TrackingCookie.Advertising : No action taken.
:mozilla.24:C:\RECYCLER\NPROTECT\00001787. -> TrackingCookie.Advertising : No action taken.
:mozilla.9:C:\RECYCLER\NPROTECT\00000323. -> TrackingCookie.Advertising : No action taken.
:mozilla.9:C:\RECYCLER\NPROTECT\00001266. -> TrackingCookie.Advertising : No action taken.
:mozilla.10:C:\RECYCLER\NPROTECT\00001787. -> TrackingCookie.Fastclick : No action taken.
:mozilla.10:C:\RECYCLER\NPROTECT\00001788. -> TrackingCookie.Fastclick : No action taken.
:mozilla.10:C:\RECYCLER\NPROTECT\00001845. -> TrackingCookie.Fastclick : No action taken.
:mozilla.11:C:\RECYCLER\NPROTECT\00001787. -> TrackingCookie.Fastclick : No action taken.
:mozilla.11:C:\RECYCLER\NPROTECT\00001788. -> TrackingCookie.Fastclick : No action taken.
:mozilla.11:C:\RECYCLER\NPROTECT\00001845. -> TrackingCookie.Fastclick : No action taken.
:mozilla.11:C:\RECYCLER\NPROTECT\00027999. -> TrackingCookie.Fastclick : No action taken.
:mozilla.11:C:\RECYCLER\NPROTECT\00028125. -> TrackingCookie.Fastclick : No action taken.
:mozilla.12:C:\RECYCLER\NPROTECT\00000722. -> TrackingCookie.Fastclick : No action taken.
:mozilla.12:C:\RECYCLER\NPROTECT\00001787. -> TrackingCookie.Fastclick : No action taken.
:mozilla.12:C:\RECYCLER\NPROTECT\00001788. -> TrackingCookie.Fastclick : No action taken.
:mozilla.12:C:\RECYCLER\NPROTECT\00001845. -> TrackingCookie.Fastclick : No action taken.
:mozilla.12:C:\RECYCLER\NPROTECT\00027999. -> TrackingCookie.Fastclick : No action taken.
:mozilla.13:C:\RECYCLER\NPROTECT\00001787. -> TrackingCookie.Fastclick : No action taken.
:mozilla.13:C:\RECYCLER\NPROTECT\00001845. -> TrackingCookie.Fastclick : No action taken.
:mozilla.13:C:\RECYCLER\NPROTECT\00027999. -> TrackingCookie.Fastclick : No action taken.
:mozilla.14:C:\RECYCLER\NPROTECT\00027999. -> TrackingCookie.Fastclick : No action taken.
:mozilla.9:C:\RECYCLER\NPROTECT\00001788. -> TrackingCookie.Fastclick : No action taken.
:mozilla.12:C:\RECYCLER\NPROTECT\00028125. -> TrackingCookie.Mediaplex : No action taken.
:mozilla.13:C:\RECYCLER\NPROTECT\00000722. -> TrackingCookie.Mediaplex : No action taken.
:mozilla.13:C:\RECYCLER\NPROTECT\00001788. -> TrackingCookie.Mediaplex : No action taken.
:mozilla.14:C:\RECYCLER\NPROTECT\00001787. -> TrackingCookie.Mediaplex : No action taken.
:mozilla.14:C:\RECYCLER\NPROTECT\00001845. -> TrackingCookie.Mediaplex : No action taken.
:mozilla.15:C:\RECYCLER\NPROTECT\00027999. -> TrackingCookie.Mediaplex : No action taken.


::Report end

--------------------------
I removed Norton Utilities months ago, but I cannot remove this f-'n RECYCLER\NPROTECT directory or any of the files. I just get errors.
-------------------------


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xe.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ShopSafe Browser Helper Object - {333F6B96-3992-4D58-A499-145A10FE48C3} - C:\WINDOWS\system32\BhoSSafe.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard Utility\1.3\KbdAp32A.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [AWLGTSTA.exe] C:\WINDOWS\system32\AWLGTSTA.exe /START
O4 - HKLM\..\Run: [ShopSafe] C:\Program Files\ShopSafe\ShopSafe.exe /dontopenmycards
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [QuickenScheduledUpdates] C:\Program Files\QUICKEN USA 2006\bagent.exe
O4 - HKCU\..\Run: [VoipCheapCom] "C:\Program Files\VoipCheapCom\VoipCheapCom.exe" -nosplash -minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Online Backup TaskBar Icon.LNK = C:\Program Files\Quicken Online Backup\CBSysTray.exe
O4 - Global Startup: SmartUI.lnk = C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: GIC - https://www.ib.albb.co.uk/ebs/ie/classes.cab
O16 - DPF: SEAGULL J Walk Java Client 4_0C11 - http://www.rateexplorer.com/jwalk/jwalk_ie.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {3334504D-9980-0010-8000-00AA00389B71} -
O16 - DPF: {3D19135C-6D38-44AD-80F0-D9318F48726D} (BwOutlook.OutlookIntegrator) - http://appserver.dca.broadvoice.com/commpilot/customcontrols/BwOutlook.CAB
O16 - DPF: {630F2610-7654-11D1-83E3-0080C71A8794} (Interconnect Resources) - https://www.ib.albb.co.uk/ebs/ie/gic.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586-jc.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} -
O16 - DPF: {DBFECB3F-B78F-442E-AE46-4952E6F17545} (Bonusprint Image Uploader Version 3.5) - http://webalbum.bonusprint.com/ukipc01/downloads//ImageUploader3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{048558D7-796A-4C68-B023-E45B4D91449C}: NameServer = 208.67.220.220,208.67.222.222,192.168.1.254,66.226.64.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{213D55A5-3AA6-4A19-8050-44972618FA5D}: NameServer = 192.168.1.64,66.226.64.3,208.67.222.222,208.67.220.220,192.168.1.254
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: "C:\PROGRA~1\Google\Google Desktop Search\GOEC62~1.DLL"
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Quicken Online Backup\AgentSrv.EXE
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\BlueSoleil\BTNtService.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
--------------------------------------------------------

Thanks again for your patience, time and consideration! :angel:

Mr_JAk3
2007-02-11, 07:44
Hi :)

The HijackThis log was taken in safe mode. Please post a fresh HijackThis log but take it in the normal mode.

:bigthumb:

JO2757
2007-02-12, 12:45
Here is new HJT.
Interesting development. I ran an Avast antivirus scan from boot. It found 5 versions of OPE2E8.exe, a WIN32DElf-DLH [Trojan], all installed at the same time I had the original infection last October. They seem to be part of the same trojan download dialer from the original Smitfraud / Vundo infection. None of the antivirus or spyware programs have ever found this running from Windows (S&D, Symantec, AVG, Avast, both online scans and full programs). They were found only on the scheduled scan on boot by Avast, before XP loads.

Here is latest HJT.

Logfile of HijackThis v1.99.1
Scan saved at 11:36:30, on 12/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Quicken Online Backup\AgentSrv.EXE
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Home Cinema\PowerCinema\PCMService.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\Muiltmedia keyboard Utility\1.3\KbdAp32A.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\Dit.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\WINDOWS\system32\AWLGTSTA.exe
C:\WINDOWS\DitExp.exe
C:\Program Files\ShopSafe\ShopSafe.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\VM_STI.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\VoipCheapCom\VoipCheapCom.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Quicken Online Backup\CBSysTray.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\Program Files\BlueSoleil\BlueSoleil.exe
C:\Program Files\Avast4\ashSimpl.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ShopSafe Browser Helper Object - {333F6B96-3992-4D58-A499-145A10FE48C3} - C:\WINDOWS\system32\BhoSSafe.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard Utility\1.3\KbdAp32A.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [AWLGTSTA.exe] C:\WINDOWS\system32\AWLGTSTA.exe /START
O4 - HKLM\..\Run: [ShopSafe] C:\Program Files\ShopSafe\ShopSafe.exe /dontopenmycards
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [QuickenScheduledUpdates] C:\Program Files\QUICKEN USA 2006\bagent.exe
O4 - HKCU\..\Run: [VoipCheapCom] "C:\Program Files\VoipCheapCom\VoipCheapCom.exe" -nosplash -minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Online Backup TaskBar Icon.LNK = C:\Program Files\Quicken Online Backup\CBSysTray.exe
O4 - Global Startup: SmartUI.lnk = C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: GIC - https://www.ib.albb.co.uk/ebs/ie/classes.cab
O16 - DPF: SEAGULL J Walk Java Client 4_0C11 - http://www.rateexplorer.com/jwalk/jwalk_ie.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {3334504D-9980-0010-8000-00AA00389B71} -
O16 - DPF: {3D19135C-6D38-44AD-80F0-D9318F48726D} (BwOutlook.OutlookIntegrator) - http://appserver.dca.broadvoice.com/commpilot/customcontrols/BwOutlook.CAB
O16 - DPF: {630F2610-7654-11D1-83E3-0080C71A8794} (Interconnect Resources) - https://www.ib.albb.co.uk/ebs/ie/gic.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586-jc.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} -
O16 - DPF: {DBFECB3F-B78F-442E-AE46-4952E6F17545} (Bonusprint Image Uploader Version 3.5) - http://webalbum.bonusprint.com/ukipc01/downloads//ImageUploader3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{048558D7-796A-4C68-B023-E45B4D91449C}: NameServer = 208.67.220.220,208.67.222.222,192.168.1.254,66.226.64.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{213D55A5-3AA6-4A19-8050-44972618FA5D}: NameServer = 192.168.1.64,66.226.64.3,208.67.222.222,208.67.220.220,192.168.1.254
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: "C:\PROGRA~1\Google\Google Desktop Search\GOEC62~1.DLL"
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Quicken Online Backup\AgentSrv.EXE
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--------------------------------------------:rolleyes:
Thanks

Mr_JAk3
2007-02-13, 12:54
Hi :)

Did Avast clean the found infections?

Fix these with HijackThis:

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O16 - DPF: {3334504D-9980-0010-8000-00AA00389B71} -
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} -

Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under select a target to scan: Select My Computer

This program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

How is the computer running? :bigthumb:
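
To show how the entries picked out above can be spotted mechanically, here is an added Python example (not from the thread, the poster, or HijackThis itself) that parses the HijackThis log format and flags the three entry types named in this reply: O16 DPF lines with no download URL, O23 services marked "(file missing)", and the dumprep KernelFaultCheck run entry. The sample lines are constructed to match the log format shown in the thread.

```python
import re

# Constructed sample input in HijackThis log format (O4 run keys, O16 DPF
# ActiveX download records, O23 services); not a real log from this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O16 - DPF: {3334504D-9980-0010-8000-00AA00389B71} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
"""

# Every HijackThis entry starts with a section tag (R0..R3, O1..O24), a dash, then the body.
LINE_RE = re.compile(r"^([RO]\d+)\s+-\s+(.*)$")


def parse_hjt(text):
    """Split a HijackThis log into (section, body, raw) entries; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            entries.append({"section": m.group(1), "body": m.group(2), "raw": line})
    return entries


def review(entries):
    """Return (raw_line, reason) pairs for the entry classes a helper would ask to fix."""
    findings = []
    for e in entries:
        sec, body = e["section"], e["body"]
        if sec == "O16":
            # Format: "DPF: {CLSID} (name) - URL"; the URL is whatever follows the last " - ".
            # A body that simply ends in "-" is an orphaned download record with no source.
            parts = body.rsplit(" - ", 1)
            url = parts[1].strip() if len(parts) == 2 else ""
            if not url:
                findings.append((e["raw"], "O16 DPF entry with no download URL"))
        elif sec == "O23" and body.endswith("(file missing)"):
            # HijackThis appends "(file missing)" when the service binary is absent on disk.
            findings.append((e["raw"], "service points at a missing binary"))
        elif sec == "O4" and "dumprep" in body.lower():
            # dumprep 0 -k is the KernelFaultCheck entry left behind after a crash report.
            findings.append((e["raw"], "KernelFaultCheck crash-dump leftover"))
    return findings


if __name__ == "__main__":
    for raw, why in review(parse_hjt(SAMPLE_LOG)):
        print(f"{why}: {raw}")
```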

JO2757
2007-02-16, 20:11
HijackThis fixed those entries. S&D is coming clean the past few days. AVG and Dr Web found Trojan Dropper file variants that seem to have been missed. One was found only after submitting a file. I found it from a fake Flash installation that attempted to install.

All goes well with Kaspersky until I accept the ActiveX, then the browser fails to the "Welcome to the Kaspersky Online Scanner!" page ("Use it to scan your PC for viruses and other malware for free"). I get a script error on the page with the /kos/eng.

TeaTimer is disabled in S&D and so are browser locks.

Hmmmm

Mr_JAk3
2007-02-17, 11:22
Hi again and sorry for the delay, I was out of town.

How is the computer running at the moment? You scanned with AVG and DrWeb so I don't think Kaspersky is needed anymore.

You could post one more HijackThis log just in case :bigthumb:

tashi
2007-02-27, 00:10
This topic has been closed to prevent others with similar issues posting in it.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.