SpyBot Log attached - please help



AllBotOne
2007-03-13, 13:20
Hi,

Please can you assist me in cleaning up my machine; SpyBot detects the Malware, says it is fixed but then detects it again after a reboot. Please see attached log.

Thank you in advance

Regards

pskelley
2007-03-13, 15:05
Welcome to Safer Networking. If you still need help and are not receiving it elsewhere, it appears you have missed some important instructions our administrator has posted at the top of the forum, especially this: "BEFORE you POST" Mandatory Steps Before Requesting Assistance
http://forums.spybot.info/showthread.php?t=288
Please read and follow all instructions and post all required logs or reports; anything less will slow your process.

Please do not attach infected files!
If a helper requests files they will give you a link to upload them.
All logs should be copy/pasted into topic and not attached unless requested by helper in that format.
Use "Post Reply" to post the information in the instructions and stay in the same topic.

Thanks

AllBotOne
2007-03-13, 16:43
--- Search result list ---
Win32.Small.dp: Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1960408961-1383384898-1060284298-1003\Software\Microsoft\Internet Explorer\Security\host

ABetterInternet: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\popuppers.com\*!=W=4

ABetterInternet: User settings (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\popuppers.com\*!=W=4

DyFuCA.InternetOptimizer: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt

DyFuCA.InternetOptimizer: Settings (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt

MediaMotor: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\media-motor.net\*!=W=4

MediaMotor: User settings (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\media-motor.net\*!=W=4

Nat: Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1960408961-1383384898-1060284298-1003\Software\Microsoft\Internet Explorer\Desktop\id

Nat: Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1960408961-1383384898-1060284298-1003\Software\Microsoft\Internet Explorer\Desktop\host


--- Spybot - Search && Destroy version: 1.3 ---
2007-03-07 Includes\Cookies.sbi
2006-12-08 Includes\Dialer.sbi
2007-03-07 Includes\DialerC.sbi
2007-02-07 Includes\Hijackers.sbi
2007-03-07 Includes\HijackersC.sbi
2006-10-27 Includes\Keyloggers.sbi
2007-03-07 Includes\KeyloggersC.sbi
2004-05-12 Includes\LSP.sbi
2007-02-14 Includes\Malware.sbi
2007-03-07 Includes\MalwareC.sbi
2004-08-11 Includes\plugin-ignore.ini
2007-01-19 Includes\PUPS.sbi
2007-03-07 Includes\PUPSC.sbi
2007-03-07 Includes\Revision.sbi
2006-12-08 Includes\Security.sbi
2007-03-07 Includes\SecurityC.sbi
2007-02-02 Includes\Spybots.sbi
2007-03-07 Includes\SpybotsC.sbi
2005-02-17 Includes\Tracks.uti
2007-03-07 Includes\Trojans.sbi
2007-03-07 Includes\TrojansC.sbi


--- System information ---
Windows XP (Build: 2600)
/ Internet Explorer 6 / SP0: Windows XP Hotfix - KB834707
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q329048 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q329170
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q329390 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q329441 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q329834 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q810577
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q810833
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q811630
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q817606
/ Windows XP / SP2: Windows XP Hotfix - KB823559
/ Windows XP / SP2: Windows XP Hotfix - KB828741
/ Windows XP / SP2: Windows XP Hotfix - KB833407
/ Windows XP / SP2: Windows XP Hotfix - KB835732
/ Windows XP / SP2: Windows XP Hotfix - KB842773
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q323255 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329115 for more information]


--- Startup entries list ---
Located: HK_LM:Run, AVG7_CC
command: C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
file: C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
size: 411648
MD5: 2a62570d13f14f49218ce7b03caa9cb2

Located: HK_LM:Run, iTunesHelper
command: "C:\Program Files\iTunes\iTunesHelper.exe"
file: C:\Program Files\iTunes\iTunesHelper.exe
size: 256576
MD5: d2ed7af383aab672cb7e135040967954

Located: HK_LM:Run, Picasa Media Detector
command: C:\Program Files\Picasa2\PicasaMediaDetector.exe
file: C:\Program Files\Picasa2\PicasaMediaDetector.exe
size: 366400
MD5: 5345770beec2f434e005c579e5518b4c

Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 282624
MD5: d195e74b712dd105402b90e6cb28263f

Located: HK_LM:Run, SpeedTouch USB Diagnostics
command: "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
file: C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
size: 866816
MD5: d40191aa225638ab20e59524cdd74030

Located: HK_LM:Run, Zone Labs Client
command: "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
file: C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
size: 705808
MD5: a0ce57a58dcc1572374b583837a0fc79

Located: HK_LM:RunOnce, SpybotSnD
command: "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
file: C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 3948032
MD5: 9d7660564cf9a8226dc8d44679f3a64b

Located: HK_CU:Run, ctfmon.exe
command: C:\WINDOWS\System32\ctfmon.exe
file: C:\WINDOWS\System32\ctfmon.exe
size: 13312
MD5: 85b1054db58d13aa42d7dca778c30f57

Located: HK_CU:Run, MSMSGS
command: "C:\Program Files\Messenger\msmsgs.exe" /background
file: C:\Program Files\Messenger\msmsgs.exe
size: 1077277
MD5: 10a98fa310d1b6664f999378efd031ba

Located: Startup (common), Adobe Gamma Loader.exe.lnk
command: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
file: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
size: 113664
MD5: c2ff17734176cd15221c10044ef0ba1a

Located: Startup (common), Adobe Reader Speed Launch.lnk
command: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
file: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
size: 29696
MD5: 43362b96870ce8649f4f2ec893da93f0

Located: Startup (common), Picture Package Menu.lnk
command: C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
file: C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
size: 151552
MD5: f15fcbb20fe82674f48a60a37e5ba45a

Located: Startup (common), Picture Package VCD Maker.lnk
command: C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
file: C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
size: 106496
MD5: cd7db8bf7f82f78e89e0ac0f58dcb3b0

Located: Startup (common), Quick Album SE.lnk
command: C:\Program Files\Ulead Systems\Ulead PhotoImpact SE\ABMTSR.EXE
file: C:\Program Files\Ulead Systems\Ulead PhotoImpact SE\ABMTSR.EXE
size: 21504
MD5: 1fe0885e500904372c56df8226cf1850

Located: Startup (user), BHODemon 2.0.lnk
command: C:\Program Files\BHODemon 2\BHODemon.exe
file: C:\Program Files\BHODemon 2\BHODemon.exe
size: 946176
MD5: 84accf24270d95ec15101fb64458b45d



--- Browser helper object list ---


--- ActiveX list ---
{17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool)
DPF name:
CLSID name: Windows Genuine Advantage Validation Tool
Path: C:\WINDOWS\System32\
Long name: LegitCheckControl.DLL
Short name: LEGITC~1.DLL
Date (created): 12/12/2006 10:45:04 AM
Date (last access): 3/12/2007 12:21:28 PM
Date (last write): 12/12/2006 10:45:04 AM
Filesize: 1474864
Attributes: archive
MD5: C7F2604BB81A5E8F8FB12AB8CCBE25CE
CRC32: 42057390
Version: 0.1.0.5



--- Process list ---
Spybot - Search && Destroy process list report, 3/13/2007 10:57:36 AM

PID: 0 ( 0) [System]
PID: 4 ( 0) System
PID: 448 ( 4) \SystemRoot\System32\smss.exe
PID: 464 (1388) C:\Program Files\QuickTime\qttask.exe
PID: 496 ( 448) csrss.exe
PID: 524 ( 448) \??\C:\WINDOWS\system32\winlogon.exe
PID: 568 ( 524) C:\WINDOWS\system32\services.exe
PID: 580 ( 524) C:\WINDOWS\system32\lsass.exe
PID: 688 (1388) C:\Program Files\Messenger\msmsgs.exe
PID: 744 ( 568) C:\WINDOWS\system32\svchost.exe
PID: 796 ( 568) C:\WINDOWS\System32\svchost.exe
PID: 816 ( 568) C:\Program Files\iPod\bin\iPodService.exe
PID: 880 ( 568) svchost.exe
PID: 928 (1388) C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
PID: 960 ( 568) svchost.exe
PID: 1028 (1388) C:\Program Files\Ulead Systems\Ulead PhotoImpact SE\ABMTSR.EXE
PID: 1076 (1388) C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
PID: 1136 ( 568) C:\WINDOWS\System32\svchost.exe
PID: 1148 ( 568) C:\WINDOWS\system32\spoolsv.exe
PID: 1224 ( 568) alg.exe
PID: 1236 ( 568) C:\WINDOWS\System32\Atievxx.exe
PID: 1248 ( 568) C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
PID: 1292 (1388) C:\Program Files\Picasa2\PicasaMediaDetector.exe
PID: 1320 (1388) C:\WINDOWS\System32\ctfmon.exe
PID: 1348 ( 568) C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
PID: 1376 (1388) C:\Program Files\iTunes\iTunesHelper.exe
PID: 1388 (1296) C:\WINDOWS\Explorer.EXE
PID: 1428 ( 568) C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
PID: 1444 ( 568) C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
PID: 1492 ( 568) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
PID: 1712 (1388) C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
PID: 1876 (1388) C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
PID: 3004 (1388) C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
PID: 3380 (1388) C:\Program Files\BHODemon 2\BHODemon.exe
PID: 3536 (1388) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe


--- Browser start & search pages list ---
Spybot - Search && Destroy browser pages report, 3/13/2007 10:57:36 AM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\windows\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.google.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
http://www.google.com/ie
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
about:blank
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://www.google.com/ie
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://www.google.com/search?q=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\windows\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.google.com/ie
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://www.google.com/ie
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B4035883-B2CB-487C-9DE4-4CD8D3BC01EE}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B4035883-B2CB-487C-9DE4-4CD8D3BC01EE}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7E1C682A-47FF-4BFD-9320-BAE19440D7AB}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7E1C682A-47FF-4BFD-9320-BAE19440D7AB}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{FB565A2D-CD7D-4929-8E1B-E578A348C4A0}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{FB565A2D-CD7D-4929-8E1B-E578A348C4A0}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D94F837A-47B0-40E2-BDB7-09A95732ACF9}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D94F837A-47B0-40E2-BDB7-09A95732ACF9}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{94004A96-065F-4D4A-B2FE-F7BCA9BDDA27}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{94004A96-065F-4D4A-B2FE-F7BCA9BDDA27}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

pskelley
2007-03-13, 17:10
Please read and follow all instructions and post all required logs or reports; anything less will slow your process.

http://forums.spybot.info/showthread.php?t=288

Those are the instructions, and nowhere does it ask you to post a Spybot report. I need to see a HijackThis log properly posted according to the instructions and the results of one of the mentioned free antivirus scans, and nothing else.

Thanks

pskelley
2007-03-24, 17:31
No response to the request for information since 2007-03-13, 11:10. As a result the topic will be closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thanks