popups in ie and have tried everything :(



railman
2007-04-05, 17:11
Hi, I'm new here, and am infected with something that I think has something to do with Deluxe Communications. I've uninstalled it but the popups remain. Here's a log, please help. Thanks, rail

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:11:06 AM, on 4/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\warren\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0765EA83-9EC8-4BA2-A7F5-D6A0E251B2F5} - C:\WINDOWS\system32\jkkll.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {3B1AC5EE-E04B-43DB-A5AD-F88BF11BA440} - C:\Program Files\MSN\meqosadi.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\system32\yaywwuv.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [WatchDog] "C:\Program Files\mobile PhoneTools\WatchDog.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\npbfdoxx.dll",setvm
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ricochetlostworlds/ReflexiveWebGameLoader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129645445375
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129645431937
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2007FreeInstall.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://sra.cn.ca/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O20 - Winlogon Notify: jkkll - C:\WINDOWS\system32\jkkll.dll
O20 - Winlogon Notify: yaywwuv - C:\WINDOWS\SYSTEM32\yaywwuv.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9992 bytes

railman
2007-04-05, 17:26
Just to name a few, I've tried AVG 7.5, AVG Anti-Spyware, Spy Sweeper and SmitFraudFix. I use Pop-Up Stopper Companion. Nothing seems to help. The popups come when I'm in Explorer or Firefox. Getting to my wits' end. Thanks.

Angelfire777
2007-04-05, 23:27
Hi, welcome to Safer Networking forums!

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your Desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

railman
2007-04-07, 20:04
Thanks very much for your help! Here is the Vundo log.

VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 10:04:10 AM 4/5/2007

Listing files found while scanning....

C:\WINDOWS\system32\byxvspn.dll
C:\WINDOWS\system32\byxvtut.dll
C:\WINDOWS\system32\byxyxyw.dll
C:\WINDOWS\system32\byxyywt.dll
C:\WINDOWS\system32\cbxvwtr.dll
C:\WINDOWS\system32\cbxwxxu.dll
C:\WINDOWS\system32\ddcdddd.dll
C:\WINDOWS\system32\fcccddb.dll
C:\WINDOWS\system32\gebcbaa.dll
C:\WINDOWS\system32\gebyxuu.dll
C:\WINDOWS\system32\hggefdb.dll
C:\WINDOWS\system32\jkkll.dll
C:\WINDOWS\system32\khfeecy.dll
C:\WINDOWS\system32\khfggfc.dll
C:\WINDOWS\system32\llkkj.bak1
C:\WINDOWS\system32\llkkj.ini
C:\WINDOWS\system32\mljgfee.dll
C:\WINDOWS\system32\nnnnoop.dll
C:\WINDOWS\system32\npbfdoxx.dll
C:\WINDOWS\system32\qomllmm.dll
C:\WINDOWS\system32\qomnkji.dll
C:\WINDOWS\system32\rqrssrs.dll
C:\WINDOWS\system32\tuvspop.dll
C:\WINDOWS\system32\tuvwusq.dll
C:\WINDOWS\system32\urqronk.dll
C:\WINDOWS\system32\vtututq.dll
C:\WINDOWS\system32\vtuuuuu.dll
C:\WINDOWS\system32\wvuvtro.dll
C:\WINDOWS\system32\xxodfbpn.ini
C:\WINDOWS\system32\xxyawuv.dll
C:\WINDOWS\system32\yaywwuv.dll
C:\WINDOWS\system32\yayyvsq.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\byxvspn.dll
C:\WINDOWS\system32\byxvspn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\byxvtut.dll
C:\WINDOWS\system32\byxvtut.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\byxyxyw.dll
C:\WINDOWS\system32\byxyxyw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\byxyywt.dll
C:\WINDOWS\system32\byxyywt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbxvwtr.dll
C:\WINDOWS\system32\cbxvwtr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbxwxxu.dll
C:\WINDOWS\system32\cbxwxxu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddcdddd.dll
C:\WINDOWS\system32\ddcdddd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fcccddb.dll
C:\WINDOWS\system32\fcccddb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gebcbaa.dll
C:\WINDOWS\system32\gebcbaa.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gebyxuu.dll
C:\WINDOWS\system32\gebyxuu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hggefdb.dll
C:\WINDOWS\system32\hggefdb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkkll.dll
C:\WINDOWS\system32\jkkll.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\khfeecy.dll
C:\WINDOWS\system32\khfeecy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\khfggfc.dll
C:\WINDOWS\system32\khfggfc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\llkkj.bak1
C:\WINDOWS\system32\llkkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\llkkj.ini
C:\WINDOWS\system32\llkkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\mljgfee.dll
C:\WINDOWS\system32\mljgfee.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nnnnoop.dll
C:\WINDOWS\system32\nnnnoop.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\npbfdoxx.dll
C:\WINDOWS\system32\npbfdoxx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qomllmm.dll
C:\WINDOWS\system32\qomllmm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qomnkji.dll
C:\WINDOWS\system32\qomnkji.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqrssrs.dll
C:\WINDOWS\system32\rqrssrs.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tuvspop.dll
C:\WINDOWS\system32\tuvspop.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tuvwusq.dll
C:\WINDOWS\system32\tuvwusq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\urqronk.dll
C:\WINDOWS\system32\urqronk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtututq.dll
C:\WINDOWS\system32\vtututq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtuuuuu.dll
C:\WINDOWS\system32\vtuuuuu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvuvtro.dll
C:\WINDOWS\system32\wvuvtro.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xxodfbpn.ini
C:\WINDOWS\system32\xxodfbpn.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\xxyawuv.dll
C:\WINDOWS\system32\xxyawuv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yaywwuv.dll
C:\WINDOWS\system32\yaywwuv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yayyvsq.dll
C:\WINDOWS\system32\yayyvsq.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.19

railman
2007-04-07, 20:07
And now the HijackThis log. (I've renamed HijackThis to hjt.exe.)

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:05:24 PM, on 4/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Tweak-XP Pro 4\AdBlocker.exe
C:\Program Files\Tweak-XP Pro 4\Tweak-XP.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\warren\Desktop\icons\hjt.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {48E0245E-6ACF-47B6-8C78-BA8BBE269D45} - C:\WINDOWS\system32\pmnnl.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [WatchDog] "C:\Program Files\mobile PhoneTools\WatchDog.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [Tweak-XP Pro] "C:\Program Files\Tweak-XP Pro 4\autostart.exe"
O4 - HKCU\..\Run: [Pop-Up-Blocker] "C:\Program Files\Tweak-XP Pro 4\popup.exe"
O4 - HKCU\..\Run: [BlockAds] "C:\Program Files\Tweak-XP Pro 4\AdBlocker.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/installers/cab/SystemDoctor2006FreeBHInstall.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ricochetlostworlds/ReflexiveWebGameLoader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129645445375
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129645431937
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://sra.cn.ca/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9938 bytes
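The two logs above (before and after VundoFix) show why matching on exact filenames is not enough with this family: the jkkll.dll / yaywwuv.dll BHO and Winlogon Notify entries and the rundll32 "SoundService" Run key are gone, but a new unnamed BHO registration (pmnnl.dll, file missing) has already appeared. The Python script below is an added example, not part of this thread and not code from HijackThis or VundoFix. It runs a few Vundo-style triage rules over HijackThis entry lines (unnamed BHO in system32, a Run key using rundll32 to load a system32 DLL, Winlogon Notify DLLs, random-looking 5 to 8 letter DLL names, orphaned "(file missing)" registrations) and diffs two logs to show what disappeared and what is new. The sample lines are excerpts constructed from the thread's logs; the rule names and the `looks_random` pattern are my assumptions for triage, not proof of infection.

```python
import re

# Constructed excerpts modelled on the two HijackThis logs in this thread
# (before and after VundoFix). Not full logs; a few legitimate lines are kept
# as negative controls (Adobe BHO, Spybot SDHelper, NeroCheck).
HJT_BEFORE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0765EA83-9EC8-4BA2-A7F5-D6A0E251B2F5} - C:\WINDOWS\system32\jkkll.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\system32\yaywwuv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\npbfdoxx.dll",setvm
O20 - Winlogon Notify: jkkll - C:\WINDOWS\system32\jkkll.dll
O20 - Winlogon Notify: yaywwuv - C:\WINDOWS\SYSTEM32\yaywwuv.dll
"""

HJT_AFTER = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {48E0245E-6ACF-47B6-8C78-BA8BBE269D45} - C:\WINDOWS\system32\pmnnl.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
"""

# HijackThis entry lines start with a section code such as R1, O2, O4, O20.
ENTRY_RE = re.compile(r"^(R\d|O\d+) - ")
# A DLL living directly in %SystemRoot%\system32 (path matched case-insensitively).
SYSTEM32_DLL_RE = re.compile(r"[A-Za-z]:\\WINDOWS\\system32\\([A-Za-z0-9_]+)\.dll", re.IGNORECASE)
# Heuristic (assumption): the generated names seen in this thread are 5 to 8
# lowercase letters with no digits (jkkll, yaywwuv, npbfdoxx, pmnnl).
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,8}$")


def parse_entries(log: str) -> list[str]:
    """Keep only the R/O entry lines of a HijackThis log, stripped."""
    return [ln.strip() for ln in log.splitlines() if ENTRY_RE.match(ln.strip())]


def looks_random(name: str) -> bool:
    """True when a DLL base name fits the random-name pattern above."""
    return bool(RANDOM_NAME_RE.match(name))


def triage(entry: str) -> list[str]:
    """Return the reasons an entry deserves a look; an empty list means nothing matched."""
    reasons = []
    kind = entry.split(" - ", 1)[0]
    m = SYSTEM32_DLL_RE.search(entry)
    dll = m.group(1) if m else None
    if kind == "O2" and "(no name)" in entry and dll:
        reasons.append("unnamed BHO loaded from system32")
    if kind == "O4" and "rundll32.exe" in entry.lower() and dll:
        reasons.append("Run key uses rundll32 to load a system32 DLL")
    if kind == "O20" and dll:
        reasons.append("Winlogon Notify DLL (loaded into winlogon.exe at logon; verify it)")
    if dll and looks_random(dll):
        reasons.append(f"random-looking DLL name '{dll}.dll'")
    if "(file missing)" in entry:
        reasons.append("orphaned registration (file already removed)")
    return reasons


def flagged(log: str) -> dict[str, list[str]]:
    """Map each suspicious entry line to the reasons it was flagged."""
    out = {}
    for entry in parse_entries(log):
        reasons = triage(entry)
        if reasons:
            out[entry] = reasons
    return out


def diff_logs(before: str, after: str) -> tuple[list[str], list[str]]:
    """(entries that disappeared, entries that are new) between two logs."""
    b, a = set(parse_entries(before)), set(parse_entries(after))
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for label, log in (("BEFORE", HJT_BEFORE), ("AFTER", HJT_AFTER)):
        print(f"== {label} ==")
        for entry, reasons in flagged(log).items():
            print(entry)
            for r in reasons:
                print("   ->", r)
    removed, added = diff_logs(HJT_BEFORE, HJT_AFTER)
    print("== removed ==", *removed, sep="\n")
    print("== added ==", *added, sep="\n")
```

Run the same rules over the third log later in this thread and they flag the regenerated gebyy.dll BHO and the vamkblcy.dll "SoundService" Run key, which is the point: after each cleaning pass, diff a fresh log against the previous one rather than searching for the old filenames. A random-looking name is a signal to examine the file (publisher, digital signature, creation time), not a verdict on its own.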

Angelfire777
2007-04-08, 04:36
Hi,

Did you install a program called Winpcap?

*Update AVG Anti-Spyware
From the main AVG Anti-Spyware screen, click on Update, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Exit AVG Anti-Spyware. DO NOT scan yet.


*Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune

Do not use it yet.
_________________

*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

O2 - BHO: (no name) - {48E0245E-6ACF-47B6-8C78-BA8BBE269D45} - C:\WINDOWS\system32\pmnnl.dll (file missing)
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files...eBHInstall.cab


Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
_________________

You may want to print these instructions here or save them in notepad since you'll work offline.

Reboot into Safe Mode.

To enter Safe Mode:

Click Start > Turn Off Computer > Restart > tap the F8 key just before Windows starts to load > this will bring up a menu > use your keyboard to scroll to Safe Mode > hit Enter.


*Important: Make sure all your browsers are closed before running ATF Cleaner..

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose:Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

*Please run AVG Anti-Spyware and run a full scan as follows:

IMPORTANT: Do not open any other windows or programs while AVG AntiSpyware is scanning, it may interfere with the scanning process.

Launch AVG AntiSpyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
AVG AntiSpyware will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will be prompted; then select "Apply all actions".
Next select the "Reports" icon at the top.
Select the "Save Report As" button in the lower left hand of the screen and save it to a text file on your system. (Make sure to remember where you saved that file, this is important).
Close AVG AntiSpyware.
Reboot to normal mode.


*Your Java is out of date....
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components.
Click Start > Control Panel
Click Add/Remove Programs
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove button.
Repeat as many times as necessary to remove all versions of Java.
Reboot your computer once all Java components are removed.
Then download Java Runtime Environment 6u1 (http://java.sun.com/javase/downloads/index.jsp), and install it to your computer.

In your next reply, please include a fresh HijackThis log, the AVG Anti-Spyware log and a description of how your machine is running.

railman
2007-04-09, 19:01
Hi, thanks again for your help. I have completed the above steps, and I don't remember downloading that program. AVG Anti-Spyware keeps finding yayawuv.dll and can't do anything with it; I finally have to ignore it. Here are the logs.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:59:50 AM, on 4/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Tweak-XP Pro 4\Tweak-XP.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\warren\Desktop\icons\hjt.exe.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
O2 - BHO: (no name) - {02AB5694-F3B7-4543-B6EA-58EF966A4C2B} - C:\WINDOWS\system32\gebyy.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [WatchDog] "C:\Program Files\mobile PhoneTools\WatchDog.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\vamkblcy.dll",setvm
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [Tweak-XP Pro] "C:\Program Files\Tweak-XP Pro 4\autostart.exe"
O4 - HKCU\..\Run: [Pop-Up-Blocker] "C:\Program Files\Tweak-XP Pro 4\popup.exe"
O4 - HKCU\..\Run: [BlockAds] "C:\Program Files\Tweak-XP Pro 4\AdBlocker.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ricochetlostworlds/ReflexiveWebGameLoader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129645445375
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129645431937
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://sra.cn.ca/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O20 - Winlogon Notify: gebyy - C:\WINDOWS\system32\gebyy.dll
O20 - Winlogon Notify: yayawuv - yayawuv.dll (file missing)
O20 - Winlogon Notify: yayyxyv - C:\WINDOWS\SYSTEM32\yayyxyv.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10194 bytes

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:33:51 AM 4/9/2007

+ Scan result:



C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP58\A0046043.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP60\A0046127.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP60\A0046128.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP60\A0046131.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP62\A0046280.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047464.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall7_48.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\system32\bund1\ClientBundle1.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\system32\micro1\a1.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP60\A0046114.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP60\A0046115.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP60\A0046116.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP60\A0046118.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\WINDOWS\system32\micro1\a4.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP58\A0046060.dll -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP58\A0046062.exe -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP59\A0046076.dll -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP59\A0046077.exe -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP59\A0046092.exe -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP60\A0046098.dll -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP60\A0046099.exe -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP60\A0046104.dll -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP60\A0046108.dll -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP60\A0046125.exe -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP60\A0046130.dll -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047537.dll -> Adware.TTC : Cleaned with backup (quarantined).
C:\WINDOWS\VTTC.exe -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP60\A0046106.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047417.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047418.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047420.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047422.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047425.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047426.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047429.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047430.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047431.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047432.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047435.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047439.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047440.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047441.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047443.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP65\A0047622.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\byxvspn.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\byxvtut.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\byxyywt.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\cbxwxxu.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\gebcbaa.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\gebyxuu.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\khfeecy.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\khfggfc.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\mljgfee.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\nnnnoop.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\pmnlklk.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\qomnkji.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\urqronk.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\vtututq.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\vtuuuuu.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\xxyawuv.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP62\A0046252.dll -> Adware.ZQuest : Cleaned with backup (quarantined).
C:\WINDOWS\system32\micro1\a3.exe -> Adware.ZQuest : Cleaned with backup (quarantined).
C:\WINDOWS\system32\micro1\win5.exe -> Dropper.Agent.bfr : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA7P_0001_N91M0809NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\UWA7P_0001_N91M0809NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\USDR6_7777_BHLP0611NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.q : Cleaned with backup (quarantined).
E:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP46\A0034835.exe -> Trojan.Obfuscated.en : Cleaned with backup (quarantined).


::Report end

Angelfire777
2007-04-09, 19:13
You got reinfected by Vundo.

*Please run vundofix again.

*Click Start > Control Panel > Add or Remove Programs and uninstall the item in bold if found.

WinPcap

*Reboot and delete the following folders:

C:\Program Files\WinPcap
C:\WINDOWS\system32\bund1
C:\WINDOWS\system32\micro1

Empty your recycle bin.

Please post the vundofix log and a new HijackThis log.

railman
2007-04-09, 20:04
No popups so far!

C:\WINDOWS\system32\gebyy.dll
C:\WINDOWS\system32\hgggghe.dll
C:\WINDOWS\system32\vamkblcy.dll
C:\WINDOWS\system32\yayyxyv.dll
C:\WINDOWS\system32\yclbkmav.ini
C:\WINDOWS\system32\yybeg.bak1
C:\WINDOWS\system32\yybeg.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\gebyy.dll
C:\WINDOWS\system32\gebyy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hgggghe.dll
C:\WINDOWS\system32\hgggghe.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vamkblcy.dll
C:\WINDOWS\system32\vamkblcy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yayyxyv.dll
C:\WINDOWS\system32\yayyxyv.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\yclbkmav.ini
C:\WINDOWS\system32\yclbkmav.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\yybeg.bak1
C:\WINDOWS\system32\yybeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\yybeg.ini
C:\WINDOWS\system32\yybeg.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\yayyxyv.dll
C:\WINDOWS\system32\yayyxyv.dll Has been deleted!

Performing Repairs to the registry.
Done!

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:03:31 PM, on 4/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Tweak-XP Pro 4\AdBlocker.exe
C:\Program Files\Tweak-XP Pro 4\Tweak-XP.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\warren\Desktop\icons\hjt.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [WatchDog] "C:\Program Files\mobile PhoneTools\WatchDog.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Tweak-XP Pro] "C:\Program Files\Tweak-XP Pro 4\autostart.exe"
O4 - HKCU\..\Run: [Pop-Up-Blocker] "C:\Program Files\Tweak-XP Pro 4\popup.exe"
O4 - HKCU\..\Run: [BlockAds] "C:\Program Files\Tweak-XP Pro 4\AdBlocker.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ricochetlostworlds/ReflexiveWebGameLoader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129645445375
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129645431937
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://sra.cn.ca/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9422 bytes

railman
2007-04-09, 20:05
Spoke too soon, just got a popup.

Angelfire777
2007-04-09, 20:14
Hmm.. Something is messing with us there :scratch:

Don't worry let's check some more :ninja:

Download combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

1. Double click combofix.exe & follow the prompts.
2. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

railman
2007-04-09, 20:29
"warren" - 07-04-09 12:20:22 Service Pack 2
ComboFix 07-04-05 - Running from: "C:\Documents and Settings\warren\Desktop"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\warren\Desktop\internet.lnk
C:\WINDOWS\system32\vbuzip10.dll


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\nm
-------\LEGACY_NM


((((((((((((((((((((((((((((((( Files Created from 2007-03-09 to 2007-04-09 ))))))))))))))))))))))))))))))))))


2007-04-05 13:41 <DIR> d-------- C:\!KillBox
2007-04-05 10:24 <DIR> d-------- C:\SmitfraudFix
2007-04-05 08:36 3,064 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-05 08:34 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-04-05 08:34 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-04-05 08:34 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-04-05 08:34 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-04-05 08:34 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-04-05 08:34 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-04-03 14:34 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-03 11:40 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
2007-04-03 11:38 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-04-03 11:38 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-04-03 11:38 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2007-04-03 11:38 144,448 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-04-03 11:38 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
2007-04-03 11:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-04-03 11:36 <DIR> d-------- C:\DOCUME~1\warren\APPLIC~1\Webroot
2007-04-03 09:22 385,024 --a------ C:\WINDOWS\system32\IKAutoUp.exe
2007-04-03 09:22 385,024 --a------ C:\WINDOWS\system32\IkAutoUp.dat
2007-04-02 21:48 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-04-02 19:47 <DIR> d-------- C:\Program Files\STOPzilla!
2007-04-02 19:47 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-04-02 19:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ZILLAbar
2007-04-02 19:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
2007-04-02 15:45 <DIR> d-------- C:\WINDOWS\pss
2007-04-02 12:11 72,320 --a------ C:\WINDOWS\system32\drivers\core.sys
2007-04-02 12:11 <DIR> d-------- C:\Temp\tn3
2007-03-18 19:54 <DIR> d-------- C:\Program Files\iTunes
2007-03-15 11:23 497,496 --a------ C:\WINDOWS\system32\XceedZip.dll
2007-03-15 11:19 526,184 --a------ C:\WINDOWS\system32\XceedCry.dll
2007-03-14 17:06 <DIR> d-------- C:\My Games
2007-03-14 17:05 <DIR> d-------- C:\My Download Files
2007-03-14 17:04 774,144 --a------ C:\Program Files\RngInterstitial.dll
2007-03-14 17:04 <DIR> d-------- C:\Program Files\Real
2007-03-11 16:32 <DIR> d-------- C:\DOCUME~1\alex\APPLIC~1\DivX


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-09 11:57 -------- d-------- C:\Program Files\tweak-xp pro 4
2007-04-09 11:51 -------- d-------- C:\DOCUME~1\warren\APPLIC~1\skype
2007-04-09 10:55 -------- d-------- C:\Program Files\java
2007-04-05 13:16 2951 --a------ C:\WINDOWS\mozver.dat
2007-04-05 11:28 -------- d-------- C:\Program Files\super internet tv
2007-04-03 12:30 -------- d-------- C:\DOCUME~1\warren\APPLIC~1\verbatim software
2007-04-03 11:38 -------- d-------- C:\Program Files\webroot
2007-04-02 16:22 -------- d-------- C:\Program Files\google
2007-03-28 19:09 -------- d-------- C:\DOCUME~1\warren\APPLIC~1\vso_hwe
2007-03-18 20:55 -------- d-------- C:\Program Files\dvdfab platinum 3
2007-03-18 20:55 -------- d-------- C:\DOCUME~1\warren\APPLIC~1\vso
2007-03-18 19:54 -------- d-------- C:\Program Files\ipod
2007-03-18 19:52 -------- d-------- C:\Program Files\quicktime
2007-03-14 17:04 -------- d-------- C:\Program Files\Common Files\real
2007-03-08 09:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 09:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 09:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 07:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-07 09:32 -------- d-------- C:\Program Files\divx
2007-03-05 19:16 -------- d-------- C:\Program Files\yahoo! games
2007-03-05 18:21 -------- d-------- C:\DOCUME~1\warren\APPLIC~1\juniper networks
2007-03-01 08:53 142 --a------ C:\Program Files\Common Files\rtele.html
2007-02-22 22:29 524288 --a------ C:\WINDOWS\system32\divxsm.exe
2007-02-22 22:29 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-02-22 22:29 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-02-22 22:29 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-02-22 22:25 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-02-22 22:25 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-02-22 22:25 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-02-22 22:25 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-02-22 22:25 639066 --a------ C:\WINDOWS\system32\divx.dll
2007-02-22 22:25 593920 --a------ C:\WINDOWS\system32\dpugui11.dll
2007-02-22 22:25 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-02-22 22:25 53248 --a------ C:\WINDOWS\system32\dpugui10.dll
2007-02-22 22:25 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-02-22 22:25 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-02-22 22:25 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-02-22 22:25 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-02-15 19:40 124472 --a------ C:\WINDOWS\system32\divxcodecupdatechecker.exe
2007-02-11 18:22 -------- d-------- C:\Program Files\openvideoconverter
2007-02-11 17:53 0 --a------ C:\WINDOWS\nsreg.dat
2007-01-29 23:03 129784 --------- C:\WINDOWS\system32\pxafs.dll
2007-01-29 23:03 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-01-29 23:03 116472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-01-22 19:24 23392 --a--c--- C:\WINDOWS\system32\emptyregdb.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"Tweak-XP Pro"="\"C:\\Program Files\\Tweak-XP Pro 4\\autostart.exe\""
"Pop-Up-Blocker"="\"C:\\Program Files\\Tweak-XP Pro 4\\popup.exe\""
"BlockAds"="\"C:\\Program Files\\Tweak-XP Pro 4\\AdBlocker.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SiSUSBRG"="C:\\WINDOWS\\SiSUSBrg.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"RegistryMechanic"=""
"MessengerPlus3"="\"C:\\Program Files\\MessengerPlus! 3\\MsgPlus.exe\""
"OpwareSE2"="\"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\OpwareSE2.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"AVG7_CC"="\"C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe\" /STARTUP"
"WatchDog"="\"C:\\Program Files\\mobile PhoneTools\\WatchDog.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E44527F6-1296-4A84-B67D-A6CEA6ED4B69}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{D2A0728D-AB2F-4B91-9EEF-590C70EA075D}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWinKeys"=dword:00000001
"NoRecentDocsMenu"=dword:00000001
"NoLowDiskSpaceChecks"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-09 12:25:09
C:\ComboFix-quarantined-files.txt ... 07-04-09 12:25

railman
2007-04-09, 23:24
When I restart my computer, AVG finds malware, often a different file, usually one every time, e.g. yayawuv.dll, ddcawx.dll in windows/system32.

Angelfire777
2007-04-10, 07:17
Hi,

Please download the Suspicious file Packer (http://www.safer-networking.org/files/sfp.zip) from Safer-Networking.Org and unzip it to your desktop.

Run SFP.exe.

Please copy the following lines into the Step 1: Paste Text window:

C:\WINDOWS\system32\drivers\core.sys

then click "Continue".

This will create a .cab file on your desktop named requested-files[Date/Time].cab

Next, please visit TheSpyKillers forum HERE (http://www.thespykiller.co.uk/index.php?board=1.0)

Read the first topic for instructions on uploading files, then start a new Topic, name the topic "core.sys sample", then post a link to this thread and upload the requested files.cab archive from your desktop.
__________________

*Do you recognize the following file? If not, locate the file and right click on it, select properties, and look for the vendor name, or anything that would indicate the program with which it may be associated. If you still do not recognize it, nor does it appear to be associated with a known valid program, delete it...

C:\Program Files\Common Files\rtele.html

*Delete the following folder:

C:\Temp\tn3

Empty your recycle bin.


Open HijackThis > Click Misc Tools Section
Click "Delete a File on Reboot."
Copy and paste this into the file name box: C:\WINDOWS\system32\drivers\core.sys
Hijackthis will ask you if you want to reboot, click yes.


Please post a fresh HijackThis log.

railman
2007-04-10, 15:55
Good morning and thanks. Last night I used this program and things were working quite well. After following the latest instructions, my computer is so slow I can hardly post this. Here is the log from both programs:

[04/09/2007, 21:55:07] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\warren\Desktop\VirtumundoBeGone.exe" )
[04/09/2007, 21:55:13] - Detected System Information:
[04/09/2007, 21:55:13] - Windows Version: 5.1.2600, Service Pack 2
[04/09/2007, 21:55:13] - Current Username: warren (Admin)
[04/09/2007, 21:55:13] - Windows is in NORMAL mode.
[04/09/2007, 21:55:13] - Searching for Browser Helper Objects:
[04/09/2007, 21:55:13] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[04/09/2007, 21:55:13] - BHO 2: {0CF0B8EE-6596-11D5-A98E-0003470BB48E} (CCHelper Class)
[04/09/2007, 21:55:13] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[04/09/2007, 21:55:13] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2007, 21:55:13] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[04/09/2007, 21:55:13] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[04/09/2007, 21:55:13] - BHO 4: {6ED6EB56-AD46-488C-B515-2A8EA53BB42D} ()
[04/09/2007, 21:55:13] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2007, 21:55:13] - Checking for HKLM\...\Winlogon\Notify\ddcyy
[04/09/2007, 21:55:13] - Found: HKLM\...\Winlogon\Notify\ddcyy - This is probably Virtumundo.
[04/09/2007, 21:55:13] - Assigning {6ED6EB56-AD46-488C-B515-2A8EA53BB42D} MSEvents Object
[04/09/2007, 21:55:13] - BHO list has been changed! Starting over...
[04/09/2007, 21:55:13] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[04/09/2007, 21:55:13] - BHO 2: {0CF0B8EE-6596-11D5-A98E-0003470BB48E} (CCHelper Class)
[04/09/2007, 21:55:13] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[04/09/2007, 21:55:13] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2007, 21:55:13] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[04/09/2007, 21:55:13] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[04/09/2007, 21:55:13] - BHO 4: {6ED6EB56-AD46-488C-B515-2A8EA53BB42D} (MSEvents Object)
[04/09/2007, 21:55:13] - ALERT: Found MSEvents Object!
[04/09/2007, 21:55:13] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/09/2007, 21:55:13] - Finished Searching Browser Helper Objects
[04/09/2007, 21:55:13] - *** Detected MSEvents Object
[04/09/2007, 21:55:13] - Trying to remove MSEvents Object...
[04/09/2007, 21:55:14] - Terminating Process: IEXPLORE.EXE
[04/09/2007, 21:55:15] - Terminating Process: RUNDLL32.EXE
[04/09/2007, 21:55:15] - Disabling Automatic Shell Restart
[04/09/2007, 21:55:15] - Terminating Process: EXPLORER.EXE
[04/09/2007, 21:55:16] - Suspending the NT Session Manager System Service
[04/09/2007, 21:55:16] - Terminating Windows NT Logon/Logoff Manager
[04/09/2007, 21:55:16] - Re-enabling Automatic Shell Restart
[04/09/2007, 21:55:16] - File to disable: C:\WINDOWS\system32\ddcyy.dll
[04/09/2007, 21:55:16] - Renaming C:\WINDOWS\system32\ddcyy.dll -> C:\WINDOWS\system32\ddcyy.dll.vir
[04/09/2007, 21:55:17] - File successfully renamed!
[04/09/2007, 21:55:17] - Removing HKLM\...\Browser Helper Objects\{6ED6EB56-AD46-488C-B515-2A8EA53BB42D}
[04/09/2007, 21:55:17] - Removing HKCR\CLSID\{6ED6EB56-AD46-488C-B515-2A8EA53BB42D}
[04/09/2007, 21:55:17] - Adding Kill Bit for ActiveX for GUID: {6ED6EB56-AD46-488C-B515-2A8EA53BB42D}
[04/09/2007, 21:55:17] - Deleting ATLEvents/MSEvents Registry entries
[04/09/2007, 21:55:17] - Removing HKLM\...\Winlogon\Notify\ddcyy
[04/09/2007, 21:55:17] - Searching for Browser Helper Objects:
[04/09/2007, 21:55:17] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[04/09/2007, 21:55:17] - BHO 2: {0CF0B8EE-6596-11D5-A98E-0003470BB48E} (CCHelper Class)
[04/09/2007, 21:55:17] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[04/09/2007, 21:55:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2007, 21:55:17] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[04/09/2007, 21:55:17] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[04/09/2007, 21:55:17] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/09/2007, 21:55:17] - Finished Searching Browser Helper Objects
[04/09/2007, 21:55:17] - Finishing up...
[04/09/2007, 21:55:17] - A restart is needed.
[04/09/2007, 21:55:28] - Attempting to Restart via STOP error (Blue Screen!)

[04/09/2007, 21:57:33] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\warren\Desktop\VirtumundoBeGone.exe" )
[04/09/2007, 21:57:36] - Detected System Information:
[04/09/2007, 21:57:36] - Windows Version: 5.1.2600, Service Pack 2
[04/09/2007, 21:57:36] - Current Username: warren (Admin)
[04/09/2007, 21:57:36] - Windows is in SAFE mode with Networking.
[04/09/2007, 21:57:36] - Searching for Browser Helper Objects:
[04/09/2007, 21:57:36] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[04/09/2007, 21:57:36] - BHO 2: {0CF0B8EE-6596-11D5-A98E-0003470BB48E} (CCHelper Class)
[04/09/2007, 21:57:36] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[04/09/2007, 21:57:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2007, 21:57:36] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[04/09/2007, 21:57:36] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[04/09/2007, 21:57:36] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/09/2007, 21:57:36] - BHO 5: {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} ()
[04/09/2007, 21:57:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2007, 21:57:36] - Checking for HKLM\...\Winlogon\Notify\byxxwxw
[04/09/2007, 21:57:36] - Found: HKLM\...\Winlogon\Notify\byxxwxw - This is probably Virtumundo.
[04/09/2007, 21:57:36] - Assigning {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} MSEvents Object
[04/09/2007, 21:57:36] - BHO list has been changed! Starting over...
[04/09/2007, 21:57:36] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[04/09/2007, 21:57:37] - BHO 2: {0CF0B8EE-6596-11D5-A98E-0003470BB48E} (CCHelper Class)
[04/09/2007, 21:57:37] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[04/09/2007, 21:57:37] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2007, 21:57:37] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[04/09/2007, 21:57:37] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[04/09/2007, 21:57:37] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/09/2007, 21:57:37] - BHO 5: {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} (MSEvents Object)
[04/09/2007, 21:57:37] - ALERT: Found MSEvents Object!
[04/09/2007, 21:57:37] - Finished Searching Browser Helper Objects
[04/09/2007, 21:57:37] - *** Detected MSEvents Object
[04/09/2007, 21:57:37] - Trying to remove MSEvents Object...
[04/09/2007, 21:57:38] - Terminating Process: IEXPLORE.EXE
[04/09/2007, 21:57:39] - Terminating Process: RUNDLL32.EXE
[04/09/2007, 21:57:39] - Disabling Automatic Shell Restart
[04/09/2007, 21:57:39] - Terminating Process: EXPLORER.EXE
[04/09/2007, 21:57:39] - Suspending the NT Session Manager System Service
[04/09/2007, 21:57:39] - Terminating Windows NT Logon/Logoff Manager
[04/09/2007, 21:57:39] - Re-enabling Automatic Shell Restart
[04/09/2007, 21:57:39] - File to disable: C:\WINDOWS\system32\byxxwxw.dll
[04/09/2007, 21:57:39] - Renaming C:\WINDOWS\system32\byxxwxw.dll -> C:\WINDOWS\system32\byxxwxw.dll.vir
[04/09/2007, 21:57:39] - File successfully renamed!
[04/09/2007, 21:57:39] - Removing HKLM\...\Browser Helper Objects\{E44527F6-1296-4A84-B67D-A6CEA6ED4B69}
[04/09/2007, 21:57:39] - Removing HKCR\CLSID\{E44527F6-1296-4A84-B67D-A6CEA6ED4B69}
[04/09/2007, 21:57:39] - Adding Kill Bit for ActiveX for GUID: {E44527F6-1296-4A84-B67D-A6CEA6ED4B69}
[04/09/2007, 21:57:39] - Deleting ATLEvents/MSEvents Registry entries
[04/09/2007, 21:57:39] - Removing HKLM\...\Winlogon\Notify\byxxwxw
[04/09/2007, 21:57:39] - Searching for Browser Helper Objects:
[04/09/2007, 21:57:39] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[04/09/2007, 21:57:39] - BHO 2: {0CF0B8EE-6596-11D5-A98E-0003470BB48E} (CCHelper Class)
[04/09/2007, 21:57:39] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[04/09/2007, 21:57:39] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2007, 21:57:39] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[04/09/2007, 21:57:39] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[04/09/2007, 21:57:39] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/09/2007, 21:57:39] - Finished Searching Browser Helper Objects
[04/09/2007, 21:57:39] - Finishing up...
[04/09/2007, 21:57:39] - A restart is needed.
[04/09/2007, 21:57:43] - Attempting to Restart via STOP error (Blue Screen!)
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:39:53 AM, on 4/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Tweak-XP Pro 4\AdBlocker.exe
C:\WINDOWS\system32\micro1\b9.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hijack this\hjt.exe.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\TEMP\New21.tmp\upgrade.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {94C566BD-A7C8-425A-B98B-A2E9ACB2C8BE} - C:\Program Files\MSN\meqosadi.dll
O2 - BHO: 0 - {B6B32DB0-24C7-4473-50A1-241AEEC9EB9E} - C:\Program Files\Common Files\quca.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [WatchDog] "C:\Program Files\mobile PhoneTools\WatchDog.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [bantool] C:\WINDOWS\system32\micro1\b9.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BlockAds] "C:\Program Files\Tweak-XP Pro 4\AdBlocker.exe"
O4 - HKCU\..\Run: [Pop-Up-Blocker] "C:\Program Files\Tweak-XP Pro 4\popup.exe"
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ricochetlostworlds/ReflexiveWebGameLoader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129645445375
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129645431937
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://sra.cn.ca/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: yayaaya - C:\WINDOWS\SYSTEM32\yayaaya.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10367 bytes
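
The indicators the helpers are working from in this log (an unnamed O2 BHO in a non-standard folder, an O4 autorun from a subfolder of system32, a broken O10 LSP chain, a non-empty O20 AppInit_DLLs value, and an O20 Winlogon Notify package with a generated-looking name) can be picked out mechanically. The following Python script is an added example for this thread, not code from HijackThis, AVG or the posters; it parses the HijackThis line format shown above and reports those patterns. The sample log is constructed from lines modelled on this thread, and the allowlists of known notification packages and known unnamed BHOs are assumptions for the example that should be extended from a known-good machine before relying on them.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the HijackThis log format seen in this thread
# (paths and CLSIDs as they appear there; this is not a captured log).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {94C566BD-A7C8-425A-B98B-A2E9ACB2C8BE} - C:\Program Files\MSN\meqosadi.dll
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [bantool] C:\WINDOWS\system32\micro1\b9.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: yayaaya - C:\WINDOWS\SYSTEM32\yayaaya.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# One HijackThis entry per line: a section code, " - ", then the detail text.
LINE_RE = re.compile(r"^(O\d+|R\d+|F\d+|N\d+) - (.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<label>[^\]]+)\] (?P<cmd>.+)$")
LSP_RE = re.compile(r"^Broken Internet access because of LSP provider '(?P<path>[^']+)' missing$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<dlls>.+)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>[^ ]+) - (?P<path>.+)$")

# Partial allowlist of Winlogon notification packages normally present on XP.
# Assumption for this example: build the real list from a clean reference machine.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}
# Unnamed BHOs that are known-good despite reporting "(no name)" (assumption: Spybot's helper).
KNOWN_UNNAMED_BHO_DLLS = {"sdhelper.dll"}


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Split a HijackThis log into (section, detail) pairs, ignoring header/process lines."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(text: str) -> List[Dict[str, str]]:
    """Return one finding per entry matching a persistence pattern from this thread."""
    findings: List[Dict[str, str]] = []
    for section, detail in parse_hjt(text):
        if section == "O2":
            m = BHO_RE.match(detail)
            if m and m.group("name") == "(no name)":
                dll = m.group("path").rsplit("\\", 1)[-1].lower()
                if dll not in KNOWN_UNNAMED_BHO_DLLS:
                    findings.append({"section": section, "item": m.group("path"),
                                     "reason": "unnamed BHO outside allowlist"})
        elif section == "O4":
            m = RUN_RE.match(detail)
            # Legitimate autoruns live in Program Files or system32 itself, not a
            # freshly created subfolder of system32 such as system32\micro1.
            if m and re.search(r"\\system32\\[^\\]+\\", m.group("cmd"), re.IGNORECASE):
                findings.append({"section": section, "item": m.group("cmd"),
                                 "reason": "autorun from a subfolder of system32"})
        elif section == "O10":
            m = LSP_RE.match(detail)
            if m:
                findings.append({"section": section, "item": m.group("path"),
                                 "reason": "LSP chain references a missing DLL (Winsock repair needed)"})
        elif section == "O20":
            m = APPINIT_RE.match(detail)
            if m:
                findings.append({"section": section, "item": m.group("dlls"),
                                 "reason": "AppInit_DLLs set (loaded into every user32 process)"})
            m = NOTIFY_RE.match(detail)
            if m and m.group("name").lower() not in KNOWN_NOTIFY:
                findings.append({"section": section, "item": m.group("path"),
                                 "reason": "Winlogon Notify package outside allowlist"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:4} {f['reason']}: {f['item']}")
```

Run against the constructed sample it reports five findings, in log order: the MSN\meqosadi.dll BHO, the bantool autorun, the NewDotNet LSP entry, the AppInit DLL and the yayaaya Winlogon Notify package; the Adobe BHO, Spybot's SDHelper, the AVG autorun and WgaLogon pass. The Winlogon Notify rule is the one that matters for the file-changes-every-reboot symptom reported earlier in the thread: a package loaded by winlogon.exe is in place before any user-mode scanner runs, which is why a delete-on-reboot step rather than an ordinary delete is needed.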

railman
2007-04-10, 18:09
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:05:27 AM 4/10/2007

+ Scan result:



HKLM\SOFTWARE\Classes\CLSID\{A8BD6820-6ED7-423E-9558-2D1486B0FEEA} -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKLM\SOFTWARE\DeluxeCommunications -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKLM\SOFTWARE\DeluxeCommunications\Internet Explorer -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1500820517-725345543-1006\Software\DeluxeCommunications -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1500820517-725345543-1006\Software\DeluxeCommunications\Internet Explorer -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
C:\Program Files\hijack this\backups\backup-20070410-074709-409.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053561.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053562.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053563.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall6_38.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall7_48.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1500820517-725345543-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053546.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053565.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053566.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053579.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053547.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053577.dll -> Adware.ZQuest : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053576.exe -> Hijacker.Small.jf : Cleaned with backup (quarantined).


::Report end

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:07:58 AM, on 4/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Tweak-XP Pro 4\AdBlocker.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hijack this\hjt.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {9A932671-F0DD-436E-A521-4AA2D5506CBF} - C:\Program Files\MSN\meqosadi.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [WatchDog] "C:\Program Files\mobile PhoneTools\WatchDog.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BlockAds] "C:\Program Files\Tweak-XP Pro 4\AdBlocker.exe"
O4 - HKCU\..\Run: [Pop-Up-Blocker] "C:\Program Files\Tweak-XP Pro 4\popup.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ricochetlostworlds/ReflexiveWebGameLoader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129645445375
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129645431937
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://sra.cn.ca/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9025 bytes

Angelfire777
2007-04-10, 19:52
You got reinfected so fast.. I suggest you stay offline with that computer as long as possible and go online only when you are waiting for my instructions..

Is your AVG Antivirus up to date?


*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {9A932671-F0DD-436E-A521-4AA2D5506CBF} - C:\Program Files\MSN\meqosadi.dll

Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.


Open HijackThis > Click Misc Tools Section
Click "Delete a File on Reboot."
Copy and paste this into the file name box: C:\Program Files\MSN\meqosadi.dll
HijackThis will ask you if you want to reboot, click yes.


*Download Gmer (http://www.majorgeeks.com/downloadget.php?id=5198&file=15&evp=3f18075291813a665b2a25536a70b307)
Disconnect from internet and close running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double click gmer.exe
Let the gmer.sys driver load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run scan...say Ok.
If no warning....
Click "Rootkit" tab and click "Scan"
Once done, click "Copy"
Open Notepad and hit "ctrl+v" to paste the log.
Reconnect to the internet and post the log back to this thread please.


*Please run ComboFix once more.

On your next reply, please include a fresh HijackThis log, combofix log and the gmer log.
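The HijackThis step above amounts to picking two lines out of a log by hand: an unnamed O2 BHO loaded from an unfamiliar DLL, and an HKLM start page reset to about:blank. The following Python is an added example (not code from the thread, HijackThis or the helper) that parses R0/O2/O4 lines in the format shown in this thread, lets you select the exact entries a helper lists for fixing, and applies one defensive heuristic for unnamed BHOs. The sample log lines are copied from the log posted above; the `KNOWN_UNNAMED_BHOS` allow-list is an assumption (Spybot's SDHelper.dll is a vendor BHO that legitimately reports "(no name)"), and none of the function names come from any real tool.

```python
import re

# Sample lines copied from the HijackThis log posted in this thread (constructed subset).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {9A932671-F0DD-436E-A521-4AA2D5506CBF} - C:\Program Files\MSN\meqosadi.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
"""

# One regex per HijackThis section handled here; everything else is kept raw.
LINE_RES = {
    "R0": re.compile(r"^R0 - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$"),
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"),
    "O4": re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"),
}

# Assumed allow-list: vendor BHO file names that show up as "(no name)" in HijackThis.
KNOWN_UNNAMED_BHOS = {"sdhelper.dll"}


def parse_hjt(text):
    """Turn HijackThis R0/O2/O4 lines into dicts; unrecognised lines keep only type and raw text."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for kind, rx in LINE_RES.items():
            m = rx.match(line)
            if m:
                entries.append({"type": kind, "raw": line, **m.groupdict()})
                break
        else:
            entries.append({"type": line.split(" - ", 1)[0], "raw": line})
    return entries


def suspicious_bhos(entries):
    """Heuristic: BHOs that report no name and load from a DLL not on the allow-list."""
    hits = []
    for e in entries:
        if e["type"] != "O2":
            continue
        fname = e["path"].rsplit("\\", 1)[-1].lower()
        if e["name"] == "(no name)" and fname not in KNOWN_UNNAMED_BHOS:
            hits.append(e)
    return hits


def blank_start_pages(entries):
    """R0 start-page entries that have been reset to about:blank."""
    return [e for e in entries
            if e["type"] == "R0" and e["data"].strip().lower() == "about:blank"]


def select_for_fix(entries, fix_lines):
    """Mirror 'place a checkmark beside these entries': match the exact lines a helper lists."""
    wanted = {l.strip() for l in fix_lines}
    return [e for e in entries if e["raw"] in wanted]


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for e in suspicious_bhos(parsed):
        print("unnamed BHO outside allow-list:", e["clsid"], e["path"])
    for e in blank_start_pages(parsed):
        print("start page reset to about:blank:", e["key"])
```

Running it against the sample prints the meqosadi.dll BHO and the HKLM start page, the same two entries the helper asked to fix; the Spybot BHO is unnamed too, which is why a file-name allow-list, not the name alone, has to drive the heuristic.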

railman
2007-04-12, 00:12
Here are the logs.

"warren" - 07-04-11 15:54:36 Service Pack 2
ComboFix 07-04-05 - Running from: "C:\Documents and Settings\warren\Desktop\icons"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\bund1\ClientBundle1.exe
C:\WINDOWS\system32\bund1\temp.txt
C:\WINDOWS\system32\bkd.exe
C:\WINDOWS\system32\bund1


((((((((((((((((((((((((((((((( Files Created from 2007-03-11 to 2007-04-11 ))))))))))))))))))))))))))))))))))


2007-04-11 11:57 <DIR> d-------- C:\WINDOWS\LastGood
2007-04-10 11:08 <DIR> d-------- C:\Temp\tn3
2007-04-10 07:51 776,959 ---hs---- C:\WINDOWS\system32\ppqss.bak1
2007-04-10 07:50 280,676 --ahs---- C:\WINDOWS\system32\ssqpp.dll.vir
2007-04-10 07:36 105,434 --a------ C:\WINDOWS\VTTC.exe
2007-04-10 07:35 <DIR> d-------- C:\WINDOWS\system32\micro1
2007-04-09 21:44 <DIR> d-------- C:\Program Files\hijack this
2007-04-09 16:41 776,959 ---hs---- C:\WINDOWS\system32\yycdd.bak1
2007-04-09 15:29 776,959 ---hs---- C:\WINDOWS\system32\npqss.bak1
2007-04-09 12:57 776,959 ---hs---- C:\WINDOWS\system32\jmllm.bak1
2007-04-09 12:56 280,676 ---hs---- C:\WINDOWS\system32\mllmj.dll
2007-04-05 13:41 <DIR> d-------- C:\!KillBox
2007-04-05 10:24 <DIR> d-------- C:\SmitfraudFix
2007-04-05 08:36 3,064 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-05 08:34 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-04-05 08:34 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-04-05 08:34 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-04-05 08:34 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-04-05 08:34 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-04-05 08:34 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-04-03 14:34 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-03 11:40 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
2007-04-03 11:38 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-04-03 11:38 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-04-03 11:38 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2007-04-03 11:38 144,448 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-04-03 11:38 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
2007-04-03 11:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-04-03 11:36 <DIR> d-------- C:\DOCUME~1\warren\APPLIC~1\Webroot
2007-04-03 09:22 385,024 --a------ C:\WINDOWS\system32\IKAutoUp.exe
2007-04-03 09:22 385,024 --a------ C:\WINDOWS\system32\IkAutoUp.dat
2007-04-02 21:48 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-04-02 19:47 <DIR> d-------- C:\Program Files\STOPzilla!
2007-04-02 19:47 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-04-02 19:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
2007-04-02 15:45 <DIR> d-------- C:\WINDOWS\pss
2007-04-02 12:11 72,320 --a------ C:\WINDOWS\system32\drivers\core.sys
2007-03-18 19:54 <DIR> d-------- C:\Program Files\iTunes
2007-03-15 11:23 497,496 --a------ C:\WINDOWS\system32\XceedZip.dll
2007-03-15 11:19 526,184 --a------ C:\WINDOWS\system32\XceedCry.dll
2007-03-14 17:06 <DIR> d-------- C:\My Games
2007-03-14 17:05 <DIR> d-------- C:\My Download Files
2007-03-14 17:04 774,144 --a------ C:\Program Files\RngInterstitial.dll
2007-03-14 17:04 <DIR> d-------- C:\Program Files\Real
2007-03-11 16:32 <DIR> d-------- C:\DOCUME~1\alex\APPLIC~1\DivX


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-11 15:49 -------- d-------- C:\DOCUME~1\warren\APPLIC~1\skype
2007-04-10 11:04 -------- d-------- C:\Program Files\tweak-xp pro 4
2007-04-09 18:25 -------- d-------- C:\Program Files\replay7
2007-04-09 13:32 -------- d-------- C:\Program Files\google
2007-04-09 10:55 -------- d-------- C:\Program Files\java
2007-04-05 13:16 2951 --a------ C:\WINDOWS\mozver.dat
2007-04-05 11:28 -------- d-------- C:\Program Files\super internet tv
2007-04-03 12:30 -------- d-------- C:\DOCUME~1\warren\APPLIC~1\verbatim software
2007-04-03 11:38 -------- d-------- C:\Program Files\webroot
2007-03-28 19:09 -------- d-------- C:\DOCUME~1\warren\APPLIC~1\vso_hwe
2007-03-18 20:55 -------- d-------- C:\Program Files\dvdfab platinum 3
2007-03-18 20:55 -------- d-------- C:\DOCUME~1\warren\APPLIC~1\vso
2007-03-18 19:54 -------- d-------- C:\Program Files\ipod
2007-03-18 19:52 -------- d-------- C:\Program Files\quicktime
2007-03-14 17:04 -------- d-------- C:\Program Files\Common Files\real
2007-03-08 09:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 09:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 09:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 07:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-07 09:32 -------- d-------- C:\Program Files\divx
2007-03-05 19:16 -------- d-------- C:\Program Files\yahoo! games
2007-03-05 18:21 -------- d-------- C:\DOCUME~1\warren\APPLIC~1\juniper networks
2007-02-22 22:29 524288 --a------ C:\WINDOWS\system32\divxsm.exe
2007-02-22 22:29 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-02-22 22:29 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-02-22 22:29 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-02-22 22:25 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-02-22 22:25 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-02-22 22:25 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-02-22 22:25 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-02-22 22:25 639066 --a------ C:\WINDOWS\system32\divx.dll
2007-02-22 22:25 593920 --a------ C:\WINDOWS\system32\dpugui11.dll
2007-02-22 22:25 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-02-22 22:25 53248 --a------ C:\WINDOWS\system32\dpugui10.dll
2007-02-22 22:25 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-02-22 22:25 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-02-22 22:25 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-02-22 22:25 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-02-15 19:40 124472 --a------ C:\WINDOWS\system32\divxcodecupdatechecker.exe
2007-02-11 18:22 -------- d-------- C:\Program Files\openvideoconverter
2007-02-11 17:53 0 --a------ C:\WINDOWS\nsreg.dat
2007-01-29 23:03 129784 --------- C:\WINDOWS\system32\pxafs.dll
2007-01-29 23:03 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-01-29 23:03 116472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-01-22 19:24 23392 --a--c--- C:\WINDOWS\system32\emptyregdb.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SiSUSBRG"="C:\\WINDOWS\\SiSUSBrg.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"RegistryMechanic"=""
"MessengerPlus3"="\"C:\\Program Files\\MessengerPlus! 3\\MsgPlus.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"AVG7_CC"="\"C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe\" /STARTUP"
"WatchDog"="\"C:\\Program Files\\mobile PhoneTools\\WatchDog.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{E44527F6-1296-4A84-B67D-A6CEA6ED4B69}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWinKeys"=dword:00000001
"NoRecentDocsMenu"=dword:00000001
"NoLowDiskSpaceChecks"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-11 15:59:21
C:\ComboFix-quarantined-files.txt ... 07-04-11 15:59

railman
2007-04-12, 00:13
GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-04-11 15:52:44
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT 84586828 ZwAllocateVirtualMemory
SSDT \SystemRoot\system32\drivers\core.sys ZwClose
SSDT \SystemRoot\system32\drivers\core.sys ZwCreateKey
SSDT 84586D50 ZwCreateProcess
SSDT 84586CD8 ZwCreateProcessEx
SSDT 84586AF8 ZwCreateThread
SSDT \SystemRoot\system32\drivers\core.sys ZwDeleteKey
SSDT \SystemRoot\system32\drivers\core.sys ZwDeleteValueKey
SSDT \SystemRoot\system32\drivers\core.sys ZwLoadKey
SSDT \SystemRoot\system32\drivers\core.sys ZwOpenKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT 845868A0 ZwQueueApcThread
SSDT 84586738 ZwReadVirtualMemory
SSDT 84586F30 ZwRenameKey
SSDT \SystemRoot\system32\drivers\core.sys ZwReplaceKey
SSDT \SystemRoot\system32\drivers\core.sys ZwRestoreKey
SSDT 84586990 ZwSetContextThread
SSDT 84586EB8 ZwSetInformationKey
SSDT 84586BE8 ZwSetInformationProcess
SSDT 84586A08 ZwSetInformationThread
SSDT \SystemRoot\system32\drivers\core.sys ZwSetValueKey
SSDT 84586B70 ZwSuspendProcess
SSDT 84586918 ZwSuspendThread
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
SSDT 84586A80 ZwTerminateThread
SSDT 845867B0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.12 ----

? C:\WINDOWS\system32\drivers\core.sys The process cannot access the file because it is being used by another process.

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1900] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ AB, FA, C3, 83 ]

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE 8393F370
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE 8393F2F8
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE 839743E8
Device \Driver\Tcpip \Device\Ip IRP_MJ_READ 83974370
Device \Driver\Tcpip \Device\Ip IRP_MJ_WRITE 839742F8
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION 838C4BA0
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION 838C4B28
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA 838C4AB0
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA 838CDFA8
Device \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS 838CDF30
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION 838CDEB8
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION 838CDE40
Device \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL 838F97F8
Device \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL 838F9780
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL 838F9708
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B8085A] avgtdi.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN 839ADFA8
Device \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL 839ADF30
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP 839ADEB8
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT 839ADE40
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY 839068F0
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY 83906878
Device \Driver\Tcpip \Device\Ip IRP_MJ_POWER 83906800
Device \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL 83906788
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE 83905650
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA 839055D8
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA 83905560
Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP 839054E8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE 8393F370
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE 8393F2F8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE 839743E8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_READ 83974370
Device \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE 839742F8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION 838C4BA0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION 838C4B28
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA 838C4AB0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA 838CDFA8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS 838CDF30
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION 838CDEB8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION 838CDE40
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL 838F97F8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL 838F9780
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL 838F9708
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B8085A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN 839ADFA8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL 839ADF30
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP 839ADEB8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT 839ADE40
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY 839068F0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY 83906878
Device \Driver\Tcpip \Device\Tcp IRP_MJ_POWER 83906800
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL 83906788
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE 83905650
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA 839055D8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA 83905560
Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP 839054E8
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE 8393F370
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE 8393F2F8
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE 839743E8
Device \Driver\Tcpip \Device\Udp IRP_MJ_READ 83974370
Device \Driver\Tcpip \Device\Udp IRP_MJ_WRITE 839742F8
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION 838C4BA0
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION 838C4B28
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA 838C4AB0
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA 838CDFA8
Device \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS 838CDF30
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION 838CDEB8
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION 838CDE40
Device \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL 838F97F8
Device \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL 838F9780
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL 838F9708
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B8085A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN 839ADFA8
Device \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL 839ADF30
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP 839ADEB8
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT 839ADE40
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY 839068F0
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY 83906878
Device \Driver\Tcpip \Device\Udp IRP_MJ_POWER 83906800
Device \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL 83906788
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE 83905650
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA 839055D8
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA 83905560
Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP 839054E8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE 8393F370
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE 8393F2F8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE 839743E8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_READ 83974370
Device \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE 839742F8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION 838C4BA0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION 838C4B28
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA 838C4AB0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA 838CDFA8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS 838CDF30
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION 838CDEB8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION 838CDE40
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL 838F97F8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL 838F9780
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL 838F9708
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B8085A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN 839ADFA8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL 839ADF30
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP 839ADEB8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT 839ADE40
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY 839068F0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY 83906878
Device \Driver\Tcpip \Device\RawIp IRP_MJ_POWER 83906800
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL 83906788
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE 83905650
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA 839055D8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA 83905560
Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP 839054E8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE 8393F370
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_NAMED_PIPE 8393F2F8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE 839743E8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_READ 83974370
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_WRITE 839742F8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_INFORMATION 838C4BA0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_INFORMATION 838C4B28
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_EA 838C4AB0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_EA 838CDFA8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FLUSH_BUFFERS 838CDF30
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_VOLUME_INFORMATION 838CDEB8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_VOLUME_INFORMATION 838CDE40
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DIRECTORY_CONTROL 838F97F8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FILE_SYSTEM_CONTROL 838F9780
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL 838F9708
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B8085A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN 839ADFA8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_LOCK_CONTROL 839ADF30
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP 839ADEB8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT 839ADE40
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_SECURITY 839068F0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_SECURITY 83906878
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_POWER 83906800
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SYSTEM_CONTROL 83906788
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CHANGE 83905650
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_QUOTA 839055D8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_QUOTA 83905560
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP 839054E8

---- Modules - GMER 1.0.12 ----

Module (noname) (*** hidden *** ) F7CA7000

---- EOF - GMER 1.0.12 ----

railman
2007-04-12, 00:14
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:06:16 PM, on 4/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\hijack this\hjt.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [WatchDog] "C:\Program Files\mobile PhoneTools\WatchDog.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ricochetlostworlds/ReflexiveWebGameLoader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129645445375
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129645431937
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://sra.cn.ca/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8414 bytes
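
The log above lists the hooks this kind of infection abuses: O2 browser helper objects, O4 autoruns, O16 downloaded ActiveX controls and the R1 ProxyOverride. As an added example that is not part of the original thread, the Python script below parses lines in that HijackThis format and flags the patterns a helper otherwise checks by eye: an O2/O3/O22 entry with "(no name)" whose DLL sits directly in C:\WINDOWS or system32 (a legitimate "(no name)" BHO such as Spybot's SDHelper.dll lives under Program Files), a random-looking filename in a system directory (the Virtumonde/Vundo style, like the mljgf.dll BHO that shows up later in this thread), an O16 control fetched from a host outside a small vendor allowlist, and any ProxyOverride. The sample lines, the allowlist and the randomness heuristic are constructed for illustration and would be tuned in practice.

```python
"""Triage a HijackThis log (added example, not code from the thread)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in HijackThis format, modelled on entries from this thread.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll",
    r"O2 - BHO: (no name) - {970F0C19-E036-42A0-ABC3-AD7E81FF593F} - C:\WINDOWS\system32\mljgf.dll",
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"',
    r"O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab",
    r"O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129645445375",
    r"O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll",
]

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
LOADED_RE = re.compile(rf"^(?P<kind>O2|O3|O22) - \w+: (?P<name>.+?) - (?P<clsid>{GUID}) - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>.+?)\] (?P<cmd>.+)$")
DPF_RE = re.compile(rf"^O16 - DPF: (?P<clsid>{GUID}) \((?P<name>.+?)\) - (?P<url>\S+)$")
PROXY_RE = re.compile(r"^R1 - .*ProxyOverride = (?P<hosts>.+)$")
# A file sitting directly in C:\WINDOWS or C:\WINDOWS\system32 (no deeper subfolder).
SYSTEM_DIR_RE = re.compile(r"^C:\\WINDOWS(?:\\system32)?\\[^\\]+$", re.IGNORECASE)
# Assumption: vendors whose ActiveX downloads are not worth reporting.
KNOWN_DPF_HOSTS = ("microsoft.com", "msn.com", "trendmicro.com", "kaspersky.com")


@dataclass
class Finding:
    line: str
    severity: str   # "suspect": act on it; "review": confirm with the user
    reason: str


def looks_random(stem: str) -> bool:
    """Heuristic (assumption): 5-8 lowercase letters with no vowels or a run of
    4+ consonants, the shape of Vundo-style generated names such as mljgf."""
    stem = stem.lower()
    if not re.fullmatch(r"[a-z]{5,8}", stem):
        return False
    runs = re.findall(r"[bcdfghjklmnpqrstvwxyz]+", stem)
    return not any(c in "aeiou" for c in stem) or max(map(len, runs), default=0) >= 4


def file_stem(path: str) -> str:
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def exe_path(cmd: str) -> str:
    """Strip the quotes and arguments from an O4 command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def host_known(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in KNOWN_DPF_HOSTS)


def triage(lines):
    findings = []
    for line in lines:
        line = line.rstrip()
        if m := LOADED_RE.match(line):
            in_sys = bool(SYSTEM_DIR_RE.match(m["path"]))
            reasons = []
            if in_sys and m["name"] == "(no name)":
                reasons.append(f"{m['kind']} with no name loaded from a Windows system directory")
            if in_sys and looks_random(file_stem(m["path"])):
                reasons.append("random-looking filename")
            if reasons:
                findings.append(Finding(line, "suspect", "; ".join(reasons)))
        elif m := RUN_RE.match(line):
            path = exe_path(m["cmd"])
            if SYSTEM_DIR_RE.match(path) and looks_random(file_stem(path)):
                findings.append(Finding(line, "suspect", "autorun of a random-looking executable from a Windows system directory"))
        elif m := DPF_RE.match(line):
            if not host_known(m["url"]):
                findings.append(Finding(line, "review", f"ActiveX control fetched from {urlparse(m['url']).hostname}, not an allowlisted vendor"))
        elif m := PROXY_RE.match(line):
            findings.append(Finding(line, "review", f"proxy bypassed for: {m['hosts']}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

On the sample it reports the ProxyOverride and the driveragent.com control for review and marks only the system32 "(no name)" BHO as suspect; the Spybot helper, browseui.dll and the Java updater pass. The randomness check is deliberately loose: it is there to draw the eye, and a name it flags still has to be confirmed (file properties, Jotti/VirusTotal) before anything is deleted.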

Angelfire777
2007-04-12, 00:44
Hi,

Please answer my earlier question regarding AVG Antivirus.

*Reboot to safe mode.

*Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type gmer.bat in the File name and save it to your desktop.


gmer.exe -del file "C:\WINDOWS\system32\ppqss.bak1"
gmer.exe -del file "C:\WINDOWS\system32\ssqpp.dll.vir"
gmer.exe -del file "C:\WINDOWS\system32\VTTC.exe"
gmer.exe -del file "C:\WINDOWS\system32\yycdd.bak1"
gmer.exe -del file "C:\WINDOWS\system32\npqss.bak1"
gmer.exe -del file "C:\WINDOWS\system32\jmllm.bak1"
gmer.exe -del file "C:\WINDOWS\system32\mllmj.dll"
gmer.exe -del file "C:\WINDOWS\system32\drivers\core.sys"

Locate gmer.bat on your Desktop and double-click on it.

*Using Windows Explorer, find and delete this folder

C:\WINDOWS\system32\micro1

Empty your recycle bin.

Reboot to normal mode.
_______________________

*Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings, make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now, under Select a target to scan, select My Computer.
The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.


*I would like you to scan a few files for me.

Please go HERE (http://virusscan.jotti.org/). Click Browse, then navigate to this file:

C:\WINDOWS\system32\win32k.sys

Then click submit.

Do the same for these files:

C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\mf3216.dll
C:\WINDOWS\system32\gdi32.dll

Please post the results to your next reply.

If Jotti is too busy, you can go HERE (www.virustotal.com) and do the same as above.


*Please run GMER again.

Please post a fresh HijackThis log, the Kaspersky scan log, the GMER log, the Jotti scan results and a description of how your machine is running.

railman
2007-04-12, 02:58
Just to keep you up to date: when I tried to go to this site from safe mode, I had no internet connection, so I couldn't paste the files into gmer.bat. I did delete micro1 in safe mode. When I tried to go back to normal mode, the computer would barely run again. Yes, my AVG is up to date. As we speak, Kaspersky is scanning. I tried to do the gmer.bat from normal mode, but some files it couldn't delete. Anyway, when Kaspersky is finished, I will report the logs as well as the results from the other instructions. Thanks again, rail

railman
2007-04-12, 04:20
KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 11, 2007 7:42:15 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 12/04/2007
Kaspersky Anti-Virus database records: 295995


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics
Total number of scanned objects 79361
Number of viruses found 18
Number of infected objects 87 / 0
Number of suspicious objects 0
Duration of the scan process 01:43:10

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys\877bc39ef839fa939b705b1a90e97340_4f534ae6-7184-4a90-9fcc-b855f153a5b6 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\137cec12b57ae9730c37dee25424bf55_4f534ae6-7184-4a90-9fcc-b855f153a5b6 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\13c939f4309675b6db5886a0995f61f7_4f534ae6-7184-4a90-9fcc-b855f153a5b6 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1aa3322d97f28c1a1b504d407eb72f14_4f534ae6-7184-4a90-9fcc-b855f153a5b6 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\22029e05ff2a4f413fa748cecfac68b6_4f534ae6-7184-4a90-9fcc-b855f153a5b6 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\35dc51a19dfa11af88c6acf979cd336f_4f534ae6-7184-4a90-9fcc-b855f153a5b6 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\38af7ae4da520eafefc60da89ce144df_4f534ae6-7184-4a90-9fcc-b855f153a5b6 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5abd817771e1941fc0fa59abd1cb59ad_4f534ae6-7184-4a90-9fcc-b855f153a5b6 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7e5c2de6b9467d087b7182d19c20e839_4f534ae6-7184-4a90-9fcc-b855f153a5b6 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7fc7eb4b851d98df33a720c6121a4970_4f534ae6-7184-4a90-9fcc-b855f153a5b6 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\91cbeb30cb4f7130e69961b45b45def8_4f534ae6-7184-4a90-9fcc-b855f153a5b6 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\92358b8d1c853007b7ea8bd15089c0e0_4f534ae6-7184-4a90-9fcc-b855f153a5b6 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9bfa0870d182047a8a9e35687ea981c1_4f534ae6-7184-4a90-9fcc-b855f153a5b6 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\bca019238ac009136d1558cd63025de6_4f534ae6-7184-4a90-9fcc-b855f153a5b6 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c0ac6e409347d3e1c567b186d017f59e_4f534ae6-7184-4a90-9fcc-b855f153a5b6 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c0ebca7c48981a3a816e55cdb9ac9cca_4f534ae6-7184-4a90-9fcc-b855f153a5b6 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c81e78891f42278e044f3fc8201035eb_4f534ae6-7184-4a90-9fcc-b855f153a5b6 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ea6825dba9c9f7760d489e613bacfdee_4f534ae6-7184-4a90-9fcc-b855f153a5b6 Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\warren\.housecall\Quarantine\1D9A9CAE-4322-438B-A10A-1121A3.bac_a03060 Infected: not-a-

railman
2007-04-12, 04:22
C:\Documents and Settings\warren\.housecall\Quarantine\1D9A9CAE-4322-438B-A10A-1121A3.bac_a03060 Infected: not-a-virus:AdWare.Win32.WinAD.an skipped

C:\Documents and Settings\warren\.housecall\Quarantine\26E5C330-551F-47A8-8139-A272B6.bac_a03060 Infected: not-a-virus:AdWare.Win32.WebHancer skipped

C:\Documents and Settings\warren\.housecall\Quarantine\935C08B0-87A6-4B0B-91AD-6891BA.bac_a03060 Infected: not-a-virus:AdWare.Win32.WinAD.an skipped

C:\Documents and Settings\warren\.housecall\Quarantine\BC0EA3B0-24F2-41C3-BB8F-7BAE12.bac_a03060 Infected: not-a-virus:AdWare.Win32.WinAD.ao skipped

C:\Documents and Settings\warren\Application Data\Skype\railman81\call256.dbb Object is locked skipped

C:\Documents and Settings\warren\Application Data\Skype\railman81\callmember256.dbb Object is locked skipped

C:\Documents and Settings\warren\Application Data\Skype\railman81\contactgroup256.dbb Object is locked skipped

C:\Documents and Settings\warren\Application Data\Skype\railman81\index2.dat Object is locked skipped

C:\Documents and Settings\warren\Application Data\Skype\railman81\profile256.dbb Object is locked skipped

C:\Documents and Settings\warren\Application Data\Skype\railman81\user1024.dbb Object is locked skipped

C:\Documents and Settings\warren\Application Data\Skype\railman81\user16384.dbb Object is locked skipped

C:\Documents and Settings\warren\Application Data\Skype\railman81\user256.dbb Object is locked skipped

C:\Documents and Settings\warren\Application Data\Skype\railman81\user4096.dbb Object is locked skipped

C:\Documents and Settings\warren\Application Data\Skype\railman81\voicemail256.dbb Object is locked skipped

C:\Documents and Settings\warren\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\warren\Desktop\icons\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\warren\Desktop\icons\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\warren\Desktop\icons\SmitfraudFix.exe RarSFX: infected - 2 skipped

C:\Documents and Settings\warren\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\warren\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\warren\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\warren\Local Settings\History\History.IE5\MSHist012007041120070412\index.dat Object is locked skipped

C:\Documents and Settings\warren\Local Settings\Temporary Internet Files\Content.IE5\6B3TTV98\hGFdeYYm64pUIdwQ[1].exe/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped

C:\Documents and Settings\warren\Local Settings\Temporary Internet Files\Content.IE5\6B3TTV98\hGFdeYYm64pUIdwQ[1].exe NSIS: infected - 1 skipped

C:\Documents and Settings\warren\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\warren\ntuser.dat Object is locked skipped

C:\Documents and Settings\warren\NTUSER.DAT.LOG Object is locked skipped

C:\Program Files\Common Files\quca.dll Infected: Trojan.Win32.BHO.ab skipped

C:\Program Files\hijack this\backups\backup-20070411-173520-411.dll Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped

C:\Program Files\hijack this\backups\backup-20070411-173520-852.dll Infected: Trojan.Win32.BHO.ab skipped

C:\Program Files\NewDotNet\newdotnet7_48.dll Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped

C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped

C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.mst Object is locked skipped

C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped

C:\QooBox\Quarantine\WINDOWS\system32\bkd.exe.vir/InpB/DxcBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped

C:\QooBox\Quarantine\WINDOWS\system32\bkd.exe.vir/InpB/DxcCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped

C:\QooBox\Quarantine\WINDOWS\system32\bkd.exe.vir/InpB/Dxc.exe Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped

C:\QooBox\Quarantine\WINDOWS\system32\bkd.exe.vir/InpB/DxcRepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped

C:\QooBox\Quarantine\WINDOWS\system32\bkd.exe.vir/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped

C:\QooBox\Quarantine\WINDOWS\system32\bkd.exe.vir CAB: infected - 5 skipped

C:\QooBox\Quarantine\WINDOWS\system32\bund1\ClientBundle1.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped

C:\QooBox\Quarantine\WINDOWS\system32\bund1\ClientBundle1.exe.vir/data0004 Infected: Trojan.Win32.BHO.ab skipped

C:\QooBox\Quarantine\WINDOWS\system32\bund1\ClientBundle1.exe.vir/data0005 Infected: not-a-virus:AdWare.Win32.SurfSide.ax skipped

C:\QooBox\Quarantine\WINDOWS\system32\bund1\ClientBundle1.exe.vir/data0006 Infected: Trojan-Dropper.Win32.Agent.bfr skipped

C:\QooBox\Quarantine\WINDOWS\system32\bund1\ClientBundle1.exe.vir NSIS: infected - 4 skipped

C:\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047433.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047472.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047485.exe/data.rar/wga_vista.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.ac skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047485.exe/data.rar/wga_vista.exe Infected: Trojan-Downloader.NSIS.Agent.ac skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047485.exe/data.rar/wga_xp.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047485.exe/data.rar Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047485.exe RarSFX: infected - 4 skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP64\A0047590.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP78\A0048372.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP78\A0048388.exe/data0002 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP78\A0048388.exe/data0004 Infected: Trojan.Win32.BHO.ab skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP78\A0048388.exe/data0005 Infected: not-a-virus:AdWare.Win32.SurfSide.ax skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP78\A0048388.exe/data0006 Infected: Trojan-Dropper.Win32.Agent.bfr skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP78\A0048388.exe NSIS: infected - 4 skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0052506.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0052507.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053585.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053645.exe/data0002 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053645.exe/data0004 Infected: Trojan.Win32.BHO.ab skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053645.exe/data0005 Infected: not-a-virus:AdWare.Win32.SurfSide.ax skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053645.exe/data0006 Infected: Trojan-Dropper.Win32.Agent.bfr skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053645.exe NSIS: infected - 4 skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053646.exe/InpB/DxcBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053646.exe/InpB/DxcCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053646.exe/InpB/Dxc.exe Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053646.exe/InpB/DxcRepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053646.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053646.exe CAB: infected - 5 skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0056673.sys Infected: Rootkit.Win32.Agent.eq skipped

C:\VundoFix Backups\ijjqcqqh.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped

C:\VundoFix Backups\jsimhvwe.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped

C:\VundoFix Backups\kapsbvbx.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped

C:\VundoFix Backups\npbfdoxx.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped

C:\VundoFix Backups\vamkblcy.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped

C:\VundoFix Backups\wptwioed.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Downloaded Program Files\USDR6_0001_D19M2108NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.q skipped

C:\WINDOWS\NDNuninstall6_38.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped

C:\WINDOWS\NDNuninstall7_48.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{32A00A99-E441-4C60-96FF-C17B6733B3DD}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\bkd.exe/InpB/DxcBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped

C:\WINDOWS\system32\bkd.exe/InpB/DxcCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped

C:\WINDOWS\system32\bkd.exe/InpB/Dxc.exe Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped

C:\WINDOWS\system32\bkd.exe/InpB/DxcRepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped

C:\WINDOWS\system32\bkd.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped

C:\WINDOWS\system32\bkd.exe CAB: infected - 5 skipped

C:\WINDOWS\system32\bund1\ClientBundle1.exe/data0002 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped

C:\WINDOWS\system32\bund1\ClientBundle1.exe/data0004 Infected: Trojan.Win32.BHO.ab skipped

C:\WINDOWS\system32\bund1\ClientBundle1.exe/data0005 Infected: not-a-virus:AdWare.Win32.SurfSide.ax skipped

C:\WINDOWS\system32\bund1\ClientBundle1.exe/data0006 Infected: Trojan-Dropper.Win32.Agent.bfr skipped

C:\WINDOWS\system32\bund1\ClientBundle1.exe NSIS: infected - 4 skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\iifdcbc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\system32\WgaTray.exe/data.rar/wga_vista.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.ac skipped

C:\WINDOWS\system32\WgaTray.exe/data.rar/wga_vista.exe Infected: Trojan-Downloader.NSIS.Agent.ac skipped

C:\WINDOWS\system32\WgaTray.exe/data.rar/wga_xp.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\WINDOWS\system32\WgaTray.exe/data.rar Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\WINDOWS\system32\WgaTray.exe RarSFX: infected - 4 skipped

C:\WINDOWS\system32\__delete_on_reboot__x_x_y_v_w_v_s_._d_l_l_ Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

E:\shared\Neww\(full version) vanilla mini wheats song 55.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped

E:\shared\Neww\mini wheats theme song vanilla 36.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped

E:\shared\Neww\mp3\03 Track 3.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped

E:\shared\Neww\[release] mini wheats commercial 32.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped

E:\shared\phone stuff\++++ motorola ringtones 56.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped

E:\shared\phone stuff\released motorola ringtones 34.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped

E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
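
The report above mixes three things that need different handling: "Object is locked" lines (registry hives, event logs, AV logs, all normal on a running XP box and not findings), detections inside System Restore points and the various tool quarantines and backups (dealt with by purging those stores as a whole, not by deleting files one at a time), and detections in files that are still live on disk. As an added example that is not part of the original thread, the Python below parses lines in the Kaspersky Online Scanner format and separates them along those lines, collapsing archive members (the part after "/") back to the file that actually sits on disk, skipping the "RarSFX/NSIS/CAB: infected - n" container summaries whose members are already listed, and ordering riskware-only files after trojan and rootkit hits. The sample lines are a constructed subset of the report above; the list of quarantine and backup folders is an assumption based on the tools seen in this thread.

```python
"""Triage a Kaspersky Online Scanner report (added example, not from the thread)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed subset of the report lines posted above.
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\warren\Local Settings\Temporary Internet Files\Content.IE5\6B3TTV98\hGFdeYYm64pUIdwQ[1].exe/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Documents and Settings\warren\Local Settings\Temporary Internet Files\Content.IE5\6B3TTV98\hGFdeYYm64pUIdwQ[1].exe NSIS: infected - 1 skipped
C:\Program Files\Common Files\quca.dll Infected: Trojan.Win32.BHO.ab skipped
C:\Program Files\hijack this\backups\backup-20070411-173520-852.dll Infected: Trojan.Win32.BHO.ab skipped
C:\QooBox\Quarantine\WINDOWS\system32\bkd.exe.vir/InpB/DxcBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0056673.sys Infected: Rootkit.Win32.Agent.eq skipped
C:\VundoFix Backups\ijjqcqqh.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\WINDOWS\system32\iifdcbc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\WINDOWS\system32\WgaTray.exe/data.rar/wga_vista.exe Infected: Trojan-Downloader.NSIS.Agent.ac skipped
C:\WINDOWS\system32\WgaTray.exe RarSFX: infected - 4 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
E:\shared\Neww\mp3\03 Track 3.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped
"""

# One report line: <path> then a verdict, then the action (always "skipped" here).
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?:(?P<locked>Object is locked)"
    r"|Infected: (?P<name>\S+)"
    r"|(?P<container>\w+): infected - (?P<members>\d+))\s+skipped$"
)

# Assumption: folders that only hold dead copies (lowercase, matched case-insensitively).
ARCHIVED_MARKERS = (
    "\\system volume information\\_restore",   # System Restore snapshots
    "\\qoobox\\",                               # ComboFix quarantine
    "\\quarantine\\",                           # other AV / HouseCall quarantines
    "\\vundofix backups\\",                     # VundoFix backups
    "\\hijack this\\backups\\",                 # HijackThis backups
)


@dataclass
class Detection:
    on_disk: str   # file as it sits on disk (archive members collapsed)
    member: str    # inner path inside an archive/installer, "" if none
    name: str      # Kaspersky verdict, e.g. Trojan.Win32.BHO.ab
    store: str     # backup/quarantine/restore store holding it, "" if live

    @property
    def archived(self) -> bool:
        return bool(self.store)

    @property
    def family(self) -> str:
        """Third dotted component of the verdict, e.g. Virtumonde, Wimad, BHO."""
        parts = self.name.split(":")[-1].split(".")
        return parts[2] if len(parts) > 2 else parts[-1]


def archive_store(path: str) -> str:
    """Root of the backup/quarantine/restore store a path lives in, or ""."""
    low = path.lower()
    for marker in ARCHIVED_MARKERS:
        i = low.find(marker)
        if i >= 0:
            return path[:i + len(marker)].rstrip("\\")
    return ""


def parse_report(text: str):
    detections, locked, containers = [], 0, 0
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue            # headers, statistics, blank lines
        if m["locked"]:
            locked += 1         # in-use files: expected, not findings
        elif m["container"]:
            containers += 1     # summary of members already listed separately
        else:
            on_disk, _, member = m["path"].partition("/")
            detections.append(Detection(on_disk, member, m["name"], archive_store(on_disk)))
    return detections, locked, containers


def cleanup_targets(detections):
    """Distinct live files that still need removal; riskware-only files last."""
    live = {}
    for d in detections:
        if not d.archived:
            live.setdefault(d.on_disk, set()).add(d.name)

    def riskware_only(names):
        return all(n.startswith("not-a-virus:") for n in names)

    return sorted(live.items(), key=lambda kv: (riskware_only(kv[1]), kv[0].lower()))


def purge_stores(detections):
    """Stores holding only dead copies: empty them whole (e.g. turn System Restore
    off and on again, empty the quarantines) instead of deleting file by file."""
    return sorted({d.store for d in detections if d.archived})


def family_counts(detections):
    return Counter(d.family for d in detections)


if __name__ == "__main__":
    dets, locked, containers = parse_report(SAMPLE_REPORT)
    print(f"{locked} locked (ignored), {containers} container summaries, {len(dets)} detections")
    print("families:", dict(family_counts(dets)))
    print("purge whole stores:", *purge_stores(dets), sep="\n  ")
    print("clean up live files:")
    for path, names in cleanup_targets(dets):
        print(f"  {path}  <-  {', '.join(sorted(names))}")
```

Run against the sample, the nine detections split into four dead copies across four stores and five live files, with the adware-only iifdcbc.dll sorted after the trojan hits in Content.IE5, quca.dll, WgaTray.exe and the .wma downloader. The same split is what decides the order of work on the real report: the live files first (with a follow-up HijackThis log to confirm the matching O2 entry is gone), then the stores, and the "locked" lines not at all.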

railman
2007-04-12, 04:36
Jotti found nothing wrong with any of those.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:35:41 PM, on 4/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\hijack this\hjt.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {970F0C19-E036-42A0-ABC3-AD7E81FF593F} - C:\WINDOWS\system32\mljgf.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [WatchDog] "C:\Program Files\mobile PhoneTools\WatchDog.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ricochetlostworlds/ReflexiveWebGameLoader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129645445375
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129645431937
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://sra.cn.ca/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O20 - Winlogon Notify: mljgf - C:\WINDOWS\system32\mljgf.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8918 bytes
files

railman
2007-04-12, 04:37
At times it seems like a total invasion from the popups, other times it's at best usable.

Angelfire777
2007-04-12, 04:47
Please post the gmer log I asked for...

railman
2007-04-12, 07:03
GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-04-11 20:23:11
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT 84544678 ZwAllocateVirtualMemory
SSDT 845E7E00 ZwCreateKey
SSDT 84544BA0 ZwCreateProcess
SSDT 84544B28 ZwCreateProcessEx
SSDT 84544948 ZwCreateThread
SSDT 845CFC90 ZwDeleteKey
SSDT 84544C18 ZwDeleteValueKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT 845446F0 ZwQueueApcThread
SSDT 84544588 ZwReadVirtualMemory
SSDT 8456E3B8 ZwRenameKey
SSDT 845447E0 ZwSetContextThread
SSDT 84544D08 ZwSetInformationKey
SSDT 84544A38 ZwSetInformationProcess
SSDT 84544858 ZwSetInformationThread
SSDT 84544C90 ZwSetValueKey
SSDT 845449C0 ZwSuspendProcess
SSDT 84544768 ZwSuspendThread
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
SSDT 845448D0 ZwTerminateThread
SSDT 84544600 ZwWriteVirtualMemory

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1812] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ AB, FA, C3, 83 ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!NlsMbOemCodePageTag + FFF84FE8 7C901000 23 Bytes [ A1, AC, DE, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlEnterCriticalSection + 13 7C901018 37 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlEnterCriticalSection + 39 7C90103E 74 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlEnterCriticalSection + 84 7C901089 3 Bytes [ FF, FF, FF ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlEnterCriticalSection + 8B 7C901090 51 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlEnterCriticalSection + BF 7C9010C4 2 Bytes [ FF, FF ]
.text ...
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlLeaveCriticalSection + 7 7C9010F4 8 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlLeaveCriticalSection + 10 7C9010FD 34 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlLeaveCriticalSection + 33 7C901120 16 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlTryEnterCriticalSection + 9 7C901134 55 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlTryEnterCriticalSection + 41 7C90116C 2 Bytes [ FF, FF ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlTryEnterCriticalSection + 44 7C90116F 44 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!LdrInitializeThunk + 1E 7C90119C 2 Bytes [ FF, FF ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!LdrInitializeThunk + 21 7C90119F 2 Bytes [ FF, FF ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!LdrInitializeThunk + 24 7C9011A2 2 Bytes [ FF, FF ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!LdrInitializeThunk + 27 7C9011A5 17 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlActivateActivationContextUnsafeFast + 2 7C9011B7 29 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlActivateActivationContextUnsafeFast + 20 7C9011D5 38 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlDeactivateActivationContextUnsafeFast + 2 7C9011FC 55 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!DbgBreakPoint + 4 7C901234 9 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!DbgUserBreakPoint + 5 7C90123E 49 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlInitString + 14 7C901270 4 Bytes [ FF, FF, FF, FF ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlInitString + 19 7C901275 8 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlInitString + 23 7C90127F 5 Bytes [ FF, FF, FF, FF, FF ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlInitString + 2A 7C901286 38 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlInitAnsiString + 14 7C9012AD 4 Bytes [ FF, FF, FF, FF ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlInitAnsiString + 19 7C9012B2 8 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlInitAnsiString + 23 7C9012BC 5 Bytes [ FF, FF, FF, FF, FF ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlInitAnsiString + 2A 7C9012C3 38 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlInitUnicodeString + 14 7C9012EA 4 Bytes [ FF, FF, FF, FF ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlInitUnicodeString + 19 7C9012EF 12 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlInitUnicodeString + 26 7C9012FC 6 Bytes [ FF, FF, FF, FF, FF, FF ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlInitUnicodeString + 2D 7C901303 71 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!cos + 20 7C90134B 54 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!cos + 57 7C901382 10 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!cos + 63 7C90138E 63 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!log + 4 7C9013CE 118 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!_CIlog + 73 7C901446 41 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!_CIlog + 9E 7C901471 64 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!pow + 5 7C9014B2 241 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!_CIpow + EE 7C9015A5 30 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!_CIpow + 10E 7C9015C5 71 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!_CIpow + 158 7C90160F 5 Bytes [ FF, FF, FF, FF, FF ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!_CIpow + 15F 7C901616 10 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!_CIpow + 16B 7C901622 7 Bytes [ FF, FF, FF, FF, FF, FF, FF ]
.text ...
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!sin + 53 7C901732 122 Bytes [ F3, F0, 75, AD, CF, 1B, 74, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!sqrt + 1B 7C9017AD 52 Bytes [ AF, 1C, 79, B5, 1D, 82, C0, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!sqrt + 51 7C9017E3 40 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!sqrt + 7A 7C90180C 813 Bytes [ 74, D1, 91, 55, BC, 7E, 46, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!_allshr + 14 7C901B3A 262 Bytes [ BC, 78, E0, A0, 60, CA, 8A, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!_aulldvrm + 88 7C901C41 276 Bytes [ 54, 27, 93, 5A, 2A, A0, 64, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!_memccpy + 39 7C901D56 35 Bytes [ FF, FF, FF, FF, D0, 86, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!atan + 5 7C901D7A 33 Bytes [ 45, 96, FF, 57, A7, FF, 69, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!atan + 27 7C901D9C 57 Bytes [ 86, 51, 25, 8B, 55, 28, 95, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!atan + 62 7C901DD7 237 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!ceil + A7 7C901EC5 38 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!ceil + CE 7C901EEC 84 Bytes [ 54, F2, 1C, 4E, E4, 63, 7E, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!ceil + 123 7C901F41 99 Bytes [ FF, FF, FF, 7B, 9F, F6, 42, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!floor + 48 7C901FA5 30 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!floor + 67 7C901FC4 204 Bytes [ 45, 94, FF, 4B, 98, FF, 44, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!floor + 134 7C902091 115 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!memchr + 60 7C902105 7 Bytes [ FF, FF, FF, FF, FF, FF, FF ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!memchr + 68 7C90210D 193 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!memcmp + 80 7C9021CF 28 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!memcmp + 9D 7C9021EC 5 Bytes [ FF, FF, FF, FF, FF ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!memcmp + A3 7C9021F2 67 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!memcpy + 36 7C902236 23 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!memcpy + 4E 7C90224E 6 Bytes [ FF, FF, FF, FF, FF, FF ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!memcpy + 55 7C902255 7 Bytes [ FF, FF, FF, FF, FF, FF, FF ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!memcpy + 5D 7C90225D 53 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!memcpy + 93 7C902293 37 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text ...

Angelfire777
2007-04-12, 07:15
Hi, you don't need to post the rest of the Gmer log anymore, the other entries will probably be the same. The entry that I want to check seems gone anyway.


I tried to do the gmer.bat from normal mode, but some files it couldn't delete

Can you tell me which of those it wouldn't delete?


Get ready, we'll attack that nasty in one shot.


*Please download the OTMoveIt by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe).

Do not use it yet.


*Pls. download LSP FIX from Here (http://www.bleepingcomputer.com/files/lspfix.php)

In the event that you lose connection after removing NewDotNet, just run the tool then click "Finish" and it will restore your internet connection.

Do not mess with this tool or do anything with it besides the instructions above.

Go to Control Panel > Add or Remove Programs > uninstall the items in bold if found.

NewdotNet or New.Net <<and all their variants

If you didn't find NewDotNet in the Add/Remove list, please go Here (http://www.newdotnet.com/removal.html), proceed to Procedure #4, download the Uninstaller there, then run it.

Reboot


*Starting this point I want you to do all the instructions while disconnected from the internet. It will help a lot if you print these instructions or save them in notepad for reference.

*VundoFix
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once the scan is complete, Right Click inside the listbox (white box) and click add more files.
Copy&Paste the 2 entries below into the top 2 boxes.


C:\WINDOWS\system32\mljgf.dll
C:\WINDOWS\SYSTEM32\fgjlm.*


Click Add Files and click Close Window.
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt


*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

O2 - BHO: (no name) - {970F0C19-E036-42A0-ABC3-AD7E81FF593F} - C:\WINDOWS\system32\mljgf.dll
O20 - Winlogon Notify: mljgf - C:\WINDOWS\system32\mljgf.dll

Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.


*Run OTMoveIt
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Documents and Settings\warren\.housecall
C:\Documents and Settings\warren\Local Settings\Temporary Internet Files\Content.IE5\6B3TTV98
C:\Program Files\Common Files\quca.dll
C:\WINDOWS\Downloaded Program Files\USDR6_0001_D19M2108NetInstaller.exe
C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\NDNuninstall7_48.exe
C:\WINDOWS\system32\bund1
C:\WINDOWS\system32\bkd.exe
C:\WINDOWS\system32\iifdcbc.dll
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\__delete_on_reboot__x_x_y_v_w_v_s_._d_l_l_
E:\shared\Neww\(full version) vanilla mini wheats song 55.wma
E:\shared\Neww\mini wheats theme song vanilla 36.wma
E:\shared\Neww\mp3\03 Track 3.wma
E:\shared\Neww\[release] mini wheats commercial 32.wma
E:\shared\phone stuff\++++ motorola ringtones 56.wma
E:\shared\phone stuff\released motorola ringtones 34.wma
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\VTTC.exe

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


*Reboot to safe mode

*Empty all the contents of this folder: C:\QooBox\Quarantine

Empty your recycle bin.

Then run AVG Anti-Spyware once more, then post the scan log.


*Reboot to normal mode then run combofix again.

On your next reply, please include a fresh HijackThis log, combofix log, vundofix log, OTmoveit log, and AVG Antispyware log.
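A defender-side check for the pattern the helper is working from in the steps above (an unnamed BHO in system32 that is also registered as a Winlogon Notify handler, plus the reversed-name companion fgjlm.* queued for VundoFix), written as an added Python example; it is not code from this thread or from HijackThis, VundoFix or any other tool named here. The function names, the scoring heuristic and the embedded sample lines are the example's own assumptions.

```python
"""Flag the Vundo-style HijackThis entries that the helper picked out above.

Signature in this thread: an O2 BHO with "(no name)" pointing at a DLL in
system32 with a meaningless name (mljgf.dll), the same DLL registered as an
O20 Winlogon Notify handler, and a companion file named with the DLL name
reversed (fgjlm.*). Heuristics and names are this example's own assumptions.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the O2/O20/O22 lines from the log posted in this thread
# plus one benign vendor BHO, embedded so the script runs offline.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {970F0C19-E036-42A0-ABC3-AD7E81FF593F} - C:\WINDOWS\system32\mljgf.dll
O20 - Winlogon Notify: mljgf - C:\WINDOWS\system32\mljgf.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Return one record per O2 (BHO) or O20 (Winlogon Notify) line."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            records.append({"section": "O2", "name": m["name"], "path": m["path"], "line": line})
            continue
        m = O20_RE.match(line)
        if m:
            records.append({"section": "O20", "name": m["key"], "path": m["path"], "line": line})
    return records


def split_path(path: str) -> Tuple[str, str, str]:
    """Split a Windows path into (directory, stem, extension) by hand so the
    check behaves the same when run on a non-Windows analysis box."""
    directory, _, filename = path.rpartition("\\")
    stem, dot, ext = filename.rpartition(".")
    if not dot:
        stem, ext = filename, ""
    return directory, stem, ext


def in_system32(directory: str) -> bool:
    return directory.lower().endswith("\\system32")


def looks_random(stem: str) -> bool:
    """Heuristic (assumption): a stem of four or more letters with no vowel,
    such as 'mljgf', is not a name a legitimate vendor ships."""
    s = stem.lower()
    return len(s) >= 4 and not any(c in "aeiouy" for c in s)


def companion_glob(dll_path: str) -> str:
    """Vundo keeps a second file whose name is the DLL name reversed; the
    helper queued fgjlm.* for mljgf.dll. Build that glob for any DLL."""
    directory, stem, _ = split_path(dll_path)
    return f"{directory}\\{stem[::-1]}.*"


def find_vundo_candidates(text: str) -> List[Dict[str, object]]:
    """Group O2/O20 records by DLL and report those matching the signature."""
    by_path: Dict[str, List[Dict[str, str]]] = {}
    for rec in parse_hjt(text):
        by_path.setdefault(rec["path"].lower(), []).append(rec)

    findings = []
    for recs in by_path.values():
        path = recs[0]["path"]
        directory, stem, ext = split_path(path)
        if not in_system32(directory) or ext.lower() != "dll":
            continue
        reasons = []
        if any(r["section"] == "O2" and r["name"] == "(no name)" for r in recs):
            reasons.append("unnamed_bho_in_system32")
        if any(r["section"] == "O20" for r in recs):
            reasons.append("winlogon_notify")
        if looks_random(stem):
            reasons.append("random_looking_name")
        # A Winlogon Notify DLL alone is normal (crypt32, scecli, ...); demand
        # a second indicator so only the BHO-plus-Notify pair is reported.
        if "winlogon_notify" in reasons and len(reasons) >= 2:
            findings.append({
                "dll": path,
                "companion": companion_glob(path),
                "reasons": reasons,
                "lines_to_fix": [r["line"] for r in recs],
            })
    return findings


if __name__ == "__main__":
    for hit in find_vundo_candidates(SAMPLE_LOG):
        print(f"Vundo-style DLL : {hit['dll']}")
        print(f"  indicators    : {', '.join(hit['reasons'])}")
        print(f"  companion glob: {hit['companion']}")
        for line in hit["lines_to_fix"]:
            print(f"  HJT line      : {line}")
```

The two lines it reports under "HJT line" are exactly the O2 and O20 entries the helper asks to have checked in HijackThis, and the companion glob is the second VundoFix entry.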

railman
2007-04-12, 07:25
please disregard my previous gmr1, I forgot to kill internet connection

GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-04-11 23:22:38
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT 84544678 ZwAllocateVirtualMemory
SSDT 845E7E00 ZwCreateKey
SSDT 84544BA0 ZwCreateProcess
SSDT 84544B28 ZwCreateProcessEx
SSDT 84544948 ZwCreateThread
SSDT 845CFC90 ZwDeleteKey
SSDT 84544C18 ZwDeleteValueKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT 845446F0 ZwQueueApcThread
SSDT 84544588 ZwReadVirtualMemory
SSDT 8456E3B8 ZwRenameKey
SSDT 845447E0 ZwSetContextThread
SSDT 84544D08 ZwSetInformationKey
SSDT 84544A38 ZwSetInformationProcess
SSDT 84544858 ZwSetInformationThread
SSDT 84544C90 ZwSetValueKey
SSDT 845449C0 ZwSuspendProcess
SSDT 84544768 ZwSuspendThread
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
SSDT 845448D0 ZwTerminateThread
SSDT 84544600 ZwWriteVirtualMemory

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1760] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ AB, FA, C3, 83 ]

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE 838D5678
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE 838D5600
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE 838D5588
Device \Driver\Tcpip \Device\Ip IRP_MJ_READ 838D5510
Device \Driver\Tcpip \Device\Ip IRP_MJ_WRITE 838D5B10
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION 838D5A98
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION 838D5A20
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA 838D59A8
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA 838D5FA8
Device \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS 838D5F30
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION 838D5EB8
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION 838D5E40
Device \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL 838D8880
Device \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL 838D8808
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL 838D8790
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B7085A] avgtdi.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN 838D8D18
Device \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL 838D8CA0
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP 838D8C28
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT 838D8BB0
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY 838D9FA8
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY 838D9F30
Device \Driver\Tcpip \Device\Ip IRP_MJ_POWER 838D9EB8
Device \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL 838D9E40
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE 838DAFA8
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA 838DAF30
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA 838DAEB8
Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP 838DAE40
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE 838D5678
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE 838D5600
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE 838D5588
Device \Driver\Tcpip \Device\Tcp IRP_MJ_READ 838D5510
Device \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE 838D5B10
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION 838D5A98
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION 838D5A20
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA 838D59A8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA 838D5FA8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS 838D5F30
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION 838D5EB8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION 838D5E40
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL 838D8880
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL 838D8808
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL 838D8790
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B7085A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN 838D8D18
Device \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL 838D8CA0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP 838D8C28
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT 838D8BB0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY 838D9FA8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY 838D9F30
Device \Driver\Tcpip \Device\Tcp IRP_MJ_POWER 838D9EB8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL 838D9E40
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE 838DAFA8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA 838DAF30
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA 838DAEB8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP 838DAE40
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE 838D5678
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE 838D5600
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE 838D5588
Device \Driver\Tcpip \Device\Udp IRP_MJ_READ 838D5510
Device \Driver\Tcpip \Device\Udp IRP_MJ_WRITE 838D5B10
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION 838D5A98
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION 838D5A20
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA 838D59A8
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA 838D5FA8
Device \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS 838D5F30
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION 838D5EB8
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION 838D5E40
Device \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL 838D8880
Device \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL 838D8808
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL 838D8790
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B7085A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN 838D8D18
Device \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL 838D8CA0
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP 838D8C28
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT 838D8BB0
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY 838D9FA8
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY 838D9F30
Device \Driver\Tcpip \Device\Udp IRP_MJ_POWER 838D9EB8
Device \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL 838D9E40
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE 838DAFA8
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA 838DAF30
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA 838DAEB8
Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP 838DAE40
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE 838D5678
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE 838D5600
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE 838D5588
Device \Driver\Tcpip \Device\RawIp IRP_MJ_READ 838D5510
Device \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE 838D5B10
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION 838D5A98
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION 838D5A20
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA 838D59A8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA 838D5FA8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS 838D5F30
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION 838D5EB8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION 838D5E40
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL 838D8880
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL 838D8808
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL 838D8790
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B7085A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN 838D8D18
Device \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL 838D8CA0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP 838D8C28
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT 838D8BB0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY 838D9FA8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY 838D9F30
Device \Driver\Tcpip \Device\RawIp IRP_MJ_POWER 838D9EB8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL 838D9E40
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE 838DAFA8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA 838DAF30
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA 838DAEB8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP 838DAE40
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE 838D5678
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_NAMED_PIPE 838D5600
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE 838D5588
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_READ 838D5510
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_WRITE 838D5B10
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_INFORMATION 838D5A98
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_INFORMATION 838D5A20
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_EA 838D59A8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_EA 838D5FA8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FLUSH_BUFFERS 838D5F30
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_VOLUME_INFORMATION 838D5EB8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_VOLUME_INFORMATION 838D5E40
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DIRECTORY_CONTROL 838D8880
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FILE_SYSTEM_CONTROL 838D8808
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL 838D8790
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B7085A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN 838D8D18
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_LOCK_CONTROL 838D8CA0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP 838D8C28
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT 838D8BB0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_SECURITY 838D9FA8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_SECURITY 838D9F30
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_POWER 838D9EB8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SYSTEM_CONTROL 838D9E40
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CHANGE 838DAFA8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_QUOTA 838DAF30
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_QUOTA 838DAEB8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP 838DAE40

---- Processes - GMER 1.0.12 ----

Library C:\WINDOWS\system32\ddcddaw.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [612] 0x01930000

---- EOF - GMER 1.0.12 ----

railman
2007-04-12, 19:03
this first

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:57:25 AM, on 4/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\hijack this\hjt.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [WatchDog] "C:\Program Files\mobile PhoneTools\WatchDog.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ricochetlostworlds/ReflexiveWebGameLoader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129645445375
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129645431937
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://www.winantivirus.com/download/2007/download.php?file=2&aid=nm_ik_spt_meta_kw_ca_en&lid=file&affid=nm_67284_F2A4C604E88211DB97280015C55D3487_488d8a51+6D9170741ED94BE1B336BD8DCDEAEC74
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://sra.cn.ca/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8982 bytes
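The log above is the kind of HijackThis output a helper reads line by line. As an added example (not part of this thread and not HijackThis code), here is a small Python triage pass that parses the R1/O2/O4/O16 line formats seen in that log and flags the entries a helper looks at first: proxy-bypass hosts, unnamed BHOs, Run-key entries launched from outside the usual program directories, and DPF (Downloaded Program Files) controls fetched from hosts that are not on an allowlist. The allowlist, the program-directory prefixes and the one `[Example]` Run line in the sample are assumptions made for the illustration; the other sample lines are copied from the log above.

```python
"""Triage pass over HijackThis-style log lines.

Added example; not part of this thread and not HijackThis code. It parses
the R1/O2/O4/O16 line formats seen in the log above and flags the entries
a forum helper reads first. Every hit means "look here", not "malware".
"""
import re
from urllib.parse import urlparse

# Assumptions for the illustration (not an official list): hosts from which
# an O16 DPF control is not worth a second look, and the directories a
# normal Run-key program is expected to live in.
DPF_ALLOWLIST = ("microsoft.com", "msn.com", "trendmicro.com",
                 "trendmicro-europe.com", "kaspersky.com")
PROGRAM_DIRS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")

# Constructed sample: lines copied from the log above, plus one made-up
# "[Example]" Run entry so the out-of-place-executable rule has a hit.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Example] "C:\Documents and Settings\user\Local Settings\Temp\example.exe" /s
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129645445375
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://www.winantivirus.com/download/2007/download.php?file=2
""".strip().splitlines()

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-F-]{36}\}) - (?P<path>.*)$", re.I)
RUN_RE = re.compile(r"^(?P<hive>HK\S*?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-F-]{36}\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$", re.I)


def exe_from_cmd(cmd):
    """Return the executable path from a Run-key command line, quoted or not."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def host_allowed(host):
    """Suffix match against the allowlist (sub.example.com matches example.com)."""
    return any(host == d or host.endswith("." + d) for d in DPF_ALLOWLIST)


def triage(lines):
    """Return (severity, section, detail) tuples for the lines worth a look."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "R1" and "ProxyOverride" in body:
            # Hosts that bypass the proxy: report them, the reader decides.
            hosts = body.split("=", 1)[1].strip().split(";")
            findings.append(("review", sec, "proxy bypass for " + ", ".join(hosts)))
        elif sec == "O2":
            b = BHO_RE.match(body)
            if b and b.group("name") == "(no name)":
                findings.append(("review", sec, "unnamed BHO " + b.group("path")))
        elif sec == "O4":
            r = RUN_RE.match(body)
            if r:
                exe = exe_from_cmd(r.group("cmd"))
                if not exe.lower().startswith(PROGRAM_DIRS):
                    findings.append(("suspicious", sec, f"[{r.group('name')}] runs from {exe}"))
        elif sec == "O16":
            d = DPF_RE.match(body)
            if d:
                host = urlparse(d.group("url")).hostname or ""
                if not host_allowed(host):
                    findings.append(("suspicious", sec, f"{d.group('clsid')} downloads from {host}"))
    return findings


if __name__ == "__main__":
    for severity, sec, detail in triage(SAMPLE_LOG):
        print(f"{severity:10} {sec:4} {detail}")
```

A hit is a reading order, not a verdict: the unnamed BHO in this log is Spybot's SDHelper.dll, which is legitimate, while the O16 entry pointing at winantivirus.com has no control name and an affiliate-tagged download URL, which is why a helper would look at it first.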

railman
2007-04-12, 19:04
"warren" - 07-04-12 10:46:58 Service Pack 2
ComboFix 07-04-05 - Running from: "C:\Documents and Settings\warren\Desktop\icons"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\warren\APPLIC~1\Dxcknwrd.dll
C:\DOCUME~1\warren\APPLIC~1\Dxcuknwrd.dll
C:\WINDOWS\system32\dwdsregt.exe


((((((((((((((((((((((((((((((( Files Created from 2007-03-12 to 2007-04-12 ))))))))))))))))))))))))))))))))))


2007-04-11 22:06 774,595 ---hs---- C:\WINDOWS\system32\fgjlm.bak2
2007-04-11 22:05 778,184 ---hs---- C:\WINDOWS\system32\fgjlm.ini2
2007-04-11 17:52 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-04-11 17:37 774,314 ---hs---- C:\WINDOWS\system32\fgjlm.bak1
2007-04-11 17:36 280,676 --ah----- C:\WINDOWS\system32\mljgf.dll.vir
2007-04-11 17:18 31,844 --------- C:\WINDOWS\system32\geede.exe
2007-04-11 17:13 49,183 --a------ C:\WINDOWS\system32\nsdsrego.exe
2007-04-11 17:07 31,844 ---hs---- C:\WINDOWS\system32\sstqo.exe
2007-04-11 17:07 31,844 ---hs---- C:\WINDOWS\system32\gebcd.exe
2007-04-11 16:59 931 --a------ C:\WINDOWS\system32\winpfz32.sys
2007-04-10 11:08 <DIR> d-------- C:\Temp\tn3
2007-04-10 07:36 105,434 --a------ C:\WINDOWS\VTTC.exe
2007-04-09 21:44 <DIR> d-------- C:\Program Files\hijack this
2007-04-09 11:04 184,320 --a------ C:\WINDOWS\sys012172355371.exe
2007-04-09 11:04 184,320 --a------ C:\WINDOWS\ase.exe
2007-04-06 14:49 53,248 --a------ C:\WINDOWS\111uninst.exe
2007-04-05 13:41 <DIR> d-------- C:\!KillBox
2007-04-05 10:24 <DIR> d-------- C:\SmitfraudFix
2007-04-05 08:36 3,064 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-05 08:34 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-04-05 08:34 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-04-05 08:34 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-04-05 08:34 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-04-05 08:34 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-04-05 08:34 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-04-03 14:34 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-03 11:40 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
2007-04-03 11:38 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-04-03 11:38 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-04-03 11:38 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2007-04-03 11:38 144,448 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-04-03 11:38 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
2007-04-03 11:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-04-03 11:36 <DIR> d-------- C:\DOCUME~1\warren\APPLIC~1\Webroot
2007-04-03 09:22 385,024 --a------ C:\WINDOWS\system32\IKAutoUp.exe
2007-04-03 09:22 385,024 --a------ C:\WINDOWS\system32\IkAutoUp.dat
2007-04-02 21:48 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-04-02 19:47 <DIR> d-------- C:\Program Files\STOPzilla!
2007-04-02 19:47 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-04-02 19:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
2007-04-02 15:45 <DIR> d-------- C:\WINDOWS\pss
2007-03-18 19:54 <DIR> d-------- C:\Program Files\iTunes
2007-03-15 11:23 497,496 --a------ C:\WINDOWS\system32\XceedZip.dll
2007-03-15 11:19 526,184 --a------ C:\WINDOWS\system32\XceedCry.dll
2007-03-15 08:46 57,344 --a------ C:\WINDOWS\uni_eh10.exe
2007-03-14 17:06 <DIR> d-------- C:\My Games
2007-03-14 17:05 <DIR> d-------- C:\My Download Files
2007-03-14 17:04 774,144 --a------ C:\Program Files\RngInterstitial.dll
2007-03-14 17:04 <DIR> d-------- C:\Program Files\Real


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-12 10:45 -------- d-------- C:\DOCUME~1\warren\APPLIC~1\skype
2007-04-11 17:31 484 --a------ C:\Program Files\Common Files\quca
2007-04-10 11:04 -------- d-------- C:\Program Files\tweak-xp pro 4
2007-04-09 18:25 -------- d-------- C:\Program Files\replay7
2007-04-09 13:32 -------- d-------- C:\Program Files\google
2007-04-09 10:55 -------- d-------- C:\Program Files\java
2007-04-05 13:16 2951 --a------ C:\WINDOWS\mozver.dat
2007-04-05 11:28 -------- d-------- C:\Program Files\super internet tv
2007-04-03 12:30 -------- d-------- C:\DOCUME~1\warren\APPLIC~1\verbatim software
2007-04-03 11:38 -------- d-------- C:\Program Files\webroot
2007-03-28 19:09 -------- d-------- C:\DOCUME~1\warren\APPLIC~1\vso_hwe
2007-03-18 20:55 -------- d-------- C:\Program Files\dvdfab platinum 3
2007-03-18 20:55 -------- d-------- C:\DOCUME~1\warren\APPLIC~1\vso
2007-03-18 19:54 -------- d-------- C:\Program Files\ipod
2007-03-18 19:52 -------- d-------- C:\Program Files\quicktime
2007-03-17 07:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-14 17:04 -------- d-------- C:\Program Files\Common Files\real
2007-03-08 09:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 09:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 09:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 07:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-07 09:32 -------- d-------- C:\Program Files\divx
2007-03-05 19:16 -------- d-------- C:\Program Files\yahoo! games
2007-03-05 18:21 -------- d-------- C:\DOCUME~1\warren\APPLIC~1\juniper networks
2007-03-01 08:53 142 --a------ C:\Program Files\Common Files\rtele.html
2007-02-22 22:29 524288 --a------ C:\WINDOWS\system32\divxsm.exe
2007-02-22 22:29 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-02-22 22:29 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-02-22 22:29 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-02-22 22:25 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-02-22 22:25 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-02-22 22:25 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-02-22 22:25 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-02-22 22:25 639066 --a------ C:\WINDOWS\system32\divx.dll
2007-02-22 22:25 593920 --a------ C:\WINDOWS\system32\dpugui11.dll
2007-02-22 22:25 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-02-22 22:25 53248 --a------ C:\WINDOWS\system32\dpugui10.dll
2007-02-22 22:25 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-02-22 22:25 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-02-22 22:25 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-02-22 22:25 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-02-15 19:40 124472 --a------ C:\WINDOWS\system32\divxcodecupdatechecker.exe
2007-02-11 17:53 0 --a------ C:\WINDOWS\nsreg.dat
2007-02-05 14:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll
2007-01-29 23:03 129784 --------- C:\WINDOWS\system32\pxafs.dll
2007-01-29 23:03 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-01-29 23:03 116472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-01-22 19:24 23392 --a--c--- C:\WINDOWS\system32\emptyregdb.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SiSUSBRG"="C:\\WINDOWS\\SiSUSBrg.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"RegistryMechanic"=""
"MessengerPlus3"="\"C:\\Program Files\\MessengerPlus! 3\\MsgPlus.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"AVG7_CC"="\"C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe\" /STARTUP"
"WatchDog"="\"C:\\Program Files\\mobile PhoneTools\\WatchDog.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{D2A0728D-AB2F-4B91-9EEF-590C70EA075D}"=""
"{E44527F6-1296-4A84-B67D-A6CEA6ED4B69}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWinKeys"=dword:00000001
"NoRecentDocsMenu"=dword:00000001
"NoLowDiskSpaceChecks"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcdcba

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-12 10:51:27
C:\ComboFix-quarantined-files.txt ... 07-04-12 10:51
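ComboFix prints a file's attribute bits in the `---hs----` column of the "Files Created" list and, per its own note above, shows only non-default registry loading points, so the bare `winlogon\notify\ddcdcba` key it lists is not a stock entry. As an added example (not part of this thread and not ComboFix code), here is a Python pass over those two parts of the report, which also covers the hidden-library-in-winlogon.exe finding from the GMER output earlier in the thread: hidden+system files sitting directly under C:\WINDOWS or system32 are scored suspicious, new executables there are queued for review, and any listed Winlogon\Notify package is scored suspicious. The tiers, the two-directory list and the extension list are assumptions; the sample lines are a subset copied from the report above.

```python
"""Triage pass over a ComboFix report.

Added example; not part of this thread and not ComboFix code. It reads the
"Files Created" lines (date, time, size, attribute column, path) and the
Winlogon Notify loading point that ComboFix lists, and sorts them into a
reading order. The rules and directory list below are assumptions.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity item reason")

# Constructed sample: a subset of lines copied from the report above.
SAMPLE_REPORT = r"""
2007-04-11 22:06 774,595 ---hs---- C:\WINDOWS\system32\fgjlm.bak2
2007-04-11 17:52 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-04-11 17:36 280,676 --ah----- C:\WINDOWS\system32\mljgf.dll.vir
2007-04-11 17:18 31,844 --------- C:\WINDOWS\system32\geede.exe
2007-04-11 17:07 31,844 ---hs---- C:\WINDOWS\system32\sstqo.exe
2007-04-10 07:36 105,434 --a------ C:\WINDOWS\VTTC.exe
2007-04-05 08:34 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-04-03 11:38 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcdcba
""".strip().splitlines()

# One "Files Created" / "Find3M" line: date time size attrs path.
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>|-+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)
# A Winlogon\Notify package key, as printed under "Reg Loading Points".
NOTIFY_RE = re.compile(r"\\winlogon\\notify\\(?P<sub>[^\\]+)$", re.I)

# Assumption: files dropped directly into these two directories get scrutiny;
# deeper paths (drivers\, Kaspersky Lab\, ...) are left alone by this pass.
SYSTEM_PARENTS = ("c:\\windows", "c:\\windows\\system32")
PE_EXT = (".exe", ".dll", ".sys")


def classify_file(path, attrs):
    """Score one file by where it sits and which attribute bits it carries."""
    parent, _, name = path.lower().rpartition("\\")
    if parent not in SYSTEM_PARENTS:
        return None
    hidden, system = "h" in attrs, "s" in attrs
    if hidden and system:
        return Finding("suspicious", path, "hidden+system file directly under " + parent)
    if hidden:
        return Finding("review", path, "hidden file directly under " + parent)
    if name.endswith(PE_EXT):
        return Finding("review", path, "new executable directly under " + parent)
    return None


def triage_combofix(lines):
    """Return Findings in report order; directory entries are skipped."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            if m.group("attrs").startswith("d"):
                continue
            f = classify_file(m.group("path"), m.group("attrs"))
            if f:
                findings.append(f)
            continue
        n = NOTIFY_RE.search(line)
        if n:
            # ComboFix's own note says default entries are not shown, so any
            # Notify package it lists was added after the OS install.
            findings.append(Finding("suspicious", line,
                                    "non-default Winlogon\\Notify package " + n.group("sub")))
    return findings


if __name__ == "__main__":
    for f in triage_combofix(SAMPLE_REPORT):
        print(f"{f.severity:10} {f.item}  ({f.reason})")
```

The "review" tier is deliberately noisy: legitimate files land in system32 too (the 2007-04-05 08:34 batch in the report arrived together, which is the sort of context this pass cannot see), so compare against a known-good hash set before deleting anything it lists.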

railman
2007-04-12, 19:06
C:\WINDOWS\system32\awvtq.dll
C:\WINDOWS\system32\fosdieqt.dll
C:\WINDOWS\system32\gvpitbem.dll
C:\WINDOWS\system32\jkkkhig.dll
C:\WINDOWS\system32\khfdefd.dll
C:\WINDOWS\system32\opnlkji.dll
C:\WINDOWS\system32\opnnnoo.dll
C:\WINDOWS\system32\opnonol.dll
C:\WINDOWS\system32\qtvwa.bak1
C:\WINDOWS\system32\qtvwa.ini
C:\WINDOWS\system32\rovkclwc.dll
C:\WINDOWS\system32\ssqrrpn.dll
C:\WINDOWS\system32\tvgajgrm.dll
C:\WINDOWS\system32\vesdmeed.dll
C:\WINDOWS\system32\wgcipjuh.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awvtq.dll
C:\WINDOWS\system32\awvtq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fosdieqt.dll
C:\WINDOWS\system32\fosdieqt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gvpitbem.dll
C:\WINDOWS\system32\gvpitbem.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkkkhig.dll
C:\WINDOWS\system32\jkkkhig.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\khfdefd.dll
C:\WINDOWS\system32\khfdefd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\opnlkji.dll
C:\WINDOWS\system32\opnlkji.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\opnnnoo.dll
C:\WINDOWS\system32\opnnnoo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\opnonol.dll
C:\WINDOWS\system32\opnonol.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qtvwa.bak1
C:\WINDOWS\system32\qtvwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\qtvwa.ini
C:\WINDOWS\system32\qtvwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\rovkclwc.dll
C:\WINDOWS\system32\rovkclwc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqrrpn.dll
C:\WINDOWS\system32\ssqrrpn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tvgajgrm.dll
C:\WINDOWS\system32\tvgajgrm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vesdmeed.dll
C:\WINDOWS\system32\vesdmeed.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wgcipjuh.dll
C:\WINDOWS\system32\wgcipjuh.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 8:46:42 AM 4/12/2007

Listing files found while scanning....

C:\WINDOWS\system32\wvuvwwx.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\wvuvwwx.dll
C:\WINDOWS\system32\wvuvwwx.dll Has been deleted!

Performing Repairs to the registry.
Done!

railman
2007-04-12, 19:07
File/Folder :\Documents and Settings\warren\.housecall not found.
File/Folder C:\Documents and Settings\warren\Local Settings\Temporary Internet Files\Content.IE5\6B3TTV98 not found.
File/Folder C:\Program Files\Common Files\quca.dll not found.
File/Folder C:\WINDOWS\Downloaded Program Files\USDR6_0001_D19M2108NetInstaller.exe not found.
File/Folder C:\WINDOWS\NDNuninstall6_38.exe not found.
File/Folder C:\WINDOWS\NDNuninstall7_48.exe not found.
File/Folder C:\WINDOWS\system32\bund1 not found.
File/Folder C:\WINDOWS\system32\bkd.exe not found.
File/Folder C:\WINDOWS\system32\iifdcbc.dll not found.
File/Folder C:\WINDOWS\system32\WgaTray.exe not found.
File/Folder C:\WINDOWS\system32\__delete_on_reboot__x_x_y_v_w_v_s_._d_l_l_ not found.
File/Folder E:\shared\Neww\(full version) vanilla mini wheats song 55.wma not found.
File/Folder E:\shared\Neww\mini wheats theme song vanilla 36.wma not found.
File/Folder E:\shared\Neww\mp3\03 Track 3.wma not found.
File/Folder E:\shared\Neww\[release] mini wheats commercial 32.wma not found.
File/Folder E:\shared\phone stuff\++++ motorola ringtones 56.wma not found.
File/Folder E:\shared\phone stuff\released motorola ringtones 34.wma not found.
File/Folder C:\WINDOWS\system32\drivers\core.sys not found.
File/Folder C:\WINDOWS\system32\VTTC.exe not found.

Created on 04/12/2007 09:03:08

This was the log after the second time I ran it; for some reason I couldn't copy the first log.

railman
2007-04-12, 19:08
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:42:40 AM 4/12/2007

+ Scan result:



HKLM\SOFTWARE\Classes\CLSID\{A8BD6820-6ED7-423E-9558-2D1486B0FEEA} -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKLM\SOFTWARE\DeluxeCommunications -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKLM\SOFTWARE\DeluxeCommunications\Internet Explorer -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1500820517-725345543-1006\Software\DeluxeCommunications -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1500820517-725345543-1006\Software\DeluxeCommunications\Internet Explorer -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
C:\Documents and Settings\warren\Local Settings\Temporary Internet Files\Content.IE5\G3YNA7GJ\NNuninstall[1].exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\hijack this\backups\backup-20070411-173520-411.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP80\A0059711.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP80\A0059712.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1500820517-725345543-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP80\A0059713.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\wvuvwwx.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053623.exe -> Adware.WebBuying : Cleaned with backup (quarantined).
C:\Program Files\hijack this\backups\backup-20070411-173520-852.dll -> Adware.ZQuest : Cleaned with backup (quarantined).
C:\_OTMoveIt\MovedFiles\Program Files\Common Files\quca.dll -> Adware.ZQuest : Cleaned with backup (quarantined).
C:\Documents and Settings\warren\Local Settings\Temp\ICD3.tmp\UDC6_0001_D21M0303NetInstaller.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\warren\Local Settings\Temp\ICD2.tmp\UERT_0001_D19M2109NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.l : Cleaned with backup (quarantined).
C:\Documents and Settings\warren\Local Settings\Temp\ICD1.tmp\USDR6_0001_D19M2108NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.q : Cleaned with backup (quarantined).
C:\Documents and Settings\warren\Local Settings\Temp\ICD4.tmp\USDR6_0001_D19M2108NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.q : Cleaned with backup (quarantined).
C:\Documents and Settings\gaynette.USER-52FBA29A54\Cookies\gaynette@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\warren\Cookies\warren@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\warren\Cookies\warren@buzznet.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\warren\Cookies\warren@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\warren\Cookies\warren@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\warren\Cookies\warren@pch.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\warren\Cookies\warren@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\warren\Cookies\warren@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\gaynette.USER-52FBA29A54\Cookies\gaynette@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\gaynette.USER-52FBA29A54\Cookies\gaynette@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\gaynette.USER-52FBA29A54\Cookies\gaynette@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\warren\Cookies\warren@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\gaynette.USER-52FBA29A54\Cookies\gaynette@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\warren\Cookies\warren@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\gaynette.USER-52FBA29A54\Cookies\gaynette@searchportal.information[1].txt -> TrackingCookie.Information : Cleaned.
C:\Documents and Settings\gaynette.USER-52FBA29A54\Cookies\gaynette@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\warren\Cookies\warren@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\warren\Cookies\warren@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\gaynette.USER-52FBA29A54\Cookies\gaynette@revenue[2].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\gaynette.USER-52FBA29A54\Cookies\gaynette@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end

railman
2007-04-12, 19:11
I can't tell you what files gmr could delete, but now it says problem moving any of those files. I assume they all have been deleted. Since performing these actions the computer is working great, and I haven't seen a popup. I sure hope it doesn't replicate when rebooting, but I will keep you posted. Thanks again for all your help, and for putting up with my computer ignorance....... rail

railman
2007-04-12, 20:03
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:02:02 PM, on 4/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hijack this\hjt.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [WatchDog] "C:\Program Files\mobile PhoneTools\WatchDog.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ricochetlostworlds/ReflexiveWebGameLoader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129645445375
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129645431937
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://www.winantivirus.com/download/2007/download.php?file=2&aid=nm_ik_spt_meta_kw_ca_en&lid=file&affid=nm_67284_F2A4C604E88211DB97280015C55D3487_488d8a51+6D9170741ED94BE1B336BD8DCDEAEC74
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://sra.cn.ca/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9073 bytes

railman
2007-04-12, 20:04
Thanks so very much again, it was a long and arduous process. But well worth the pain.

Angelfire777
2007-04-12, 23:21
Hi,

The stubborn one is now gone, but there is a lot of crap that appeared again. Please avoid downloading anything as of now. I want you to stay offline with that computer as long as possible until these infections stop regenerating.


*Open Spy Sweeper.
Click the Options button on the left hand side.
Select the Update Tab.
Click Update Spy Sweeper.
Once the updates have all been downloaded, exit spysweeper.


*Although Windows XP comes with a firewall, you should not rely on it because the Windows Firewall can only filter incoming data; outgoing traffic is not controlled, meaning that malware/viruses that are present on your computer can access the internet with no restrictions. There are several other firewalls that can protect you better by filtering incoming and outgoing data. Make sure you get only one of these...

» ZoneAlarm (http://www.zonelabs.com)
» Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)


After installing the firewall and the Spy Sweeper updates, reboot first, then you may print these instructions or copy them into Notepad, since you need to do all of these instructions while offline.


*Run a new rootkit scan with GMER.

When you see the following process on the list:

C:\WINDOWS\system32\ddcddaw.dll

Right-click it with your mouse and a menu will open. Choose Kill Process from the list.

Then close GMER.


*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://www.winantivirus.com/download...36BD8DCDEAEC74

Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.



*Run OTMoveIt
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\fgjlm.bak2
C:\WINDOWS\system32\fgjlm.ini2
C:\WINDOWS\system32\fgjlm.bak1
C:\WINDOWS\system32\mljgf.dll.vir
C:\WINDOWS\system32\geede.exe
C:\WINDOWS\system32\nsdsrego.exe
C:\WINDOWS\system32\sstqo.exe
C:\WINDOWS\system32\gebcd.exe
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\VTTC.exe
C:\WINDOWS\sys012172355371.exe
C:\WINDOWS\ase.exe
C:\WINDOWS\uni_eh10.exe
C:\WINDOWS\111uninst.exe
C:\Program Files\Common Files\quca
C:\Program Files\Common Files\rtele.html
C:\WINDOWS\system32\ddcddaw.dll


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


*Click start > run > copy and paste the following command in the box:

reg delete "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcdcba"


*Now open Spy Sweeper again
Select the Sweep Tab.
Ensure that the Full Sweep (recommended) option is selected.
Click the Start Sweep button.
Once the scan has completed, Spy Sweeper will display the results of the scan.
If anything has been found, click Quarantine Selected.
If you are asked to allow a reboot, do so - if not, manually reboot your PC instead.

Once the PC has rebooted, open Spy Sweeper: Click the Options button on the left.
Select the Sweep Tab again.
Click the View Session Log link in the bottom left hand corner.
Click the Save to File button - by default the log will be saved as Spy Sweeper Sessions Log.txt in My Documents.


*After reboot, please do a rootkit scan with GMER again.

On your next reply, please include a fresh HijackThis log, OTMoveIt log, Spy Sweeper scan log and the new GMER log, and a description of how your machine is running.
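The HijackThis step above relies on the helper spotting an O16 (DPF, downloaded ActiveX control) entry that points at a rogue download host. As an added example that is not part of this thread, the script below parses O16 lines in the HijackThis log format and flags controls fetched from hosts outside an allowlist or registered without a friendly name; the sample lines are constructed to mirror entries in this log, and the allowlist and flagging rules are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the HijackThis log format. The O16 lines mirror entries
# from this thread's log; the third one mirrors the rogue WinAntiVirus control
# the helper asked to have fixed, with its long affiliate URL shortened here.
SAMPLE_LOG = "\n".join([
    "Running processes:",
    r"C:\WINDOWS\System32\smss.exe",
    "",
    "O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - "
    "http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129645445375",
    "O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - "
    "http://go.microsoft.com/fwlink/?linkid=39204",
    "O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - "
    "http://www.winantivirus.com/download/2007/download.php?file=2",
    r"O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe",
])

# O16 line layout: "O16 - DPF: {CLSID} (Friendly Name) - URL"; the friendly name
# is optional, which is itself a weak signal when it is missing.
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"
    r"(?: \((?P<name>[^)]*)\))?"
    r" - (?P<url>\S+)$"
)

# Assumed allowlist of download domains (vendors seen in this thread's log).
# Adjust to the environment; anything not under these domains gets reviewed.
TRUSTED_SUFFIXES = (
    "microsoft.com",
    "msn.com",
    "trendmicro.com",
    "trendmicro-europe.com",
    "kaspersky.com",
)


def is_trusted_host(host, trusted=TRUSTED_SUFFIXES):
    """True when host is a trusted domain or a subdomain of one.

    Matching is done on a dot boundary so that a look-alike such as
    'evilmicrosoft.com' does not inherit trust from 'microsoft.com'.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def parse_o16(log_text):
    """Extract the O16 entries from a HijackThis log as dicts."""
    entries = []
    for line in log_text.splitlines():
        m = O16_RE.match(line.strip())
        if not m:
            continue  # other sections (R0, O4, O23, ...) are ignored here
        url = m.group("url")
        entries.append({
            "clsid": m.group("clsid").upper(),
            "name": m.group("name"),  # None when no friendly name is present
            "url": url,
            "host": (urlsplit(url).hostname or "").lower(),
        })
    return entries


def triage_o16(log_text, trusted=TRUSTED_SUFFIXES):
    """Return the O16 entries that deserve a closer look, with the reasons."""
    findings = []
    for entry in parse_o16(log_text):
        reasons = []
        if not is_trusted_host(entry["host"], trusted):
            reasons.append("download host not on the allowlist")
        if not entry["name"]:
            reasons.append("no friendly name registered for the control")
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_o16(SAMPLE_LOG):
        print(f"{f['clsid']} {f['host']}: {'; '.join(f['reasons'])}")
```

Flagged entries are candidates for the "Fix checked" step, not a verdict; an unknown host is reviewed, not deleted automatically.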

railman
2007-04-13, 02:59
GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-04-12 18:51:37
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT 84548B70 ZwAllocateVirtualMemory
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS ZwClose
SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS ZwCreateProcess
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS ZwCreateProcessEx
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS ZwCreateSection
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS ZwCreateSymbolicLinkObject
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS ZwCreateThread
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS ZwDuplicateObject
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadDriver
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwMapViewOfSection
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS ZwOpenSection
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS ZwQuerySystemInformation
SSDT 84548BE8 ZwQueueApcThread
SSDT 84548A80 ZwReadVirtualMemory
SSDT 84549318 ZwRenameKey
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS ZwResumeThread
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS ZwSetContextThread
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS ZwSetInformationFile
SSDT 845492A0 ZwSetInformationKey
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS ZwSetInformationProcess
SSDT 84548D50 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS ZwSetSecurityObject
SSDT \SystemRoot\System32\vsdatant.sys ZwSetSystemInformation
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT 84548EB8 ZwSuspendProcess
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS ZwSuspendThread
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS ZwTerminateProcess

railman
2007-04-13, 03:02
SSDT 84548DC8 ZwTerminateThread
SSDT \SystemRoot\System32\vsdatant.sys ZwUnloadDriver
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS ZwWriteVirtualMemory
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS SSDT[284]
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS SSDT[285]
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS SSDT[286]
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS SSDT[287]
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS SSDT[288]
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS SSDT[289]
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS SSDT[290]
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS SSDT[291]
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS SSDT[292]
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS SSDT[293]
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS SSDT[294]
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS SSDT[295]
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS SSDT[296]

INT 0x20 srescan.sys F72EC9B0

Code \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS FsRtlCheckLockForReadAccess
Code \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.12 ----

.text ntkrnlpa.exe!FsRtlCheckLockForReadAccess 804E9E54 5 Bytes JMP B4C57760 \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS
.text ntkrnlpa.exe!IoIsOperationSynchronous 804EE738 5 Bytes JMP B4C57C50 \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS
.text ntkrnlpa.exe!ZwCallbackReturn + 23E4 805012B4 12 Bytes [ F0, A1, 5C, B5, 80, 04, 5D, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 252C 805013FC 2 Bytes [ 60, FD ]
.text ntkrnlpa.exe!KiDispatchInterrupt + BA 80540CDA 7 Bytes JMP B4C5ACD0 \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS
? srescan.sys The system cannot find the file specified.
.text ntkrnlpa.exe!FsRtlCheckLockForReadAccess 804E9E54 5 Bytes JMP B4C57760 \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS
.text ntkrnlpa.exe!IoIsOperationSynchronous 804EE738 5 Bytes JMP B4C57C50 \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS
.text ntkrnlpa.exe!ZwYieldExecution + 28BC 805012B4 12 Bytes [ F0, A1, 5C, B5, 80, 04, 5D, ... ]
.text ntkrnlpa.exe!ZwYieldExecution + 2A04 805013FC 2 Bytes [ 60, FD ]
.text ntkrnlpa.exe!KiDispatchInterrupt + BA 80540CDA 7 Bytes JMP B4C5ACD0 \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS

---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1176] ntdll.dll!KiFastSystemCall + 2 7C90EB8D 2 Bytes [ CD, 20 ]
.text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1228] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ AB, FA, C3, 83 ]
.text C:\Program Files\Webroot\Spy Sweeper\ssu.exe[2984] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 0002FCB0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
.text C:\Program Files\Webroot\Spy Sweeper\ssu.exe[2984] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0002FEDC C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
.text C:\Program Files\Webroot\Spy Sweeper\ssu.exe[2984] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 0002FE60 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
.text C:\Program Files\Webroot\Spy Sweeper\ssu.exe[2984] kernel32.dll!VirtualFree 7C809AE4 5 Bytes JMP 0002FEA0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
.text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[3344] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ 03, FF, C3, 83 ]

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE 83930100
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_READ 839311F0
Device \Driver\Tcpip \Device\Ip IRP_MJ_WRITE 83931178
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION 83931100
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION 83921020
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA 839211F0
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA 83921178
Device \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS 83921100
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION 83934020
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION 839341F0
Device \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL 83934178
Device \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL 83934100
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B4C85A] avgtdi.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN 83926B20
Device \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL 83926AA8
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT 8391D1F8
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY 8391D180
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY 8391D108
Device \Driver\Tcpip \Device\Ip IRP_MJ_POWER 8385C020
Device \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL 8385C1F8
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE 8385C180
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA 8385C108
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA 837D69B0
Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP 837D6938
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE 83930100
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_READ 839311F0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE 83931178
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION 83931100
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION 83921020
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA 839211F0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA 83921178
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS 83921100
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION 83934020
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION 839341F0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL 83934178
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL 83934100
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B4C85A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN 83926B20
Device \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL 83926AA8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT 8391D1F8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY 8391D180
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY 8391D108
Device \Driver\Tcpip \Device\Tcp IRP_MJ_POWER 8385C020
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL 8385C1F8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE 8385C180
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA 8385C108
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA 837D69B0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP 837D6938
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE 83930100
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_READ 839311F0
Device \Driver\Tcpip \Device\Udp IRP_MJ_WRITE 83931178
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION 83931100
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION 83921020
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA 839211F0
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA 83921178
Device \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS 83921100
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION 83934020
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION 839341F0
Device \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL 83934178
Device \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL 83934100
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B4C85A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN 83926B20
Device \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL 83926AA8
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT 8391D1F8
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY 8391D180
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY 8391D108
Device \Driver\Tcpip \Device\Udp IRP_MJ_POWER 8385C020
Device \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL 8385C1F8
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE 8385C180
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA 8385C108
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA 837D69B0
Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP 837D6938
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE 83930100
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_READ 839311F0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE 83931178
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION 83931100
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION 83921020
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA 839211F0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA 83921178
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS 83921100
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION 83934020
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION 839341F0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL 83934178
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL 83934100
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B4C85A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN 83926B20
Device \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL

railman
2007-04-13, 03:04
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT 8391D1F8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY 8391D180
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY 8391D108
Device \Driver\Tcpip \Device\RawIp IRP_MJ_POWER 8385C020
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL 8385C1F8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE 8385C180
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA 8385C108
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA 837D69B0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP 837D6938
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_NAMED_PIPE 83930100
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_READ 839311F0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_WRITE 83931178
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_INFORMATION 83931100
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_INFORMATION 83921020
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_EA 839211F0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_EA 83921178
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FLUSH_BUFFERS 83921100
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_VOLUME_INFORMATION 83934020
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_VOLUME_INFORMATION 839341F0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DIRECTORY_CONTROL 83934178
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FILE_SYSTEM_CONTROL 83934100
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B4C85A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN 83926B20
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_LOCK_CONTROL 83926AA8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT 8391D1F8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_SECURITY 8391D180
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_SECURITY 8391D108
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_POWER 8385C020
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SYSTEM_CONTROL 8385C1F8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CHANGE 8385C180
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_QUOTA 8385C108
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_QUOTA 837D69B0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP 837D6938

---- EOF - GMER 1.0.12 ----

railman
2007-04-13, 03:05
File/Folder C:\WINDOWS\system32\fgjlm.bak2 not found.
C:\WINDOWS\system32\fgjlm.ini2 moved successfully.
C:\WINDOWS\system32\fgjlm.bak1 moved successfully.
C:\WINDOWS\system32\mljgf.dll.vir moved successfully.
C:\WINDOWS\system32\geede.exe moved successfully.
C:\WINDOWS\system32\nsdsrego.exe moved successfully.
C:\WINDOWS\system32\sstqo.exe moved successfully.
C:\WINDOWS\system32\gebcd.exe moved successfully.
C:\WINDOWS\system32\winpfz32.sys moved successfully.
C:\WINDOWS\VTTC.exe moved successfully.
C:\WINDOWS\sys012172355371.exe moved successfully.
C:\WINDOWS\ase.exe moved successfully.
C:\WINDOWS\uni_eh10.exe moved successfully.
C:\WINDOWS\111uninst.exe moved successfully.
C:\Program Files\Common Files\quca moved successfully.
C:\Program Files\Common Files\rtele.html moved successfully.
File/Folder C:\WINDOWS\system32\ddcddaw.dll not found.

Created on 04/12/2007 17:34:51

railman
2007-04-13, 03:06
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:55:12 PM, on 4/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\hijack this\hjt.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [WatchDog] "C:\Program Files\mobile PhoneTools\WatchDog.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ricochetlostworlds/ReflexiveWebGameLoader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129645445375
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129645431937
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://sra.cn.ca/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9204 bytes
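
As an added example, not part of railman's post and not HijackThis's own code, here is a small Python parser for the O4, O16 and O23 entry shapes seen in the log above, so a helper can triage a posted log as structured records instead of by eye. The sample log is constructed from the same entry formats, and the plain-HTTP check is a triage heuristic of mine, not something HijackThis reports.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis v2.0 log format (entry shapes mirror the log posted above).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

@dataclass
class HjtEntry:
    section: str            # "O4", "O16", "O23", ...
    name: str               # run-key value name, ActiveX control name or service display name
    target: str             # executable path or download URL the entry points at
    clsid: Optional[str]    # CLSID for O9/O16/O22-style entries, else None

CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
O4_KEY = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
O16 = re.compile(r"^DPF: \{[^}]+\} \((?P<name>.+)\) - (?P<url>\S+)$")

def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Turn one HijackThis entry line into a structured record; None for non-entry lines."""
    m = re.match(r"^([RFNO]\d+) - (.*)$", line.strip())
    if not m:
        return None
    section, body = m.groups()
    clsid_m = CLSID.search(body)
    clsid = clsid_m.group(0) if clsid_m else None
    if section == "O4" and (m4 := O4_KEY.match(body)):
        # Drop the trailing "(User 'X')" note, then take the quoted path or the token before any switches.
        rest = re.sub(r"\s*\(User '[^']*'\)$", "", m4["rest"])
        target = rest[1:rest.index('"', 1)] if rest.startswith('"') else rest.split(" /", 1)[0]
        return HjtEntry(section, m4["name"], target, clsid)
    if section == "O16" and (m16 := O16.match(body)):
        return HjtEntry(section, m16["name"], m16["url"], clsid)
    if section == "O23" and body.startswith("Service: "):
        display, _vendor, path = body[len("Service: "):].rsplit(" - ", 2)
        return HjtEntry(section, display, path, clsid)
    return HjtEntry(section, body, "", clsid)   # other sections: keep the raw body as the name

def parse_hjt_log(text: str) -> List[HjtEntry]:
    return [e for e in (parse_hjt_line(l) for l in text.splitlines()) if e]

def plain_http_downloads(entries: List[HjtEntry]) -> List[str]:
    """Triage heuristic (mine, not HijackThis's): O16 controls fetched over cleartext HTTP."""
    return [e.target for e in entries if e.section == "O16" and e.target.startswith("http://")]
```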

railman
2007-04-13, 03:07
Keylogger: Off
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: Off
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: Off
IE Hijack Shield: On
6:33 PM: IE Hijack Shield: Resetting IE advanced data value.
IE Tracking Cookies Shield: Off
6:33 PM: Shield States
6:33 PM: Spyware Definitions: 845
6:33 PM: Spy Sweeper 5.3.1.2344 started
6:33 PM: Spy Sweeper 5.3.1.2344 started
6:33 PM: | Start of Session, Thursday, April 12, 2007 |
***************
6:27 PM: ApplicationMinimized - EXIT
6:27 PM: ApplicationMinimized - EXIT
6:27 PM: ApplicationMinimized - ENTER
6:27 PM: ApplicationMinimized - ENTER
6:26 PM: Removal process completed. Elapsed time 00:00:10
6:26 PM: Quarantining All Traces: adecn cookie
6:26 PM: Quarantining All Traces: 2o7.net cookie
6:26 PM: Quarantining All Traces: deluxecommunications
6:26 PM: Quarantining All Traces: maxifiles
6:26 PM: Quarantining All Traces: zenosearchassistant
6:26 PM: Quarantining All Traces: enbrowser
6:26 PM: Removal process initiated
6:26 PM: Traces Found: 10
6:26 PM: Full Sweep has completed. Elapsed time 00:28:43
6:26 PM: File Sweep Complete, Elapsed Time: 00:17:12
6:24 PM: Warning: SweepCompressedFiles: Access violation at address 00401D84 in module 'SpySweeper.exe'. Read of address 7DCA000C
6:24 PM: Warning: SweepCompressedFiles: Access violation at address 00401D84 in module 'SpySweeper.exe'. Read of address 7DEB000C
6:24 PM: Warning: SweepCompressedFiles: Access violation at address 00401D84 in module 'SpySweeper.exe'. Read of address 7E20000C
6:23 PM: Warning: Unable to sweep compressed file: "c:\recycler\s-1-5-21-606747145-1500820517-725345543-1006\dc26.zip": File not found
6:23 PM: Warning: SweepCompressedFiles: Access violation at address 00401D84 in module 'SpySweeper.exe'. Read of address 7E60000C
6:23 PM: Warning: SweepDirectories: Cannot find directory "h:". This directory was not added to the list of paths to be scanned.
6:23 PM: Warning: SweepDirectories: Cannot find directory "g:". This directory was not added to the list of paths to be scanned.
6:23 PM: Warning: SweepDirectories: Cannot find directory "f:". This directory was not added to the list of paths to be scanned.
6:22 PM: C:\WINDOWS\system32\zxdnt3d.cfg (ID = 91140)
6:22 PM: C:\WINDOWS\system32\msnav32.ax (ID = 220229)
6:21 PM: Warning: Failed to read file "c:\recycler\s-1-5-21-606747145-1500820517-725345543-1006\dc13\dvdfabplatinum3020.exe". "c:\recycler\s-1-5-21-606747145-1500820517-725345543-1006\dc13\dvdfabplatinum3020.exe": File not found
6:21 PM: Warning: PerformFileOffsetMatch Failed to check file "c:\recycler\s-1-5-21-606747145-1500820517-725345543-1006\dc14\zlib.dll". "c:\recycler\s-1-5-21-606747145-1500820517-725345543-1006\dc14\zlib.dll": File not found
6:21 PM: Warning: PerformFileOffsetMatch Failed to check file "c:\recycler\s-1-5-21-606747145-1500820517-725345543-1006\dc15\zlib.dll". "c:\recycler\s-1-5-21-606747145-1500820517-725345543-1006\dc15\zlib.dll": File not found
6:15 PM: C:\_OTMoveIt\MovedFiles\WINDOWS\system32\bkd.exe (ID = 361293)
6:15 PM: Found Adware: deluxecommunications
6:11 PM: C:\_OTMoveIt\MovedFiles\WINDOWS\system32\nsdsrego.exe (ID = 294)
6:09 PM: C:\QooBox\Quarantine\WINDOWS\system32\dwdsregt.exe.vir (ID = 294)
6:09 PM: Found Adware: zenosearchassistant
6:09 PM: Starting File Sweep
6:09 PM: Warning: SweepDirectories: Cannot find directory "a:". This directory was not added to the list of paths to be scanned.
6:09 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
6:09 PM: c:\documents and settings\gaynette.user-52fba29a54\cookies\gaynette@adecn[1].txt (ID = 2063)
6:09 PM: c:\documents and settings\gaynette.user-52fba29a54\cookies\gaynette@ad2.adecn[1].txt (ID = 2064)
6:09 PM: Found Spy Cookie: adecn cookie
6:09 PM: c:\documents and settings\alex\cookies\alex@msnportal.112.2o7[1].txt (ID = 1958)
6:09 PM: Found Spy Cookie: 2o7.net cookie
6:09 PM: Starting Cookie Sweep
6:09 PM: Registry Sweep Complete, Elapsed Time:00:00:21
6:08 PM: HKLM\software\microsoft\juan\ (ID = 1781228)
6:08 PM: Found Adware: maxifiles
6:08 PM: HKLM\software\system\sysold\ (ID = 926808)
6:08 PM: Found Adware: enbrowser
6:08 PM: Starting Registry Sweep
6:08 PM: Memory Sweep Complete, Elapsed Time: 00:11:07
6:02 PM: Access to Hosts file allowed for C:\PROGRAM FILES\GRISOFT\AVG ANTI-SPYWARE 7.5\AVGAS.EXE
6:01 PM: Access to Hosts file allowed for C:\PROGRAM FILES\GRISOFT\AVG ANTI-SPYWARE 7.5\AVGAS.EXE
5:57 PM: Starting Memory Sweep
5:57 PM: Start Full Sweep
5:57 PM: Sweep initiated using definitions version 845
5:57 PM: Spy Sweeper 5.3.1.2344 started
5:57 PM: | Start of Session, Thursday, April 12, 2007 |
***************

railman
2007-04-13, 03:08
I completed all the steps, and thanks again, all seems to be well.

Angelfire777
2007-04-13, 16:30
Hi,

We got it! :yahoo: :2thumb:

I see that you have chosen a ZoneAlarm version that has an Antivirus component. It is recommended that you use only 1 Antivirus with realtime monitoring switched on. 2 Antivirus programs running at the same time will cause conflicts with each other and furthermore, it will reduce your machine's overall security. So please turn off either ZoneAlarm or AVG Free's realtime monitoring to prevent such conflicts.

Please empty the contents of these folders:

C:\_OTMoveiT\MovedFiles
C:\QooBox\Quarantine

Empty your recycle bin.
_________

Other than that,

Congratulations! Your log looks clean!

This is a good time to clear your existing system restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore

Select Create a restore point, and Ok it.

Next, go to Start > Run and type in cleanmgr

Select the More options tab

Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.
______________________
Here are some free programs I recommend that could help you improve your pc's security.

Install Spyware Guard
~You can download it from here (http://www.javacoolsoftware.com/spywareguard.html)
~You can read the tutorial on how to use Spyware Guard here (http://www.bleepingcomputer.com/tutorials/tutorial50.html)

Install SpyWare Blaster
~You can download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
~You can read the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)

Install WinPatrol
~You can download it from here (http://www.winpatrol.com/download.html)
~You can get some information about how WinPatrol works here (http://www.winpatrol.com/features.html)

IESpyAds
~You can download it from here (http://www.spywarewarrior.com/uiuc/resource.htm#IESPYAD)
~If you want to know how IESpyAds works, you can take a look at it here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
~Please note that IESpyAds only works with Internet Explorer.

Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?" (http://castlecops.com/t7736-So_how_did_I_get_infected_in_the_first_place.html)

Happy safe surfing!

Angelfire777
2007-04-13, 16:31
I'll leave this thread open for 2 days just in case those nasties decide to fight again :bigthumb:

railman
2007-04-14, 17:56
Gotta love a plan that comes together. This computer is working fantastic.

Angelfire777
2007-04-16, 08:28
Glad we could be of assistance :bigthumb:

Since the problem has been resolved, this topic is now closed and archived. If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.