View Full Version : Smithfraud-C.Toolbar888
mindalter
2007-06-04, 19:45
Hi,
Well I just got done reading about 15 posts on this issue and tried many of them on my system but am unable to get rid of this on my own.
I tried Vundofix, spybot, spyware doctor, cleanreg.
It is kind of funny as my system is so bad now its running audio advertisements with no processes running according to task manager. LOL
I renamed hijack this to scanner.exe and here are my HJT logs. Any help is much appreciated. I can post vundo.txt if needed.
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:45:11 AM, on 6/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Brad\Desktop\scanner.exe.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: (no name) - {E4D9BB1E-EC04-4220-8F87-40F091813D30} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Online Services\rtenefsuzy.html
--
End of file - 8007 bytes
BTW I have viewed and understand the information inside "BEFORE you POST"
http://forums.spybot.info/showthread.php?t=288
And I understand that all advice given is taken at your own risk.
mindalter
2007-06-05, 03:36
I downloaded SmitfraudFix (by S!Ri).
http://siri.urz.free.fr/Fix/SmitfraudFix.exe
and ran the application and here are the results of rapport.txt
SmitFraudFix v2.192
Scan done at 17:30:48.32, Mon 06/04/2007
Run from C:\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Brad\Desktop\scanner.exe.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Brad
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Brad\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Brad\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Online Services\\rtenefsuzy.html"
"SubscribedURL"=""
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 10.0.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{FAA209ED-7AE5-4EE8-BB45-B7DEA9E16BCB}: DhcpNameServer=10.0.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{FAA209ED-7AE5-4EE8-BB45-B7DEA9E16BCB}: DhcpNameServer=10.0.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{FAA209ED-7AE5-4EE8-BB45-B7DEA9E16BCB}: DhcpNameServer=10.0.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.0.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.0.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=10.0.1.1
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
Hello mindalter and welcome to the Forums :)
You got at least some leftovers there...
1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
mindalter
2007-06-07, 18:11
Thanks sooo much for the help on this one.
Here are the combo fix logs.
"Brad" - 2007-06-07 7:52:18 Service Pack 2 NTFS
ComboFix 07-06-3B - Running from: "C:\Documents and Settings\Brad\Desktop\"
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
-- Purity Folders:
C:\Program Files\DOBE~1
C:\Program Files\Online Services\rtenefsuzy.html
C:\Temp\0b9
C:\Temp\0b9\tmpTF.log
C:\Temp\tn3
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\rau001978.exe
C:\WINDOWS\setup.exe
C:\WINDOWS\system32\pog
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\T3\am67.exe
C:\WINDOWS\system32\T4
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_NET_AGENT
-------\LEGACY_NM
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\nm
((((((((((((((((((((((((( Files Created from 2007-05-07 to 2007-06-07 )))))))))))))))))))))))))))))))
2007-06-04 17:31 2,536 --a------ C:\WINDOWS\system32\tmp.reg
2007-06-04 17:30 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-06-04 17:30 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-06-04 17:30 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-06-04 17:30 <DIR> d-------- C:\SmitfraudFix
2007-06-04 17:28 879,247 --a------ C:\SmitfraudFix.exe
2007-06-04 08:22 <DIR> d-------- C:\VundoFix Backups
2007-06-03 17:56 2,580 --a------ C:\WINDOWS\system32\yijufoes.exe
2007-06-03 16:45 <DIR> d-------- C:\Program Files\RegCure
2007-06-03 16:41 1,621,850 ---hs---- C:\WINDOWS\system32\wvvwa.ini2
2007-06-03 16:36 2,580 --a------ C:\WINDOWS\system32\hqwdxant.exe
2007-06-03 16:34 2,719,068 --a------ C:\WINDOWS\system32\SBSP.dat
2007-06-03 16:33 11,758 --a------ C:\WINDOWS\system32\SBFC.dat
2007-06-03 15:17 2,580 --a------ C:\WINDOWS\system32\wptrcwpr.exe
2007-06-03 15:17 1,611,822 ---hs---- C:\WINDOWS\system32\dcbeg.bak1
2007-06-03 12:53 1,613,131 ---hs---- C:\WINDOWS\system32\opqss.ini2
2007-06-03 12:07 2,580 --a------ C:\WINDOWS\system32\bsfdwyup.exe
2007-06-03 11:23 1,587,323 ---hs---- C:\WINDOWS\system32\aycdd.ini2
2007-06-03 10:24 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2007-06-03 10:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sunbelt Software
2007-06-03 10:21 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-06-03 08:48 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-06-03 08:48 59,984 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-06-03 08:48 52,304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-06-03 08:48 39,248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-06-03 08:48 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-06-03 08:47 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-06-03 08:47 2,580 --a------ C:\WINDOWS\system32\tcyrrnhf.exe
2007-06-03 08:47 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-06-03 08:47 <DIR> d-------- C:\DOCUME~1\Gisele\APPLIC~1\PC Tools
2007-06-03 08:38 <DIR> d-------- C:\DOCUME~1\Gisele\APPLIC~1\Lavasoft
2007-06-03 08:28 72,192 --a------ C:\WINDOWS\system32\zlib.dll
2007-06-03 08:28 169,017 --a------ C:\WINDOWS\system32\mcpcuninstaller1_25.EXE
2007-06-03 08:25 226,352 -r-hs---- C:\WINDOWS\cimhujaA.exe
2007-06-03 08:25 <DIR> d-------- C:\Program Files\myCleanerPC
2007-06-03 08:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\myCleanerPC
2007-06-03 08:24 49,152 --a------ C:\WINDOWS\TISKY009.exe
2007-06-03 08:24 192,622 --a------ C:\WINDOWS\system32\lwinondt.exe
2007-06-03 08:24 <DIR> d-------- C:\WINDOWS\system32\TQ0
2007-06-03 08:24 <DIR> d-------- C:\WINDOWS\system32\T9
2007-06-03 08:24 <DIR> d-------- C:\WINDOWS\system32\T7
2007-06-03 08:24 <DIR> d-------- C:\WINDOWS\system32\T6
2007-06-03 08:24 <DIR> d-------- C:\WINDOWS\system32\T1QaSQ
2007-06-03 08:24 <DIR> d-------- C:\Temp\x2b
2007-06-03 08:24 <DIR> d-------- C:\Temp
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-07 14:58:31 -------- d-----w C:\Program Files\Online Services
2007-06-07 13:57:21 -------- d-----w C:\Program Files\Warcraft III
2007-06-03 15:43:26 -------- d--h--w C:\Program Files\WindowsUpdate
2007-06-03 15:08:18 -------- d-----w C:\DOCUME~1\Brad\APPLIC~1\BitTorrent
2007-06-03 14:50:24 -------- d-----w C:\Program Files\PokerStars
2007-05-29 16:15:48 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-09 16:54:19 -------- d-----w C:\Program Files\WC3Banlist
2007-04-09 15:34:53 -------- d-----w C:\Program Files\WinPcap
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-09 16:57:40 27,376 ----a-w C:\WINDOWS\system32\SBBD.exe
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 15:17]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-15 22:00]
"VAIO Update 2"="C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" [2004-01-17 04:36]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [2001-12-26 02:00]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 16:45]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-08-13 10:54]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-23 11:43 C:\WINDOWS\AGRSMMSG.exe]
"@"="" []
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-03-09 10:31]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-05-17 12:02]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Online Services\rtenefsuzy.html
FriendlyName=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\SBCSSvc]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
Contents of the 'Scheduled Tasks' folder
2007-06-07 15:04:41 C:\WINDOWS\tasks\RegCure Program Check.job
2007-06-07 10:00:00 C:\WINDOWS\tasks\RegCure.job
2007-06-07 15:05:00 C:\WINDOWS\tasks\Symantec NetDetect.job
**************************************************************************
catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-07 08:04:57
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = C:\Program Files\Creative\ShareDLL\CtNotify.exe?X???0???????????????E?@?Disc Detector?A????? ?A?? ????B?e!@???@???@?? C?????E?@?????????@?B???A????? ?A?0?????B???@?????P?????@?? ????????A~??????????@?W?????????????????B?????<????????????????????@??????r?B
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-07 8:07:17 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-07 08:07
--- E O F ---
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
-- Purity Folders:
C:\Program Files\DOBE~1
C:\Program Files\Online Services\rtenefsuzy.html
C:\Temp\0b9
C:\Temp\0b9\tmpTF.log
C:\Temp\tn3
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\rau001978.exe
C:\WINDOWS\setup.exe
C:\WINDOWS\system32\pog
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\T3\am67.exe
C:\WINDOWS\system32\T4
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_NET_AGENT
-------\LEGACY_NM
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\nm
((((((((((((((((((((((((( Files Created from 2007-05-07 to 2007-06-07 )))))))))))))))))))))))))))))))
2007-06-07 08:07 49,152 --a------ C:\WINDOWS\nircmd.exe
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-07 14:58:31 -------- d-----w C:\Program Files\Online Services
2007-06-07 13:57:21 -------- d-----w C:\Program Files\Warcraft III
2007-06-03 15:43:26 -------- d--h--w C:\Program Files\WindowsUpdate
2007-06-03 15:08:18 -------- d-----w C:\DOCUME~1\Brad\APPLIC~1\BitTorrent
2007-06-03 14:50:24 -------- d-----w C:\Program Files\PokerStars
2007-05-29 16:15:48 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-09 16:54:19 -------- d-----w C:\Program Files\WC3Banlist
2007-04-09 15:34:53 -------- d-----w C:\Program Files\WinPcap
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-09 16:57:40 27,376 ----a-w C:\WINDOWS\system32\SBBD.exe
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 15:17]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-15 22:00]
"VAIO Update 2"="C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" [2004-01-17 04:36]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [2001-12-26 02:00]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 16:45]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-08-13 10:54]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-23 11:43 C:\WINDOWS\AGRSMMSG.exe]
"@"="" []
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-03-09 10:31]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-05-17 12:02]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Online Services\rtenefsuzy.html
FriendlyName=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\SBCSSvc]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
Contents of the 'Scheduled Tasks' folder
2007-06-07 15:04:41 C:\WINDOWS\tasks\RegCure Program Check.job
2007-06-07 10:00:00 C:\WINDOWS\tasks\RegCure.job
2007-06-07 15:05:00 C:\WINDOWS\tasks\Symantec NetDetect.job
**************************************************************************
catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-07 08:08:46
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = C:\Program Files\Creative\ShareDLL\CtNotify.exe?X???0???????????????E?@?Disc Detector?A????? ?A?? ????B?e!@???@???@?? C?????E?@?????????@?B???A????? ?A?0?????B???@?????P?????@?? ????????A~??????????@?W?????????????????B?????<????????????????????@??????r?B
scanning hidden files ...
**************************************************************************
Completion time: 2007-06-07 8:10:23 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-07 08:09
--- E O F ---
Hi again, we'll continue :)
You should print these instructions or save these to a text file. Follow these instructions carefully.
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.
Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
==================
Open Control Panel -> Add/Remove programs -> Remove all the of the following or similar entries if found:
myCleanerPC
PokerStars
and any other programs you didn't install or don't recognize - if your not sure please ask first
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: (no name) - {E4D9BB1E-EC04-4220-8F87-40F091813D30} - (no file)
O24 - Desktop Component 0: (no name) - C:\Program Files\Online Services\rtenefsuzy.html
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Go to the My Computer and delete the following files (if present):
C:\WINDOWS\system32\yijufoes.exe
C:\WINDOWS\system32\wvvwa.ini2
C:\WINDOWS\system32\hqwdxant.exe
C:\WINDOWS\system32\wptrcwpr.exe
C:\WINDOWS\system32\dcbeg.bak1
C:\WINDOWS\system32\opqss.ini2
C:\WINDOWS\system32\bsfdwyup.exe
C:\WINDOWS\system32\aycdd.ini2
C:\WINDOWS\system32\drivers\sbhr.sys
C:\WINDOWS\system32\tcyrrnhf.exe
C:\WINDOWS\system32\mcpcuninstaller1_25.EXE
C:\WINDOWS\cimhujaA.exe
C:\WINDOWS\TISKY009.exe
C:\WINDOWS\system32\lwinondt.exe
C:\Program Files\Online Services\rtenefsuzy.html
Go to the My Computer and delete the following folders (if present):
C:\WINDOWS\system32\TQ0
C:\WINDOWS\system32\T9
C:\WINDOWS\system32\T7
C:\WINDOWS\system32\T6
C:\WINDOWS\system32\T1QaSQ
C:\Program Files\myCleanerPC
C:\Documents and Settings\All Users\Application Data\myCleanerPC
C:\Program Files\PokerStars
Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Restart the computer to the normal mode.
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
================
When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
mindalter
2007-06-08, 05:21
ok - I completed everything listed above.
When I Was in safe mode deleting files all of the .ini2 files also had .tmp and .tmp2 files of the same name. They seemed to be created on the same day and time as the infection so I deleted them also.
Completed the full AVG scan and it found 20 objects with 39 items. But when the scan was completed it would not allow me to save report (step 4). Does this auto save the report to somewhere? If so I can grab it and post it here? Otherwise I may need to do a full system scan again and try to get the logs.
Here are the latest HJT logs.
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 19:16, on 2007-06-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Brad\Desktop\scanner.exe.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Online Services\rtenefsuzy.html
--
End of file - 7318 bytes
Hi :)
Ok no need for AVg log, I forgot that the function has some problems at the moment...
Backup your registry:
Start
Run
Type the following to the box and hit Ok: regedit
A window opens, click on File
Choose Export form the menu
Change the save location to C:\
Give the filename, RegBackUp
Make sure that the filetype is set to Registryfiles (*.reg)
Click on Save and Close the window
Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end. (don't forget to copy and paste the word REGEDIT4) :
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.
Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.
Delete this file if found:
C:\Program Files\Online Services\rtenefsuzy.html
Restart the computer.
Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)
Click on Kaspersky Online Scanner
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post along with a fresh HijackTHis log
mindalter
2007-06-09, 04:25
When I was looking to Delete this file if found:
C:\Program Files\Online Services\rtenefsuzy.html
I did not find it but in the same folder I saw a file qufaqygi that last used on the infection date of all the other files you had me delete previsouly. Not sure if I should go back and delete this file.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2007-06-08 18:21
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 9/06/2007
Kaspersky Anti-Virus database records: 341466
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
Scan Statistics:
Total number of scanned objects: 58449
Number of viruses found: 7
Number of infected objects: 34
Number of suspicious objects: 0
Duration of the scan process: 00:59:00
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Sony Corporation\SonicStage\Packages\MtData.ldb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sony Corporation\SonicStage\Packages\MtData.mdb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sony Corporation\VAIO Entertainment Platform\1.0\VzCdb\MtData.ldb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sony Corporation\VAIO Entertainment Platform\1.0\VzCdb\MtData.mdb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sunbelt Software\CounterSpy\Quarantine\{68623201-5B4D-4FB7-BF94-9DC6DE4688CB} Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles\i6vd93ld.default\cert8.db Object is locked skipped
C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles\i6vd93ld.default\history.dat Object is locked skipped
C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles\i6vd93ld.default\key3.db Object is locked skipped
C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles\i6vd93ld.default\parent.lock Object is locked skipped
C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles\i6vd93ld.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles\i6vd93ld.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Brad\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Brad\Desktop\backups\backup-20070604-071012-532.dll Infected: Trojan.Win32.BHO.bd skipped
C:\Documents and Settings\Brad\Desktop\backups\backup-20070604-071012-561.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\Documents and Settings\Brad\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Brad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Brad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Brad\Local Settings\Application Data\Mozilla\Firefox\Profiles\i6vd93ld.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Brad\Local Settings\Application Data\Mozilla\Firefox\Profiles\i6vd93ld.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Brad\Local Settings\Application Data\Mozilla\Firefox\Profiles\i6vd93ld.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Brad\Local Settings\Application Data\Mozilla\Firefox\Profiles\i6vd93ld.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Brad\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Brad\Local Settings\History\History.IE5\MSHist012007060820070609\index.dat Object is locked skipped
C:\Documents and Settings\Brad\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Brad\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Brad\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Brad\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Gisele\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-c973141-5871cf37.class Infected: Trojan-Downloader.Java.OpenStream.y skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP803\A0102312.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP803\A0102315.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP803\A0104312.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP803\A0104324.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP803\A0106324.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP803\A0106325.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP805\A0108381.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP805\A0108382.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP805\A0108383.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP805\A0108384.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP806\A0108389.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kg skipped
C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP806\A0108390.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP806\A0108391.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP806\A0108393.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP806\A0108394.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kg skipped
C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP806\A0108396.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kg skipped
C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP806\A0108398.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP806\A0109407.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP814\change.log Object is locked skipped
C:\VundoFix Backups\anldojgy.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kg skipped
C:\VundoFix Backups\aywyuucu.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\ddcyv.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\VundoFix Backups\hkbvjduw.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\mfgqnald.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kg skipped
C:\VundoFix Backups\msgxhjyd.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kg skipped
C:\VundoFix Backups\pmnlm.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\VundoFix Backups\tnrvdhtp.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\accwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\crypt32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hh.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhctrl.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhsetup.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\html32.cnv Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\itircl.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\itss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\locator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\magnify.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\migwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\mrxsmb.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\msconv97.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\narrator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\newdev.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\pchshell.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\raspptp.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shdocvw.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shell32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shmedia.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srrstr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srv.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\urlmon.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\winsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828028$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\wmp.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd5389.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\JETAAD6.tmp Object is locked skipped
C:\WINDOWS\Temp\JETABFF.tmp Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Hi jack this log in the next post!!!
mindalter
2007-06-09, 04:26
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 18:23, on 2007-06-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Brad\Desktop\scanner.exe.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
--
End of file - 7565 bytes
OK looks pretty good...
How is the computer running? Any issues?
mindalter
2007-06-11, 01:26
System is running a lot better now but still is infected.
Still takes 15 seconds to launch firefox or IE.
Also some applications take longer to launch. But it is definetly better then a week ago.
I run sybot S&D and find 4 problems:
Doubleclick, fastclick, hitbox, and tagasaurus
Hmm might not be malware related but let's see...
Please run a GMER Rootkit scan:
Download GMER's application from here:
http://www.gmer.net/gmer.zip
Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.
Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.
Warning ! Please, do not select the "Show all" checkbox during the scan.
mindalter
2007-06-12, 03:42
GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-06-11 17:40:53
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.12 ----
SSDT sbhr.sys ZwClose
SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwCreateKey
SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwCreateProcess
SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwCreateProcessEx
SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwDeleteKey
SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwDeleteValueKey
SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey
SSDT sbhr.sys ZwOpenKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT sptd.sys ZwQueryKey
SSDT sptd.sys ZwQueryValueKey
SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwSetValueKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwWriteVirtualMemory
mindalter
2007-06-12, 03:43
GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-06-11 17:43:08
Windows 5.1.2600 Service Pack 2
---- Kernel code sections - GMER 1.0.12 ----
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? C:\WINDOWS\System32\Drivers\SPTD5389.SYS The process cannot access the file because it is being used by another process.
? C:\WINDOWS\System32\Drivers\dtscsi.sys The process cannot access the file because it is being used by another process.
? C:\WINDOWS\System32\DRIVERS\update.sys
? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified.
? C:\WINDOWS\system32\drivers\sbapifs.sys The system cannot find the file specified.
---- User code sections - GMER 1.0.12 ----
.text C:\WINDOWS\system32\ctfmon.exe[160] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\ctfmon.exe[160] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\ctfmon.exe[160] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Messenger\msmsgs.exe[180] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Messenger\msmsgs.exe[180] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Messenger\msmsgs.exe[180] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[200] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[200] user32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[200] user32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Creative\ShareDLL\Mediadet.exe[300] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Creative\ShareDLL\Mediadet.exe[300] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Creative\ShareDLL\Mediadet.exe[300] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[400] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[400] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[400] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\CTSVCCDA.EXE[420] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\CTSVCCDA.EXE[420] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\CTSVCCDA.EXE[420] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe[588] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe[588] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe[588] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Spyware Doctor\svcntaux.exe[704] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Spyware Doctor\svcntaux.exe[704] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Spyware Doctor\svcntaux.exe[704] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\csrss.exe[796] KERNEL32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\csrss.exe[796] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\csrss.exe[796] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\winlogon.exe[820] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\winlogon.exe[820] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\winlogon.exe[820] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\services.exe[868] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\services.exe[868] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\services.exe[868] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\lsass.exe[880] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\lsass.exe[880] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\lsass.exe[880] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[1048] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1048] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[1116] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1116] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[1212] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1212] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[1300] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1300] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Spyware Doctor\swdsvc.exe[1312] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ C7, 9E, C5, 83 ]
.text C:\DOCUME~1\Brad\LOCALS~1\Temp\Rar$EX01.047\gmer.exe[1348] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\DOCUME~1\Brad\LOCALS~1\Temp\Rar$EX01.047\gmer.exe[1348] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\DOCUME~1\Brad\LOCALS~1\Temp\Rar$EX01.047\gmer.exe[1348] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\DOCUME~1\Brad\LOCALS~1\Temp\Rar$EX01.047\gmer.exe[1348] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[1408] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1408] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\spoolsv.exe[1564] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\spoolsv.exe[1564] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\spoolsv.exe[1564] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\wdfmgr.exe[1572] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\wdfmgr.exe[1572] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\wdfmgr.exe[1572] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe[1640] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe[1640] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe[1640] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\MsPMSPSv.exe[1708] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\MsPMSPSv.exe[1708] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\MsPMSPSv.exe[1708] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\explorer.exe[1880] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\explorer.exe[1880] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\explorer.exe[1880] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe[1960] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe[1960] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe[1960] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Creative\ShareDLL\CTNotify.exe[1968] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Creative\ShareDLL\CTNotify.exe[1968] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Creative\ShareDLL\CTNotify.exe[1968] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[1976] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[1976] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[1976] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\AGRSMMSG.exe[1992] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\AGRSMMSG.exe[1992] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\AGRSMMSG.exe[1992] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe[2000] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe[2000] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe[2000] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Spyware Doctor\SDTrayApp.exe[2008] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Spyware Doctor\SDTrayApp.exe[2008] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ A7, 94, C3, 83 ]
.text C:\Program Files\Spyware Doctor\SDTrayApp.exe[2008] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Spyware Doctor\SDTrayApp.exe[2008] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\iPod\bin\iPodService.exe[2572] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\iPod\bin\iPodService.exe[2572] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\Program Files\iPod\bin\iPodService.exe[2572] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\iPod\bin\iPodService.exe[2572] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\wscntfy.exe[2692] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\wscntfy.exe[2692] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\WINDOWS\system32\wscntfy.exe[2692] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\wscntfy.exe[2692] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\WinRAR\WinRAR.exe[3028] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\WinRAR\WinRAR.exe[3028] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\Program Files\WinRAR\WinRAR.exe[3028] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\WinRAR\WinRAR.exe[3028] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\WinRAR\WinRAR.exe[3052] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\WinRAR\WinRAR.exe[3052] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\Program Files\WinRAR\WinRAR.exe[3052] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\WinRAR\WinRAR.exe[3052] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3464] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3464] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3464] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3464] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
mindalter
2007-06-12, 03:45
First half of devices
~~~~~~~~~~~~~~~
GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-06-11 17:43:08
Windows 5.1.2600 Service Pack 2
---- Devices - GMER 1.0.12 ----
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 82FDAC78
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_PNP 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_READ 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_WRITE 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_FLUSH_BUFFERS 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DEVICE_CONTROL 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_INTERNAL_DEVICE_CONTROL 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SHUTDOWN 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CLEANUP 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_POWER 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SYSTEM_CONTROL 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_PNP 82F91A58
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 82D85428
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 82D85428
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 82D85428
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 82D85428
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 82D85428
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 82D85428
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82D85428
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 82D85428
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 82D85428
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 82D85428
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 82D85428
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_NAMED_PIPE 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLOSE 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_WRITE 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_INFORMATION 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_INFORMATION 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_EA 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_EA 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FLUSH_BUFFERS 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_VOLUME_INFORMATION 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_VOLUME_INFORMATION 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DIRECTORY_CONTROL 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FILE_SYSTEM_CONTROL 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CONTROL 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_INTERNAL_DEVICE_CONTROL 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SHUTDOWN 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_LOCK_CONTROL 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLEANUP 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_MAILSLOT 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_SECURITY 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_SECURITY 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_POWER 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SYSTEM_CONTROL 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CHANGE 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_QUOTA 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_QUOTA 82B96EB0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 82D85428
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 82D85428
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 82D85428
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 82D85428
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 82D85428
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 82D85428
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82D85428
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 82D85428
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 82D85428
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 82D85428
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 82D85428
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE 82D85428
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CLOSE 82D85428
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_READ 82D85428
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_WRITE 82D85428
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_FLUSH_BUFFERS 82D85428
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DEVICE_CONTROL 82D85428
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_INTERNAL_DEVICE_CONTROL 82D85428
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SHUTDOWN 82D85428
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_POWER 82D85428
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SYSTEM_CONTROL 82D85428
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_PNP 82D85428
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 82CDC848
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLOSE 82CDC848
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_DEVICE_CONTROL 82CDC848
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_INTERNAL_DEVICE_CONTROL 82CDC848
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLEANUP 82CDC848
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_PNP 82CDC848
Device \Driver\NetBT \Device\NetBT_Tcpip_{FAA209ED-7AE5-4EE8-BB45-B7DEA9E16BCB} IRP_MJ_CREATE 82CDC848
Device \Driver\NetBT \Device\NetBT_Tcpip_{FAA209ED-7AE5-4EE8-BB45-B7DEA9E16BCB} IRP_MJ_CLOSE 82CDC848
Device \Driver\NetBT \Device\NetBT_Tcpip_{FAA209ED-7AE5-4EE8-BB45-B7DEA9E16BCB} IRP_MJ_DEVICE_CONTROL 82CDC848
Device \Driver\NetBT \Device\NetBT_Tcpip_{FAA209ED-7AE5-4EE8-BB45-B7DEA9E16BCB} IRP_MJ_INTERNAL_DEVICE_CONTROL 82CDC848
Device \Driver\NetBT \Device\NetBT_Tcpip_{FAA209ED-7AE5-4EE8-BB45-B7DEA9E16BCB} IRP_MJ_CLEANUP 82CDC848
Device \Driver\NetBT \Device\NetBT_Tcpip_{FAA209ED-7AE5-4EE8-BB45-B7DEA9E16BCB} IRP_MJ_PNP 82CDC848
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE 82CDC848
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLOSE 82CDC848
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_DEVICE_CONTROL 82CDC848
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_INTERNAL_DEVICE_CONTROL 82CDC848
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLEANUP 82CDC848
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_PNP 82CDC848
Device \Driver\00000079 \Device\0000004c IRP_MJ_POWER [F869DEA8] sptd.sys
Device \Driver\00000079 \Device\0000004c IRP_MJ_SYSTEM_CONTROL [F86B1A70] sptd.sys
Device \Driver\00000079 \Device\0000004c IRP_MJ_PNP [F86AA728] sptd.sys
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CREATE 82FDAEB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CLOSE 82FDAEB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_READ 82FDAEB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_WRITE 82FDAEB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_FLUSH_BUFFERS 82FDAEB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_DEVICE_CONTROL 82FDAEB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82FDAEB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_SHUTDOWN 82FDAEB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_POWER 82FDAEB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_SYSTEM_CONTROL 82FDAEB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_PNP 82FDAEB0
mindalter
2007-06-12, 03:46
second half of devices section
~~~~~~~~~~~~~~~~~~~~~
GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-06-11 17:43:08
Windows 5.1.2600 Service Pack 2
---- Devices - GMER 1.0.12 ----
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSE 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSE 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLEANUP 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_SECURITY 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_POWER 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_QUOTA 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP 82CD5AE0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE 82CDC410
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE_NAMED_PIPE 82CDC410
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CLOSE 82CDC410
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_READ 82CDC410
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_WRITE 82CDC410
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_INFORMATION 82CDC410
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_SET_INFORMATION 82CDC410
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_FLUSH_BUFFERS 82CDC410
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_VOLUME_INFORMATION 82CDC410
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_DIRECTORY_CONTROL 82CDC410
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_FILE_SYSTEM_CONTROL 82CDC410
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CLEANUP 82CDC410
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_SECURITY 82CDC410
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_SET_SECURITY 82CDC410
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE 82F91A58
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_READ 82F91A58
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_WRITE 82F91A58
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_FLUSH_BUFFERS 82F91A58
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_DEVICE_CONTROL 82F91A58
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_INTERNAL_DEVICE_CONTROL 82F91A58
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SHUTDOWN 82F91A58
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CLEANUP 82F91A58
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_POWER 82F91A58
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SYSTEM_CONTROL 82F91A58
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_PNP 82F91A58
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CREATE 82CCCC48
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CLOSE 82CCCC48
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_READ 82CCCC48
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_WRITE 82CCCC48
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_QUERY_INFORMATION 82CCCC48
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_SET_INFORMATION 82CCCC48
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_QUERY_VOLUME_INFORMATION 82CCCC48
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_DIRECTORY_CONTROL 82CCCC48
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_FILE_SYSTEM_CONTROL 82CCCC48
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CLEANUP 82CCCC48
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CREATE_MAILSLOT 82CCCC48
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_QUERY_SECURITY 82CCCC48
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_SET_SECURITY 82CCCC48
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_CREATE 82C693C8
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_CLOSE 82C693C8
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL 82C693C8
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82C693C8
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_POWER 82C693C8
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_SYSTEM_CONTROL 82C693C8
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_PNP 82C693C8
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_CREATE 82C693C8
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_CLOSE 82C693C8
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_DEVICE_CONTROL 82C693C8
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82C693C8
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_POWER 82C693C8
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_SYSTEM_CONTROL 82C693C8
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_PNP 82C693C8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE 82C06290
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLOSE 82C06290
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ 82C06290
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_INFORMATION 82C06290
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SET_INFORMATION 82C06290
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_VOLUME_INFORMATION 82C06290
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL 82C06290
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL 82C06290
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL 82C06290
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SHUTDOWN 82C06290
Device \FileSystem\Cdfs \Cdfs IRP_MJ_LOCK_CONTROL 82C06290
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLEANUP 82C06290
Device \FileSystem\Cdfs \Cdfs IRP_MJ_PNP 82C06290
---- EOF - GMER 1.0.12 ----
Hmm nothing bad there.
Please post a fresh HijackThis log :bigthumb:
mindalter
2007-06-13, 17:26
I think there is still something infecting the system.
Still takes 30 seconds for system to log into user. And longer then nornmal to launch any application. But it is way better then before when it just was super slow.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 07:25, on 2007-06-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Brad\Desktop\scanner.exe.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
--
End of file - 7510 bytes
Hi :)
You have SpywareDoctor, AVG Anti-Spyware and Spybot Teatimer running. These all may slow the computer down, try if disabling the shields helps.
Also I can see some Norton leftovers, please run this uninstaller -> link (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039)
You don't seem to have a third-party firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) installed. You must install one firewall.
It is possible that you're using the Windows XP firewall. That is of course better than nothing but I recommend that you install a more advanced firewall that gives more protection. Windows firewall doesn't eg protect your computer from inbound threats. This means that any malware on your computer is free to "phone home" for more instructions. Remember to use only one firewall at the same time. I'll give you a few alternatives if you want to install a third-party firewall:
These are good (free) firewalls: Sunbelt-Kerio (http://www.sunbelt-software.com/Kerio.cfm)
ZoneAlarm (http://www.zonelabs.com/)
Sygate (http://http://www.majorgeeks.com/download.php?det=3356)
Outpost (http://www.majorgeeks.com/download.php?det=1056)
Comodo (http://www.personalfirewall.comodo.com)
You don't have an antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) on your computer, you must install one antivirus. Otherwise you'll get infected again.
These are good (free) antiviruses: AVG (http://free.grisoft.com)
Antivir (http://www.free-av.com)
Avast (http://www.avast.com)
Then update the Antivirus you installed and run a full system scan with it.
Then let me know the status :bigthumb:
mindalter
2007-06-15, 18:21
I cleaned up most of the spyware apps I had running.
Question: should I leave spybot S&D installed? I couldn't figure out how to uninstall or even turn off the TeaTimer. I couldn't find it in my add/remove programs and I couldn't find it in my start list or programs and I couldn't find it if I launched Spybot S&D?
I dl and installed Comodo firewall.
I also dl and installed AVG antivirus and ran the full scan.
It found 4 issues.
first was a backup copy of a Trajan horse Generic4.SLB
and the 3 others were in the Vundofix backup folder.
I tried to export the logs from AVG but they didnt turn out very pretty.
Here they are:
<history>
<!-- 01c7af1e165705b0 -->
<rec time="2007/06/15 07:23:36" user="SYSTEM" source="Update">
<value>@HL_UpdateOK</value>
<attr name="version">avi:1041-1024;iavi:860-827;</attr>
</rec>
<rec time="2007/06/15 07:24:04" user="Brad" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2007/06/15 07:26:15" user="Brad" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\Brad\Desktop\backups\backup-20070604-071012-532.dll</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">Generic4.SLB</attr>
</rec>
<rec time="2007/06/15 07:48:19" user="Brad" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\VundoFix Backups\aywyuucu.dll.bad</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">Generic4.SLB</attr>
</rec>
<rec time="2007/06/15 07:48:19" user="Brad" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\VundoFix Backups\hkbvjduw.dll.bad</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">Generic4.SLB</attr>
</rec>
<rec time="2007/06/15 07:48:20" user="Brad" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\VundoFix Backups\tnrvdhtp.dll.bad</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">Generic4.SLB</attr>
</rec>
<rec time="2007/06/15 08:00:17" user="Brad" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2007/06/15 08:04:27" user="Brad" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\Brad\Desktop\backups\backup-20070604-071012-532.dll</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">Generic4.SLB</attr>
</rec>
<rec time="2007/06/15 08:05:10" user="Brad" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">1</attr>
</rec>
<rec time="2007/06/15 08:05:11" user="Brad" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\Documents and Settings\Brad\Desktop\backups\backup-20070604-071012-532.dll</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2007/06/15 08:12:01" user="Brad" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">4</attr>
</rec>
<rec time="2007/06/15 08:12:01" user="Brad" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\Documents and Settings\Brad\Desktop\backups\backup-20070604-071012-532.dll</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2007/06/15 08:12:01" user="Brad" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\VundoFix Backups\aywyuucu.dll.bad</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2007/06/15 08:12:01" user="Brad" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\VundoFix Backups\hkbvjduw.dll.bad</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2007/06/15 08:12:01" user="Brad" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\VundoFix Backups\tnrvdhtp.dll.bad</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
</history>
Hi :)
You can delete these backup folders:
C:\Documents and Settings\Brad\Desktop\backups
C:\VundoFix Backups
This is how you can disable teatimer:
Disable Spybot S&D Teatimer.
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu select "Advanced Mode"
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer
Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.
Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.
Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.
Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.
Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.
Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.
Use Firefox browser (http://www.mozilla.org)
Firefox is faster and more secure browser than Internet Explorer.
Keep your systen up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)
Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with you antivirus software.
Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?
Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Stay clean and be safe ;)
mindalter
2007-06-21, 18:49
Hi,
Sorry for the delays in the reply.
I was going down the items you had listed above and when I downloaded the Ad-Aware and ran it it found 55 infections.
I also ran Spybot S&D and it found 23 issues.
Here are the Ad-Aware logfiles:
Ad-Aware 2007 Build
Log File Created on: 2007-06-21 08:42:23
Using Definitions File: C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware 2007\core.aawdef
Computer name: VALUED-664B84C7
Name of user performing scan: SYSTEM
Scan detailed statistics
===========================
Type Critical Total
Process Scan....: 0 0
Registry Scan...: 1 1
Registry PE Scan: 0 0
Hosts File Scan.: 0 0
File Scan.......: 0 0
Folder Scan.....: 0 0
LSP Scan........: 0 0
ADS Scan........: 0 0
Cookie Scan.....: 51 51
File Hash Scan..: 0 0
Infections Found
===========================
Family Id: 1082 Name: Windows Category: Vulnerability TAI:3
Item Id: 300024286 Value: Root: HKU Path: S-1-5-21-938936901-3726737095-2621704382-1005\software\microsoft\windows\currentversion\policies\system Value: DisableRegistryTools Data:
Family Id: 723 Name: Tracking Cookie Category: DataMiner TAI:3
Item Id: 600000050 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt tribalfusion.com TfCtxtAdServer /
Item Id: 600000050 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt tribalfusion.com ANON_ID /
Item Id: 600000408 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt serving-sys.com E2 /
Item Id: 600000408 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt serving-sys.com D3 /
Item Id: 600000171 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt bs.serving-sys.com eyeblaster /
Item Id: 600000408 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt serving-sys.com A2 /
Item Id: 600000408 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt serving-sys.com B2 /
Item Id: 600000408 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt serving-sys.com C3 /
Item Id: 600000415 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt revsci.net rsi_cls_1000000 /
Item Id: 600000415 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt revsci.net NETSEGS_K05540 /
Item Id: 600000415 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt revsci.net NETID01 /
Item Id: 600000415 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt revsci.net rsi_segs_1000000 /
Item Id: 600000179 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt atdmt.com AA002 /
Item Id: 600000000 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt zedo.com ZEDOIDA /
Item Id: 600000000 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt zedo.com FFcat /
Item Id: 600000000 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt zedo.com geo /
Item Id: 600000000 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt zedo.com ZEDOIDX /
Item Id: 600000000 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt zedo.com FFad /
Item Id: 600000144 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt doubleclick.net test_cookie /
Item Id: 600000263 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt mediaplex.com svid /
Item Id: 600000513 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt adbrite.com Apache /
Item Id: 600000513 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt adbrite.com b /
Item Id: 600000513 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt adbrite.com CT1181929931 /stats/
Item Id: 600000295 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt adtech.de CfP /
Item Id: 600000354 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt as-eu.falkag.net BSUID /
Item Id: 600000354 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt as-eu.falkag.net IIDYMD /
Item Id: 600000354 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt as-eu.falkag.net KIDYMD /
Item Id: 600000354 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt as-eu.falkag.net WIDYMD /
Item Id: 600000667 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt hit.gemius.pl Gtestb /
Item Id: 600000667 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt hit.gemius.pl Gtestcc /
Item Id: 600000661 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt kontera.com cluid /
Item Id: 600000661 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt kontera.com imprs /
Item Id: 600000101 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt overture.com CMUserData /
Item Id: 600000095 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt perf.overture.com SYSTEM_USER_ID /
Item Id: 600000083 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt realmedia.com RMID /
Item Id: 600000052 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt trafficmp.com loc /
Item Id: 600000052 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt trafficmp.com fc /
Item Id: 600000052 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt trafficmp.com POVisit /
Item Id: 600000052 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt trafficmp.com TMPCrByAS /
Item Id: 600000052 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt trafficmp.com TMPFreqCap /
Item Id: 600000052 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt trafficmp.com TMPPOByAS /
Item Id: 600000052 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt trafficmp.com ctime /
Item Id: 600000052 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt trafficmp.com u /
Item Id: 600000464 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt valueclick.net ksa /
Item Id: 600000304 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt zillow.adbureau.net LE0 /
Item Id: 600000304 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt zillow.adbureau.net LE3 /
Item Id: 600000304 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt zillow.adbureau.net GUID /
Item Id: 600000001 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt ad.iconadserver.com rmCookiesChecked /
Item Id: 600000460 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt ad.yieldmanager.com uid /
Item Id: 600000460 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt ad.yieldmanager.com ih /
Item Id: 600000460 Value: Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt ad.yieldmanager.com pv1 /
Family Id: 9999 Name: MRU Object Category: MRU Object TAI:0
Item Id: 1 Value: MRU Path: C:\Documents and Settings\Brad\Recent Count: 13
Item Id: 2 Value: MRU Registry Key: S-1-5-21-938936901-3726737095-2621704382-1005\Software\Microsoft\Search Assistant\ACMru\5603 Count: 8
Item Id: 3 Value: MRU Registry Key: S-1-5-21-938936901-3726737095-2621704382-1005\Software\Microsoft\Internet Explorer\TypedURLs Count: 9
mindalter
2007-06-21, 18:50
Quarantined Infections
===========================
Root: HKU Path: S-1-5-21-938936901-3726737095-2621704382-1005\software\microsoft\windows\currentversion\policies\system Value: DisableRegistryTools Data: belonging to Windows
Root: HKU Path: S-1-5-21-938936901-3726737095-2621704382-1005\software\microsoft\windows\currentversion\policies\system Value: DisableRegistryTools Data: , Belonging to Windows
End Quarantine / Cleaned Infection Log
===========================
Cleaned Infections
===========================
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt tribalfusion.com TfCtxtAdServer /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt tribalfusion.com ANON_ID /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt serving-sys.com E2 /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt serving-sys.com D3 /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt bs.serving-sys.com eyeblaster /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt serving-sys.com A2 /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt serving-sys.com B2 /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt serving-sys.com C3 /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt revsci.net rsi_cls_1000000 /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt revsci.net NETSEGS_K05540 /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt revsci.net NETID01 /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt revsci.net rsi_segs_1000000 /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt atdmt.com AA002 /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt zedo.com ZEDOIDA /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt zedo.com FFcat /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt zedo.com geo /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt zedo.com ZEDOIDX /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt zedo.com FFad /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt doubleclick.net test_cookie /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt mediaplex.com svid /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt adbrite.com Apache /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt adbrite.com b /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt adbrite.com CT1181929931 /stats/, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt adtech.de CfP /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt as-eu.falkag.net BSUID /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt as-eu.falkag.net IIDYMD /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt as-eu.falkag.net KIDYMD /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt as-eu.falkag.net WIDYMD /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt hit.gemius.pl Gtestb /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt hit.gemius.pl Gtestcc /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt kontera.com cluid /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt kontera.com imprs /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt overture.com CMUserData /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt perf.overture.com SYSTEM_USER_ID /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt realmedia.com RMID /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt trafficmp.com loc /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt trafficmp.com fc /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt trafficmp.com POVisit /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt trafficmp.com TMPCrByAS /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt trafficmp.com TMPFreqCap /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt trafficmp.com TMPPOByAS /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt trafficmp.com ctime /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt trafficmp.com u /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt valueclick.net ksa /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt zillow.adbureau.net LE0 /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt zillow.adbureau.net LE3 /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt zillow.adbureau.net GUID /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt ad.iconadserver.com rmCookiesChecked /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt ad.yieldmanager.com uid /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt ad.yieldmanager.com ih /, Belonging to Tracking Cookie
Browser: Firefox Cookie: C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles/i6vd93ld.default\cookies.txt ad.yieldmanager.com pv1 /, Belonging to Tracking Cookie
MRU Path: C:\Documents and Settings\Brad\Recent Count: 13, Belonging to MRU Object
MRU Registry Key: S-1-5-21-938936901-3726737095-2621704382-1005\Software\Microsoft\Search Assistant\ACMru\5603 Count: 8, Belonging to MRU Object
MRU Registry Key: S-1-5-21-938936901-3726737095-2621704382-1005\Software\Microsoft\Internet Explorer\TypedURLs Count: 9, Belonging to MRU Object
End of Cleaned Infections
===========================
Hello :)
AdAware found only cookies which are pretty harmless. You prevent then from coming to your computer by using MVPS Hosts file and SpywareBlaster (both on my list)
:bigthumb:
Glad we could help, as the problem appears to be resolved this topic has been archived.
If you need it re-opened, please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.
Thank you Mr_JAk3