View Full Version : Smitfraud.C CoreService virus.
Bumblebootbaby
2007-07-30, 13:59
Hi,
I have got this Smitfraud virus which keeps giving me problems. I installed SpyBot and have run it but like others on this forum it keeps coming back.
When I ran SpyBot in safe mode it actually fixed the problem instead of saying it could not be dealt with so am not sure if it is now fixed.
Anyway, I ran the online scan and the HJT scan as requested and the logs are attached.
I am not sure if I saved the online scan log correctly...it only gave me one line but I'll let you tell me if I need to do it again.
Also, one question regarding viruses etc. My kids use my PC to go onto YouTube, MySpace, MSN and hotmail. They don't download anything although they save stuff on their YouTube/MySpace accounts. Can this lead to viruses on my PC? I have SpyBot running in the background all the time now as well as Sygate Personal Firewall but had to take Windows Defender off my PC as it was constantly using all my CPU and slowing down everything. Am I well enough protected???
Anyway, here are my online and HJT scan logs.
Logfile of HijackThis v1.99.1
Scan saved at 11:46:22, on 30/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\windows\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\windows\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\windows\Explorer.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn3\YTBSDK.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Documents and Settings\mal\Local Settings\Temporary Internet Files\Content.IE5\Y4V6YDOE\HijackThis[1].exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ycomp/defaults/sp/*http://uk.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://uk.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [UVS10 Preload] D:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe" /m=2 /w
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Capture Page to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddLinkEntryFromDocument.html
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm079YYGB
O8 - Extra context menu item: &Translate English Word - res://c:\windows\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Capt&ure Target to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentElement.html
O8 - Extra context menu item: Capture &Snippet to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentSelection.html
O8 - Extra context menu item: Capture Ima&ge to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentElement.html
O8 - Extra context menu item: Capture Page and Selected &Links to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddSiteSnippetFromDocumentSelection.html
O8 - Extra context menu item: Capture Selected Ite&ms to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddMultipleEntriesFromDocumentSelection.html
O8 - Extra context menu item: Capture Site to &Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddSiteFromDocument.html
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\windows\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\mal\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/1.1.1067.8/WinSSWebAgent.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133445007203
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {F3D69634-67FF-4CA6-B39E-7DC11ED9676F} (VoiceRecCtrl Class) - http://members.audiogenerator.com/activerecorder/SoundRecControl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\windows\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\windows\system32\WPDShServiceObj.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KnowNow Event Router - Unknown owner - C:\PROGRA~1\KnowNow\NOTIFI~1\bin\nsd.exe" -S -s runtime -t "c:\PROGRA~1\KnowNow\NOTIFI~1\conf\knrouter.conf (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Windows Live OneCare (winss) - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\winss.exe (file missing)
This is the log from the online scan.
braincodec.1409.exe Win32/Nuvens.CH
infected D:\mals\newdownloads\
Any help to get rid of this virus would be much appreciated but please bear in mind I am an "absolute blonde" when it comes to technical stuff on my pc (my kids say they are surprised I know how to switch it on) so please make it simple!!!
Many thanks,
Bumblebootbaby
random/random
2007-07-30, 21:28
Also, one question regarding viruses etc. My kids use my PC to go onto YouTube, MySpace, MSN and hotmail.
Youtube should be safe
MSN & hotmail should be safe if you don't open unsolicited e-mail
MySpace is a security minefield, and I refuse to visit it
Download the latest version of ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Bumblebootbaby
2007-08-06, 19:59
Hi,
Thanks for geting back to me..I have now baned my kids from My Space on my pc.
I have run combofix and HJT again. Logs are here:
ComboFix 07-08-04.3 - "mal" 2007-08-06 17:18:20.1 [GMT 1:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True
* Created a new restore point
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\mal\APPLIC~1\FunWebProducts
C:\DOCUME~1\mal\Desktop\internet.lnk
C:\Program Files\video activex access
C:\Program Files\video activex access\iesbpl.dll
C:\Program Files\video activex access\iesbunst.exe
C:\Program Files\video activex access\iesmin.exe
C:\Program Files\video activex access\iesmn.exe
C:\Program Files\video activex access\iesplg.dll
C:\Program Files\video activex access\iesunst.exe
C:\Program Files\video activex access\imsmain.exe
C:\Program Files\video activex access\imsmn.exe
C:\Program Files\video activex access\imsunst.exe
C:\Program Files\video activex access\ot.ico
C:\Program Files\video activex access\ts.ico
C:\Program Files\video activex access\uninst.exe
C:\Program Files\VirusProtectPro 3.6
C:\Program Files\VirusProtectPro 3.6\ignored.lst
C:\Program Files\VirusProtectPro 3.6\VirusProtectPro 3.6.exe
C:\Program Files\VirusProtectPro 3.6\vpp.ini
C:\Program Files\winpop
C:\temp\tn3
C:\windows\b138.exe
C:\windows\system32\crosof~1.net
C:\windows\system32\drivers\npf.sys
C:\windows\system32\packet.dll
C:\windows\system32\pthreadVC.dll
C:\windows\system32\wanpacket.dll
C:\windows\system32\wpcap.dll
C:\windows\wr.txt
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_NPF
-------\NPF
((((((((((((((((((((((((( Files Created from 2007-07-06 to 2007-08-06 )))))))))))))))))))))))))))))))
2007-08-06 17:16 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-30 13:23 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-07-27 08:59 <DIR> d-------- C:\Program Files\NoAdware5.0
2007-07-27 08:51 <DIR> d-------- C:\DOCUME~1\mal\APPLIC~1\Uniblue
2007-07-26 15:49 <DIR> d--hs---- C:\INCINERATE
2007-07-26 08:12 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-07-25 14:40 77,312 --a------ C:\WINDOWS\ua2.dll
2007-07-25 08:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-07-24 17:30 <DIR> d--hs---- C:\WINDOWS\QW5kcmV3IFllbw
2007-07-12 11:30 <DIR> d-------- C:\DOCUME~1\mal\APPLIC~1\WinRAR
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-06 17:24 --------- d-------- C:\DOCUME~1\mal\APPLIC~1\Skype
2007-08-01 08:18 --------- d-------- C:\DOCUME~1\mal\APPLIC~1\Canon
2007-07-30 13:14 8704 --a-s---- C:\windows\system32\gusur.dll
2007-07-28 11:41 --------- d-------- C:\Program Files\Instant Buzz
2007-07-28 11:39 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-26 17:55 --------- d-------- C:\Program Files\Windows Media Connect 2
2007-07-26 17:55 --------- d-------- C:\Program Files\Windows Live Toolbar
2007-07-26 17:55 --------- d-------- C:\Program Files\Tweak-XP
2007-07-26 17:55 --------- d-------- C:\Program Files\IMVU
2007-07-26 15:49 --------- d-------- C:\Program Files\iolo
2007-07-26 15:47 --------- d-------- C:\Program Files\Apense Express
2007-07-25 08:20 --------- d-------- C:\Program Files\Yahoo!
2007-07-11 19:25 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-11 19:25 --------- d-------- C:\Program Files\eMusic Download Manager
2007-07-08 14:48 1632 --a------ C:\windows\system32\d3d8caps.dat
2007-06-26 12:29 --------- d-------- C:\Program Files\MSN Messenger
2007-06-26 09:27 363520 --a--c--- C:\windows\system32\dllcache\w3svc.dll
2007-06-19 20:12 114136 --a--c--- C:\DOCUME~1\mal\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-06-18 11:34 --------- d-------- C:\Program Files\Common Files\Macrovision Shared
2007-06-15 11:54 --------- d-------- C:\DOCUME~1\mal\APPLIC~1\AdobeUM
2007-06-13 19:40 --------- d-------- C:\DOCUME~1\mal\APPLIC~1\IMVU
2007-06-02 13:17 1744 --a------ C:\windows\system32\d3d9caps.dat
2007-05-16 16:12 86528 -----c--- C:\windows\system32\dllcache\directdb.dll
2007-05-16 16:12 85504 --a--c--- C:\windows\system32\dllcache\wabimp.dll
2007-05-16 16:12 683520 --a------ C:\windows\system32\inetcomm.dll
2007-05-16 16:12 683520 -----c--- C:\windows\system32\dllcache\inetcomm.dll
2007-05-16 16:12 510976 -----c--- C:\windows\system32\dllcache\wab32.dll
2007-05-16 16:12 1314816 -----c--- C:\windows\system32\dllcache\msoe.dll
2007-05-08 10:24 3583488 --a--c--- C:\windows\system32\dllcache\mshtml.dll
2006-04-19 10:15 69614 --a--c--- C:\DOCUME~1\mal\APPLIC~1\unins000.dat
2006-04-19 10:14 673546 --a------ C:\DOCUME~1\mal\APPLIC~1\unins000.exe
2005-11-14 01:17 14 -----c--- C:\Program Files\dss.cfg
2001-08-18 14:00:00 94,784 -csh--w C:\windows\twain.dll
2005-07-29 15:24:26 472 --sha-r C:\windows\QW5kcmV3IFllbw\kqc4wApaKI55vT.vbs
2006-09-26 07:47:58 88 --sh--r C:\windows\system32\BD377B4020.sys
2006-09-26 07:48:46 2,828 --sha-w C:\windows\system32\KGyGaAvL.sys
2004-08-04 07:56:42 1,028,096 --sha-w C:\windows\system32\mfc42.dll
2004-08-04 07:56:43 54,784 --sha-w C:\windows\system32\msvcirt.dll
2004-08-04 07:56:43 413,696 --sha-w C:\windows\system32\msvcp60.dll
1999-12-07 17:00:00 11,776 --sha-w C:\windows\system32\regsvr32.exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 04:23]
"UVS10 Preload"="D:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe" [2006-03-07 01:52]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 20:40]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-29 18:40]
"Ulead AutoDetector"="C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" [2003-11-18 17:20]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-10 14:43]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"My Web Search Bar Search Scope Monitor"="C:\PROGRA~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-07-30 13:15]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-02-09 17:00]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2004-08-04 08:56]
"Pop-Up-Blocker"="" []
"TransparentIcons"="" []
"BlockAds"="" []
"Tweak-XP"="" []
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2002-10-11 11:15:55]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{4f5f16ef-af9d-4fe6-8410-f0670b58979d}"= C:\windows\system32\gusur.dll [2007-07-30 13:14 8704]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau
R0 HWFProt;Hywave File Protector HWFProt;C:\windows\system32\Drivers\HWFProt.sys
R0 IdeBusDr;IdeBusDr;C:\windows\system32\DRIVERS\IdeBusDr.sys
R0 IdeChnDr;Intel(R) Ultra ATA Controller;C:\windows\system32\DRIVERS\IdeChnDr.sys
R0 Teefer;Teefer for NT;C:\windows\system32\Drivers\Teefer.sys
R1 eawdmfd;EAWDMFD;C:\windows\system32\DRIVERS\eawdmfd.sys
R1 pwd_2K;pwd_2K;C:\windows\system32\drivers\pwd_2K.sys
R1 wpsdrvnt;wpsdrvnt;\??\C:\windows\system32\drivers\wpsdrvnt.sys
R2 CdaC15BA;CdaC15BA;\??\C:\WINDOWS\system32\drivers\CdaC15BA.SYS
R2 CSS DVP;CSS DVP;C:\windows\system32\DRIVERS\css-dvp.sys
R2 FreeTdi;Radialpoint Filter;C:\windows\system32\Drivers\FreeTdi.sys
R2 wg3n;SyGate for NT, wg3n;C:\windows\system32\Drivers\wg3n.sys
R2 wg4n;SyGate for NT, wg4n;C:\windows\system32\Drivers\wg4n.sys
R2 wg5n;SyGate for NT, wg5n;C:\windows\system32\Drivers\wg5n.sys
R2 wg6n;SyGate for NT, wg6n;C:\windows\system32\Drivers\wg6n.sys
R3 E100B;Intel(R) PRO Network Connection Driver;C:\windows\system32\DRIVERS\e100b325.sys
R3 eaps2kbd;Compaq Easy Access PS2 Internet Keyboard (Win2K);C:\windows\system32\DRIVERS\eaps2kbd.sys
R3 Freedom;Freedom Miniport;C:\windows\system32\DRIVERS\FREEDOM.SYS
R3 Pcouffin;Low level access layer for CD devices;C:\windows\system32\Drivers\Pcouffin.sys
S2 IISADMIN;IIS Admin;C:\WINDOWS\System32\inetsrv\inetinfo.exe
S2 KnowNow Event Router;KnowNow Event Router;"C:\PROGRA~1\KnowNow\NOTIFI~1\bin\nsd.exe" -S -s runtime -t "c:\PROGRA~1\KnowNow\NOTIFI~1\conf\knrouter.conf"
S2 NWCWorkstation;Client Service for NetWare;C:\windows\System32\svchost.exe -k netsvcs
S2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe
S3 Bridge;MAC Bridge;C:\windows\system32\DRIVERS\bridge.sys
S3 BridgeMP;MAC Bridge Miniport;C:\windows\system32\DRIVERS\bridge.sys
S3 DCamUSBET251;AP5001/AP5101;C:\windows\system32\Drivers\ET251.sys
S3 ndiscm;Motorola SURFboard USB Cable Modem Windows Driver;C:\windows\system32\DRIVERS\NetMotCM.sys
S3 nm;Network Monitor Driver;C:\windows\system32\DRIVERS\NMnt.sys
S3 NWRDR;NetWare Rdr;C:\windows\system32\DRIVERS\nwrdr.sys
S3 sermouse;Serial Mouse Driver;C:\windows\system32\DRIVERS\sermouse.sys
S3 SQTECH9160;CAMERA;C:\windows\system32\Drivers\Capt9160.sys
S3 WLANFVNETusb(505_2958)(R);WLAN FVNETusb(505_2958)(R) Service for USB Wireless LAN Card;C:\windows\system32\DRIVERS\ainu58x.sys
Contents of the 'Scheduled Tasks' folder
2007-08-01 23:15:00 C:\windows\Tasks\1-Click Maintenance.job - C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
2007-08-06 08:41:02 C:\windows\Tasks\Check Updates for Windows Live Toolbar.job - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
2007-02-09 16:39:19 C:\windows\Tasks\MP Scheduled Quick Scan.job
2007-08-06 16:27:33 C:\windows\Tasks\SDMsgUpdate (SmartDrawTrial).job - C:\PROGRA~1\SMARTD~1\Messages\SDNotify.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-06 17:27:57
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-06 17:31:30 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-06 17:30
--- E O F ---
I will have to send the HJT file seperately as it's making this too long.
Hope it all makes sense to you...it's like double dutch to me. I also seem to have some problems with an icon that has placed itself in my tool bar (a red shield with a white cross that changes to a blue shield with a tick in it) which keeps telling my I have viruses and sending me to a home page to download anti-virus software. Needless to say I don't download anything! But it keeps changing my homepage from Yahoo to this webpage and I'm sick of it...maybe you will find it in the logs. :eek:
Thanks for your help.
Bumblebootbaby
Bumblebootbaby
2007-08-06, 20:00
Continuation of my last reply with the HJT log.
Thanks
bumblebootbaby
Logfile of HijackThis v1.99.1
Scan saved at 17:51:03, on 06/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\windows\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\windows\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\windows\Explorer.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\windows\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn3\YTBSDK.exe
C:\New Folder\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://uk.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [UVS10 Preload] D:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe" /m=2 /w
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Capture Page to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddLinkEntryFromDocument.html
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm079YYGB
O8 - Extra context menu item: &Translate English Word - res://c:\windows\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Capt&ure Target to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentElement.html
O8 - Extra context menu item: Capture &Snippet to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentSelection.html
O8 - Extra context menu item: Capture Ima&ge to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentElement.html
O8 - Extra context menu item: Capture Page and Selected &Links to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddSiteSnippetFromDocumentSelection.html
O8 - Extra context menu item: Capture Selected Ite&ms to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddMultipleEntriesFromDocumentSelection.html
O8 - Extra context menu item: Capture Site to &Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddSiteFromDocument.html
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\windows\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\mal\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/1.1.1067.8/WinSSWebAgent.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133445007203
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {F3D69634-67FF-4CA6-B39E-7DC11ED9676F} (VoiceRecCtrl Class) - http://members.audiogenerator.com/activerecorder/SoundRecControl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\windows\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\windows\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KnowNow Event Router - Unknown owner - C:\PROGRA~1\KnowNow\NOTIFI~1\bin\nsd.exe" -S -s runtime -t "c:\PROGRA~1\KnowNow\NOTIFI~1\conf\knrouter.conf (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Windows Live OneCare (winss) - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\winss.exe (file missing)
random/random
2007-08-06, 20:47
Go to Start> Control Panel> Add or Remove Programs.
Remove the following programs, if they are present.
MyWebsearch
To assist diagnosis I would like a list of installed programs.
Open HijackThis and select Open the Misc Tools section
Click on the Open Uninstall Manager…
Select the Save List button
I suggest that you accept the default name of uninstall_list.txt and save the file to your desktop
Close HijackThis
Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.exe
Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
IMPORTANT: Do NOT run any other options until you are asked to do so!
**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.
Open a new notepad window (Start>All programs>accessories>notepad)
Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
Folder::
C:\WINDOWS\QW5kcmV3IFllbw
C:\PROGRA~1\MYWEBS~1
File::
C:\windows\system32\gusur.dll
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"My Web Search Bar Search Scope Monitor"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pop-Up-Blocker"=-
"TransparentIcons"=-
"BlockAds"=-
"Tweak-XP"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{4f5f16ef-af9d-4fe6-8410-f0670b58979d}"=-
[-HKEY_CLASSES_ROOT\CLSID\{4f5f16ef-af9d-4fe6-8410-f0670b58979d}]
Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
Save it to the desktop as CFscript.txt
Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
When finished, it shall produce a log for you. Post that log, the uninstall list, the smitfraud fix log and a HiJackThis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Bumblebootbaby
2007-08-07, 10:22
Hi,
Lists as requested. Thanks for the help.
ACA Screen Recorder 2.03
Adobe Flash Player 9 ActiveX
Adobe Reader 8.1.0
Adobe® Photoshop® Album Starter Edition 3.2
Allok Video to FLV Converter 2.1.3
Anti-Spyware
Apsense Express
Audio Recorder for FREE v5.5
AVG 7.5
Azureus
blueyonder PCguard
Burn My Files
Canon Utilities Easy-PrintToolBox
dBpowerAMP Music Converter
Digital Audio Editor v7.7
DivX Player
DivXLand Media Subtitler
dMC Power Pack
Dr Watson for Microsoft Windows OneCare Live v1.1.1067.8
Easy Video Capture 1.20
Easy-WebPrint
Fast Email Verifier
Feed Blaster
FlashSpring Pro 1.5
Google Earth
Google Video Uploader
GroupMail :: Business Edition
HijackThis 2.0.0
HotDocs 2005 Player Edition SP2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Intel Application Accelerator
Intel(R) PRO Network Connections Drivers
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.1_02
Java 2 Runtime Environment, SE v1.4.1_07
Java Web Start
JpegSizer 5.3e
K-Lite Codec Pack 2.77 Basic
Lame ACM MP3 Codec
List Manager
Macromedia Dreamweaver 4
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Fireworks MX
Macromedia Flash MX 2004
Macromedia Flash Player 8
Macromedia Flash Player 8 Plugin
Magic DVD Copier V4.3
Map Button (Windows Live Toolbar)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft ASP.NET Web Matrix
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Web Publishing Wizard 1.53
Mozilla Firefox (1.5.0.12)
MPEG Video Wizard DVD
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 Parser and SDK
Norton Spyware Scan provided by Yahoo!
OneCare Advisor (Windows Live Toolbar)
Onfolio Add-in for Windows Live Toolbar
Popup Blocker (Windows Live Toolbar)
Power Submitter 10.02 and AOS V2.02
QNX Software Installer
QuickTime
RealPlayer
Remote Diagnostics Enabling Agent
SafeCast Shared Components
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917537)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB939373)
Serif 3DPlus 2.0
Serif PagePlus 11
Skype 3.0
Skype Plugin Manager
Smart Menus (Windows Live Toolbar)
SmartSound Quicktracks Plugin
Sonic MyDVD Serif Edition
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Subtitle Workshop 2.51
Swiff Player 1.1
SWiSHmax
Sygate Personal Firewall
Tabbed Browsing (Windows Live Toolbar)
Tweak-XP
Ulead Photo Explorer 8.0 SE Basic
Ulead VideoStudio 10
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB914882)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB936357)
V3105s Digital Camera Driver
Video ActiveX Solution 2.07
VisiFly
Web Audio Plus
Web Page Maker V2
Windows Defender Signatures
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Favorites for Windows Live Toolbar
Windows Live Messenger
Windows Live Outlook Toolbar (Windows Live Toolbar)
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Toolbar Feed Detector (Windows Live Toolbar)
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
Windows XP Winter Fun Pack Screensavers
WinPcap 3.1 beta3
WinRAR archiver
WinZip
Yahoo! Internet Mail
Yahoo! Mail Quick Select Tool (PhotoMail)
Yahoo! Messenger with BT Communicator
Yahoo! Photos Print-at-Home Tool
Yahoo! Toolbar
SmitFraudFix v2.209
Scan done at 7:33:40.58, 07/08/2007
Run from C:\Documents and Settings\mal\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\windows\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\windows\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\windows\Explorer.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn3\YTBSDK.exe
C:\windows\system32\notepad.exe
C:\windows\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\windows
»»»»»»»»»»»»»»»»»»»»»»»» C:\windows\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\windows\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\windows\system32
C:\windows\system32\gusur.dll FOUND !
C:\windows\system32\1024\ FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\windows\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\mal
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\mal\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\mal\FAVORI~1
C:\DOCUME~1\mal\FAVORI~1\Online Security Test.url FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{4f5f16ef-af9d-4fe6-8410-f0670b58979d}"="exultet"
[HKEY_CLASSES_ROOT\CLSID\{4f5f16ef-af9d-4fe6-8410-f0670b58979d}\InProcServer32]
@="C:\windows\system32\gusur.dll"
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{4f5f16ef-af9d-4fe6-8410-f0670b58979d}\InProcServer32]
@="C:\windows\system32\gusur.dll"
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Intel(R) PRO/100 VM Network Connection - Freedom Miniport
DNS Server Search Order: 192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{010C2B69-6B26-44ED-887D-395F85A676FF}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{9EE1940C-CA0E-4CC5-8E7F-53D7FCDA63D6}: DhcpNameServer=62.30.112.39 194.117.134.19 62.30.0.39
HKLM\SYSTEM\CS2\Services\Tcpip\..\{010C2B69-6B26-44ED-887D-395F85A676FF}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{9EE1940C-CA0E-4CC5-8E7F-53D7FCDA63D6}: DhcpNameServer=62.30.112.39 194.117.134.19 62.30.0.39
HKLM\SYSTEM\CS3\Services\Tcpip\..\{010C2B69-6B26-44ED-887D-395F85A676FF}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{9EE1940C-CA0E-4CC5-8E7F-53D7FCDA63D6}: DhcpNameServer=62.30.112.39 194.117.134.19 62.30.0.39
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
Will send the Combofix log in another reply.
Thanks alot.
Bumblebootbaby
Bumblebootbaby
2007-08-07, 10:30
HJT log. I think I have sent everything you asked for...if not, please let me know.
Thanks.
bumblebootbaby
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 08:29:38, on 07/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\windows\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\windows\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn3\YTBSDK.exe
C:\windows\explorer.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\windows\notepad.exe
C:\hijackthis\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://uk.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [UVS10 Preload] D:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Capture Page to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddLinkEntryFromDocument.html
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Search - ?p=ZUxdm079YYGB
O8 - Extra context menu item: &Translate English Word - res://c:\windows\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Capt&ure Target to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentElement.html
O8 - Extra context menu item: Capture &Snippet to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentSelection.html
O8 - Extra context menu item: Capture Ima&ge to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentElement.html
O8 - Extra context menu item: Capture Page and Selected &Links to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddSiteSnippetFromDocumentSelection.html
O8 - Extra context menu item: Capture Selected Ite&ms to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddMultipleEntriesFromDocumentSelection.html
O8 - Extra context menu item: Capture Site to &Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddSiteFromDocument.html
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\windows\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\mal\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/1.1.1067.8/WinSSWebAgent.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133445007203
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {F3D69634-67FF-4CA6-B39E-7DC11ED9676F} (VoiceRecCtrl Class) - http://members.audiogenerator.com/activerecorder/SoundRecControl.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KnowNow Event Router - Unknown owner - C:\PROGRA~1\KnowNow\NOTIFI~1\bin\nsd.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Windows Live OneCare (winss) - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\winss.exe (file missing)
--
End of file - 12440 bytes
random/random
2007-08-07, 16:53
Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
______________________________
Reboot your computer in Safe Mode.
If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.
______________________________
Double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.
A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.
The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________
Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.
Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.
Clean out your Temporary Internet files. Proceed like this:
Quit Internet Explorer, all browsers and quit any instances of Windows Explorer.
For Internet Explorer 7
Click Start, click Control Panel, and then double-click Internet Options.
On the General tab, click Delete... under Browsing History.
Next to Temporary Internet Files, click Delete files, and then click OK.
Next to Cookies, click Delete cookies, and then click OK.
Next to History, click Delete history, and then click OK.
Click the Close button.
Click OK.
For Internet Explorer 4.x - 6.x
Click Start, click Control Panel, and then double-click Internet Options.
On the General tab, click Delete Files under Temporary Internet Files.
In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
Click OK.
For Netscape 4.x and Up
Click Edit from the Netscape menubar.
Click Preferences... from the Edit menu.
Expand the Advanced menu by clicking the triangle sign.
Click Cache.
Click both the Clear Memory Cache and the Clear Disk Cache buttons.
For Mozilla 1.x and Up
Click Edit from the Mozilla menubar.
Click Preferences... from the Edit menu.
Expand the Advanced menu by clicking the plus sign.
Click Cache.
Click the Clear Cache button.
For Opera
Click File from the Opera menubar.
Click Preferences... from the File menu.
Click the History and Cache menu.
Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
Click Ok to close the Preferences menu.
Restart in normal mode
You are using an older version of HijackThis. Please do the following to download and install the latest version of HijackThis v2.0.2:
CLICK HERE (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe) to download the HijackThis Installer:
Save HJTInstall.exe to your desktop.
Double-click on HJTInstall.exe to run the program.
By default it will install to C:\Program Files\Trend Micro\HijackThis.
Accept the license agreement by clicking the "I Accept" button.
Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
Click "Save log" to save the log file and then the log will open in Notepad.
Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
Come back here to this thread and paste the log in your next reply, along with the smitfraudfix log, and the combofix log from before (C:\combofix.txt)
Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
You may delete the older version once you have successfully downloaded and installed the latest version of HijackThis v2.0.2.
Bumblebootbaby
2007-08-08, 15:30
HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:24, on 2007-08-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal
Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\windows\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\windows\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\windows\Explorer.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\windows\system32\wuauclt.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn3\YTBSDK.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://uk.search.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [UVS10 Preload] D:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Capture Page to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddLinkEntryFromDocument.html
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Search - ?p=ZUxdm079YYGB
O8 - Extra context menu item: &Translate English Word - res://c:\windows\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Capt&ure Target to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentElement.html
O8 - Extra context menu item: Capture &Snippet to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentSelection.html
O8 - Extra context menu item: Capture Ima&ge to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentElement.html
O8 - Extra context menu item: Capture Page and Selected &Links to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddSiteSnippetFromDocumentSelection.html
O8 - Extra context menu item: Capture Selected Ite&ms to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddMultipleEntriesFromDocumentSelection.html
O8 - Extra context menu item: Capture Site to &Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddSiteFromDocument.html
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\windows\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\mal\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/1.1.1067.8/WinSSWebAgent.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133445007203
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {F3D69634-67FF-4CA6-B39E-7DC11ED9676F} (VoiceRecCtrl Class) - http://members.audiogenerator.com/activerecorder/SoundRecControl.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KnowNow Event Router - Unknown owner - C:\PROGRA~1\KnowNow\NOTIFI~1\bin\nsd.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Windows Live OneCare (winss) - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\winss.exe (file missing)
--
End of file - 11891 bytes
SmitFraudFix v2.209
Scan done at 13:05:00.42, 2007-08-08
Run from C:\Documents and Settings\mal\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\windows\system32\1024\ Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\DOCUME~1\mal\FAVORI~1\Online Security Test.url Deleted
»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CCS\Services\Tcpip\..\{010C2B69-6B26-44ED-887D-395F85A676FF}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{9EE1940C-CA0E-4CC5-8E7F-53D7FCDA63D6}: DhcpNameServer=62.30.112.39 194.117.134.19 62.30.0.39
HKLM\SYSTEM\CS2\Services\Tcpip\..\{010C2B69-6B26-44ED-887D-395F85A676FF}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{9EE1940C-CA0E-4CC5-8E7F-53D7FCDA63D6}: DhcpNameServer=62.30.112.39 194.117.134.19 62.30.0.39
HKLM\SYSTEM\CS3\Services\Tcpip\..\{010C2B69-6B26-44ED-887D-395F85A676FF}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{9EE1940C-CA0E-4CC5-8E7F-53D7FCDA63D6}: DhcpNameServer=62.30.112.39 194.117.134.19 62.30.0.39
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
Combofix log to follow.
Many many thanks for all your help.
bumblebootbaby
Bumblebootbaby
2007-08-08, 15:30
ComboFix 07-08-04.3 - "mal" 2007-08-06 17:18:20.1 [GMT 1:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True
* Created a new restore point
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\mal\APPLIC~1\FunWebProducts
C:\DOCUME~1\mal\Desktop\internet.lnk
C:\Program Files\video activex access
C:\Program Files\video activex access\iesbpl.dll
C:\Program Files\video activex access\iesbunst.exe
C:\Program Files\video activex access\iesmin.exe
C:\Program Files\video activex access\iesmn.exe
C:\Program Files\video activex access\iesplg.dll
C:\Program Files\video activex access\iesunst.exe
C:\Program Files\video activex access\imsmain.exe
C:\Program Files\video activex access\imsmn.exe
C:\Program Files\video activex access\imsunst.exe
C:\Program Files\video activex access\ot.ico
C:\Program Files\video activex access\ts.ico
C:\Program Files\video activex access\uninst.exe
C:\Program Files\VirusProtectPro 3.6
C:\Program Files\VirusProtectPro 3.6\ignored.lst
C:\Program Files\VirusProtectPro 3.6\VirusProtectPro 3.6.exe
C:\Program Files\VirusProtectPro 3.6\vpp.ini
C:\Program Files\winpop
C:\temp\tn3
C:\windows\b138.exe
C:\windows\system32\crosof~1.net
C:\windows\system32\drivers\npf.sys
C:\windows\system32\packet.dll
C:\windows\system32\pthreadVC.dll
C:\windows\system32\wanpacket.dll
C:\windows\system32\wpcap.dll
C:\windows\wr.txt
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_NPF
-------\NPF
((((((((((((((((((((((((( Files Created from 2007-07-06 to 2007-08-06 )))))))))))))))))))))))))))))))
2007-08-06 17:16 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-30 13:23 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-07-27 08:59 <DIR> d-------- C:\Program Files\NoAdware5.0
2007-07-27 08:51 <DIR> d-------- C:\DOCUME~1\mal\APPLIC~1\Uniblue
2007-07-26 15:49 <DIR> d--hs---- C:\INCINERATE
2007-07-26 08:12 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-07-25 14:40 77,312 --a------ C:\WINDOWS\ua2.dll
2007-07-25 08:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-07-24 17:30 <DIR> d--hs---- C:\WINDOWS\QW5kcmV3IFllbw
2007-07-12 11:30 <DIR> d-------- C:\DOCUME~1\mal\APPLIC~1\WinRAR
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-06 17:24 --------- d-------- C:\DOCUME~1\mal\APPLIC~1\Skype
2007-08-01 08:18 --------- d-------- C:\DOCUME~1\mal\APPLIC~1\Canon
2007-07-30 13:14 8704 --a-s---- C:\windows\system32\gusur.dll
2007-07-28 11:41 --------- d-------- C:\Program Files\Instant Buzz
2007-07-28 11:39 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-26 17:55 --------- d-------- C:\Program Files\Windows Media Connect 2
2007-07-26 17:55 --------- d-------- C:\Program Files\Windows Live Toolbar
2007-07-26 17:55 --------- d-------- C:\Program Files\Tweak-XP
2007-07-26 17:55 --------- d-------- C:\Program Files\IMVU
2007-07-26 15:49 --------- d-------- C:\Program Files\iolo
2007-07-26 15:47 --------- d-------- C:\Program Files\Apense Express
2007-07-25 08:20 --------- d-------- C:\Program Files\Yahoo!
2007-07-11 19:25 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-11 19:25 --------- d-------- C:\Program Files\eMusic Download Manager
2007-07-08 14:48 1632 --a------ C:\windows\system32\d3d8caps.dat
2007-06-26 12:29 --------- d-------- C:\Program Files\MSN Messenger
2007-06-26 09:27 363520 --a--c--- C:\windows\system32\dllcache\w3svc.dll
2007-06-19 20:12 114136 --a--c--- C:\DOCUME~1\mal\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-06-18 11:34 --------- d-------- C:\Program Files\Common Files\Macrovision Shared
2007-06-15 11:54 --------- d-------- C:\DOCUME~1\mal\APPLIC~1\AdobeUM
2007-06-13 19:40 --------- d-------- C:\DOCUME~1\mal\APPLIC~1\IMVU
2007-06-02 13:17 1744 --a------ C:\windows\system32\d3d9caps.dat
2007-05-16 16:12 86528 -----c--- C:\windows\system32\dllcache\directdb.dll
2007-05-16 16:12 85504 --a--c--- C:\windows\system32\dllcache\wabimp.dll
2007-05-16 16:12 683520 --a------ C:\windows\system32\inetcomm.dll
2007-05-16 16:12 683520 -----c--- C:\windows\system32\dllcache\inetcomm.dll
2007-05-16 16:12 510976 -----c--- C:\windows\system32\dllcache\wab32.dll
2007-05-16 16:12 1314816 -----c--- C:\windows\system32\dllcache\msoe.dll
2007-05-08 10:24 3583488 --a--c--- C:\windows\system32\dllcache\mshtml.dll
2006-04-19 10:15 69614 --a--c--- C:\DOCUME~1\mal\APPLIC~1\unins000.dat
2006-04-19 10:14 673546 --a------ C:\DOCUME~1\mal\APPLIC~1\unins000.exe
2005-11-14 01:17 14 -----c--- C:\Program Files\dss.cfg
2001-08-18 14:00:00 94,784 -csh--w C:\windows\twain.dll
2005-07-29 15:24:26 472 --sha-r C:\windows\QW5kcmV3IFllbw\kqc4wApaKI55vT.vbs
2006-09-26 07:47:58 88 --sh--r C:\windows\system32\BD377B4020.sys
2006-09-26 07:48:46 2,828 --sha-w C:\windows\system32\KGyGaAvL.sys
2004-08-04 07:56:42 1,028,096 --sha-w C:\windows\system32\mfc42.dll
2004-08-04 07:56:43 54,784 --sha-w C:\windows\system32\msvcirt.dll
2004-08-04 07:56:43 413,696 --sha-w C:\windows\system32\msvcp60.dll
1999-12-07 17:00:00 11,776 --sha-w C:\windows\system32\regsvr32.exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 04:23]
"UVS10 Preload"="D:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe" [2006-03-07 01:52]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 20:40]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-29 18:40]
"Ulead AutoDetector"="C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" [2003-11-18 17:20]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-10 14:43]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"My Web Search Bar Search Scope Monitor"="C:\PROGRA~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-07-30 13:15]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-02-09 17:00]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2004-08-04 08:56]
"Pop-Up-Blocker"="" []
"TransparentIcons"="" []
"BlockAds"="" []
"Tweak-XP"="" []
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2002-10-11 11:15:55]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{4f5f16ef-af9d-4fe6-8410-f0670b58979d}"= C:\windows\system32\gusur.dll [2007-07-30 13:14 8704]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau
R0 HWFProt;Hywave File Protector HWFProt;C:\windows\system32\Drivers\HWFProt.sys
R0 IdeBusDr;IdeBusDr;C:\windows\system32\DRIVERS\IdeBusDr.sys
R0 IdeChnDr;Intel(R) Ultra ATA Controller;C:\windows\system32\DRIVERS\IdeChnDr.sys
R0 Teefer;Teefer for NT;C:\windows\system32\Drivers\Teefer.sys
R1 eawdmfd;EAWDMFD;C:\windows\system32\DRIVERS\eawdmfd.sys
R1 pwd_2K;pwd_2K;C:\windows\system32\drivers\pwd_2K.sys
R1 wpsdrvnt;wpsdrvnt;\??\C:\windows\system32\drivers\wpsdrvnt.sys
R2 CdaC15BA;CdaC15BA;\??\C:\WINDOWS\system32\drivers\CdaC15BA.SYS
R2 CSS DVP;CSS DVP;C:\windows\system32\DRIVERS\css-dvp.sys
R2 FreeTdi;Radialpoint Filter;C:\windows\system32\Drivers\FreeTdi.sys
R2 wg3n;SyGate for NT, wg3n;C:\windows\system32\Drivers\wg3n.sys
R2 wg4n;SyGate for NT, wg4n;C:\windows\system32\Drivers\wg4n.sys
R2 wg5n;SyGate for NT, wg5n;C:\windows\system32\Drivers\wg5n.sys
R2 wg6n;SyGate for NT, wg6n;C:\windows\system32\Drivers\wg6n.sys
R3 E100B;Intel(R) PRO Network Connection Driver;C:\windows\system32\DRIVERS\e100b325.sys
R3 eaps2kbd;Compaq Easy Access PS2 Internet Keyboard (Win2K);C:\windows\system32\DRIVERS\eaps2kbd.sys
R3 Freedom;Freedom Miniport;C:\windows\system32\DRIVERS\FREEDOM.SYS
R3 Pcouffin;Low level access layer for CD devices;C:\windows\system32\Drivers\Pcouffin.sys
S2 IISADMIN;IIS Admin;C:\WINDOWS\System32\inetsrv\inetinfo.exe
S2 KnowNow Event Router;KnowNow Event Router;"C:\PROGRA~1\KnowNow\NOTIFI~1\bin\nsd.exe" -S -s runtime -t "c:\PROGRA~1\KnowNow\NOTIFI~1\conf\knrouter.conf"
S2 NWCWorkstation;Client Service for NetWare;C:\windows\System32\svchost.exe -k netsvcs
S2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe
S3 Bridge;MAC Bridge;C:\windows\system32\DRIVERS\bridge.sys
S3 BridgeMP;MAC Bridge Miniport;C:\windows\system32\DRIVERS\bridge.sys
S3 DCamUSBET251;AP5001/AP5101;C:\windows\system32\Drivers\ET251.sys
S3 ndiscm;Motorola SURFboard USB Cable Modem Windows Driver;C:\windows\system32\DRIVERS\NetMotCM.sys
S3 nm;Network Monitor Driver;C:\windows\system32\DRIVERS\NMnt.sys
S3 NWRDR;NetWare Rdr;C:\windows\system32\DRIVERS\nwrdr.sys
S3 sermouse;Serial Mouse Driver;C:\windows\system32\DRIVERS\sermouse.sys
S3 SQTECH9160;CAMERA;C:\windows\system32\Drivers\Capt9160.sys
S3 WLANFVNETusb(505_2958)(R);WLAN FVNETusb(505_2958)(R) Service for USB Wireless LAN Card;C:\windows\system32\DRIVERS\ainu58x.sys
Contents of the 'Scheduled Tasks' folder
2007-08-01 23:15:00 C:\windows\Tasks\1-Click Maintenance.job - C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
2007-08-06 08:41:02 C:\windows\Tasks\Check Updates for Windows Live Toolbar.job - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
2007-02-09 16:39:19 C:\windows\Tasks\MP Scheduled Quick Scan.job
2007-08-06 16:27:33 C:\windows\Tasks\SDMsgUpdate (SmartDrawTrial).job - C:\PROGRA~1\SMARTD~1\Messages\SDNotify.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-06 17:27:57
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-06 17:31:30 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-06 17:30
--- E O F ---
random/random
2007-08-09, 19:41
Delete your current copy of combofix
Download the latest version of ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Bumblebootbaby
2007-08-15, 16:12
ComboFix 07-08-14.4 - "mal" 2007-08-15 14:03:56.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.386 [GMT 1:00]
* Created a new restore point
((((((((((((((((((((((((( Files Created from 2007-07-15 to 2007-08-15 )))))))))))))))))))))))))))))))
2007-08-15 07:34 <DIR> d-------- C:\WINDOWS\LastGood
2007-08-08 18:19 <DIR> d-------- C:\DOCUME~1\mal\APPLIC~1\Leadertech
2007-08-08 13:23 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-07 07:33 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-08-07 07:33 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-08-07 07:33 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-08-07 07:33 2,690 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-06 17:50 <DIR> d-------- C:\New Folder
2007-08-06 17:16 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-30 13:23 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-07-27 08:59 <DIR> d-------- C:\Program Files\NoAdware5.0
2007-07-27 08:51 <DIR> d-------- C:\DOCUME~1\mal\APPLIC~1\Uniblue
2007-07-26 15:49 <DIR> d--hs---- C:\INCINERATE
2007-07-26 08:12 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-07-25 14:40 77,312 --a------ C:\WINDOWS\ua2.dll
2007-07-25 08:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-15 13:51 --------- d-------- C:\DOCUME~1\mal\APPLIC~1\Skype
2007-08-01 08:18 --------- d-------- C:\DOCUME~1\mal\APPLIC~1\Canon
2007-07-28 11:41 --------- d-------- C:\Program Files\Instant Buzz
2007-07-28 11:39 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-26 17:55 --------- d-------- C:\Program Files\Windows Media Connect 2
2007-07-26 17:55 --------- d-------- C:\Program Files\Windows Live Toolbar
2007-07-26 17:55 --------- d-------- C:\Program Files\Tweak-XP
2007-07-26 17:55 --------- d-------- C:\Program Files\IMVU
2007-07-26 15:49 --------- d-------- C:\Program Files\iolo
2007-07-26 15:47 --------- d-------- C:\Program Files\Apense Express
2007-07-25 08:20 --------- d-------- C:\Program Files\Yahoo!
2007-07-12 11:30 --------- d-------- C:\DOCUME~1\mal\APPLIC~1\WinRAR
2007-07-11 19:25 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-11 19:25 --------- d-------- C:\Program Files\eMusic Download Manager
2007-06-26 12:29 --------- d-------- C:\Program Files\MSN Messenger
2007-06-26 09:27 363520 --a--c--- C:\windows\system32\dllcache\w3svc.dll
2007-06-18 11:34 --------- d-------- C:\Program Files\Common Files\Macrovision Shared
2007-06-15 11:54 --------- d-------- C:\DOCUME~1\mal\APPLIC~1\AdobeUM
2007-05-16 16:12 86528 -----c--- C:\windows\system32\dllcache\directdb.dll
2007-05-16 16:12 85504 --a--c--- C:\windows\system32\dllcache\wabimp.dll
2007-05-16 16:12 683520 --a------ C:\windows\system32\inetcomm.dll
2007-05-16 16:12 683520 -----c--- C:\windows\system32\dllcache\inetcomm.dll
2007-05-16 16:12 510976 -----c--- C:\windows\system32\dllcache\wab32.dll
2007-05-16 16:12 1314816 -----c--- C:\windows\system32\dllcache\msoe.dll
2006-04-19 10:14 673546 --a------ C:\DOCUME~1\mal\APPLIC~1\unins000.exe
2005-11-14 01:17 14 -----c--- C:\Program Files\dss.cfg
2001-08-18 14:00:00 94,784 -csh--w C:\windows\twain.dll
2006-09-26 07:47:58 88 --sh--r C:\windows\system32\BD377B4020.sys
2006-09-26 07:48:46 2,828 --sha-w C:\windows\system32\KGyGaAvL.sys
2004-08-04 07:56:42 1,028,096 --sha-w C:\windows\system32\mfc42.dll
2004-08-04 07:56:43 54,784 --sha-w C:\windows\system32\msvcirt.dll
2004-08-04 07:56:43 413,696 --sha-w C:\windows\system32\msvcp60.dll
1999-12-07 17:00:00 11,776 --sha-w C:\windows\system32\regsvr32.exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 04:23]
"UVS10 Preload"="D:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe" [2006-03-07 01:52]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 20:40]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-29 18:40]
"Ulead AutoDetector"="C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" [2003-11-18 17:20]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-10 14:43]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-07-30 13:15]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-02-09 17:00]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2004-08-04 08:56]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2002-10-11 11:15:55]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau
R0 HWFProt;Hywave File Protector HWFProt;C:\windows\system32\Drivers\HWFProt.sys
R1 eawdmfd;EAWDMFD;C:\windows\system32\DRIVERS\eawdmfd.sys
R1 pwd_2K;pwd_2K;C:\windows\system32\drivers\pwd_2K.sys
R3 eaps2kbd;Compaq Easy Access PS2 Internet Keyboard (Win2K);C:\windows\system32\DRIVERS\eaps2kbd.sys
S2 KnowNow Event Router;KnowNow Event Router;"C:\PROGRA~1\KnowNow\NOTIFI~1\bin\nsd.exe" -S -s runtime -t "c:\PROGRA~1\KnowNow\NOTIFI~1\conf\knrouter.conf"
S2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe
S3 DCamUSBET251;AP5001/AP5101;C:\windows\system32\Drivers\ET251.sys
S3 SQTECH9160;CAMERA;C:\windows\system32\Drivers\Capt9160.sys
S3 WLANFVNETusb(505_2958)(R);WLAN FVNETusb(505_2958)(R) Service for USB Wireless LAN Card;C:\windows\system32\DRIVERS\ainu58x.sys
Contents of the 'Scheduled Tasks' folder
2007-08-01 23:15:00 C:\windows\Tasks\1-Click Maintenance.job - C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
2007-08-15 12:41:00 C:\windows\Tasks\Check Updates for Windows Live Toolbar.job - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
2007-02-09 16:39:19 C:\windows\Tasks\MP Scheduled Quick Scan.job
2007-08-15 06:30:08 C:\windows\Tasks\SDMsgUpdate (SmartDrawTrial).job - C:\PROGRA~1\SMARTD~1\Messages\SDNotify.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-15 14:09:01
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-15 14:10:43
C:\ComboFix-quarantined-files.txt ... 2007-08-15 14:10
C:\ComboFix2.txt ... 2007-08-07 07:48
C:\ComboFix3.txt ... 2007-08-06 17:31
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:12:20, on 15/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal
Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\windows\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\windows\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn3\YTBSDK.exe
C:\windows\system32\wuauclt.exe
C:\windows\explorer.exe
C:\windows\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://uk.search.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [UVS10 Preload] D:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Capture Page to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddLinkEntryFromDocument.html
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Search - ?p=ZUxdm079YYGB
O8 - Extra context menu item: &Translate English Word - res://c:\windows\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Capt&ure Target to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentElement.html
O8 - Extra context menu item: Capture &Snippet to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentSelection.html
O8 - Extra context menu item: Capture Ima&ge to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentElement.html
O8 - Extra context menu item: Capture Page and Selected &Links to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddSiteSnippetFromDocumentSelection.html
O8 - Extra context menu item: Capture Selected Ite&ms to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddMultipleEntriesFromDocumentSelection.html
O8 - Extra context menu item: Capture Site to &Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddSiteFromDocument.html
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\windows\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\mal\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/1.1.1067.8/WinSSWebAgent.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133445007203
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {F3D69634-67FF-4CA6-B39E-7DC11ED9676F} (VoiceRecCtrl Class) - http://members.audiogenerator.com/activerecorder/SoundRecControl.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KnowNow Event Router - Unknown owner - C:\PROGRA~1\KnowNow\NOTIFI~1\bin\nsd.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Windows Live OneCare (winss) - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\winss.exe (file missing)
--
End of file - 11949 bytes
Many thanks (again!)
Kate
random/random
2007-08-16, 01:00
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.
Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines(if still present)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O8 - Extra context menu item: &Search - ?p=ZUxdm079YYGB
Then close all windows except HijackThis and click Fix Checked
Did you used to have windows live onecare installed?
Also, did you knowingly install winpcap & do you know what program this service is for?
O23 - Service: KnowNow Event Router - Unknown owner - C:\PROGRA~1\KnowNow\NOTIFI~1\bin\nsd.exe
Due to lack of a response to helper this topic has been archived.
If you need it re-opened please send me a private message (pm) and provide a link to the thread.
Applies only to the original poster, anyone else with similar problems please start a new topic.