A lot of malware problems
orange450
2007-08-09, 05:33
I've read the "read before posting" post. I think I have a lot of malware - I ran spybot and it lists smitfraud, virtumonde and many others. There's another problem too - when I run ad-aware, it freezes when it gets to the System32\drivers directory. I ran a symantec virtumonde remover, and it froze in the same place. Spybot crashed when I ran it in safe mode. I read about HijackThis, so I ran it, and here's the log. I appreciate your help, I've been using my son's computer and he'll be very upset with the way I've messed up his user environment:
Logfile of HijackThis v1.99.1
Scan saved at 10:06:16 PM, on 8/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
C:\WINDOWS\TEMP\win83.tmp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
c:\program files\aol\aol toolbar 3.1\aoltbhelper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\mgrs.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [XeroxScannerDaemon] C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [dlgabrkA] C:\WINDOWS\dlgabrkA.exe
O4 - HKLM\..\Run: [{96-6F-FB-B6-ZN}] C:\WINDOWS\SYSTEM32\dwdsregt.exe SKY009
O4 - HKLM\..\Run: [g4356cbvy63] C:\WINDOWS\g4356cbvy63
O4 - HKLM\..\Run: [WinCore32.exe] C:\WINDOWS\system32\WinCore32.exe
O4 - HKLM\..\Run: [Windows Configure] c:\windows\system32\syscfg32.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\sssqiuhq.dll",forkonce
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win83.tmp.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvjok.dll,startup
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\RunServices: [Windows Configure] c:\windows\system32\syscfg32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: eSClean.vbs
O4 - Global Startup: F-Secure Anti-Virus 2006.lnk = C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Scan Button.lnk = C:\SCANNER\EXE32\DETECTON.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\Program Files\SmileyDistrict\insmile.dll
O9 - Extra 'Tools' menuitem: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\Program Files\SmileyDistrict\insmile.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {AF087E66-838E-4A97-8A0B-0DDDA5DEA239} (OTAutoInstall Class) - http://trials1.endeavors.com/autodesk/acad2006/clientdownloads/OTAI.CAB
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pc.mywebexpc.com/client/v_mywebex-aa/ra/ieatgpc.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/TrueInstall.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O21 - SSODL: tTIaba - {ACA96FB7-0603-C51D-9A17-121E9FEABAAD} - C:\WINDOWS\system32\jty.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (file missing)
O23 - Service: Microsoft ASPI Manager (aspimgr) - Unknown owner - C:\WINDOWS\system32\aspimgr.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: F-Secure Anti-Virus 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\tsbwvmlv.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Hi orange450
Rename HijackThis.exe to scanner.exe and post back a fresh HijackThis log, please :)
orange450
2007-08-09, 21:04
Thank you very much for answering. The computer is very messed up. Browsers coming up all the time. I renamed the file - hope it's OK. Running XP - several user environments already unusable.
Logfile of HijackThis v1.99.1
Scan saved at 1:57:33 PM, on 8/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
C:\WINDOWS\TEMP\win83.tmp.exe
C:\WINDOWS\mgrs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\scanner.exe.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {16DEB2E1-3076-4F18-BB68-1F770A16E301} - C:\Program Files\Internet Explorer\hokepocen4444.dll
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll (file missing)
O2 - BHO: (no name) - {40FE8B94-430C-6AF8-2D73-34B6094FA7E9} - C:\WINDOWS\system32\ivtmubs.dll
O2 - BHO: (no name) - {4CA8DCC4-4B0B-6FA8-2F73-34B6094FFFBA} - C:\WINDOWS\system32\woncemyg.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {64C2CC95-F31F-4B56-94BC-9D899055D3A9} - C:\WINDOWS\system32\jkkjk.dll
O2 - BHO: (no name) - {6A38DAB8-F278-4455-A757-0DB55936889B} - C:\WINDOWS\security\Database\bdofnt.dll (file missing)
O2 - BHO: (no name) - {6EFAF744-D734-4811-822B-A92FDAEF88F6} - C:\Program Files\Internet Explorer\hokepocen83122.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: support - {991EF04C-93CF-469b-A2BE-CC1B3347566F} - C:\Program Files\BHO\plugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {ba56536f-d1fb-439a-9b75-db8062c88bc9} - C:\WINDOWS\system32\qqjcfgy.dll
O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\system32\ouksqgqh.dll (file missing)
O2 - BHO: (no name) - {E9BD0828-1FD9-410C-A50F-43EBE65D310F} - C:\WINDOWS\system32\wvurrpp.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [XeroxScannerDaemon] C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [dlgabrkA] C:\WINDOWS\dlgabrkA.exe
O4 - HKLM\..\Run: [{96-6F-FB-B6-ZN}] C:\WINDOWS\SYSTEM32\dwdsregt.exe SKY009
O4 - HKLM\..\Run: [g4356cbvy63] C:\WINDOWS\g4356cbvy63
O4 - HKLM\..\Run: [WinCore32.exe] C:\WINDOWS\system32\WinCore32.exe
O4 - HKLM\..\Run: [Windows Configure] c:\windows\system32\syscfg32.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win83.tmp.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvjok.dll,startup
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\etxfmxtl.dll",forkonce
O4 - HKLM\..\RunServices: [Windows Configure] c:\windows\system32\syscfg32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Global Startup: F-Secure Anti-Virus 2006.lnk = C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Scan Button.lnk = C:\SCANNER\EXE32\DETECTON.EXE
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
O9 - Extra button: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\Program Files\SmileyDistrict\insmile.dll
O9 - Extra 'Tools' menuitem: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\Program Files\SmileyDistrict\insmile.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {AF087E66-838E-4A97-8A0B-0DDDA5DEA239} (OTAutoInstall Class) - http://trials1.endeavors.com/autodesk/acad2006/clientdownloads/OTAI.CAB
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pc.mywebexpc.com/client/v_mywebex-aa/ra/ieatgpc.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/TrueInstall.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll
O20 - Winlogon Notify: jkkjk - C:\WINDOWS\system32\jkkjk.dll
O20 - Winlogon Notify: mljge - mljge.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winzzc32 - C:\WINDOWS\SYSTEM32\winzzc32.dll
O20 - Winlogon Notify: wvurrpp - C:\WINDOWS\SYSTEM32\wvurrpp.dll
O21 - SSODL: tTIaba - {ACA96FB7-0603-C51D-9A17-121E9FEABAAD} - C:\WINDOWS\system32\jty.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (file missing)
O23 - Service: Microsoft ASPI Manager (aspimgr) - Unknown owner - C:\WINDOWS\system32\aspimgr.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: F-Secure Anti-Virus 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\tsbwvmlv.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Hi
One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information, and download and execute files.
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)
We can attempt to clean this machine, but I can't guarantee that it will be 100% secure afterwards.
Should you have any questions, please feel free to ask.
Please let us know what you have decided to do in your next post.
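As an added example (not part of the thread, and not code from HijackThis, Spybot or any of the tools named above), here is a small Python triage script that applies, mechanically, the kind of rules a helper applies by eye to a HijackThis log: programs auto-starting from a temp directory, bare filenames in Run keys, any AppInit_DLLs value, Winlogon Notify DLLs that are not on a known-good list, services with no vendor and a missing binary, unnamed BHOs, and random-looking file names. The sample lines are copied from the two logs posted in this thread; the Winlogon Notify allowlist, the severity weights and the vowel-ratio "random name" heuristic are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample: a handful of lines copied from the two HijackThis logs
# posted in this thread (not a complete log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win83.tmp.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\sssqiuhq.dll",forkonce
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O2 - BHO: (no name) - {E9BD0828-1FD9-410C-A50F-43EBE65D310F} - C:\WINDOWS\system32\wvurrpp.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\tsbwvmlv.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")                 # "O4 - HKLM\..\Run: ..."
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|vbs|bat|com)', re.I)
TEMP_RE = re.compile(r"\\te?mp\\", re.I)                  # ...\TEMP\... or ...\tmp\...
BARE_EXE_RE = re.compile(r"\]\s+([\w.]+\.exe)\s*$", re.I) # "[smgr] mgrs.exe" (no directory)

# Example allowlist (assumption): the WGA notification DLL is the one legitimate
# Winlogon Notify entry in the posted logs. A real allowlist would be larger.
KNOWN_NOTIFY = {"wgalogon"}


def looks_random(stem: str) -> bool:
    """Crude hint only: 7+ letters with at most 30% vowels ('wvurrpp', 'tsbwvmlv').
    Expect false positives on terse vendor names; treat as low severity."""
    s = stem.lower()
    if not s.isalpha() or len(s) < 7:
        return False
    vowels = sum(c in "aeiouy" for c in s)
    return vowels / len(s) <= 0.3


@dataclass
class Finding:
    section: str
    line: str
    reasons: List[Tuple[str, str]] = field(default_factory=list)  # (severity, text)

    @property
    def severity(self) -> str:
        return "high" if any(sev == "high" for sev, _ in self.reasons) else "low"


def triage(log_text: str) -> List[Finding]:
    """Return flagged O-section entries, high severity first."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        f = Finding(section, raw.strip())
        pm = PATH_RE.search(body)
        path = pm.group(0) if pm else ""
        fname = path.rsplit("\\", 1)[-1]
        stem = fname.rsplit(".", 1)[0]
        if path and TEMP_RE.search(path):
            f.reasons.append(("high", "auto-starts from a temp directory"))
        if section == "O4" and BARE_EXE_RE.search(body):
            f.reasons.append(("high", "bare filename in Run key, resolved via the search path"))
        if section == "O4" and "rundll32" in body.lower() and looks_random(stem):
            f.reasons.append(("high", "rundll32 loading a random-named DLL"))
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            f.reasons.append(("high", "AppInit_DLLs injects this DLL into every process that loads user32"))
        if section == "O20" and body.startswith("Winlogon Notify:"):
            name = body.split(":", 1)[1].split("-", 1)[0].strip().lower()
            if name not in KNOWN_NOTIFY:
                f.reasons.append(("high", "unknown Winlogon Notify DLL (loaded by winlogon.exe as SYSTEM)"))
        if section == "O23" and "Unknown owner" in body and "(file missing)" in body:
            f.reasons.append(("high", "service with no vendor and a missing binary"))
        if section == "O2" and body.startswith("BHO: (no name)"):
            f.reasons.append(("low", "unnamed browser helper object"))
        if looks_random(stem):
            f.reasons.append(("low", f"random-looking file name '{fname}'"))
        if f.reasons:
            findings.append(f)
    return sorted(findings, key=lambda x: x.severity != "high")


def report(findings: List[Finding]) -> str:
    return "\n".join(
        f"[{f.severity.upper()}] {f.section}: {f.line}\n    - " + "\n    - ".join(t for _, t in f.reasons)
        for f in findings
    )


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

On the sample above the script reports six high-severity entries (the TEMP executable, the rundll32 line, the bare `mgrs.exe`, the AppInit_DLLs value, the `botreg` Winlogon Notify DLL and the ownerless `DomainService`) and two low-severity name hints, one of which (`tfswctrl.exe`, the Sonic DLA helper that is also in the running-process list) is a false positive; that is the point of keeping the name heuristic at low severity and checking vendor paths by hand, as the helper does.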
orange450
2007-08-10, 16:58
Shaba, Thank you very much for answering. I don't do financial transactions from the computer, and have been thinking about upgrading the OS anyway, but I'd like to clean it, just to be able to save music, text and picture files. Do you think I can save those, or would they be compromised as well?
If they are OK to save, then I would be very grateful if you would tell me how to clean the computer, and then I will get my files off, and reformat.
I'm communicating with you from a clean computer, because the infected one is very hard to use. Thank you very much for all your help!
Hi
I don't think that they are compromised.
"If they are OK to save, then I would be very grateful if you would tell me how to clean the computer, and then I will get my files off, and reformat."
This doesn't make any sense to me. You can take your files off and reformat, or I can clean your computer.
I think that those are the options, let me know which one you like :)
orange450
2007-08-10, 19:37
Shaba, thank you for answering. I would like to clean the computer.
Hi
1. Download combofix from one of these links:
Link1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link2 (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally, paste the contents of the Report.txt back on the forum with a new HijackThis log.
Post:
- a fresh HijackThis log
- combofix report
- sdfix report
orange450
2007-08-10, 22:26
Shaba, here is the SDFix log. I will send the Combo Fix log in my next post, and run HiJack This and send that as well. As soon as SDFix rebooted my computer, a pop-up for a product called "Magicantispy 2.1" re-appeared (it had been there before I ran the fixes), but so far it's the only one.
SDFix: Version 1.97
Run by Abba on Fri 08/10/2007 at 03:03 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Name:
aspimgr
ImagePath:
C:\WINDOWS\system32\aspimgr.exe
aspimgr - Deleted
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing Security Center Service
Restoring Missing SharedAccess Service
Rebooting...
Normal Mode:
Checking Files:
Trojan Files Found:
C:\WINDOWS\system32\install.exe - Deleted
C:\WINDOWS\tcb.pmw - Deleted
Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files:
---------------
Backups Folder: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes:
C:\Documents and Settings\Avi Fuss\Application Data\?ystem\attrib.exe
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP940\A0066780.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP940\A0066781.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP944\A0074594.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP944\A0074595.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP944\A0074631.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP944\A0076612.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP941\A0071454.sys
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP944\A0074913.sys
C:\Documents and Settings\All Users\Documents\Tali's TEMP Stuff\Application Data\Microsoft\Journal\Cache\NB177.tmp
C:\Documents and Settings\All Users\Documents\Tali's TEMP Stuff\Application Data\Microsoft\Journal\Cache\NB284.tmp
C:\Documents and Settings\All Users\Documents\Tali's TEMP Stuff\Application Data\Microsoft\Journal\Cache\NB2C.tmp
C:\Documents and Settings\All Users\Documents\Tali's TEMP Stuff\my documents\~WRL0008.tmp
C:\Documents and Settings\All Users\Documents\Tali's TEMP Stuff\my documents\~WRL2875.tmp
C:\Documents and Settings\All Users\Documents\Tali's TEMP Stuff\my documents\~WRL3883.tmp
C:\Documents and Settings\All Users\Documents\Tali's TEMP Stuff\my documents\~WRL{D877AC51-6A81-4298-A1B2-6F35B1E40CB3}.tmp
C:\Documents and Settings\All Users\Documents\Tali's TEMP Stuff\my documents\ChE Projects\~WRL0002.tmp
C:\Documents and Settings\All Users\Documents\Tali's TEMP Stuff\my documents\ChE Projects\~WRL0004.tmp
C:\Documents and Settings\All Users\Documents\Tali's TEMP Stuff\my documents\ChE Projects\~WRL0060.tmp
C:\Documents and Settings\All Users\Documents\Tali's TEMP Stuff\my documents\ChE Projects\~WRL0241.tmp
C:\Documents and Settings\All Users\Documents\Tali's TEMP Stuff\my documents\ChE Projects\~WRL0334.tmp
C:\Documents and Settings\All Users\Documents\Tali's TEMP Stuff\my documents\ChE Projects\~WRL0524.tmp
C:\Documents and Settings\All Users\Documents\Tali's TEMP Stuff\my documents\ChE Projects\~WRL0548.tmp
C:\Documents and Settings\All Users\Documents\Tali's TEMP Stuff\my documents\ChE Projects\~WRL0566.tmp
C:\Documents and Settings\All Users\Documents\Tali's TEMP Stuff\my documents\ChE Projects\~WRL0616.tmp
C:\Documents and Settings\All Users\Documents\Tali's TEMP Stuff\my documents\ChE Projects\~WRL0718.tmp
C:\Documents and Settings\All Users\Documents\Tali's TEMP Stuff\my documents\ChE Projects\~WRL0747.tmp
C:\Documents and Settings\All Users\Documents\Tali's TEMP Stuff\my documents\ChE Projects\~WRL1085.tmp
C:\Documents and Settings\All Users\Documents\Tali's TEMP Stuff\my documents\ChE Projects\~WRL1292.tmp
C:\Documents and Settings\All Users\Documents\Tali's TEMP Stuff\my documents\ChE Projects\~WRL1342.tmp
C:\Documents and Settings\Avi Fuss\Local Settings\Temp\~WRL0004.tmp
C:\Documents and Settings\Avi Fuss\My Documents\~WRL2254.tmp
C:\Documents and Settings\Avi Fuss\My Documents\Avi\Rambam misc 03-04\~WRL2846.tmp
C:\Documents and Settings\Avi Fuss\My Documents\Avi\Rambam misc 03-04\~WRL3522.tmp
C:\Documents and Settings\Avi Fuss\My Documents\french\letters (inserted)\~WRL0366.tmp
C:\Documents and Settings\Guest\Application Data\GTek(2)\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp
C:\Documents and Settings\Guest\Application Data\GTek(2)\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp
C:\Documents and Settings\Guest\Application Data\GTek(2)\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp
C:\Documents and Settings\Guest\Application Data\GTek(2)\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp
C:\Program Files\Microsoft Office\Office\Shortcut Bar\OffB.tmp
C:\WINDOWS\SYSTEM32\dacca.tmp
C:\WINDOWS\SYSTEM32\wybeg.tmp
C:\WINDOWS\SYSTEM32\wybeg.tmp2
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.tmp.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SAM.tmp.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.tmp.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.tmp.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.tmp.LOG
Finished
orange450
2007-08-10, 22:31
The file is too long, so I have to send it in 2 parts. Here is part 1.
ComboFix 07-08-09.3 - "Abba" 2007-08-10 14:19:12.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.130 [GMT -4:00]
* Created a new restore point
/wow section - STAGE 4
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\Abba\APPLIC~1\install.dat
C:\DOCUME~1\Abba\Desktop.\Find Spyware Remover.lnk
C:\DOCUME~1\Abba\Desktop.\Free Online Dating.lnk
C:\DOCUME~1\Abba\Desktop.\Go to Casino.lnk
C:\DOCUME~1\Abba\STARTM~1\Programs.\Outerinfo
C:\DOCUME~1\Abba\STARTM~1\Programs.\Outerinfo\Terms.lnk
C:\DOCUME~1\Abba\STARTM~1\Programs\Startup.\system.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup.\autorun.exe
C:\DOCUME~1\AVIFUS~1\APPLIC~1\.rdr.ini
C:\DOCUME~1\AVIFUS~1\APPLIC~1\install.dat
C:\DOCUME~1\LOCALS~1\APPLIC~1\install.dat
C:\DOCUME~1\NETWOR~1\APPLIC~1\.rdr.ini
C:\DOCUME~1\NETWOR~1\APPLIC~1\install.dat
C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\bot.dll
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Documents and Settings\All Users.\documents\settings\partnership.dll
C:\Program Files\Common Files\racle~1
C:\Program Files\Common Files\racle~1\?racle\
C:\Program Files\Common Files\racle~1\ping.exe
C:\Program Files\Common Files\ssembl~1
C:\Program Files\Common Files\ssembl~1\?pool32.exe
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\Common Files\winantispyware 2007\uwas7cw.exe
C:\Program Files\Common Files\winantispyware 2007\WAS7Mon.exe
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\inetget2
C:\Program Files\inetget2\popinstall.exe
C:\Program Files\Internet Explorer\hokepocen4444.dll
C:\Program Files\Internet Explorer\hokepocen455101.dll
C:\Program Files\Internet Explorer\hokepocen83122.dll
C:\Program Files\MSN\lavuj.dll
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Cache\ctxad-557.0000
C:\Program Files\outerinfo\Cache\ctxad-557.0001
C:\Program Files\outerinfo\Cache\ctxad-557.0002
C:\Program Files\outerinfo\Cache\ctxad-557.0003
C:\Program Files\outerinfo\Cache\ctxad-557.0004
C:\Program Files\outerinfo\Cache\ctxad-557.0005
C:\Program Files\outerinfo\Cache\ctxad-557.0006
C:\Program Files\outerinfo\Cache\ctxad-557.0007
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\ucleaner_setup.exe
C:\Program Files\Ultimate Cleaner
C:\Program Files\web buying
C:\Program Files\web buying\v1.8.0\wbuninst.exe
C:\Program Files\web buying\v1.8.0\webbuying.exe
C:\Program Files\winantispyware 2007
C:\Program Files\winantispyware 2007\RTMonitor.dat\561e415b07a14125a925aab6\b6b14329b9584a599b697cac\034f44349f0142f747fdc592\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\561e415b07a14125a925aab6\b6b14329b9584a599b697cac\034f44349f0142f747fdc592\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\561e415b07a14125a925aab6\b6b14329b9584a599b697cac\034f44349f0142f747fdc592\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\561e415b07a14125a925aab6\b6b14329b9584a599b697cac\4fed245965c8484b462adebb\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\561e415b07a14125a925aab6\b6b14329b9584a599b697cac\4fed245965c8484b462adebb\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\561e415b07a14125a925aab6\b6b14329b9584a599b697cac\4fed245965c8484b462adebb\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\561e415b07a14125a925aab6\b6b14329b9584a599b697cac\517332bc4c754a8b49837384\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\561e415b07a14125a925aab6\b6b14329b9584a599b697cac\517332bc4c754a8b49837384\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\561e415b07a14125a925aab6\b6b14329b9584a599b697cac\517332bc4c754a8b49837384\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\561e415b07a14125a925aab6\b6b14329b9584a599b697cac\b26c8f2021744fec43208da6\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\561e415b07a14125a925aab6\b6b14329b9584a599b697cac\b26c8f2021744fec43208da6\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\561e415b07a14125a925aab6\b6b14329b9584a599b697cac\b26c8f2021744fec43208da6\#name
C:\Program Files\winpop
C:\Program Files\winpop\UnInstall.exe
C:\Program Files\winpop\winpop.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\temp\tn3
C:\WINDOWS\b122.exe
C:\WINDOWS\Casino.ico
C:\WINDOWS\dlgabrk.exe
C:\WINDOWS\Free Online Dating.ico
C:\WINDOWS\mgrs.exe
C:\WINDOWS\offun.exe
C:\WINDOWS\rau001978.exe
C:\WINDOWS\retadpu1000106.exe
C:\WINDOWS\s32.txt
C:\WINDOWS\sks~1
C:\WINDOWS\sks~1\??erinit.exe
C:\WINDOWS\Spyware Remover.ico
C:\WINDOWS\system32\aspimgr(2).exe
C:\WINDOWS\system32\byxuvvv.dll
C:\WINDOWS\system32\byxwuvv.dll
C:\WINDOWS\system32\config\systemprofile\application data\.rdr.ini
C:\WINDOWS\SYSTEM32\diojjjxu.ini
C:\WINDOWS\system32\dnsersnd.dll
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\driver\w71.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\drivers\ip6fw.sys
C:\WINDOWS\system32\drivers\symavc32.sys
C:\WINDOWS\system32\gebcbay.dll
C:\WINDOWS\system32\hlpsrv.exe
C:\WINDOWS\system32\ie_ban.exe
C:\WINDOWS\system32\ivtmubs.dll
C:\WINDOWS\system32\jkkjk.dll
C:\WINDOWS\SYSTEM32\kjkkj.bak1
C:\WINDOWS\SYSTEM32\kjkkj.bak2
C:\WINDOWS\SYSTEM32\kjkkj.ini
C:\WINDOWS\system32\ldcore.dll
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\msbind32.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\Outerinfo-1832.exe
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\qqjcfgy.dll
C:\WINDOWS\system32\setup155.exe
C:\WINDOWS\system32\sydrwhap.dll
C:\WINDOWS\system32\uxjjjoid.dll
C:\WINDOWS\system32\vedxg3am1et3.exe
C:\WINDOWS\system32\vtuuuro.dll
C:\WINDOWS\system32\win
C:\WINDOWS\system32\win\bw72.exe
C:\WINDOWS\system32\WinAvXX.exe
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\winzzc32.dll
C:\WINDOWS\system32\wmvds32.dll
C:\WINDOWS\system32\wnsapiicomsv32.exe
C:\WINDOWS\system32\woncemyg.dll
C:\WINDOWS\system32\wvurrpp.dll
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\TISKY009.exe
C:\WINDOWS\tk58.exe
C:\WINDOWS\TTC-4444.exe
C:\WINDOWS\uni_eh44.exe
C:\WINDOWS\uninst1014.exe
C:\WINDOWS\wr.txt
C:\WINDOWS\ws386.ini
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_AWF59
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FOPN
-------\LEGACY_NET_AGENT
-------\LEGACY_RUNTIME
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\core
-------\DomainService
-------\Net Agent
((((((((((((((((((((((((( Files Created from 2007-07-10 to 2007-08-10 )))))))))))))))))))))))))))))))
2007-08-10 14:17 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-10 00:47 37,376 --a------ C:\WINDOWS\SYSTEM32\vtr167.dll
2007-08-10 00:41 75,328 --a------ C:\WINDOWS\SYSTEM32\rxaavqhh.exe
2007-08-09 13:59 <DIR> d---s---- C:\DOCUME~1\Tali\UserData
2007-08-09 13:56 <DIR> d-------- C:\DOCUME~1\Tali\APPLIC~1\Google
2007-08-09 13:53 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Google
2007-08-09 13:45 <DIR> d-------- C:\Program Files\Magicantispy
2007-08-08 22:13 75,328 --a------ C:\WINDOWS\SYSTEM32\kespeulb.exe
2007-08-08 22:00 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-08-08 21:15 93,696 --a------ C:\WINDOWS\SYSTEM32\drvjok.dll
2007-08-08 21:14 75,328 --a------ C:\WINDOWS\SYSTEM32\slwkynpj.exe
2007-08-08 21:07 <DIR> d---s---- C:\DOCUME~1\Ima\UserData
2007-08-08 21:07 <DIR> d-------- C:\VundoFix Backups
2007-08-08 21:07 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-08 21:07 <DIR> d-------- C:\Program Files\Dell Support
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Xerox
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Symantec
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Sonic
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Real
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Nikon
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Jasc Software Inc
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Gtek
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Google
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\F-Secure
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\AdobeUM
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Gtek
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\Gtek
2007-08-08 20:40 <DIR> d-------- C:\DOCUME~1\Abba\APPLIC~1\Apple Computer
2007-08-08 16:49 <DIR> d-------- C:\Program Files\Lavasoft(2)
2007-08-08 16:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-08 16:35 <DIR> d-------- C:\DOCUME~1\Guest\UserData
2007-08-08 16:31 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Lavasoft
2007-08-08 15:43 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-08-08 15:43 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
2007-08-08 15:39 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\GTek(2)
2007-08-07 22:02 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-07 20:11 <DIR> d-------- C:\Program Files\DellSupport
2007-08-07 15:13 9,769 --a------ C:\WINDOWS\SYSTEM32\user10.exe
2007-08-07 15:13 86,056 --a------ C:\WINDOWS\SYSTEM32\install.exe
2007-08-07 15:13 8,782 --a------ C:\WINDOWS\SYSTEM32\waverevenue.exe
2007-08-07 15:13 173,056 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Awf59.sys
2007-08-07 15:12 9,769 --a------ C:\WINDOWS\qsxbj0578.exe
2007-08-07 15:12 6,689 --a------ C:\WINDOWS\SYSTEM32\ldcore(3).dll
2007-08-07 15:12 115,606 --a------ C:\WINDOWS\SYSTEM32\skna455101.exe
2007-08-07 15:12 <DIR> d-------- C:\WINDOWS\SYSTEM32\f06WtR
2007-08-07 15:08 <DIR> d-------- C:\DOCUME~1\AVIFUS~1\APPLIC~1\WinAntiSpyware 2007 Free
2007-08-07 15:03 <DIR> d-------- C:\DOCUME~1\AVIFUS~1\APPLIC~1\WinAntiSpyware 2007
2007-08-07 14:58 192,582 --a------ C:\WINDOWS\SYSTEM32\swinmmdt.exe
2007-08-07 14:58 <DIR> d--h----- C:\Program Files\BHO
2007-08-07 14:58 <DIR> d-------- C:\WINDOWS\SYSTEM32\Z2
2007-08-07 14:58 <DIR> d-------- C:\WINDOWS\SYSTEM32\Z1
2007-08-07 14:58 <DIR> d-------- C:\WINDOWS\SYSTEM32\f02WtR
2007-08-07 14:58 <DIR> d-------- C:\WINDOWS\SYSTEM32\A1
2007-08-07 14:58 <DIR> d-------- C:\Temp
2007-08-07 14:58 <DIR> d-------- C:\DOCUME~1\AVIFUS~1\APPLIC~1\?ystem
orange450
2007-08-10, 22:33
Here is part 2 of ComboFix log:
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-08 21:06 --------- d-------- C:\DOCUME~1\Abba\APPLIC~1\Gtek
2007-08-07 15:16 932 --a------ C:\WINDOWS\system32\drivers\core.cache(14).dsk
2007-08-07 15:16 283 --a------ C:\WINDOWS\system32\drivers\x.gif
2007-08-07 15:16 164787 --a------ C:\WINDOWS\system32\drivers\core.cache(9).dsk
2007-08-07 15:16 164787 --a------ C:\WINDOWS\system32\drivers\core.cache(8).dsk
2007-08-07 15:16 164787 --a------ C:\WINDOWS\system32\drivers\core.cache(7).dsk
2007-08-07 15:16 164787 --a------ C:\WINDOWS\system32\drivers\core.cache(6).dsk
2007-08-07 15:16 164787 --a------ C:\WINDOWS\system32\drivers\core.cache(5).dsk
2007-08-07 15:16 164787 --a------ C:\WINDOWS\system32\drivers\core.cache(4).dsk
2007-08-07 15:16 164787 --a------ C:\WINDOWS\system32\drivers\core.cache(3).dsk
2007-08-07 15:16 164787 --a------ C:\WINDOWS\system32\drivers\core.cache(2).dsk
2007-08-07 15:16 164787 --a------ C:\WINDOWS\system32\drivers\core.cache(13).dsk
2007-08-07 15:16 164787 --a------ C:\WINDOWS\system32\drivers\core.cache(12).dsk
2007-08-07 15:16 164787 --a------ C:\WINDOWS\system32\drivers\core.cache(11).dsk
2007-08-07 15:16 164787 --a------ C:\WINDOWS\system32\drivers\core.cache(10).dsk
2007-08-07 15:15 639 --a------ C:\WINDOWS\system32\drivers\star.gif
2007-08-07 15:15 550 --a------ C:\WINDOWS\system32\drivers\star_small.gif
2007-08-07 15:15 53 --a------ C:\WINDOWS\system32\drivers\sep_vert.gif
2007-08-07 15:15 49 --a------ C:\WINDOWS\system32\drivers\spacer.gif
2007-08-07 15:15 425 --a------ C:\WINDOWS\system32\drivers\star_gray.gif
2007-08-07 15:15 3877 --a------ C:\WINDOWS\system32\drivers\warning_icon.gif
2007-08-07 15:15 291 --a------ C:\WINDOWS\system32\drivers\v.gif
2007-08-07 15:15 223 --a------ C:\WINDOWS\system32\drivers\star_gray_small.gif
2007-08-07 15:15 2090 --a------ C:\WINDOWS\system32\drivers\shadow.jpg
2007-08-07 15:15 1791 --a------ C:\WINDOWS\system32\drivers\win_logo.gif
2007-08-07 15:15 13618 --a------ C:\WINDOWS\system32\drivers\spy_away_box.jpg
2007-08-07 15:14 979 --a------ C:\WINDOWS\system32\drivers\product_2_name_small.gif
2007-08-07 15:14 65 --a------ C:\WINDOWS\system32\drivers\sep_hor.gif
2007-08-07 15:14 3080 --a------ C:\WINDOWS\system32\drivers\product_3_header.gif
2007-08-07 15:14 2604 --a------ C:\WINDOWS\system32\drivers\product_1_header.gif
2007-08-07 15:14 2214 --a------ C:\WINDOWS\system32\drivers\product_2_header.gif
2007-08-07 15:14 215 --a------ C:\WINDOWS\system32\drivers\main_back.gif
2007-08-07 15:14 1714 --a------ C:\WINDOWS\system32\drivers\product_3_name_small.gif
2007-08-07 15:14 1330 --a------ C:\WINDOWS\system32\drivers\product_features.gif
2007-08-07 15:14 1253 --a------ C:\WINDOWS\system32\drivers\product_1_name_small.gif
2007-08-07 15:14 10260 --a------ C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
2007-08-07 15:13 918 --a------ C:\WINDOWS\system32\drivers\s_detect.htm
2007-08-07 15:13 837 --a------ C:\WINDOWS\system32\drivers\blank.gif
2007-08-07 15:13 835 --a------ C:\WINDOWS\system32\drivers\style.css
2007-08-07 15:13 6575 --a------ C:\WINDOWS\system32\drivers\remove_spyware_button.gif
2007-08-07 15:13 6373 --a------ C:\WINDOWS\system32\drivers\secuity_center_logo.gif
2007-08-07 15:13 48933 --a------ C:\WINDOWS\system32\drivers\pt.htm
2007-08-07 15:13 2922 --a------ C:\WINDOWS\system32\drivers\footer_back.jpg
2007-08-07 15:13 28459 --a------ C:\WINDOWS\system32\drivers\header_1.gif
2007-08-07 15:13 2238 --a------ C:\WINDOWS\system32\drivers\download_box.gif
2007-08-07 15:13 1647 --a------ C:\WINDOWS\system32\drivers\button_freescan.gif
2007-08-07 15:13 1619 --a------ C:\WINDOWS\system32\drivers\button_buynow.gif
2007-08-07 15:13 15421 --a------ C:\WINDOWS\system32\drivers\header_2.gif
2007-08-07 15:13 12326 --a------ C:\WINDOWS\system32\drivers\box_3.gif
2007-08-07 15:13 12313 --a------ C:\WINDOWS\system32\drivers\box_1.gif
2007-08-07 15:13 1204 --a------ C:\WINDOWS\system32\drivers\infected.gif
2007-08-07 15:13 11927 --a------ C:\WINDOWS\system32\drivers\box_2.gif
2007-08-07 15:13 11077 --a------ C:\WINDOWS\system32\drivers\header_4.gif
2007-08-07 15:13 10193 --a------ C:\WINDOWS\system32\drivers\header_3.gif
2007-08-07 15:13 1014 --a------ C:\WINDOWS\system32\drivers\icon_warning.gif
2007-08-07 15:12 64 --a------ C:\WINDOWS\system32\drivers\close_icon.gif
2007-08-07 15:12 4723 --a------ C:\WINDOWS\system32\drivers\detect.htm
2007-08-07 15:12 360 --a------ C:\WINDOWS\system32\drivers\header_bg.gif
2007-08-07 15:12 2186 --a------ C:\WINDOWS\system32\drivers\alert_icon.gif
2007-07-01 22:31 --------- d-------- C:\Program Files\Winamp
2007-05-16 11:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 11:12 85504 --------- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 11:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 11:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 13:16]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-25 23:35]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 21:12]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 21:15]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 02:04]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-05 21:50]
"XeroxScannerDaemon"="C:\Program Files\Xerox\NWWia\XrxFTPLt.exe" [2001-08-17 22:37]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"DVDTray"="C:\Program Files\HP DVD\Umbrella\DVDTray.exe" [2003-07-23 13:42]
"DVDBitSet"="C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" [2003-12-18 17:37]
"mmtask"="C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe" [2005-03-15 08:58]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" [2005-05-18 14:49]
"DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [2005-05-19 13:55]
"F-Secure Manager"="C:\Program Files\F-Secure Internet Security\Common\FSM32.exe" [2005-06-02 18:37]
"F-Secure TNB"="C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" [2005-07-18 10:51]
"F-Secure Startup Wizard"="C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.exe" [2005-08-23 09:38]
"Error Nuker"="C:\Program Files\Error Nuker\bin\ErrorNuker.exe" []
"MediaGateway"="C:\Program Files\MediaGateway\MediaGateway.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-23 17:40]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 16:45]
"HostManager"="C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe" [2006-04-20 13:10]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 12:59]
"dlgabrkA"="C:\WINDOWS\dlgabrkA.exe" []
"{96-6F-FB-B6-ZN}"="C:\WINDOWS\SYSTEM32\dwdsregt.exe" []
"WinCore32.exe"="C:\WINDOWS\system32\WinCore32.exe" []
"Windows Configure"="c:\windows\system32\syscfg32.exe" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 11:38]
"Magicantispy"="C:\Program Files\Magicantispy\Magicantispy.exe" [2007-08-09 13:45]
"Kuaiwcl"="C:\WINDOWS\??sks\??erinit.exe" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Windows Configure"=c:\windows\system32\syscfg32.exe
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SRUUninstall"="C:\WINDOWS\system32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress
C:\Documents and Settings\Abba\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 10:00:00]
eSClean.vbs [2005-09-03 20:41:17]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 10:00:00]
F-Secure Anti-Virus 2006.lnk - C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe [2005-12-14 20:42:44]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52]
Scan Button.lnk - C:\SCANNER\EXE32\DETECTON.EXE [2004-07-29 23:31:57]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"tTIaba"= {ACA96FB7-0603-C51D-9A17-121E9FEABAAD} - C:\WINDOWS\system32\jty.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljge]
mljge.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\hrum167.txt
R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys
R0 iaStor;Intel AHCI Controller;C:\WINDOWS\system32\drivers\iaStor.sys
R2 BackWeb Plug-in - 4476822;F-Secure Anti-Virus 2006;C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
R2 DgivEcp;Team MFP Comm Driver;C:\WINDOWS\system32\Drivers\DgivEcp.Sys
R2 F-Secure Filter;F-Secure File System Filter;\??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSgk.sys
R2 F-Secure Recognizer;F-Secure File System Recognizer;\??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys
R3 IntelC51;IntelC51;C:\WINDOWS\system32\DRIVERS\IntelC51.sys
R3 IntelC52;IntelC52;C:\WINDOWS\system32\DRIVERS\IntelC52.sys
R3 IntelC53;IntelC53;C:\WINDOWS\system32\DRIVERS\IntelC53.sys
R3 mohfilt;mohfilt;C:\WINDOWS\system32\DRIVERS\mohfilt.sys
R3 StillCam;Still Serial Digital Camera Driver;C:\WINDOWS\system32\DRIVERS\serscan.sys
S2 aspimgr;Microsoft ASPI Manager;C:\WINDOWS\system32\aspimgr.exe
S3 hpusbwdm;HP DVD Movie Writer dc3000/dc4000;C:\WINDOWS\system32\DRIVERS\hpusbwdm.sys
S3 Jukebox;Jukebox;C:\WINDOWS\system32\DRIVERS\ctpdusb2.sys
Contents of the 'Scheduled Tasks' folder
2007-08-10 04:00:02 C:\WINDOWS\Tasks\Scheduled scanning task.job
2004-12-24 18:42:14 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-10 14:42:36
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-10 14:45:41 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-10 14:45
--- E O F ---
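A small triage script for the "Reg Loading Points" and file listings of a ComboFix log like the one posted above; this is an added example, not part of the thread and not ComboFix's or the helper's own code. Its heuristics (what an empty timestamp bracket means, that only .sys files belong directly under system32\drivers, that "?" marks unprintable characters) are assumptions drawn from reading this log, and the sample input is a set of lines copied from it.

```python
"""Triage helper for a ComboFix-style log. Added example, not part of this thread
and not ComboFix's own code: line formats are inferred from the log posted above
and the heuristics are assumptions (commented), not ComboFix rules."""
import re
from collections import namedtuple

# "name"="path" [stamp]  or  "name"=path   (quotes and [stamp] are optional)
REG_VALUE = re.compile(
    r'^"(?P<name>[^"]+)"=(?P<path>"[^"]*"|[^\[]+?)\s*(?:\[(?P<stamp>[^\]]*)\])?\s*$')
# 2007-08-07 15:16 283 --a------ C:\path   (size may also be <DIR> or dashes)
FILE_LINE = re.compile(
    r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?P<size>\S+)\s+(?P<attr>\S+)\s+(?P<path>.+?)\s*$')
KEY_LINE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$', re.IGNORECASE)
AUTORUN_KEYS = ("\\run", "\\runonce", "\\runservices")
# Assumption: only .sys belongs directly under system32\drivers on this XP box
EXPECTED_IN_DRIVERS = {"sys"}
Finding = namedtuple("Finding", "kind where detail")

def parse_reg_points(text):
    """Return (key, value_name, path, stamp) tuples from 'Reg Loading Points'
    lines; stamp is None when the line carries no [..] bracket at all."""
    key, out = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group("key")
            continue
        m = REG_VALUE.match(line)
        if m and key:
            path = m.group("path").strip()
            if path.startswith('"') and path.endswith('"'):
                path = path[1:-1]
            out.append((key, m.group("name"), path, m.group("stamp")))
        elif key and "\\winlogon\\notify\\" in key.lower() and line.lower().endswith(".dll"):
            # Notify packages are listed as a bare DLL name under their own subkey
            out.append((key, key.rsplit("\\", 1)[-1], line, None))
    return out

def triage_reg(entries):
    findings = []
    for key, name, path, stamp in entries:
        k, where = key.lower(), f"{key} :: {name}"
        if k.endswith(AUTORUN_KEYS) and not (stamp or "").strip():
            # no file timestamp printed: the target is absent or could not be read
            findings.append(Finding("autorun-no-timestamp", where, path))
        if "?" in path:
            # '?' stands in for characters the log could not print (spoofed names)
            findings.append(Finding("unprintable-chars-in-path", where, path))
        if name.lower() == "appinit_dlls" and not path.lower().endswith(".dll"):
            findings.append(Finding("appinit-non-dll", where, path))
        if "\\winlogon\\notify\\" in k:
            # the log omits default entries, so a listed Notify package is non-default
            findings.append(Finding("winlogon-notify-package", where, path))
        if "shellserviceobjectdelayload" in k:
            findings.append(Finding("ssodl-entry", where, path))
    return findings

def triage_files(text):
    findings = []
    for raw in text.splitlines():
        m = FILE_LINE.match(raw.strip())
        if not m or m.group("attr").startswith("d"):
            continue
        path, low = m.group("path"), m.group("path").lower()
        if "\\system32\\drivers\\" in low and "\\drivers\\etc\\" not in low:
            name = low.rsplit("\\", 1)[-1]
            ext = name.rsplit(".", 1)[-1] if "." in name else ""
            if ext not in EXPECTED_IN_DRIVERS:
                findings.append(Finding("non-driver-in-drivers-dir", path, m.group("size")))
    return findings

def triage(text):
    return triage_reg(parse_reg_points(text)) + triage_files(text)

# Constructed sample: lines copied from the ComboFix log posted in this thread
SAMPLE_LOG = r"""
2007-08-07 15:16 283 --a------ C:\WINDOWS\system32\drivers\x.gif
2007-08-07 15:13 918 --a------ C:\WINDOWS\system32\drivers\s_detect.htm
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 13:16]
"Error Nuker"="C:\Program Files\Error Nuker\bin\ErrorNuker.exe" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kuaiwcl"="C:\WINDOWS\??sks\??erinit.exe" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Windows Configure"=c:\windows\system32\syscfg32.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"tTIaba"= {ACA96FB7-0603-C51D-9A17-121E9FEABAAD} - C:\WINDOWS\system32\jty.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljge]
mljge.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\hrum167.txt
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:28} {f.where}  ->  {f.detail}")
```

Feed the whole log to triage() to get every flagged loading point and misplaced file; the clean IAAnotif entry produces no finding, which is the baseline the other entries are measured against.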
orange450
2007-08-10, 22:44
And finally, here's the HiJack This log. Thank you so much for your help. So far, the Magicantispy pop-up is the only one there, but I can't seem to get rid of it.
Logfile of HijackThis v1.99.1
Scan saved at 3:42:07 PM, on 8/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Magicantispy\Magicantispy.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\aol\aol toolbar 3.1\aoltbhelper.exe
C:\Documents and Settings\Abba\Desktop\scanner.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [XeroxScannerDaemon] C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [dlgabrkA] C:\WINDOWS\dlgabrkA.exe
O4 - HKLM\..\Run: [Windows Configure] c:\windows\system32\syscfg32.exe
O4 - HKLM\..\RunServices: [Windows Configure] c:\windows\system32\syscfg32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Magicantispy] C:\Program Files\Magicantispy\Magicantispy.exe
O4 - HKCU\..\Run: [Kuaiwcl] C:\WINDOWS\??sks\??erinit.exe
O4 - Startup: eSClean.vbs
O4 - Global Startup: F-Secure Anti-Virus 2006.lnk = C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Scan Button.lnk = C:\SCANNER\EXE32\DETECTON.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\Program Files\SmileyDistrict\insmile.dll
O9 - Extra 'Tools' menuitem: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\Program Files\SmileyDistrict\insmile.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {AF087E66-838E-4A97-8A0B-0DDDA5DEA239} (OTAutoInstall Class) - http://trials1.endeavors.com/autodesk/acad2006/clientdownloads/OTAI.CAB
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pc.mywebexpc.com/client/v_mywebex-aa/ra/ieatgpc.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/TrueInstall.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum167.txt
O20 - Winlogon Notify: mljge - mljge.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: tTIaba - {ACA96FB7-0603-C51D-9A17-121E9FEABAAD} - C:\WINDOWS\system32\jty.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: F-Secure Anti-Virus 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
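As an added illustration (not part of this thread, and not HijackThis's own code), the Python script below applies a few of the mechanical checks a helper runs over a HijackThis log like the one above before reading the rest by hand: an AppInit_DLLs value that is not named as a .dll, '?' characters in an autostart path, a program sitting directly in the Windows directory, use of the old RunServices key, and O20/O21 hooks whose file is reported missing. The sample lines are constructed from the shapes of entries in this log, and the function and constant names are my own.

```python
import re
from typing import List, Tuple

# Constructed sample: lines in the shapes HijackThis v1.99.1 emits, taken from
# the kinds of entries discussed in this thread (not the full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [dlgabrkA] C:\WINDOWS\dlgabrkA.exe
O4 - HKLM\..\Run: [Windows Configure] c:\windows\system32\syscfg32.exe
O4 - HKLM\..\RunServices: [Windows Configure] c:\windows\system32\syscfg32.exe
O4 - HKCU\..\Run: [Kuaiwcl] C:\WINDOWS\??sks\??erinit.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum167.txt
O20 - Winlogon Notify: mljge - mljge.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: tTIaba - {ACA96FB7-0603-C51D-9A17-121E9FEABAAD} - C:\WINDOWS\system32\jty.dll (file missing)
"""

# Reasons are module constants so callers can match on them.
REASON_QMARK = "'?' in path: unprintable or look-alike characters in a folder or file name"
REASON_WINROOT = "program placed directly in the Windows directory"
REASON_RUNSERVICES = "RunServices key: Windows 9x-era autostart, rarely used by legitimate software on XP"
REASON_APPINIT = "AppInit_DLLs loads a file that is not named as a .dll"
REASON_MISSING_HOOK = "Winlogon Notify/SSODL hook whose file is missing (orphaned or hidden)"

# O4 - HKLM\..\Run: [name] value    (also matches RunOnce / RunServices)
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (.*)$")
HOOK_RE = re.compile(r"^O2[01] - (?:Winlogon Notify|SSODL): .*\(file missing\)$")
WINROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.IGNORECASE)


def image_path(value: str) -> str:
    """Strip surrounding quotes and trailing arguments from a Run value."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    m = re.match(r"^(.*?\.(?:exe|dll|com|scr|bat|vbs))(?:\s|$)", value, re.IGNORECASE)
    return m.group(1) if m else value


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, log line) pairs for entries that deserve a closer look."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        run = RUN_RE.match(line)
        if run:
            _hive, key, _name, value = run.groups()
            path = image_path(value)
            if "?" in path:
                findings.append((REASON_QMARK, line))
            if WINROOT_RE.match(path):
                findings.append((REASON_WINROOT, line))
            if key.lower() == "runservices":
                findings.append((REASON_RUNSERVICES, line))
            continue
        appinit = APPINIT_RE.match(line)
        if appinit:
            if not appinit.group(1).strip().lower().endswith(".dll"):
                findings.append((REASON_APPINIT, line))
            continue
        if HOOK_RE.match(line):
            findings.append((REASON_MISSING_HOOK, line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

These checks only catch the obvious shapes: syscfg32.exe in system32 is picked up here solely because of its RunServices twin, and the legitimate WgaLogon.dll notify entry is correctly left alone. Deciding about the rest of the entries still takes the helper's judgement.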
orange450
2007-08-11, 00:44
Shaba, thank you for all your help so far. The computer seems better - there are fewer pop-ups, but the Magicantispy can't be removed, and my Control Panel capability is gone. When I try to activate it, I get a message that my computer has restrictions, and I should contact the system administrator - but my account has administrator privileges. I'm still getting other messages that look like an info message from Windows, saying that my computer is infected and I should download anti-spyware. Also, a message that says that copies of my registry are being made - that message started while I was running ComboFix, and I'm still getting it, even though the computer has been rebooted several times by the fix programs.
I'll be away tomorrow, so I won't be able to respond quickly if you post before then, but I'm still here. Thank you so much for everything you're doing.
Hi
Wow, there was a lot of malware lurking, and there still is.
Do you recognize this folder?
C:\DOCUME~1\ADMINI~1\WINDOWS
Open HijackThis, click "Do a system scan only" and checkmark these:
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
O4 - HKLM\..\Run: [dlgabrkA] C:\WINDOWS\dlgabrkA.exe
O4 - HKLM\..\Run: [Windows Configure] c:\windows\system32\syscfg32.exe
O4 - HKLM\..\RunServices: [Windows Configure] c:\windows\system32\syscfg32.exe
O4 - HKCU\..\Run: [Magicantispy] C:\Program Files\Magicantispy\Magicantispy.exe
O4 - HKCU\..\Run: [Kuaiwcl] C:\WINDOWS\??sks\??erinit.exe
O4 - Startup: eSClean.vbs
O9 - Extra button: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\Program Files\SmileyDistrict\insmile.dll
O9 - Extra 'Tools' menuitem: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\Program Files\SmileyDistrict\insmile.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum167.txt
O20 - Winlogon Notify: mljge - mljge.dll (file missing)
O21 - SSODL: tTIaba - {ACA96FB7-0603-C51D-9A17-121E9FEABAAD} - C:\WINDOWS\system32\jty.dll (file missing)
Close all windows including browser and press fix checked.
Reboot.
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\SYSTEM32\vtr167.dll
C:\WINDOWS\SYSTEM32\rxaavqhh.exe
C:\WINDOWS\SYSTEM32\kespeulb.exe
C:\WINDOWS\SYSTEM32\drvjok.dll
C:\WINDOWS\SYSTEM32\slwkynpj.exe
C:\WINDOWS\SYSTEM32\user10.exe
C:\WINDOWS\SYSTEM32\install.exe
C:\WINDOWS\SYSTEM32\waverevenue.exe
C:\WINDOWS\SYSTEM32\DRIVERS\Awf59.sys
C:\WINDOWS\qsxbj0578.exe
C:\WINDOWS\SYSTEM32\ldcore(3).dll
C:\WINDOWS\SYSTEM32\skna455101.exe
C:\WINDOWS\system32\drivers\core.cache(14).dsk
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\drivers\core.cache(9).dsk
C:\WINDOWS\system32\drivers\core.cache(8).dsk
C:\WINDOWS\system32\drivers\core.cache(7).dsk
C:\WINDOWS\system32\drivers\core.cache(6).dsk
C:\WINDOWS\system32\drivers\core.cache(5).dsk
C:\WINDOWS\system32\drivers\core.cache(4).dsk
C:\WINDOWS\system32\drivers\core.cache(3).dsk
C:\WINDOWS\system32\drivers\core.cache(2).dsk
C:\WINDOWS\system32\drivers\core.cache(13).dsk
C:\WINDOWS\system32\drivers\core.cache(12).dsk
C:\WINDOWS\system32\drivers\core.cache(11).dsk
C:\WINDOWS\system32\drivers\core.cache(10).dsk
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\remove_spyware_button.gif
C:\WINDOWS\system32\drivers\secuity_center_logo.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\icon_warning.gif
C:\WINDOWS\system32\drivers\close_icon.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\header_bg.gif
C:\WINDOWS\system32\drivers\alert_icon.gif
C:\WINDOWS\system32\hrum167.txt
C:\WINDOWS\SYSTEM32\dacca.tmp
C:\WINDOWS\SYSTEM32\wybeg.tmp
C:\WINDOWS\SYSTEM32\wybeg.tmp2
Folder::
C:\Program Files\Magicantispy
C:\WINDOWS\SYSTEM32\f06WtR
C:\DOCUME~1\AVIFUS~1\APPLIC~1\WinAntiSpyware 2007 Free
C:\DOCUME~1\AVIFUS~1\APPLIC~1\WinAntiSpyware
C:\Program Files\BHO
C:\WINDOWS\SYSTEM32\Z2
C:\WINDOWS\SYSTEM32\Z1
C:\WINDOWS\SYSTEM32\f02WtR
C:\WINDOWS\SYSTEM32\A1
C:\Temp
C:\DOCUME~1\AVIFUS~1\APPLIC~1\?ystem
C:\Program Files\SmileyDistrict
Save this as "CFScript"
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will start ComboFix again. After the reboot (if it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
orange450
2007-08-12, 06:13
Shaba, thank you so much for all your help. Here is the ComboFix log. Does it matter which account I run these fixes from? I'm not running them in the account in which I caused the problems, because that had become unusable - with background and color changes. It looks much better now, though.
Also, I got some error messages when I applied the HijackThis fixes - about "registry edit has been disabled by your administrator". There was an error message from the makers of HijackThis - asking to notify them -
O20 - AppInit_DLLs: c:\WINDOWS\system32\hrum167.txt
seems to be the line that caused it.
ComboFix 07-08-09.3 - "Abba" 2007-08-11 22:55:15.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.198 [GMT -4:00]
Command switches used :: C:\Documents and Settings\Abba\Desktop\CFScript.txt
* Created a new restore point
FILE::
C:\WINDOWS\SYSTEM32\vtr167.dll
C:\WINDOWS\SYSTEM32\rxaavqhh.exe
C:\WINDOWS\SYSTEM32\kespeulb.exe
C:\WINDOWS\SYSTEM32\drvjok.dll
C:\WINDOWS\SYSTEM32\slwkynpj.exe
C:\WINDOWS\SYSTEM32\user10.exe
C:\WINDOWS\SYSTEM32\install.exe
C:\WINDOWS\SYSTEM32\waverevenue.exe
C:\WINDOWS\SYSTEM32\DRIVERS\Awf59.sys
C:\WINDOWS\qsxbj0578.exe
C:\WINDOWS\SYSTEM32\ldcore(3).dll
C:\WINDOWS\SYSTEM32\skna455101.exe
C:\WINDOWS\system32\drivers\core.cache(14).dsk
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\drivers\core.cache(9).dsk
C:\WINDOWS\system32\drivers\core.cache(8).dsk
C:\WINDOWS\system32\drivers\core.cache(7).dsk
C:\WINDOWS\system32\drivers\core.cache(6).dsk
C:\WINDOWS\system32\drivers\core.cache(5).dsk
C:\WINDOWS\system32\drivers\core.cache(4).dsk
C:\WINDOWS\system32\drivers\core.cache(3).dsk
C:\WINDOWS\system32\drivers\core.cache(2).dsk
C:\WINDOWS\system32\drivers\core.cache(13).dsk
C:\WINDOWS\system32\drivers\core.cache(12).dsk
C:\WINDOWS\system32\drivers\core.cache(11).dsk
C:\WINDOWS\system32\drivers\core.cache(10).dsk
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\remove_spyware_button.gif
C:\WINDOWS\system32\drivers\secuity_center_logo.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\icon_warning.gif
C:\WINDOWS\system32\drivers\close_icon.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\header_bg.gif
C:\WINDOWS\system32\drivers\alert_icon.gif
C:\WINDOWS\system32\hrum167.txt
C:\WINDOWS\SYSTEM32\dacca.tmp
C:\WINDOWS\SYSTEM32\wybeg.tmp
C:\WINDOWS\SYSTEM32\wybeg.tmp2
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\Abba\STARTM~1\Programs\Startup.\system.exe
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup.\autorun.exe
C:\DOCUME~1\AVIFUS~1\APPLIC~1\WinAntiSpyware 2007
C:\DOCUME~1\AVIFUS~1\APPLIC~1\WinAntiSpyware 2007 Free
C:\DOCUME~1\AVIFUS~1\APPLIC~1\WinAntiSpyware 2007 Free\DownloadUWAS7.url
C:\DOCUME~1\AVIFUS~1\APPLIC~1\WinAntiSpyware 2007\Logs\update.log
C:\Program Files\BHO
C:\Program Files\BHO\bho.dat
C:\Program Files\BHO\er.dat
C:\Program Files\BHO\plugin.dll
C:\Program Files\BHO\plugin1.dll
C:\Program Files\BHO\uninstall.exe
C:\Program Files\Magicantispy
C:\Program Files\Magicantispy\Magicantispy.exe
C:\Program Files\Magicantispy\Magicantispy.lic
C:\Program Files\Magicantispy\Magicantispy0.dll
C:\Program Files\Magicantispy\Magicantispy0.my
C:\Program Files\Magicantispy\Magicantispy1.dll
C:\Program Files\Magicantispy\Magicantispy1.my
C:\Program Files\Magicantispy\Magicantispy3.dll
C:\Program Files\Magicantispy\Uninstall.exe
C:\Program Files\SmileyDistrict
C:\Program Files\SmileyDistrict\bf.dat
C:\Program Files\SmileyDistrict\bm.dat
C:\Program Files\SmileyDistrict\insmile.dll
C:\Program Files\SmileyDistrict\OSmile.dll
C:\Program Files\SmileyDistrict\plugin.dll
C:\Program Files\SmileyDistrict\plugin.exe
C:\Program Files\SmileyDistrict\SDHelp.url
C:\Program Files\SmileyDistrict\SDistr.url
C:\Program Files\SmileyDistrict\serv.dat
C:\Program Files\SmileyDistrict\uninstall.exe
C:\Program Files\SmileyDistrict\ver.dat
C:\Program Files\SmileyDistrict\WrdSmile.dll
C:\Temp
C:\WINDOWS\qsxbj0578.exe
C:\WINDOWS\SYSTEM32\A1
C:\WINDOWS\system32\A1\kmhp83122.exe
C:\WINDOWS\SYSTEM32\A1\kmhp83122.exe
C:\WINDOWS\SYSTEM32\dacca.tmp
C:\WINDOWS\system32\drivers\alert_icon.gif
C:\WINDOWS\SYSTEM32\DRIVERS\Awf59.sys
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\close_icon.gif
C:\WINDOWS\system32\drivers\core.cache(10).dsk
C:\WINDOWS\system32\drivers\core.cache(11).dsk
C:\WINDOWS\system32\drivers\core.cache(12).dsk
C:\WINDOWS\system32\drivers\core.cache(13).dsk
C:\WINDOWS\system32\drivers\core.cache(14).dsk
C:\WINDOWS\system32\drivers\core.cache(2).dsk
C:\WINDOWS\system32\drivers\core.cache(3).dsk
C:\WINDOWS\system32\drivers\core.cache(4).dsk
C:\WINDOWS\system32\drivers\core.cache(5).dsk
C:\WINDOWS\system32\drivers\core.cache(6).dsk
C:\WINDOWS\system32\drivers\core.cache(7).dsk
C:\WINDOWS\system32\drivers\core.cache(8).dsk
C:\WINDOWS\system32\drivers\core.cache(9).dsk
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_bg.gif
C:\WINDOWS\system32\drivers\icon_warning.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\remove_spyware_button.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\secuity_center_logo.gif
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\SYSTEM32\drvjok.dll
C:\WINDOWS\SYSTEM32\f02WtR
C:\WINDOWS\system32\f02WtR\f02WtR1065.exe
C:\WINDOWS\SYSTEM32\f02WtR\f02WtR1065.exe
C:\WINDOWS\SYSTEM32\f06WtR
C:\WINDOWS\system32\f06WtR\f06WtR1083.exe
C:\WINDOWS\SYSTEM32\f06WtR\f06WtR1083.exe
C:\WINDOWS\system32\hrum167.txt
C:\WINDOWS\SYSTEM32\kespeulb.exe
C:\WINDOWS\SYSTEM32\ldcore(3).dll
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\SYSTEM32\rxaavqhh.exe
C:\WINDOWS\SYSTEM32\skna455101.exe
C:\WINDOWS\SYSTEM32\slwkynpj.exe
C:\WINDOWS\SYSTEM32\user10.exe
C:\WINDOWS\SYSTEM32\vtr167.dll
C:\WINDOWS\SYSTEM32\waverevenue.exe
C:\WINDOWS\system32\WinAvXX.exe
C:\WINDOWS\SYSTEM32\wybeg.tmp
C:\WINDOWS\SYSTEM32\wybeg.tmp2
C:\WINDOWS\SYSTEM32\Z1
C:\WINDOWS\SYSTEM32\Z2
C:\WINDOWS\SYSTEM32\Z2\x55.exe
C:\WINDOWS\system32\Z2\x55.exe
((((((((((((((((((((((((( Files Created from 2007-07-12 to 2007-08-12 )))))))))))))))))))))))))))))))
2007-08-10 14:17 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-09 13:59 <DIR> d---s---- C:\DOCUME~1\Tali\UserData
2007-08-09 13:56 <DIR> d-------- C:\DOCUME~1\Tali\APPLIC~1\Google
2007-08-09 13:53 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Google
2007-08-08 22:00 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-08-08 21:07 <DIR> d---s---- C:\DOCUME~1\Ima\UserData
2007-08-08 21:07 <DIR> d-------- C:\VundoFix Backups
2007-08-08 21:07 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-08 21:07 <DIR> d-------- C:\Program Files\Dell Support
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Xerox
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Symantec
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Sonic
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Real
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Nikon
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Jasc Software Inc
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Gtek
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Google
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\F-Secure
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\AdobeUM
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Gtek
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\Gtek
2007-08-08 20:40 <DIR> d-------- C:\DOCUME~1\Abba\APPLIC~1\Apple Computer
2007-08-08 16:49 <DIR> d-------- C:\Program Files\Lavasoft(2)
2007-08-08 16:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-08 16:35 <DIR> d-------- C:\DOCUME~1\Guest\UserData
2007-08-08 16:31 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Lavasoft
2007-08-08 15:43 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-08-08 15:43 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
2007-08-08 15:39 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\GTek(2)
2007-08-07 22:02 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-07 20:11 <DIR> d-------- C:\Program Files\DellSupport
2007-08-07 14:58 192,582 --a------ C:\WINDOWS\SYSTEM32\swinmmdt.exe
2007-08-07 14:58 <DIR> d-------- C:\DOCUME~1\AVIFUS~1\APPLIC~1\?ystem
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-08 21:06 --------- d-------- C:\DOCUME~1\Abba\APPLIC~1\Gtek
2007-07-01 22:31 --------- d-------- C:\Program Files\Winamp
2007-05-16 11:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 11:12 85504 --------- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 11:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 11:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 13:16]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-25 23:35]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 21:12]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 21:15]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 02:04]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-05 21:50]
"XeroxScannerDaemon"="C:\Program Files\Xerox\NWWia\XrxFTPLt.exe" [2001-08-17 22:37]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"DVDTray"="C:\Program Files\HP DVD\Umbrella\DVDTray.exe" [2003-07-23 13:42]
"DVDBitSet"="C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" [2003-12-18 17:37]
"mmtask"="C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe" [2005-03-15 08:58]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" [2005-05-18 14:49]
"DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [2005-05-19 13:55]
"F-Secure Manager"="C:\Program Files\F-Secure Internet Security\Common\FSM32.exe" [2005-06-02 18:37]
"F-Secure TNB"="C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" [2005-07-18 10:51]
"F-Secure Startup Wizard"="C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.exe" [2005-08-23 09:38]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-23 17:40]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 16:45]
"HostManager"="C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe" [2006-04-20 13:10]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 12:59]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 11:38]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SRUUninstall"="C:\WINDOWS\system32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress
C:\Documents and Settings\Abba\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 10:00:00]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 10:00:00]
F-Secure Anti-Virus 2006.lnk - C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe [2005-12-14 20:42:44]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52]
Scan Button.lnk - C:\SCANNER\EXE32\DETECTON.EXE [2004-07-29 23:31:57]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\hrum167.txt
R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys
R0 iaStor;Intel AHCI Controller;C:\WINDOWS\system32\drivers\iaStor.sys
R2 BackWeb Plug-in - 4476822;F-Secure Anti-Virus 2006;C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
R2 DgivEcp;Team MFP Comm Driver;C:\WINDOWS\system32\Drivers\DgivEcp.Sys
R2 F-Secure Filter;F-Secure File System Filter;\??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSgk.sys
R2 F-Secure Recognizer;F-Secure File System Recognizer;\??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys
R3 IntelC51;IntelC51;C:\WINDOWS\system32\DRIVERS\IntelC51.sys
R3 IntelC52;IntelC52;C:\WINDOWS\system32\DRIVERS\IntelC52.sys
R3 IntelC53;IntelC53;C:\WINDOWS\system32\DRIVERS\IntelC53.sys
R3 mohfilt;mohfilt;C:\WINDOWS\system32\DRIVERS\mohfilt.sys
R3 StillCam;Still Serial Digital Camera Driver;C:\WINDOWS\system32\DRIVERS\serscan.sys
S3 hpusbwdm;HP DVD Movie Writer dc3000/dc4000;C:\WINDOWS\system32\DRIVERS\hpusbwdm.sys
S3 Jukebox;Jukebox;C:\WINDOWS\system32\DRIVERS\ctpdusb2.sys
Contents of the 'Scheduled Tasks' folder
2007-08-12 02:24:04 C:\WINDOWS\Tasks\Scheduled scanning task.job
2004-12-24 18:42:14 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-11 23:01:24
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-11 23:03:39 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-11 23:03
C:\ComboFix2.txt ... 2007-08-10 14:45
--- E O F ---
orange450
2007-08-12, 06:19
I didn't recognize the folder
C:\DOCUME~1\ADMINI~1\WINDOWS
And here is the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 11:14:33 PM, on 8/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\internet explorer\iexplore.exe
c:\program files\aol\aol toolbar 3.1\aoltbhelper.exe
C:\Documents and Settings\Abba\Desktop\scanner.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [XeroxScannerDaemon] C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: F-Secure Anti-Virus 2006.lnk = C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Scan Button.lnk = C:\SCANNER\EXE32\DETECTON.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {AF087E66-838E-4A97-8A0B-0DDDA5DEA239} (OTAutoInstall Class) - http://trials1.endeavors.com/autodesk/acad2006/clientdownloads/OTAI.CAB
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pc.mywebexpc.com/client/v_mywebex-aa/ra/ieatgpc.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/TrueInstall.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum167.txt
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: F-Secure Anti-Virus 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
orange450
2007-08-12, 06:29
Hi Shaba, my Control Panel is back. Under Change/Remove Programs, I can see the entry for MagicantiSpy. Should I try to remove it? Right now I'm afraid to try anything unless you tell me to! Thank you so much for all your help. The computer seems much calmer now.
orange450
2007-08-12, 06:38
Shaba, it looks like I spoke too soon. I logged onto the account where I caused the problems, and the control panel capability is gone, and I get that error message about the capability being restricted and to contact the system administrator. Then I logged back onto the account from which I was doing the fixes, and from where I could see Control Panel a few minutes ago, and now it's gone from that account too.
I'm still getting some Windows pop-ups about the computer being infected, and asking to download software, but the browser pop-ups seem to have stopped.
Hi
Some baddies gone, but not clean yet.
I already warned you that this cleaning process will take time, because your computer was, in my papers, a candidate for formatting (= in very bad shape).
"Does it matter which account I run these fixes from?"
You should run it from an account that has admin rights; otherwise it doesn't matter.
"Under Change/Remove Programs, I can see the entry for MagicantiSpy. Should I try to remove it?"
No, it's not possible any more, as we removed the folder manually. However, we can later remove the corresponding entry from the add/remove list.
Open HijackThis, click "Do a system scan only" and checkmark this:
O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum167.txt
Close all windows including browser and press fix checked.
Reboot.
Delete these:
C:\WINDOWS\SYSTEM32\swinmmdt.exe
C:\Documents and settings\AVIFUS~1\application data\?ystem (should look like "system").
C:\Documents and settings\Administrator\WINDOWS
Empty Recycle Bin
Re-run combofix
Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.exe
Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan a large number of files on your computer for known patterns, so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.
Post:
- a fresh HijackThis log
- combofix report
- smitfraudfix report
orange450
2007-08-12, 16:50
Hi Shaba, here is the message I got when I tried to delete the hrum167.txt entry from HijackThis. It's the same error I got the last time I tried to remove it. I haven't continued with the rest of your instructions. Should I?
Thanks again.
An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum167.txt)
Error #5 - Invalid procedure call or argument
Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible
Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1
This message has been copied to your clipboard.
Click OK to continue the rest of the scan.
Hi
Yes, you should.
If that entry is still there, we'll remove it by other means.
orange450
2007-08-12, 17:31
Hi Shaba, when I tried to delete the file:
C:\Documents and settings\AVIFUS~1\application data\system
I got an error message that "access is denied", can't delete attrib.exe.
The others deleted OK.
Here is the RAPPORT.TXT log
SmitFraudFix v2.211
Scan done at 10:25:11.60, Sun 08/12/2007
Run from C:\Documents and Settings\Avi Fuss\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\DOCUME~1\AVIFUS~1\APPLIC~1\YSTEM~1\attrib.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
hosts file corrupted !
192.168.200.3 download.microsoft.com
192.168.200.3 downloads.microsoft.com
192.168.200.3 go.microsoft.com
192.168.200.3 microsoft.com
192.168.200.3 msdn.microsoft.com
192.168.200.3 office.microsoft.com
192.168.200.3 support.microsoft.com
192.168.200.3 windowsupdate.microsoft.com
192.168.200.3 www.microsoft.com
192.168.200.3 pandasoftware.com
192.168.200.3 www.pandasoftware.com
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Avi Fuss
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Avi Fuss\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\AVIFUS~1\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\MSN\\profsywu.html"
"SubscribedURL"=""
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\hrum167.txt"
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
DNS Server Search Order: 24.29.103.10
DNS Server Search Order: 24.29.103.11
HKLM\SYSTEM\CCS\Services\Tcpip\..\{AEFDE037-0E69-40ED-9F9F-ACF44846B505}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS1\Services\Tcpip\..\{AEFDE037-0E69-40ED-9F9F-ACF44846B505}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS2\Services\Tcpip\..\{E0D82734-0FAF-43E9-AE26-F60462A51856}: DhcpNameServer=163.244.194.254 163.244.212.254 163.244.252.244
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.29.103.10 24.29.103.11
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
orange450
2007-08-12, 17:32
Here is the ComboFix log:
ComboFix 07-08-09.3 - "Avi Fuss" 2007-08-12 10:17:25.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.124 [GMT -4:00]
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup.\autorun.exe
C:\DOCUME~1\AVIFUS~1\APPLIC~1.\ystem~1
C:\DOCUME~1\AVIFUS~1\APPLIC~1.\ystem~1\?ystem\
C:\DOCUME~1\AVIFUS~1\APPLIC~1.\ystem~1\attrib.exe
C:\DOCUME~1\AVIFUS~1\Desktop.\Find Spyware Remover.lnk
C:\DOCUME~1\AVIFUS~1\Desktop.\Free Online Dating.lnk
C:\DOCUME~1\AVIFUS~1\Desktop.\Go to Casino.lnk
C:\DOCUME~1\AVIFUS~1\Desktop\Download WinAntiSpyware 2007 Free.lnk
C:\DOCUME~1\AVIFUS~1\STARTM~1\Programs.\Outerinfo
C:\DOCUME~1\AVIFUS~1\STARTM~1\Programs.\Outerinfo\Terms.lnk
C:\DOCUME~1\AVIFUS~1\STARTM~1\Programs.\Outerinfo\Uninstall.lnk
C:\DOCUME~1\AVIFUS~1\STARTM~1\Programs\Startup.\system.exe
C:\Program Files\MSN\profsywu.html
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\WinAvXX.exe
((((((((((((((((((((((((( Files Created from 2007-07-12 to 2007-08-12 )))))))))))))))))))))))))))))))
2007-08-10 14:17 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-09 13:59 <DIR> d---s---- C:\DOCUME~1\Tali\UserData
2007-08-09 13:56 <DIR> d-------- C:\DOCUME~1\Tali\APPLIC~1\Google
2007-08-09 13:53 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Google
2007-08-08 21:07 <DIR> d---s---- C:\DOCUME~1\Ima\UserData
2007-08-08 21:07 <DIR> d-------- C:\VundoFix Backups
2007-08-08 21:07 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-08 21:07 <DIR> d-------- C:\Program Files\Dell Support
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Xerox
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Symantec
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Sonic
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Real
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Nikon
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Jasc Software Inc
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Gtek
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Google
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\F-Secure
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\AdobeUM
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Gtek
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\Gtek
2007-08-08 20:40 <DIR> d-------- C:\DOCUME~1\Abba\APPLIC~1\Apple Computer
2007-08-08 16:49 <DIR> d-------- C:\Program Files\Lavasoft(2)
2007-08-08 16:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-08 16:35 <DIR> d-------- C:\DOCUME~1\Guest\UserData
2007-08-08 16:31 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Lavasoft
2007-08-08 15:43 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-08-08 15:43 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
2007-08-08 15:39 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\GTek(2)
2007-08-07 22:02 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-07 20:11 <DIR> d-------- C:\Program Files\DellSupport
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-08 21:07 --------- d-------- C:\DOCUME~1\AVIFUS~1\APPLIC~1\Lavasoft
2007-08-08 21:06 --------- d--h----- C:\DOCUME~1\AVIFUS~1\APPLIC~1\GTek
2007-08-07 14:04 --------- d-------- C:\DOCUME~1\AVIFUS~1\APPLIC~1\BitTorrent
2007-07-09 11:33 --------- d-------- C:\DOCUME~1\AVIFUS~1\APPLIC~1\AdobeUM
2007-07-01 22:31 --------- d-------- C:\Program Files\Winamp
2007-05-16 11:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 11:12 85504 --------- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 11:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 11:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 13:16]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-25 23:35]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 21:12]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 21:15]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 02:04]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-05 21:50]
"XeroxScannerDaemon"="C:\Program Files\Xerox\NWWia\XrxFTPLt.exe" [2001-08-17 22:37]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"DVDTray"="C:\Program Files\HP DVD\Umbrella\DVDTray.exe" [2003-07-23 13:42]
"DVDBitSet"="C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" [2003-12-18 17:37]
"mmtask"="C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe" [2005-03-15 08:58]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" [2005-05-18 14:49]
"DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [2005-05-19 13:55]
"F-Secure Manager"="C:\Program Files\F-Secure Internet Security\Common\FSM32.exe" [2005-06-02 18:37]
"F-Secure TNB"="C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" [2005-07-18 10:51]
"F-Secure Startup Wizard"="C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.exe" [2005-08-23 09:38]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-23 17:40]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 16:45]
"HostManager"="C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe" [2006-04-20 13:10]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 12:59]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 13:00]
"RecordNow!"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"RealPlayer"="C:\Program Files\Real\RealPlayer\realplay.exe" [2006-05-30 22:07]
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [2006-04-20 13:10]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2006-09-29 22:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 11:38]
"Vaarr"="C:\Program Files\Common Files\?ssembly\?pool32.exe" []
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SRUUninstall"="C:\WINDOWS\system32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress
C:\Documents and Settings\Avi Fuss\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 10:00:00]
Microsoft Office OneNote 2007 (Beta) Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE12\ONENOTEM.EXE [2006-04-25 22:06:06]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 10:00:00]
F-Secure Anti-Virus 2006.lnk - C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe [2005-12-14 20:42:44]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52]
Scan Button.lnk - C:\SCANNER\EXE32\DETECTON.EXE [2004-07-29 23:31:57]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\MSN\profsywu.html
FriendlyName=
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\hrum167.txt
R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys
R0 iaStor;Intel AHCI Controller;C:\WINDOWS\system32\drivers\iaStor.sys
R2 BackWeb Plug-in - 4476822;F-Secure Anti-Virus 2006;C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
R2 DgivEcp;Team MFP Comm Driver;C:\WINDOWS\system32\Drivers\DgivEcp.Sys
R2 F-Secure Filter;F-Secure File System Filter;\??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSgk.sys
R2 F-Secure Recognizer;F-Secure File System Recognizer;\??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys
R3 IntelC51;IntelC51;C:\WINDOWS\system32\DRIVERS\IntelC51.sys
R3 IntelC52;IntelC52;C:\WINDOWS\system32\DRIVERS\IntelC52.sys
R3 IntelC53;IntelC53;C:\WINDOWS\system32\DRIVERS\IntelC53.sys
R3 mohfilt;mohfilt;C:\WINDOWS\system32\DRIVERS\mohfilt.sys
R3 StillCam;Still Serial Digital Camera Driver;C:\WINDOWS\system32\DRIVERS\serscan.sys
S3 hpusbwdm;HP DVD Movie Writer dc3000/dc4000;C:\WINDOWS\system32\DRIVERS\hpusbwdm.sys
S3 Jukebox;Jukebox;C:\WINDOWS\system32\DRIVERS\ctpdusb2.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00c6bd32-af1c-11db-9fbe-0011112826b8}]
AutoRun\command- G:\CA_Install.exe
Contents of the 'Scheduled Tasks' folder
2007-08-12 02:24:04 C:\WINDOWS\Tasks\Scheduled scanning task.job
2004-12-24 18:42:14 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-12 10:21:27
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-12 10:23:08
C:\ComboFix-quarantined-files.txt ... 2007-08-12 10:22
C:\ComboFix2.txt ... 2007-08-11 23:03
C:\ComboFix3.txt ... 2007-08-10 14:45
--- E O F ---
orange450
2007-08-12, 17:35
And here is the HiJack This log:
Logfile of HijackThis v1.99.1
Scan saved at 10:33:24 AM, on 8/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\DOCUME~1\AVIFUS~1\APPLIC~1\YSTEM~1\attrib.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Avi Fuss\Desktop\scanner.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [XeroxScannerDaemon] C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Vaarr] "C:\Program Files\Common Files\?ssembly\?pool32.exe"
O4 - Startup: Microsoft Office OneNote 2007 (Beta) Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE12\ONENOTEM.EXE
O4 - Global Startup: F-Secure Anti-Virus 2006.lnk = C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Scan Button.lnk = C:\SCANNER\EXE32\DETECTON.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {AF087E66-838E-4A97-8A0B-0DDDA5DEA239} (OTAutoInstall Class) - http://trials1.endeavors.com/autodesk/acad2006/clientdownloads/OTAI.CAB
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pc.mywebexpc.com/client/v_mywebex-aa/ra/ieatgpc.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/TrueInstall.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum167.txt
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: F-Secure Anti-Virus 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Hi
"C:Documents and settings|AVIFUS~1\application data\system
I got an error message that "access is denied" can't delete attrib.exe
The others deleted OK."
Combofix deleted it:
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup.\autorun.exe
C:\DOCUME~1\AVIFUS~1\APPLIC~1.\ystem~1
C:\DOCUME~1\AVIFUS~1\APPLIC~1.\ystem~1\?ystem\
C:\DOCUME~1\AVIFUS~1\APPLIC~1.\ystem~1\attrib.exe
It looks like some of the already deleted stuff is back; that's why you should keep the computer offline as much as possible (unplug the network cable) or we won't get this cleaned.
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\system32\hrum167.txt
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Vaarr"=-
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=-
Save this as "CFScript"
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
______________________________
Reboot your computer in Safe Mode.
If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.
______________________________
Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.
Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.
Clean out your Temporary Internet files. Proceed like this:
Quit Internet Explorer, all browsers and quit any instances of Windows Explorer.
For Internet Explorer 7
Click Start, click Control Panel, and then double-click Internet Options.
On the General tab, click Delete... under Browsing History.
Next to Temporary Internet Files, click Delete files, and then click OK.
Next to Cookies, click Delete cookies, and then click OK.
Next to History, click Delete history, and then click OK.
Click the Close button.
Click OK.
For Internet Explorer 4.x - 6.x
Click Start, click Control Panel, and then double-click Internet Options.
On the General tab, click Delete Files under Temporary Internet Files.
In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
Click OK.
For Netscape 4.x and Up
Click Edit from the Netscape menubar.
Click Preferences... from the Edit menu.
Expand the Advanced menu by clicking the triangle sign.
Click Cache.
Click both the Clear Memory Cache and the Clear Disk Cache buttons.
For Mozilla 1.x and Up
Click Edit from the Mozilla menubar.
Click Preferences... from the Edit menu.
Expand the Advanced menu by clicking the plus sign.
Click Cache.
Click the Clear Cache button.
For Opera
Click File from the Opera menubar.
Click Preferences... from the File menu.
Click the History and Cache menu.
Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
Click Ok to close the Preferences menu.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.
Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Unselect Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
______________________________
Please post:
combofix report
AVG Anti-Spyware log
A new HijackThis log
You may need several replies to post the requested logs, otherwise they might get cut off.
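Added example (not code from the thread, HijackThis or ComboFix): a small Python triage of HijackThis-style log lines that applies the cues Shaba acted on above, and a renderer for the CFScript layout used in this thread. The embedded log lines are a constructed sample modelled on the entries above; the `win83` Run entry and all function names are assumptions for illustration.

```python
"""Triage of HijackThis-style log lines, using the cues acted on in the thread:
an AppInit_DLLs value that is not a .dll, a Run entry whose path shows
substituted characters ('?' is how HijackThis renders non-ASCII names), a
Run entry launching from a Temp directory, and an O23 service whose binary
is reported missing. Added example; not HijackThis, ComboFix or thread code."""
import re

# Constructed sample modelled on entries in the log above (not the full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKCU\..\Run: [Vaarr] "C:\Program Files\Common Files\?ssembly\?pool32.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [win83] C:\WINDOWS\TEMP\win83.tmp.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum167.txt
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# "O4 - ..." / "R1 - ..." entry prefix, then the rest of the line.
ENTRY_RE = re.compile(r'^([OR]\d+) - (.*)$')
# First Windows path, quoted or not, up to a recognised file extension.
PATH_RE = re.compile(r'"?([A-Za-z]:\\.*?\.(?:exe|dll|txt|sys|scr|com))\b',
                     re.IGNORECASE)
# Directories a legitimate autostart should not launch from.
TEMP_MARKERS = ('\\temp\\', '\\temporary internet files\\')


def parse_line(line):
    """Split an entry into (section, rest); None for headers and blank lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def first_path(text):
    """Return the first file path in an entry, or None if it has none."""
    m = PATH_RE.search(text)
    return m.group(1) if m else None


def triage(log_text):
    """Return (section, reason, path) findings for lines that match a cue."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        section, rest = parsed
        path = first_path(rest)
        if path is None:
            continue
        low = path.lower()
        if section == 'O20' and rest.lower().startswith('appinit_dlls:'):
            # AppInit_DLLs is loaded into every process that loads user32.dll;
            # a .txt name there is a disguise, as with hrum167.txt above.
            if not low.endswith('.dll'):
                findings.append((section, 'AppInit_DLLs points at a non-.dll file', path))
        elif section == 'O4':
            if '?' in path or any(ord(c) > 127 for c in path):
                findings.append((section, 'Run entry path has substituted/non-ASCII characters', path))
            elif any(marker in low for marker in TEMP_MARKERS):
                findings.append((section, 'Run entry launches from a Temp directory', path))
        elif section == 'O23' and rest.rstrip().endswith('(file missing)'):
            findings.append((section, 'service binary is missing (stale or removed entry)', path))
    return findings


def build_cfscript(files, registry_values):
    """Render a CFScript in the layout the thread uses: a File:: block of paths
    to delete, then a Registry:: block where NAME=- removes that value.
    registry_values is a list of (key, [value names as written, quotes included])."""
    lines = ['File::', *files, '', 'Registry::']
    for key, names in registry_values:
        lines.append('[%s]' % key)
        lines.extend('%s=-' % name for name in names)
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    for section, reason, path in triage(SAMPLE_LOG):
        print('%-4s %-55s %s' % (section, reason, path))
    print(build_cfscript(
        [r'C:\WINDOWS\system32\hrum167.txt'],
        [(r'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', ['"Vaarr"'])]))
```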
orange450
2007-08-12, 18:16
Shaba, I have to leave for the day, and since these instructions will take time to do, I will leave the computer off-line, and do them when I get back later. I don't want to leave you wondering if I've disappeared - I'm still here, and thank you so much for all your amazing help so far!
Hi
Thanks for letting me know :)
orange450
2007-08-13, 08:10
Hi Shaba, here is the new ComboFix log. I think that when the AVG scan was running, I'm pretty sure I noticed it scanning the hrum167.txt file in the system32 directory.
ComboFix 07-08-09.3 - "Avi Fuss" 2007-08-12 23:36:43.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.129 [GMT -4:00]
Command switches used :: C:\Documents and Settings\Avi Fuss\Desktop\CFScript.txt
* Created a new restore point
FILE::
C:\WINDOWS\system32\hrum167.txt
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\hrum167.txt
((((((((((((((((((((((((( Files Created from 2007-07-13 to 2007-08-13 )))))))))))))))))))))))))))))))
2007-08-12 10:25 4,522 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-08-12 10:24 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2007-08-12 10:24 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-08-12 10:24 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-08-10 14:17 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-09 13:59 <DIR> d---s---- C:\DOCUME~1\Tali\UserData
2007-08-09 13:56 <DIR> d-------- C:\DOCUME~1\Tali\APPLIC~1\Google
2007-08-09 13:53 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Google
2007-08-08 21:07 <DIR> d---s---- C:\DOCUME~1\Ima\UserData
2007-08-08 21:07 <DIR> d-------- C:\VundoFix Backups
2007-08-08 21:07 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-08 21:07 <DIR> d-------- C:\Program Files\Dell Support
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Xerox
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Symantec
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Sonic
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Real
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Nikon
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Jasc Software Inc
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Gtek
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Google
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\F-Secure
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\AdobeUM
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Gtek
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\Gtek
2007-08-08 20:40 <DIR> d-------- C:\DOCUME~1\Abba\APPLIC~1\Apple Computer
2007-08-08 16:49 <DIR> d-------- C:\Program Files\Lavasoft(2)
2007-08-08 16:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-08 16:35 <DIR> d-------- C:\DOCUME~1\Guest\UserData
2007-08-08 16:31 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Lavasoft
2007-08-08 15:43 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-08-08 15:43 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
2007-08-08 15:39 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\GTek(2)
2007-08-07 22:02 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-07 20:11 <DIR> d-------- C:\Program Files\DellSupport
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-12 17:07 --------- d-------- C:\DOCUME~1\AVIFUS~1\APPLIC~1\BitTorrent
2007-08-08 21:07 --------- d-------- C:\DOCUME~1\AVIFUS~1\APPLIC~1\Lavasoft
2007-08-08 21:06 --------- d--h----- C:\DOCUME~1\AVIFUS~1\APPLIC~1\GTek
2007-07-09 11:33 --------- d-------- C:\DOCUME~1\AVIFUS~1\APPLIC~1\AdobeUM
2007-07-01 22:31 --------- d-------- C:\Program Files\Winamp
2007-05-16 11:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 11:12 85504 --------- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 11:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 11:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 13:16]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-25 23:35]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 21:12]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 21:15]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 02:04]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-05 21:50]
"XeroxScannerDaemon"="C:\Program Files\Xerox\NWWia\XrxFTPLt.exe" [2001-08-17 22:37]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"DVDTray"="C:\Program Files\HP DVD\Umbrella\DVDTray.exe" [2003-07-23 13:42]
"DVDBitSet"="C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" [2003-12-18 17:37]
"mmtask"="C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe" [2005-03-15 08:58]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" [2005-05-18 14:49]
"DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [2005-05-19 13:55]
"F-Secure Manager"="C:\Program Files\F-Secure Internet Security\Common\FSM32.exe" [2005-06-02 18:37]
"F-Secure TNB"="C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" [2005-07-18 10:51]
"F-Secure Startup Wizard"="C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.exe" [2005-08-23 09:38]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-23 17:40]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 16:45]
"HostManager"="C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe" [2006-04-20 13:10]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 12:59]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 13:00]
"RecordNow!"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"RealPlayer"="C:\Program Files\Real\RealPlayer\realplay.exe" [2006-05-30 22:07]
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [2006-04-20 13:10]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2006-09-29 22:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 11:38]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SRUUninstall"="C:\WINDOWS\system32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress
C:\Documents and Settings\Avi Fuss\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 10:00:00]
Microsoft Office OneNote 2007 (Beta) Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE12\ONENOTEM.EXE [2006-04-25 22:06:06]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 10:00:00]
F-Secure Anti-Virus 2006.lnk - C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe [2005-12-14 20:42:44]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52]
Scan Button.lnk - C:\SCANNER\EXE32\DETECTON.EXE [2004-07-29 23:31:57]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\MSN\profsywu.html
FriendlyName=
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\hrum167.txt
R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys
R0 iaStor;Intel AHCI Controller;C:\WINDOWS\system32\drivers\iaStor.sys
R2 BackWeb Plug-in - 4476822;F-Secure Anti-Virus 2006;C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
R2 DgivEcp;Team MFP Comm Driver;C:\WINDOWS\system32\Drivers\DgivEcp.Sys
R2 F-Secure Filter;F-Secure File System Filter;\??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSgk.sys
R2 F-Secure Recognizer;F-Secure File System Recognizer;\??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys
R3 IntelC51;IntelC51;C:\WINDOWS\system32\DRIVERS\IntelC51.sys
R3 IntelC52;IntelC52;C:\WINDOWS\system32\DRIVERS\IntelC52.sys
R3 IntelC53;IntelC53;C:\WINDOWS\system32\DRIVERS\IntelC53.sys
R3 mohfilt;mohfilt;C:\WINDOWS\system32\DRIVERS\mohfilt.sys
R3 StillCam;Still Serial Digital Camera Driver;C:\WINDOWS\system32\DRIVERS\serscan.sys
S3 hpusbwdm;HP DVD Movie Writer dc3000/dc4000;C:\WINDOWS\system32\DRIVERS\hpusbwdm.sys
S3 Jukebox;Jukebox;C:\WINDOWS\system32\DRIVERS\ctpdusb2.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00c6bd32-af1c-11db-9fbe-0011112826b8}]
AutoRun\command- G:\CA_Install.exe
Contents of the 'Scheduled Tasks' folder
2007-08-13 00:01:08 C:\WINDOWS\Tasks\Scheduled scanning task.job
2004-12-24 18:42:14 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-12 23:40:15
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-12 23:41:55
C:\ComboFix-quarantined-files.txt ... 2007-08-12 23:41
C:\ComboFix2.txt ... 2007-08-12 10:23
C:\ComboFix3.txt ... 2007-08-11 23:03
--- E O F ---
orange450
2007-08-13, 08:14
And here is the first part of the AVG scan. That took a very long time, and looked like it found a lot.
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 12:50:16 AM 8/13/2007
+ Scan result:
C:\QooBox\Quarantine\C\Program Files\BHO\plugin1.dll.vir -> Adware.Adsor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP940\A0066771.dll -> Adware.Adsor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP944\A0074585.dll -> Adware.Adsor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP947\A0080031.dll -> Adware.Adsor : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\win\bw72.exe.vir -> Adware.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP946\A0079711.exe -> Adware.Agent : Cleaned with backup (quarantined).
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\offun.exe.vir -> Adware.Bagon : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP940\A0066773.exe -> Adware.Bagon : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP944\A0074587.exe -> Adware.Bagon : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP946\A0079718.exe -> Adware.Bagon : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\Program Files\Magicantispy\Magicantispy0.dll.vir -> Adware.BraveSentry : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\Program Files\Magicantispy\Magicantispy1.dll.vir -> Adware.BraveSentry : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\Program Files\Magicantispy\Magicantispy3.dll.vir -> Adware.BraveSentry : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP947\A0080025.dll -> Adware.BraveSentry : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP947\A0080026.dll -> Adware.BraveSentry : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP947\A0080027.dll -> Adware.BraveSentry : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\Program Files\Magicantispy\Magicantispy0.my.vir -> Adware.DrAntispy : Cleaned with backup (quarantined).
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\5NIFDTFP\skna455101[1].exe -> Adware.TTC : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\Program Files\Internet Explorer\hokepocen455101.dll.vir -> Adware.TTC : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\Program Files\Internet Explorer\hokepocen83122.dll.vir -> Adware.TTC : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\A1\kmhp83122.exe.vir -> Adware.TTC : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\skna455101.exe.vir -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP940\A0066831.dll -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP940\A0066833.dll -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP940\A0066836.exe -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP944\A0074624.dll -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP944\A0074626.dll -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP944\A0074629.exe -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP946\A0079686.dll -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP946\A0079687.dll -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP947\A0080035.exe -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP947\A0080056.exe -> Adware.TTC : Cleaned with backup (quarantined).
C:\Documents and Settings\Tali\Local Settings\Temporary Internet Files\Content.IE5\A98FUPE5\ucleaner_setup[1].exe -> Adware.UltimateDefender : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\Program Files\ucleaner_setup.exe.vir -> Adware.UltimateDefender : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP944\A0077633.exe -> Adware.UltimateDefender : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP946\A0079648.exe -> Adware.UltimateDefender : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP940\A0066782.exe -> Adware.WinAD : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP944\A0074596.exe -> Adware.WinAD : Cleaned with backup (quarantined).
C:\WINDOWS\MediaGateway.exe -> Adware.WinAD : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\lcinstaller.exe -> Adware.WinAD : Cleaned with backup (quarantined).
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\IDSXMP0N\TISKY008[1].exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\TISKY009.exe.vir -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP940\A0066784.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP940\A0066785.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP944\A0074598.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP944\A0074599.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP944\A0076566.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP946\A0079726.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP947\A0080201.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\tk58.exe.vir -> Adware.ZQuest : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP946\A0079725.exe -> Adware.ZQuest : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\ip6fw.sys.vir -> Downloader.Agent.acl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP946\A0079681.sys -> Downloader.Agent.acl : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OT6N85YN\retadpu[1].exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\IDSXMP0N\retadpu[1].exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OR2JMBOX\retadpu[1].exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\retadpu1000106.exe.vir -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP940\A0066776.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP944\A0074590.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP946\A0079676.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP943\A0074042.exe -> Downloader.PurityScan : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1162OinAdmin.exe.vir -> Downloader.PurityScan.eg : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1281OinAdmin.exe.vir -> Downloader.PurityScan.eg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP940\A0066781.exe -> Downloader.PurityScan.eg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP944\A0074595.exe -> Downloader.PurityScan.eg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP944\A0076612.exe -> Downloader.PurityScan.eg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP946\A0079671.exe -> Downloader.PurityScan.eg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP946\A0079673.exe -> Downloader.PurityScan.eg : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\Program Files\Common Files\RACLE~1\ping.exe.vir -> Downloader.PurityScan.ej : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP946\A0079702.exe -> Downloader.PurityScan.ej : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\81EB01AJ\user9[1].exe -> Downloader.Small.dxm : Cleaned with backup (quarantined).
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OR2JMBOX\user10[2].exe -> Downloader.Small.dxm : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ldcore(3).dll.vir -> Downloader.Small.dxm : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ldcore.dll.vir -> Downloader.Small.dxm : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\user10.exe.vir -> Downloader.Small.dxm : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\qsxbj0578.exe.vir -> Downloader.Small.dxm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP944\A0075088.dll -> Downloader.Small.dxm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP946\A0079715.dll -> Downloader.Small.dxm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP947\A0080051.exe -> Downloader.Small.dxm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP947\A0080054.exe -> Downloader.Small.dxm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP947\A0080055.dll -> Downloader.Small.dxm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP943\A0074039.exe -> Downloader.Tiny.id : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP945\A0079617.exe -> Downloader.Tiny.id : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\wmvds32.dll.vir -> Downloader.VB.asx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP946\A0079717.dll -> Downloader.VB.asx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP944\A0076592.exe -> Downloader.Zlob.bqw : Cleaned with backup (quarantined).
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OR2JMBOX\install[2].exe -> Dropper.Agent.bfr : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/install.exe -> Dropper.Agent.bfr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP946\A0079856.exe -> Dropper.Agent.bfr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP946\A0079865.exe -> Dropper.Agent.bfr : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\Z2\x55.exe.vir -> Dropper.Agent.mu : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\dlgabrk.exe.vir -> Dropper.Agent.mu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP946\A0079682.exe -> Dropper.Agent.mu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP947\A0080033.exe -> Dropper.Agent.mu : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dnsersnd.dll.vir -> Hijacker.Small.cf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP940\A0066834.dll -> Hijacker.Small.cf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP944\A0074627.dll -> Hijacker.Small.cf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP946\A0079714.dll -> Hijacker.Small.cf : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\Program Files\BHO\uninstall.exe.vir -> Hijacker.Small.iz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP940\A0066772.exe -> Hijacker.Small.iz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP944\A0074586.exe -> Hijacker.Small.iz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP947\A0080032.exe -> Hijacker.Small.iz : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\Program Files\MSN\lavuj.dll.vir -> Hijacker.StartPage : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP940\A0066832.dll -> Hijacker.StartPage : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP944\A0074625.dll -> Hijacker.StartPage : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP946\A0079685.dll -> Hijacker.StartPage : Cleaned with backup (quarantined).
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\IDSXMP0N\ie_ban[1].exe -> Hijacker.VB.po : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ie_ban.exe.vir -> Hijacker.VB.po : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP940\A0066844.exe -> Hijacker.VB.po : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP944\A0074633.exe -> Hijacker.VB.po : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP946\A0079742.exe -> Hijacker.VB.po : Cleaned with backup (quarantined).
orange450
2007-08-13, 08:17
Second part of the AVG scan:
C:\Program Files\DIGStream\digstream.exe -> Not-A-Virus.Downloader.Win32.DigStream.a : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe.vir -> Not-A-Virus.Downloader.Win32.WinFixer.x : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP940\A0066779.exe -> Not-A-Virus.Downloader.Win32.WinFixer.x : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP944\A0074593.exe -> Not-A-Virus.Downloader.Win32.WinFixer.x : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP946\A0079705.exe -> Not-A-Virus.Downloader.Win32.WinFixer.x : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP940\A0066829.dll -> Proxy.Agent.df : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\catchme2007-08-10_144233.37.zip/core.sys -> Rootkit.Agent.eq : Cleaned with backup (quarantined).
:mozilla.13:C:\Documents and Settings\Avi Fuss\Application Data\Mozilla\Firefox\Profiles\e3516sfg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.14:C:\Documents and Settings\Avi Fuss\Application Data\Mozilla\Firefox\Profiles\e3516sfg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.224:C:\Documents and Settings\Avi Fuss\Application Data\Mozilla\Firefox\Profiles\e3516sfg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.92:C:\Documents and Settings\Avi Fuss\Application Data\Mozilla\Firefox\Profiles\e3516sfg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Abba\Cookies\abba@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Abba\Cookies\abba@buzznet.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Abba\Cookies\abba@cupolaventures.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@heavycom.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Tali\Cookies\tali@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Tali\Cookies\tali@cupolaventures.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Abba\Cookies\abba@aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Abba\Cookies\abba@arn.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@www.abcsearch[1].txt -> TrackingCookie.Abcsearch : Cleaned.
C:\Documents and Settings\Abba\Cookies\abba@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Abba\Cookies\abba@ads.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Abba\Cookies\abba@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\Tali\Cookies\tali@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned.
:mozilla.271:C:\Documents and Settings\Avi Fuss\Application Data\Mozilla\Firefox\Profiles\e3516sfg.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.272:C:\Documents and Settings\Avi Fuss\Application Data\Mozilla\Firefox\Profiles\e3516sfg.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\LocalService\Cookies\local service@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\LocalService\Cookies\local service@rotator.its.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\NetworkService\Cookies\system@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\NetworkService\Cookies\system@rotator.its.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.32:C:\Documents and Settings\Avi Fuss\Application Data\Mozilla\Firefox\Profiles\e3516sfg.default\cookies.txt -> TrackingCookie.Admarketplace : Cleaned.
C:\Documents and Settings\Abba\Cookies\abba@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Tali\Cookies\tali@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Abba\Cookies\abba@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.342:C:\Documents and Settings\Avi Fuss\Application Data\Mozilla\Firefox\Profiles\e3516sfg.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned.
:mozilla.77:C:\Documents and Settings\Avi Fuss\Application Data\Mozilla\Firefox\Profiles\e3516sfg.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Abba\Cookies\abba@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Tali\Cookies\tali@ads.cnn[1].txt -> TrackingCookie.Cnn : Cleaned.
:mozilla.96:C:\Documents and Settings\Avi Fuss\Application Data\Mozilla\Firefox\Profiles\e3516sfg.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.97:C:\Documents and Settings\Avi Fuss\Application Data\Mozilla\Firefox\Profiles\e3516sfg.default\cookies.txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Abba\Cookies\abba@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@connextra[1].txt -> TrackingCookie.Connextra : Cleaned.
C:\Documents and Settings\Abba\Cookies\abba@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Tali\Cookies\tali@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.117:C:\Documents and Settings\Avi Fuss\Application Data\Mozilla\Firefox\Profiles\e3516sfg.default\cookies.txt -> TrackingCookie.Dealtime : Cleaned.
:mozilla.118:C:\Documents and Settings\Avi Fuss\Application Data\Mozilla\Firefox\Profiles\e3516sfg.default\cookies.txt -> TrackingCookie.Dealtime : Cleaned.
:mozilla.119:C:\Documents and Settings\Avi Fuss\Application Data\Mozilla\Firefox\Profiles\e3516sfg.default\cookies.txt -> TrackingCookie.Dealtime : Cleaned.
:mozilla.120:C:\Documents and Settings\Avi Fuss\Application Data\Mozilla\Firefox\Profiles\e3516sfg.default\cookies.txt -> TrackingCookie.Dealtime : Cleaned.
C:\Documents and Settings\Abba\Cookies\abba@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Tali\Cookies\tali@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.130:C:\Documents and Settings\Avi Fuss\Application Data\Mozilla\Firefox\Profiles\e3516sfg.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.131:C:\Documents and Settings\Avi Fuss\Application Data\Mozilla\Firefox\Profiles\e3516sfg.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.132:C:\Documents and Settings\Avi Fuss\Application Data\Mozilla\Firefox\Profiles\e3516sfg.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.133:C:\Documents and Settings\Avi Fuss\Application Data\Mozilla\Firefox\Profiles\e3516sfg.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.134:C:\Documents and Settings\Avi Fuss\Application Data\Mozilla\Firefox\Profiles\e3516sfg.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Abba\Cookies\abba@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Tali\Cookies\tali@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned.
C:\Documents and Settings\Tali\Cookies\tali@goclick[2].txt -> TrackingCookie.Goclick : Cleaned.
C:\Documents and Settings\Abba\Cookies\abba@ehg-pcsecurityshield.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Abba\Cookies\abba@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.181:C:\Documents and Settings\Avi Fuss\Application Data\Mozilla\Firefox\Profiles\e3516sfg.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.182:C:\Documents and Settings\Avi Fuss\Application Data\Mozilla\Firefox\Profiles\e3516sfg.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.284:C:\Documents and Settings\Avi Fuss\Application Data\Mozilla\Firefox\Profiles\e3516sfg.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\LocalService\Cookies\local service@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
C:\Documents and Settings\Abba\Cookies\abba@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Tali\Cookies\tali@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Abba\Cookies\abba@search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Tali\Cookies\tali@search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Abba\Cookies\abba@overture[2].txt -> TrackingCookie.Overture : Cleaned.
:mozilla.389:C:\Documents and Settings\Avi Fuss\Application Data\Mozilla\Firefox\Profiles\e3516sfg.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.38:C:\Documents and Settings\Avi Fuss\Application Data\Mozilla\Firefox\Profiles\e3516sfg.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.39:C:\Documents and Settings\Avi Fuss\Application Data\Mozilla\Firefox\Profiles\e3516sfg.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.40:C:\Documents and Settings\Avi Fuss\Application Data\Mozilla\Firefox\Profiles\e3516sfg.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.41:C:\Documents and Settings\Avi Fuss\Application Data\Mozilla\Firefox\Profiles\e3516sfg.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Tali\Cookies\tali@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Tali\Cookies\tali@pro-market[1].txt -> TrackingCookie.Pro-market : Cleaned.
C:\Documents and Settings\Abba\Cookies\abba@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.266:C:\Documents and Settings\Avi Fuss\Application Data\Mozilla\Firefox\Profiles\e3516sfg.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.267:C:\Documents and Settings\Avi Fuss\Application Data\Mozilla\Firefox\Profiles\e3516sfg.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Abba\Cookies\abba@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Abba\Cookies\abba@www.safer-networking[2].txt -> TrackingCookie.Safer-networking : Cleaned.
C:\Documents and Settings\Tali\Cookies\tali@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Tali\Cookies\tali@specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Tali\Cookies\tali@h.starware[1].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\Abba\Cookies\abba@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Tali\Cookies\tali@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.302:C:\Documents and Settings\Avi Fuss\Application Data\Mozilla\Firefox\Profiles\e3516sfg.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.303:C:\Documents and Settings\Avi Fuss\Application Data\Mozilla\Firefox\Profiles\e3516sfg.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.307:C:\Documents and Settings\Avi Fuss\Application Data\Mozilla\Firefox\Profiles\e3516sfg.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.308:C:\Documents and Settings\Avi Fuss\Application Data\Mozilla\Firefox\Profiles\e3516sfg.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Abba\Cookies\abba@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Abba\Cookies\abba@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Abba\Cookies\abba@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Abba\Cookies\abba@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Tali\Cookies\tali@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\drvjok.dll.vir -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\winzzc32.dll.vir -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP940\A0066846.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP946\A0079696.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP947\A0080049.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\winzzc32(2).dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe.vir -> Trojan.Fakealert.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP946\A0079704.exe -> Trojan.Fakealert.fb : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\hlpsrv[1].exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hlpsrv.exe.vir -> Trojan.Small : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\wnsapiicomsv32.exe.vir -> Trojan.Small : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\rau001978.exe.vir -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP940\A0066835.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP940\A0066857.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP943\A0074031.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP944\A0074628.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP944\A0076610.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP944\A0077629.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP945\A0078636.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP945\A0079636.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP946\A0079664.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP946\A0079679.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP946\A0079719.exe -> Trojan.Small : Cleaned with backup (quarantined).
::Report end
orange450
2007-08-13, 08:20
And the HijackThis log. Thanks for all your help - this is so much work for you, and you make the instructions so clear. I really appreciate it!
Logfile of HijackThis v1.99.1
Scan saved at 12:56:32 AM, on 8/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\Avi Fuss\Desktop\scanner.exe
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [XeroxScannerDaemon] C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Microsoft Office OneNote 2007 (Beta) Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE12\ONENOTEM.EXE
O4 - Global Startup: F-Secure Anti-Virus 2006.lnk = C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Scan Button.lnk = C:\SCANNER\EXE32\DETECTON.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {AF087E66-838E-4A97-8A0B-0DDDA5DEA239} (OTAutoInstall Class) - http://trials1.endeavors.com/autodesk/acad2006/clientdownloads/OTAI.CAB
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pc.mywebexpc.com/client/v_mywebex-aa/ra/ieatgpc.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/TrueInstall.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum167.txt
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: F-Secure Anti-Virus 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Hi
That O20 entry is still there; let's see if it goes away now that the file should be gone. If not (or if the file is back), we need stronger tools.
Still problems with control panel?
Open HijackThis, click do a system scan only and checkmark this:
O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum167.txt
Close all windows including browser and press fix checked.
Reboot.
Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:
o Scan using the following Anti-Virus database:
+ Extended (If available otherwise Standard)
o Scan Options:
+ Scan Archives
+ Scan Mail Bases
Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset it to 100%.
Post:
- a fresh HijackThis log
- kaspersky report
orange450
2007-08-13, 18:34
Hi Shaba, yes I still have Control Panel problems. When I ran HiJack This, I got the following error message - same as before:
An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum167.txt)
Error #5 - Invalid procedure call or argument
Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible
Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1
This message has been copied to your clipboard.
Click OK to continue the rest of the scan.
When I click on the link to the Kaspersky scanner in your post, the internet connection times out, and I get a file not found internet error message. When I click on the link from the clean computer I'm using to communicate with you, then it comes up just fine and starts working like you described in your post. On the infected computer, I can get to the main Kaspersky web site from IE, it's the link in your post that times out.
Hi
Is that O20 entry still in the HijackThis log?
We'll try this instead of Kaspersky:
Please print these instructions out, or write them down, as you can't read them during the fix.
Please download MWav (http://www.spywareinfo.dk/download/mwav.exe):
Unzip it to its predetermined directory (C:\Kaspersky)
Locate kavupd.exe in the new folder and double-click to Update.
If your firewall gives any messages about this program accessing the internet, allow it.
If it says the signatures are more than 30 days old, keep trying, until you get the actual definition updates.
When you see Updates Downloaded Successfully, hit Enter to continue.
Restart onto Safe Mode (http://www.pchell.com/support/safemode.shtml) and locate the Kaspersky folder.
Locate mwavscan.com and double-click on it to launch the MWAV Scanner. Now let's do the settings:
Leave the Default Settings checked.
Add a check to Drives
This will light up All Drives
Add a check to Scan all Files
Click Scan Clean to begin.
This scan might take around 3+ hours to finish when set to scan everything.
Please be sure it has finished before proceeding.
Once the Scan has finished, all entries identified as Infected, will be displayed in the lower panel.
Highlight everything that is inside the lower panel and hit Ctrl+C at the same time to copy.
Open an empty notepad file and paste the results (Ctrl+V) into it. Save the notepad file to your desktop, naming it as you want (e.g. MWav Results). Reboot into normal Windows and post the results here along with a fresh HijackThis log.
orange450
2007-08-13, 20:46
Hi Shaba, yes the 020 is still there.
The MWav update process seemed to be successful - kavupd started and went through all the updates and I got an Updates Downloaded Successfully message, and I hit enter to continue. All seemed OK. But when I restarted in Safe Mode and clicked on mwavescan, I got an error message from eScan Antivirus Toolkit Utility: Virus Database is older than 30 days - recommend download latest toolkit from http://www.mwti.net - and there's an "OK" box to click. So I clicked, and then nothing happened.
I tried mwavescan a few times, kept getting the same message. I went back to regular Mode, and tried the kavupd process again, but this time it tried to connect, and then it said "failed".
In Safe Mode, am I supposed to let mwavescan "sit" for a while before it starts, even after it gets that error message?
What now? :(
Hi
We'll try another scanner then:
* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, see if you can click the next icon next to the files found: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif
This will move it to the %userprofile%\DoctorWeb quarantine folder if it can't be cured (this is in case we need samples).
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! It is possible that files in use will be moved/deleted during the reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
orange450
2007-08-14, 02:18
Hi Shaba, I am so sorry that I didn't get back to you sooner. My neighborhood has had a cable outage, and our internet is unavailable. I am on another computer in a different area. I ran the scans, and have the logs, but I'm not on my home computer and can't send them to you. I hope to be able to post again tomorrow, sometime late. Again, I haven't disappeared, and thank you for all your help so far.
Hi
Thanks for letting me know :)
orange450
2007-08-14, 23:25
Hi Shaba, I'm sorry for the wait. My internet is back. Here's the latest HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 3:13:49 PM, on 8/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\printer.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\Avi Fuss\Desktop\scanner.exe
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [XeroxScannerDaemon] C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - Startup: Microsoft Office OneNote 2007 (Beta) Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE12\ONENOTEM.EXE
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: F-Secure Anti-Virus 2006.lnk = C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Scan Button.lnk = C:\SCANNER\EXE32\DETECTON.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {AF087E66-838E-4A97-8A0B-0DDDA5DEA239} (OTAutoInstall Class) - http://trials1.endeavors.com/autodesk/acad2006/clientdownloads/OTAI.CAB
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pc.mywebexpc.com/client/v_mywebex-aa/ra/ieatgpc.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/TrueInstall.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum167.txt
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: F-Secure Anti-Virus 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
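An added triage helper, not code from the thread or from HijackThis, that parses constructed sample lines modelled on the entry types in the log above and reports the ones Shaba has been acting on: the O20 AppInit_DLLs entry pointing at a .txt file, the F2 Shell= line with an extra program, the O7 DisableRegedit policies and bare executables in the Startup folders. The sample lines and rule wording are mine; the rules are heuristics that prompt a question, not a verdict.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Constructed sample lines, modelled on the entry types in the logs above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum167.txt
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (file missing)
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section tag, e.g. "O20"
    reason: str   # what a helper would say about the entry
    line: str     # the log line that triggered the finding


# Every HijackThis entry starts with a section tag: "R3 - ...", "F2 - ...", "O4 - ...".
_TAG = re.compile(r"^([RFNO]\d+) - (.*)$")


def triage_line(line):
    """Return a Finding for one log line, or None when nothing stands out."""
    m = _TAG.match(line.strip())
    if not m:
        return None
    tag, body = m.groups()

    # O20 AppInit_DLLs: the listed file is loaded into every process that maps
    # user32.dll. A name that is not a .dll (hrum167.txt in the thread) is a disguise.
    if tag == "O20" and body.startswith("AppInit_DLLs:"):
        path = body.split(":", 1)[1].strip()
        if path and not path.lower().endswith(".dll"):
            return Finding(tag, "AppInit_DLLs points at a non-DLL file name", line)
        if path:
            return Finding(tag, "AppInit_DLLs is set; confirm the DLL is expected", line)

    # F2 Shell=: anything after Explorer.exe is started with the shell at every logon.
    if tag == "F2":
        shell = re.search(r"Shell=(.*)$", body)
        if shell and shell.group(1).strip().lower() != "explorer.exe":
            return Finding(tag, "system.ini Shell line runs an extra program with Explorer", line)

    # O7 policies: DisableRegedit=1 blocks Registry Editor for the user or machine.
    if tag == "O7" and "DisableRegedit=1" in body:
        return Finding(tag, "a policy is blocking Registry Editor", line)

    # O4 Startup folders normally hold .lnk shortcuts; a bare executable is unusual.
    if tag == "O4" and body.startswith(("Startup:", "Global Startup:")):
        item = body.split(":", 1)[1].strip()
        if ".lnk" not in item.lower():
            return Finding(tag, "bare executable in a Startup folder instead of a shortcut", line)

    return None


def triage_log(text):
    """Run triage_line over every line of a log and collect the findings in order."""
    findings = []
    for raw in text.splitlines():
        f = triage_line(raw)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```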
orange450
2007-08-14, 23:35
And here is the Dr. Web log. I notice that the hrum167.txt entry is still in the HJT log, even though Dr. Web claims to have deleted it. That is one stubborn file.
hrum167.txt;c:\windows\system32;Trojan.Proxy.1939;Deleted.;
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\3991.4.16;Probably BACKDOOR.Trojan;Incurable.Moved.;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.2.71.1;Probably BACKDOOR.Trojan;Incurable.Moved.;
Process.exe;C:\Documents and Settings\Avi Fuss\Desktop\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\Avi Fuss\Desktop\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
Protected_May_28_2004_12_02_01_PM.asf;C:\Documents and Settings\Avi Fuss\My Documents\My Music;Trojan.DownLoader.1729;Deleted.;
countdownsetup.exe;C:\Documents and Settings\Avi Fuss\My Documents\New Folder;Trojan.Ulone;Deleted.;
m[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\81EB01AJ;Trojan.Spambot.2400;Deleted.;
winjok[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GNU96RM3;Trojan.DownLoader.29657;Deleted.;
is67718[1].exe;C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\IDSXMP0N;Trojan.Virtumod;Deleted.;
wr-1-361[1].exe;C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\IDSXMP0N;Trojan.DownLoader.26881;Deleted.;
m[1].exe;C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\IJ23MN67;Trojan.Spambot.2400;Deleted.;
winjok[1].exe;C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OR2JMBOX;Trojan.DownLoader.29657;Deleted.;
WxBug.EXE;C:\Program Files\AIM\Sysfiles;Adware.Aws;Incurable.Moved.;
bot.dll.vir;C:\QooBox\Quarantine\C\Documents and Settings\All Users\Documents\Settings;Probably BACKDOOR.Trojan;Incurable.Moved.;
partnership.dll.vir;C:\QooBox\Quarantine\C\Documents and Settings\All Users\Documents\Settings;Probably BACKDOOR.Trojan;Incurable.Moved.;
attrib.exe.vir;C:\QooBox\Quarantine\C\DOCUME~1\AVIFUS~1\APPLIC~1\YSTEM~1;Adware.ClickSpring;Incurable.Moved.;
POOL32~1.VIR;C:\QooBox\Quarantine\C\Program Files\Common Files\SSEMBL~1;Trojan.DownLoader.29746;Deleted.;
popinstall.exe.vir;C:\QooBox\Quarantine\C\Program Files\InetGet2;Trojan.Winpop;Deleted.;
plugin.dll.vir;C:\QooBox\Quarantine\C\Program Files\SmileyDistrict;Adware.SaveNow;Incurable.Moved.;
webbuying.exe.vir;C:\QooBox\Quarantine\C\Program Files\Web Buying\v1.8.0;Adware.WebBuying;Incurable.Moved.;
UnInstall.exe.vir;C:\QooBox\Quarantine\C\Program Files\WinPop;Trojan.Winpop;Deleted.;
winpop.exe.vir;C:\QooBox\Quarantine\C\Program Files\WinPop;Trojan.LowZones.267;Deleted.;
b122.exe.vir;C:\QooBox\Quarantine\C\WINDOWS;Trojan.MulDrop.8200;Deleted.;
mgrs.exe.vir;C:\QooBox\Quarantine\C\WINDOWS;Trojan.DownLoader.25873;Deleted.;
ERINIT~1.VIR;C:\QooBox\Quarantine\C\WINDOWS\SKS~1;Trojan.DownLoader.29746;Deleted.;
byxuvvv.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
byxwuvv.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
gebcbay.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
hrum167.txt.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Proxy.1939;Deleted.;
ivtmubs.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.DownLoader.29746;Deleted.;
kespeulb.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.EzulaAd;Deleted.;
msbind32.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;BackDoor.Generic.1599;Deleted.;
qqjcfgy.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Adware.WebBuying;Incurable.Moved.;
rxaavqhh.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.EzulaAd;Deleted.;
slwkynpj.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.EzulaAd;Deleted.;
sydrwhap.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
uxjjjoid.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
vtr167.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.DownLoader.28776;Deleted.;
vtuuuro.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
waverevenue.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.DownLoader.26881;Deleted.;
woncemyg.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.DownLoader.29746;Deleted.;
w71.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\driver;Trojan.DownLoader.26881;Deleted.;
Awf59.sys.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS;Trojan.Spambot.2400;Deleted.;
symavc32.sys.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS;Trojan.Spambot.2400;Deleted.;
f02WtR1065.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\f02WtR;Trojan.DownLoader.24715;Deleted.;
f06WtR1083.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\f06WtR;Trojan.DownLoader.24715;Deleted.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
A0080379.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP949;Adware.Aws;Incurable.Moved.;
A0080380.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP949;Adware.Winad;Incurable.Moved.;
A0080381.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP949;Adware.Winad;Incurable.Moved.;
GTDownDE_87.ocx;C:\WINDOWS\SYSTEM32;Adware.Gdown;Incurable.Moved.;
Hi
Sure it is.
I think that if we get rid of that O20 entry, we will win this battle.
Open HijackThis, click do a system scan only and checkmark these:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
Close all windows including browser and press fix checked.
1. Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop. Click on Avenger.zip to open the file. Extract avenger.exe to your desktop.
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Files to delete:
C:\WINDOWS\system32\WinAvXX.exe
C:\WINDOWS\system32\printer.exe
C:\Documents and Settings\Abba\Start Menu\Programs\Startup\DESKTOP.INI
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
C:\WINDOWS\system32\hrum167.txt
Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon, which will open a new window titled "View/edit script".
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done.
Now click on the Green Light to begin execution of the script.
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop; this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply
orange450
2007-08-15, 20:00
Hi Shaba, here are the logs. I still can't access the control panel, even after avenger rebooted - it only rebooted once. Everything worked OK, but as soon as avenger started to execute the script, I got a message "registry editing disabled by your system administrator" - it flashed by, so I'm not sure if it's the exact wording, but close.
Also, after rebooting, in the black command screen, there were some messages that certain files couldn't be deleted, but again, the messages flashed by quickly. At the same time, there was a Windows Exception Processing Message, which showed Parameters: 75b6bf9c 4 75b6bf9c 75b6bf9c and a choice to cancel, retry or continue. I chose continue. A continued big thanks for all your help.
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\xgvkreaj
*******************
Script file located at: \??\C:\Program Files\yhllwuvp.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\system32\WinAvXX.exe deleted successfully.
File C:\WINDOWS\system32\printer.exe deleted successfully.
File C:\Documents and Settings\Abba\Start Menu\Programs\Startup\DESKTOP.INI deleted successfully.
File C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI deleted successfully.
File C:\WINDOWS\system32\hrum167.txt deleted successfully.
Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.
Completed script processing.
*******************
Finished! Terminate.
Here is the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 12:46:59 PM, on 8/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Avi Fuss\Desktop\scanner.exe
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [XeroxScannerDaemon] C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Microsoft Office OneNote 2007 (Beta) Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE12\ONENOTEM.EXE
O4 - Global Startup: F-Secure Anti-Virus 2006.lnk = C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Scan Button.lnk = C:\SCANNER\EXE32\DETECTON.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {AF087E66-838E-4A97-8A0B-0DDDA5DEA239} (OTAutoInstall Class) - http://trials1.endeavors.com/autodesk/acad2006/clientdownloads/OTAI.CAB
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pc.mywebexpc.com/client/v_mywebex-aa/ra/ieatgpc.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/TrueInstall.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: F-Secure Anti-Virus 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Hi
Anyway, it looks much better; that entry and file are gone :)
Open HijackThis, click do a system scan only and checkmark these:
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
Close all windows including browser and press fix checked.
Reboot
Re-run combofix
After that:
Go to spykiller (http://www.thespykiller.co.uk/index.php?PHPSESSID=d65884362fbc872b70e1a9a9a7e13700&board=1.0)
Press new topic, make the thread's title "Files for Shaba"
Include in your message a link to here, then attach the C:\avenger\backup.zip file to your message and post the topic
If you can't locate it through the browse button, just copy/paste the filename and path.
Post:
- a fresh HijackThis log
- combofix report
EDIT:
Save this to your desktop, double-click it and tell me if Control Panel works after that: link (http://www.kellys-korner-xp.com/regs_edits/controlpanelrestrictionrestore.reg)
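As an added example (not code from this thread, from HijackThis or from the helper), a small Python triage that scans a HijackThis 1.99 log for the kinds of entries the helper singles out across these posts: an extra program appended to the system.ini Shell= value, bare executables in the Startup folders, Run entries launching unfamiliar programs out of system32, the DisableRegedit policy, and Winlogon Notify packages that are not expected. The allowlists are assumptions, and the sample lines are constructed from the logs posted above.

```python
"""Triage a HijackThis 1.99 log for the persistence and lockdown entries seen in this thread."""
import re
from typing import Dict, List

# Constructed sample: a handful of lines copied from the HijackThis logs in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: Scan Button.lnk = C:\SCANNER\EXE32\DETECTON.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Assumed allowlists: system32 programs the helper left alone in this thread, and the
# Winlogon Notify package expected on an XP SP2 machine with WGA installed.
SYSTEM32_ALLOW = {"ctfmon.exe", "wscntfy.exe", "wuauclt.exe"}
NOTIFY_ALLOW = {"wgalogon"}


def _exe_path(target: str) -> str:
    """Return the executable path from an O4 Run target (quoted or bare, with optional switches)."""
    target = target.strip()
    if target.startswith('"'):
        end = target.find('"', 1)
        return target[1:end] if end > 0 else target[1:]
    m = re.match(r"(.+?\.exe)", target, re.IGNORECASE)
    return m.group(1) if m else target


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per HJT line that matches a rule; each carries the tag, line and reason."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tag, _, rest = line.partition(" - ")  # split only at the first " - "
        reason = None
        if tag == "F2" and rest.startswith("REG:system.ini: Shell="):
            shell = rest[len("REG:system.ini: Shell="):]
            # The legitimate value is Explorer.exe alone; anything appended runs at every logon.
            if shell.strip().lower() != "explorer.exe":
                reason = "Shell= launches more than Explorer.exe"
        elif tag == "O4":
            if rest.startswith(("Startup: ", "Global Startup: ")) and ".lnk" not in rest.lower():
                # Startup folders normally hold shortcuts, not dropped executables.
                reason = "bare executable in a Startup folder"
            elif "\\Run: [" in rest and "] " in rest:
                path = _exe_path(rest.split("] ", 1)[1])
                low = path.lower()
                if "\\windows\\system32\\" in low and low.rsplit("\\", 1)[-1] not in SYSTEM32_ALLOW:
                    reason = "Run entry launching an unusual program from system32"
        elif tag == "O7" and "DisableRegedit=1" in rest:
            # A policy that blocks regedit is a lockdown malware uses to hinder cleanup.
            reason = "policy disables Registry Editor"
        elif tag == "O20" and rest.startswith("Winlogon Notify: "):
            pkg = rest[len("Winlogon Notify: "):].split(" - ")[0]
            if pkg.lower() not in NOTIFY_ALLOW:
                reason = "unknown Winlogon Notify package"
        if reason:
            findings.append({"tag": tag, "line": line, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['tag']:>3}  {f['reason']}\n     {f['line']}")
```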
orange450
2007-08-15, 20:57
Hi Shaba, I posted the avenger backup.zip file on spykiller.
Here is the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 1:54:27 PM, on 8/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Avi Fuss\Desktop\scanner.exe
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [XeroxScannerDaemon] C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Microsoft Office OneNote 2007 (Beta) Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE12\ONENOTEM.EXE
O4 - Global Startup: F-Secure Anti-Virus 2006.lnk = C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Scan Button.lnk = C:\SCANNER\EXE32\DETECTON.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {AF087E66-838E-4A97-8A0B-0DDDA5DEA239} (OTAutoInstall Class) - http://trials1.endeavors.com/autodesk/acad2006/clientdownloads/OTAI.CAB
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pc.mywebexpc.com/client/v_mywebex-aa/ra/ieatgpc.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/TrueInstall.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: F-Secure Anti-Virus 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
And the first part of the combofix log:
ComboFix 07-08-09.3 - "Avi Fuss" 2007-08-15 13:40:08.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.183 [GMT -4:00]
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup.\autorun.exe
C:\DOCUME~1\AVIFUS~1\STARTM~1\Programs\Startup.\system.exe
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\WinAvXX.exe
((((((((((((((((((((((((( Files Created from 2007-07-15 to 2007-08-15 )))))))))))))))))))))))))))))))
2007-08-15 13:39 <DIR> d-------- C:\WINDOWS\LastGood
2007-08-13 14:01 <DIR> d-------- C:\DOCUME~1\AVIFUS~1\DoctorWeb
2007-08-13 13:14 <DIR> d--h----- C:\WINDOWS\PIF
2007-08-13 13:07 <DIR> d-------- C:\Downloads
2007-08-13 13:07 <DIR> d-------- C:\Bases
2007-08-13 13:05 <DIR> d-------- C:\Kaspersky
2007-08-12 23:46 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-08-12 10:25 4,522 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-08-12 10:24 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-08-12 10:24 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-08-10 14:17 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-09 13:59 <DIR> d---s---- C:\DOCUME~1\Tali\UserData
2007-08-09 13:56 <DIR> d-------- C:\DOCUME~1\Tali\APPLIC~1\Google
2007-08-09 13:53 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Google
2007-08-08 21:07 <DIR> d-------- C:\VundoFix Backups
2007-08-08 21:07 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-08 21:07 <DIR> d-------- C:\Program Files\Dell Support
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Gtek
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\Gtek
2007-08-08 20:40 <DIR> d-------- C:\DOCUME~1\Abba\APPLIC~1\Apple Computer
2007-08-08 16:49 <DIR> d-------- C:\Program Files\Lavasoft(2)
2007-08-08 16:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-08 16:35 <DIR> d-------- C:\DOCUME~1\Guest\UserData
2007-08-08 16:31 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Lavasoft
2007-08-08 15:43 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-08-08 15:43 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
2007-08-08 15:39 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\GTek(2)
2007-08-07 22:02 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-07 20:11 <DIR> d-------- C:\Program Files\DellSupport
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-13 11:39 --------- d-------- C:\DOCUME~1\AVIFUS~1\APPLIC~1\BitTorrent
2007-08-13 00:49 --------- d-------- C:\Program Files\DIGStream
2007-08-08 21:07 --------- d-------- C:\DOCUME~1\AVIFUS~1\APPLIC~1\Lavasoft
2007-08-08 21:06 --------- d--h----- C:\DOCUME~1\AVIFUS~1\APPLIC~1\GTek
2007-07-09 11:33 --------- d-------- C:\DOCUME~1\AVIFUS~1\APPLIC~1\AdobeUM
2007-07-01 22:31 --------- d-------- C:\Program Files\Winamp
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 02:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 06:23 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
2007-05-16 11:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 11:12 85504 --------- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 11:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 11:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
orange450
2007-08-15, 20:59
And here's the second part of the combofix log. The computer seems much quieter, but I haven't tried the control panel again yet.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 13:16]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-25 23:35]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 21:12]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 21:15]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 02:04]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-05 21:50]
"XeroxScannerDaemon"="C:\Program Files\Xerox\NWWia\XrxFTPLt.exe" [2001-08-17 22:37]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"DVDTray"="C:\Program Files\HP DVD\Umbrella\DVDTray.exe" [2003-07-23 13:42]
"DVDBitSet"="C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" [2003-12-18 17:37]
"mmtask"="C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe" [2005-03-15 08:58]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" []
"DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [2005-05-19 13:55]
"F-Secure Manager"="C:\Program Files\F-Secure Internet Security\Common\FSM32.exe" [2005-06-02 18:37]
"F-Secure TNB"="C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" [2005-07-18 10:51]
"F-Secure Startup Wizard"="C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.exe" [2005-08-23 09:38]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-23 17:40]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 16:45]
"HostManager"="C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe" [2006-04-20 13:10]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 12:59]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 13:00]
"RecordNow!"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"RealPlayer"="C:\Program Files\Real\RealPlayer\realplay.exe" [2006-05-30 22:07]
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [2006-04-20 13:10]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2006-09-29 22:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 11:38]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SRUUninstall"="C:\WINDOWS\system32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress
C:\Documents and Settings\Avi Fuss\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 10:00:00]
Microsoft Office OneNote 2007 (Beta) Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE12\ONENOTEM.EXE [2006-04-25 22:06:06]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
F-Secure Anti-Virus 2006.lnk - C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe [2005-12-14 20:42:44]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52]
Scan Button.lnk - C:\SCANNER\EXE32\DETECTON.EXE [2004-07-29 23:31:57]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\MSN\profsywu.html
FriendlyName=
R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys
R0 iaStor;Intel AHCI Controller;C:\WINDOWS\system32\drivers\iaStor.sys
R2 BackWeb Plug-in - 4476822;F-Secure Anti-Virus 2006;C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
R2 DgivEcp;Team MFP Comm Driver;C:\WINDOWS\system32\Drivers\DgivEcp.Sys
R2 F-Secure Filter;F-Secure File System Filter;\??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSgk.sys
R2 F-Secure Recognizer;F-Secure File System Recognizer;\??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys
R3 IntelC51;IntelC51;C:\WINDOWS\system32\DRIVERS\IntelC51.sys
R3 IntelC52;IntelC52;C:\WINDOWS\system32\DRIVERS\IntelC52.sys
R3 IntelC53;IntelC53;C:\WINDOWS\system32\DRIVERS\IntelC53.sys
R3 mohfilt;mohfilt;C:\WINDOWS\system32\DRIVERS\mohfilt.sys
R3 StillCam;Still Serial Digital Camera Driver;C:\WINDOWS\system32\DRIVERS\serscan.sys
S3 hpusbwdm;HP DVD Movie Writer dc3000/dc4000;C:\WINDOWS\system32\DRIVERS\hpusbwdm.sys
S3 Jukebox;Jukebox;C:\WINDOWS\system32\DRIVERS\ctpdusb2.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00c6bd32-af1c-11db-9fbe-0011112826b8}]
AutoRun\command- G:\CA_Install.exe
Contents of the 'Scheduled Tasks' folder
2007-08-15 00:00:15 C:\WINDOWS\Tasks\Scheduled scanning task.job
2004-12-24 18:42:14 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-15 13:42:40
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-15 13:43:18
C:\ComboFix-quarantined-files.txt ... 2007-08-15 13:43
C:\ComboFix2.txt ... 2007-08-12 23:41
C:\ComboFix3.txt ... 2007-08-12 10:23
--- E O F ---
Hi
First we'll need to back up the registry:
Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.
Save the text below as fix.reg in Notepad (save it as all files (*.*)) on the Desktop
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"=-
It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif
Double-click fix.reg, press Yes and OK.
(In case you are unsure how to create a reg file, take a look here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Reg_File_) with screenshots.)
Delete this:
C:\Documents and Settings\Avi Fuss\Start Menu\Programs\Startup\DESKTOP.INI
Empty Recycle Bin
Re-run combofix
Post:
- a fresh HijackThis log
- combofix report
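As an added example (not code from the thread, from HijackThis or from ComboFix), the Python script below applies the checks the helper is working through above to constructed sample lines in both log formats: an executable running from a temp directory, a service whose file is missing, an Active Desktop component whose Source is a local HTML file (the value the fix.reg above clears), a bare executable in a Startup folder, and a MountPoints2 autorun command. The user name, temp file name and dates in the sample are constructed.

```python
"""Triage heuristics for HijackThis- and ComboFix-style log lines.

Added example for this thread, not code from HijackThis, ComboFix or the
helper. The sample log is constructed to mirror the kinds of entries
discussed in the thread.
"""
import re
from dataclasses import dataclass

# Constructed sample mixing HijackThis "O" lines and ComboFix sections.
SAMPLE_LOG = r"""
C:\WINDOWS\TEMP\example.tmp.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\MSN\profsywu.html
FriendlyName=
C:\Documents and Settings\User\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 10:00:00]
system.exe [2007-08-08 12:00:00]
Scan Button.lnk - C:\SCANNER\EXE32\DETECTON.EXE [2004-07-29 23:31:57]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00c6bd32-af1c-11db-9fbe-0011112826b8}]
AutoRun\command- G:\CA_Install.exe
"""


@dataclass(frozen=True)
class Finding:
    rule: str    # short rule name
    detail: str  # the offending line or the extracted path


TEMP_EXE = re.compile(r"\\(?:WINDOWS\\TEMP|Local Settings\\Temp)\\[^\\]+\.exe\s*$", re.I)
FILE_MISSING = re.compile(r"\(file missing\)\s*$", re.I)
DESKTOP_COMPONENT = re.compile(r"^\[HKEY_.*\\internet explorer\\desktop\\components\\\d+\]$", re.I)
MOUNTPOINT = re.compile(r"^\[HKEY_.*\\explorer\\mountpoints2\\", re.I)
SOURCE = re.compile(r"^Source=\s*(.+)$", re.I)
AUTORUN_CMD = re.compile(r"^AutoRun\\command-\s*(.+)$", re.I)
STARTUP_FOLDER = re.compile(r"\\Start Menu\\Programs\\Startup\\?$", re.I)
LOCAL_PATH = re.compile(r"^[A-Za-z]:\\")
# HijackThis "O4 - ...", ComboFix driver "R0 ..." and "(((( section" lines
# end any multi-line ComboFix block we were tracking.
SECTION_END = re.compile(r"^(?:[ORS]\d+\b|\(\(\()")


def triage(text: str) -> list[Finding]:
    """Return one Finding per suspicious line, in log order."""
    findings: list[Finding] = []
    section = None  # "desktop", "mountpoint", "startup" or None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # ComboFix groups value lines under a registry-key or folder header;
        # remember which header we are under so the values can be judged.
        if line.startswith("["):
            if DESKTOP_COMPONENT.match(line):
                section = "desktop"
            elif MOUNTPOINT.match(line):
                section = "mountpoint"
            else:
                section = None
            continue
        if STARTUP_FOLDER.search(line):
            section = "startup"
            continue
        if SECTION_END.match(line):
            section = None
        # Checks that apply to any line, whichever log format it came from.
        if TEMP_EXE.search(line):
            findings.append(Finding("temp-executable", line))
        if FILE_MISSING.search(line):
            findings.append(Finding("orphaned-entry", line))
        # Checks that depend on the ComboFix block we are inside.
        if section == "desktop":
            m = SOURCE.match(line)
            # A local HTML file as the desktop component is the wallpaper lure;
            # a legitimate component would normally point at a web URL.
            if m and LOCAL_PATH.match(m.group(1).strip()):
                findings.append(Finding("active-desktop-lure", m.group(1).strip()))
        elif section == "mountpoint":
            m = AUTORUN_CMD.match(line)
            if m:
                findings.append(Finding("removable-autorun", m.group(1).strip()))
        elif section == "startup":
            # Entries look like "name [date]" or "name.lnk - target [date]";
            # a shortcut is normal there, a bare executable is not.
            name = re.split(r"\s+-\s+|\s*\[", line, maxsplit=1)[0]
            if name.lower().endswith(".exe"):
                findings.append(Finding("startup-exe", name))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:22} {f.detail}")
```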
orange450
2007-08-15, 21:27
Hi Shaba, when I try to run regedit, I get an error message - registry editing has been disabled by your systems administrator, and I can't get in. Also, right after I posted my last message to you, I tried control panel, and it worked. Then I logged off, and onto another user account to see if it worked from there, and it didn't. When I logged back onto my usual account, it didn't work from there either, again. The computer had been offline during that time. Something seems to be still brewing in there. Also, a few of the Windows pop-ups are still there, but very few.
Hi
Next please post HijackThis logs from all user accounts of that computer.
orange450
2007-08-16, 16:52
Hi Shaba - here's what happened. I didn't see your edit to a previous post with the link on it until this morning (USA time), so I didn't run that yesterday. I saw it today, so I went back and re-executed your instructions from unchecking the 3 entries in HJT. Then I clicked on your link, and then control panel *did* reappear :-). Then I was able to do the registry edit, and the logs I'm posting now are from after that. The little yellow triangle in my icon tray has gone, and so has the icon that says "search settings changed" (my home page kept getting re-set to the Google page.) Haven't gotten the "your system is infected" pop-up yet.
I will go now and run HJT for the other users on this computer, unless you tell me not to. Thank you so much for everything you're doing!!!
Logfile of HijackThis v1.99.1
Scan saved at 9:41:16 AM, on 8/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Avi Fuss\Desktop\scanner.exe
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [XeroxScannerDaemon] C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: F-Secure Anti-Virus 2006.lnk = C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Scan Button.lnk = C:\SCANNER\EXE32\DETECTON.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {AF087E66-838E-4A97-8A0B-0DDDA5DEA239} (OTAutoInstall Class) - http://trials1.endeavors.com/autodesk/acad2006/clientdownloads/OTAI.CAB
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pc.mywebexpc.com/client/v_mywebex-aa/ra/ieatgpc.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/TrueInstall.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: F-Secure Anti-Virus 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Combofix took much less time to run than it has previously!
ComboFix 07-08-09.3 - "Avi Fuss" 2007-08-16 9:36:48.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.160 [GMT -4:00]
((((((((((((((((((((((((( Files Created from 2007-07-16 to 2007-08-16 )))))))))))))))))))))))))))))))
2007-08-16 09:25 <DIR> d-------- C:\WINDOWS\LastGood
2007-08-13 14:01 <DIR> d-------- C:\DOCUME~1\AVIFUS~1\DoctorWeb
2007-08-13 13:14 <DIR> d--h----- C:\WINDOWS\PIF
2007-08-13 13:07 <DIR> d-------- C:\Downloads
2007-08-13 13:07 <DIR> d-------- C:\Bases
2007-08-13 13:05 <DIR> d-------- C:\Kaspersky
2007-08-12 23:46 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-08-12 10:25 4,522 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-08-12 10:24 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-08-12 10:24 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-08-10 14:17 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-09 13:59 <DIR> d---s---- C:\DOCUME~1\Tali\UserData
2007-08-09 13:56 <DIR> d-------- C:\DOCUME~1\Tali\APPLIC~1\Google
2007-08-09 13:53 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Google
2007-08-08 21:07 <DIR> d-------- C:\VundoFix Backups
2007-08-08 21:07 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-08 21:07 <DIR> d-------- C:\Program Files\Dell Support
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Gtek
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\Gtek
2007-08-08 20:40 <DIR> d-------- C:\DOCUME~1\Abba\APPLIC~1\Apple Computer
2007-08-08 16:49 <DIR> d-------- C:\Program Files\Lavasoft(2)
2007-08-08 16:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-08 16:35 <DIR> d-------- C:\DOCUME~1\Guest\UserData
2007-08-08 16:31 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Lavasoft
2007-08-08 15:43 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-08-08 15:43 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
2007-08-08 15:39 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\GTek(2)
2007-08-07 22:02 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-07 20:11 <DIR> d-------- C:\Program Files\DellSupport
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-13 11:39 --------- d-------- C:\DOCUME~1\AVIFUS~1\APPLIC~1\BitTorrent
2007-08-13 00:49 --------- d-------- C:\Program Files\DIGStream
2007-08-08 21:07 --------- d-------- C:\DOCUME~1\AVIFUS~1\APPLIC~1\Lavasoft
2007-08-08 21:06 --------- d--h----- C:\DOCUME~1\AVIFUS~1\APPLIC~1\GTek
2007-07-09 11:33 --------- d-------- C:\DOCUME~1\AVIFUS~1\APPLIC~1\AdobeUM
2007-07-01 22:31 --------- d-------- C:\Program Files\Winamp
2007-06-26 10:09 658944 --------- C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 02:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-14 14:09 96256 --------- C:\WINDOWS\system32\dllcache\inseng.dll
2007-06-14 14:09 615424 --------- C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-14 14:09 55808 --------- C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-14 14:09 532480 --------- C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-14 14:09 474112 --------- C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-06-14 14:09 449024 --------- C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-14 14:09 39424 --------- C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-06-14 14:09 357888 --------- C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-06-14 14:09 3058688 --------- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-06-14 14:09 251392 --------- C:\WINDOWS\system32\dllcache\iepeers.dll
2007-06-14 14:09 205312 --------- C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-06-14 14:09 16384 --------- C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-14 14:09 151040 --------- C:\WINDOWS\system32\dllcache\cdfview.dll
2007-06-14 14:09 1494528 --------- C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-06-14 14:09 146432 --------- C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-14 14:09 1054208 --------- C:\WINDOWS\system32\dllcache\danim.dll
2007-06-14 14:09 1023488 --------- C:\WINDOWS\system32\dllcache\browseui.dll
2007-06-14 10:07 18432 --------- C:\WINDOWS\system32\dllcache\iedw.exe
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 06:23 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
2007-05-17 07:28 549376 --a------ C:\WINDOWS\system32\oleaut32.dll
2007-05-17 07:28 549376 --------- C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-05-16 11:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 11:12 85504 --------- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 11:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 11:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
orange450
2007-08-16, 16:53
And the rest of the combofix log:
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 13:16]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-25 23:35]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 21:12]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 21:15]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 02:04]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-05 21:50]
"XeroxScannerDaemon"="C:\Program Files\Xerox\NWWia\XrxFTPLt.exe" [2001-08-17 22:37]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"DVDTray"="C:\Program Files\HP DVD\Umbrella\DVDTray.exe" [2003-07-23 13:42]
"DVDBitSet"="C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" [2003-12-18 17:37]
"mmtask"="C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe" [2005-03-15 08:58]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" []
"DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [2005-05-19 13:55]
"F-Secure Manager"="C:\Program Files\F-Secure Internet Security\Common\FSM32.exe" [2005-06-02 18:37]
"F-Secure TNB"="C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" [2005-07-18 10:51]
"F-Secure Startup Wizard"="C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.exe" [2005-08-23 09:38]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-23 17:40]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 16:45]
"HostManager"="C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe" [2006-04-20 13:10]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 12:59]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 13:00]
"RecordNow!"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"RealPlayer"="C:\Program Files\Real\RealPlayer\realplay.exe" [2006-05-30 22:07]
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [2006-04-20 13:10]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2006-09-29 22:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 11:38]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SRUUninstall"="C:\WINDOWS\system32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress
C:\Documents and Settings\Avi Fuss\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 10:00:00]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
F-Secure Anti-Virus 2006.lnk - C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe [2005-12-14 20:42:44]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52]
Scan Button.lnk - C:\SCANNER\EXE32\DETECTON.EXE [2004-07-29 23:31:57]
R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys
R0 iaStor;Intel AHCI Controller;C:\WINDOWS\system32\drivers\iaStor.sys
R2 BackWeb Plug-in - 4476822;F-Secure Anti-Virus 2006;C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
R2 DgivEcp;Team MFP Comm Driver;C:\WINDOWS\system32\Drivers\DgivEcp.Sys
R2 F-Secure Filter;F-Secure File System Filter;\??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSgk.sys
R2 F-Secure Recognizer;F-Secure File System Recognizer;\??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys
R3 IntelC51;IntelC51;C:\WINDOWS\system32\DRIVERS\IntelC51.sys
R3 IntelC52;IntelC52;C:\WINDOWS\system32\DRIVERS\IntelC52.sys
R3 IntelC53;IntelC53;C:\WINDOWS\system32\DRIVERS\IntelC53.sys
R3 mohfilt;mohfilt;C:\WINDOWS\system32\DRIVERS\mohfilt.sys
R3 StillCam;Still Serial Digital Camera Driver;C:\WINDOWS\system32\DRIVERS\serscan.sys
S3 hpusbwdm;HP DVD Movie Writer dc3000/dc4000;C:\WINDOWS\system32\DRIVERS\hpusbwdm.sys
S3 Jukebox;Jukebox;C:\WINDOWS\system32\DRIVERS\ctpdusb2.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00c6bd32-af1c-11db-9fbe-0011112826b8}]
AutoRun\command- G:\CA_Install.exe
Contents of the 'Scheduled Tasks' folder
2007-08-16 00:02:24 C:\WINDOWS\Tasks\Scheduled scanning task.job
2004-12-24 18:42:14 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-16 09:38:32
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-16 9:39:23
C:\ComboFix-quarantined-files.txt ... 2007-08-16 09:39
C:\ComboFix2.txt ... 2007-08-16 09:24
C:\ComboFix3.txt ... 2007-08-15 13:43
--- E O F ---
Hi
That's great :bigthumb:
Are you able to find this?
C:\Documents and Settings\Avi Fuss\Start Menu\Programs\Startup\DESKTOP.INI
If so, please delete it, too
And now try a scan with Kaspersky and tell me if it was successful :)
orange450
2007-08-16, 17:06
Hi Shaba - I didn't find that file after I did the regedit - it wasn't in the directory you specified, so there was nothing to delete.
Now here's the sad part. As long as I stayed on my usual account, control panel was there, the triangle was gone, and there were no pop-ups. As soon as I logged off that account and onto another to do the HJTs, the yellow triangle was back, control panel was gone, and the pop-ups returned. When I went back to my usual account, all these problems had returned. Something is still hiding in there!
I'm going to run HJT and send you those logs :(
Hi
Do you have hidden & system files visible?
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)
Try again after that.
That's sad to hear; we need further research :(
orange450
2007-08-16, 17:34
Hi Shaba, I did the process to show the files. I'm going to run all the HJT logs again. Is that what you meant by "try again"? Or should I execute all your instructions again from deleting the 3 lines in HJT (which are all back, when I look at the log from my usual account)?
Hi
I mean delete that file if you can find it and then post back a fresh HijackThis log :)
orange450
2007-08-16, 17:50
Hi Shaba, I found and deleted the file, and here is the HJT log from my usual account. The same folder also had an application with A BIG YELLOW TRIANGLE ON IT! I left that alone.
Logfile of HijackThis v1.99.1
Scan saved at 10:47:33 AM, on 8/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Avi Fuss\Desktop\scanner.exe
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [XeroxScannerDaemon] C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: F-Secure Anti-Virus 2006.lnk = C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Scan Button.lnk = C:\SCANNER\EXE32\DETECTON.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {AF087E66-838E-4A97-8A0B-0DDDA5DEA239} (OTAutoInstall Class) - http://trials1.endeavors.com/autodesk/acad2006/clientdownloads/OTAI.CAB
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pc.mywebexpc.com/client/v_mywebex-aa/ra/ieatgpc.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/TrueInstall.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: F-Secure Anti-Virus 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Hi
Please upload that file to Jotti or VirusTotal and post back the results here :)
See instructions below:
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)
Please click this link-->Jotti (http://virusscan.jotti.org/)
When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
insert file here
Please post back the results of the scan in your next post.
If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
orange450
2007-08-16, 17:58
Hi Shaba, I'm sorry to be so slow in understanding, but which file should I upload to Jotti?
Hi
That one ->
The same folder also had an application with A BIG YELLOW TRIANGLE ON IT!
orange450
2007-08-16, 18:11
Hi Shaba, I've tried both links repeatedly, but I keep getting "this page cannot be displayed" error message. I tried to go directly to the virustotal site, and got the same message.
Hi
Do this and try again, please:
Download HostsXpert (http://www.funkytoad.com/download/HostsXpert.zip) and unzip it to your desktop.
Open HostsXpert that you earlier unzipped on your desktop
Click "Make Hosts Writable?" upper right corner (if available)
Click "Restore MS Hosts File" and then click OK
Close HostsXpert
Note: if you used any custom Hosts (e.g. MVPS Hosts), you will have to put them back manually.
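Why restoring the hosts file helps here: a hijacked hosts file maps scanner sites to the local machine, which is exactly what the "page cannot be displayed" errors above look like from the user's side. As an added example, not part of the thread and not HostsXpert code, here is a Python audit of a hosts file that flags such redirects and removes only those lines, so custom entries (an MVPS list, a LAN printer) survive; the WATCHED_DOMAINS beyond the two sites named in the thread are assumptions and SAMPLE_HOSTS is constructed.

```python
"""Audit a Windows hosts file for redirects of security sites.

Added example; not part of the thread and not HostsXpert code.  Malware
commonly rewrites system32\\drivers\\etc\\hosts so that scanner sites resolve
to 127.0.0.1, which is what a "page cannot be displayed" error on jotti.org
or virustotal.com looks like from the user's side.  Unlike the "Restore MS
Hosts File" button, remove_security_redirects() keeps custom entries (an
MVPS block list, a LAN printer) and drops only the redirects.
"""
import ipaddress

# Scanner and vendor hosts a hijacked hosts file typically blocks.  The first
# two are the sites named in this thread; the rest are assumed additions.
WATCHED_DOMAINS = frozenset({
    "virusscan.jotti.org",
    "virustotal.com",
    "www.gmer.net",
    "kaspersky.com",
    "windowsupdate.microsoft.com",
})


def _watched(host):
    """True if host is a watched domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return host in WATCHED_DOMAINS or any(
        host.endswith("." + d) for d in WATCHED_DOMAINS)


def parse_hosts(text):
    """Return (line_no, ip, hostname) tuples from hosts-file text.

    Comments (# ...) and blank lines are skipped, a line listing several
    hostnames yields one tuple per hostname, unparsable lines are ignored.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address: garbage or a malformed line
        for host in parts[1:]:
            entries.append((line_no, str(ip), host.lower()))
    return entries


def audit_hosts(text):
    """Classify every entry other than the stock 'localhost' mapping.

    Returns (line_no, ip, host, verdict) tuples, verdict being one of:
      'security-redirect'  a watched domain points elsewhere (must fix)
      'blackhole'          other host mapped to loopback / 0.0.0.0 (MVPS style)
      'custom'             any other static mapping (LAN devices etc.)
    """
    findings = []
    for line_no, ip, host in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if host == "localhost" and addr.is_loopback:
            continue  # the only entry in Microsoft's default hosts file
        if _watched(host):
            verdict = "security-redirect"
        elif addr.is_loopback or addr.is_unspecified:
            verdict = "blackhole"
        else:
            verdict = "custom"
        findings.append((line_no, ip, host, verdict))
    return findings


def remove_security_redirects(text):
    """Return the hosts text with only the 'security-redirect' lines removed."""
    bad = {f[0] for f in audit_hosts(text) if f[3] == "security-redirect"}
    kept = [raw for n, raw in enumerate(text.splitlines(), start=1)
            if n not in bad]
    return "\n".join(kept) + "\n"


# Constructed sample: Microsoft's default entry, an MVPS-style ad block, a
# LAN printer, and redirects of the kind that blocked the scans in this thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example-adnetwork.test   # MVPS-style block, keep it
192.168.1.20    officeprinter.lan
127.0.0.1       virusscan.jotti.org www.virustotal.com
127.0.0.1       www.gmer.net
"""

if __name__ == "__main__":
    for line_no, ip, host, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {ip:<15} {host:<30} {verdict}")
    print("--- cleaned hosts file ---")
    print(remove_security_redirects(SAMPLE_HOSTS), end="")
```

On a real machine the file also has to be made writable first (the "Make Hosts Writable?" step above), which this script does not do.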
orange450
2007-08-16, 18:29
Hi Shaba - this is weird. I did the HostsXpert thing, and Jotti was busy, but VirusTotal came up, but the yellow triangle file is gone. I can still see other previously hidden files, but that one is gone from the directory, and I didn't remove it. Control panel is still working, and the yellow triangle isn't in the icon tray. I still haven't logged off my usual account yet, so I don't know if it will come back!
orange450
2007-08-16, 19:01
Hi Shaba, I logged off my usual account to see if the file was present in another account. It was :( Then I went back to my usual account and it was there again too. I did the Virustotal scan, and I think this is the log of the results. I didn't see any other way to get it over here to you.
File system.exe received on 08.16.2007 17:48:39 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.8.15.0 2007.08.16 -
AntiVir 7.4.1.62 2007.08.16 TR/Renos.14848.10
Authentium 4.93.8 2007.08.16 -
Avast 4.7.1029.0 2007.08.15 -
AVG 7.5.0.476 2007.08.16 Generic6.MLG
BitDefender 7.2 2007.08.16 Trojan.Agent.AZE
CAT-QuickHeal 9.00 2007.08.16 Hoax.Renos.hz (Not a Virus)
ClamAV 0.91 2007.08.16 Trojan.Fakealert-77
DrWeb 4.33 2007.08.16 Trojan.Fakealert.305
eSafe 7.0.15.0 2007.08.16 suspicious Trojan/Worm
eTrust-Vet 31.1.5064 2007.08.16 Win32/KillAV.BG
Ewido 4.0 2007.08.16 -
FileAdvisor 1 2007.08.16 -
Fortinet 2.91.0.0 2007.08.16 Misc/Renos
F-Prot 4.3.2.48 2007.08.15 -
F-Secure 6.70.13030.0 2007.08.16 not-virus:Hoax.Win32.Renos.hz
Ikarus T3.1.1.12 2007.08.16 Trojan.Packed.120
Kaspersky 4.0.2.24 2007.08.16 not-virus:Hoax.Win32.Renos.hz
McAfee 5098 2007.08.15 potentially unwanted program Winfixer
Microsoft 1.2803 2007.08.16 -
NOD32v2 2466 2007.08.16 -
Norman 5.80.02 2007.08.16 -
Panda 9.0.0.4 2007.08.16 Adware/WinAntiVirus2007
Prevx1 V2 2007.08.16 Generic.Malware
Rising 19.36.32.00 2007.08.16 -
Sophos 4.20.0 2007.08.12 -
Sunbelt 2.2.907.0 2007.08.16 -
Symantec 10 2007.08.16 Trojan.KillAV
TheHacker 6.1.8.170 2007.08.15 -
VBA32 3.12.2.2 2007.08.16 Trojan.Fakealert.305
VirusBuster 4.3.26:9 2007.08.16 -
Webwasher-Gateway 6.0.1 2007.08.16 Trojan.Renos.14848.10
Additional information
File size: 14848 bytes
MD5: 78df9cc72e2b5aabf7d17e32df1dc49b
SHA1: ac4c11cffb7697635dc7ee45c376c0e0d3c43208
packers: UPX
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=96E43F30006A3C2F3A1C008883EC4B008B99C7A2
Hi
Delete that file.
After that:
Create a Startup List
Open HiJackThis
Click on the "Config..." button on the bottom right
Click on the tab "Misc Tools"
Check off the 2 boxes next to the Box that says "Generate StartupList log"
Copy and paste the StartupList from the notepad into your next post
* Download GMER from
here (http://www.gmer.net/gmer.zip):
Unzip it and start GMER.exe
Click the rootkit-tab and click scan.
Once done, click the Copy button.
This will copy the results to clipboard.
Paste the results in your next reply.
Post:
- startuplist
- gmer log
- a fresh HijackThis log.
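The entries that decide a case like this one are easy to miss among a hundred legitimate Dell, HP and F-Secure autostarts. As an added example, not part of the thread and not HijackThis code, here is a Python triage pass over the HijackThis line types that matter here (F2 Shell=, O4 Run entries, O7 policies, O23 services), run over lines copied from the logs posted in this thread; the KNOWN_SYSTEM32_AUTOSTARTS allowlist is an assumption.

```python
"""Triage a HijackThis v1.99 log for the persistence signs seen in this thread.

Added example; not part of the thread and not HijackThis code.  It walks the
line types HijackThis emits that matter here (F2 shell, O4 Run, O7 policy,
O23 service), assigns each finding a severity and returns them, so that the
few lines that explain a returning "yellow triangle" are not lost among a
hundred legitimate autostarts.  SAMPLE_LOG is built from lines copied from
the logs posted in this thread.
"""
import re

# Autostarts that legitimately live directly in system32 on a stock XP SP2
# box.  Assumed allowlist; extend it for your own environment.
KNOWN_SYSTEM32_AUTOSTARTS = {"ctfmon.exe"}

RE_F2_SHELL = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$", re.I)
RE_O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.*)$")
RE_O7_POLICY = re.compile(r"^O7 - (HK\w+)\\.*, (Disable\w+)=(\d+)$")
RE_O23_SERVICE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.*)$")


def _target_exe(command):
    """Return the image path of an O4 command, minus quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)\b", command, re.I)
    return m.group(1) if m else command.split(" ", 1)[0]


def triage_hjt_log(text):
    """Return (severity, line, reason) tuples; severity is high/review/info."""
    findings = []
    run_hives = {}  # Run-entry name -> set of hives it was found in

    for line in text.splitlines():
        line = line.strip()

        # Explorer.exe is the only thing that belongs in system.ini Shell=;
        # anything appended to it starts at every logon, in every account.
        m = RE_F2_SHELL.match(line)
        if m:
            extra = [p for p in m.group(1).split() if p.lower() != "explorer.exe"]
            if extra:
                findings.append(("high", line,
                                 "Shell= starts an extra program: " + " ".join(extra)))
            continue

        # Policies that lock the user out of regedit / task manager.
        m = RE_O7_POLICY.match(line)
        if m and m.group(3) == "1":
            findings.append(("high", line, f"{m.group(2)} set in {m.group(1)}"))
            continue

        # Run keys: note the hive, flag images dropped straight into system32.
        m = RE_O4_RUN.match(line)
        if m:
            hive, _, name, command = m.groups()
            run_hives.setdefault(name.lower(), set()).add(hive)
            folder, _, base = _target_exe(command).rpartition("\\")
            if (folder.lower().endswith("\\system32")
                    and base.lower() not in KNOWN_SYSTEM32_AUTOSTARTS):
                findings.append(("review", line,
                                 "autostart dropped directly into system32: " + base))
            continue

        # Services whose binary is gone are leftovers, not active threats.
        m = RE_O23_SERVICE.match(line)
        if m and m.group(2) == "Unknown owner" and line.endswith("(file missing)"):
            findings.append(("info", line, "orphaned service entry (binary missing)"))

    # The same Run entry in both HKLM and HKCU is a common malware persistence pattern.
    for name, hives in run_hives.items():
        if hives >= {"HKLM", "HKCU"}:
            findings.append(("review", f"O4 [{name}]",
                             "same Run entry in both HKLM and HKCU"))
    return findings


# Lines copied from the HijackThis logs in this thread (one clean O4 and one
# clean O23 line included as controls).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (file missing)
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
"""

if __name__ == "__main__":
    for severity, line, reason in triage_hjt_log(SAMPLE_LOG):
        print(f"[{severity:>6}] {reason}\n         {line}")
```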
orange450
2007-08-16, 20:45
Hi Shaba, I deleted all instances of the "yellow triangle" file in all the user accounts I found it in. I also deleted any DESKTOP files in the same directory.
The GMER scan took a long time, and sort of stopped abruptly, with no mention that it was done - I was watching the files, and it seemed to stop right after the system32\drivers directory - where Ad-Aware had problems in the very beginning of this saga. I clicked copy - but there was no log on the clipboard. While GMER was running, the yellow triangle disappeared from the icon tray.
Here's the latest HJT log from my usual account:
Logfile of HijackThis v1.99.1
Scan saved at 1:40:55 PM, on 8/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\printer.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\internet explorer\iexplore.exe
c:\program files\aol\aol toolbar 3.1\aoltbhelper.exe
C:\Documents and Settings\Avi Fuss\Desktop\scanner.exe
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [XeroxScannerDaemon] C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - Global Startup: F-Secure Anti-Virus 2006.lnk = C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Scan Button.lnk = C:\SCANNER\EXE32\DETECTON.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {AF087E66-838E-4A97-8A0B-0DDDA5DEA239} (OTAutoInstall Class) - http://trials1.endeavors.com/autodesk/acad2006/clientdownloads/OTAI.CAB
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pc.mywebexpc.com/client/v_mywebex-aa/ra/ieatgpc.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/TrueInstall.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: F-Secure Anti-Virus 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
And here's the STARTUP list.
StartupList report, 8/16/2007, 12:56:35 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Avi Fuss\Desktop\scanner.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\printer.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\internet explorer\iexplore.exe
c:\program files\aol\aol toolbar 3.1\aoltbhelper.exe
C:\Documents and Settings\Avi Fuss\Desktop\scanner.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
F-Secure Anti-Virus 2006.lnk = C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
Scan Button.lnk = C:\SCANNER\EXE32\DETECTON.EXE
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
IAAnotif = C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
IntelMeM = C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
PCMService = "C:\Program Files\Dell\Media Experience\PCMService.exe"
dla = C:\WINDOWS\system32\dla\tfswctrl.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
XeroxScannerDaemon = C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
UpdateManager = "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
DVDTray = "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
DVDBitSet = "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
mmtask = "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
HP Software Update = "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
DIGStream = C:\Program Files\DIGStream\digstream.exe
DIGServices = C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
F-Secure Manager = "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
F-Secure TNB = "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
F-Secure Startup Wizard = "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
HostManager = C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
IPHSend = C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
WinAVX = C:\WINDOWS\system32\WinAvXX.exe
--------------------------------------------------
orange450
2007-08-16, 20:46
The rest of the startup list:
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
IAAnotif = C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
IntelMeM = C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
PCMService = "C:\Program Files\Dell\Media Experience\PCMService.exe"
dla = C:\WINDOWS\system32\dla\tfswctrl.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
XeroxScannerDaemon = C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
UpdateManager = "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
DVDTray = "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
DVDBitSet = "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
mmtask = "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
HP Software Update = "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
DIGStream = C:\Program Files\DIGStream\digstream.exe
DIGServices = C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
F-Secure Manager = "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
F-Secure TNB = "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
F-Secure Startup Wizard = "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
HostManager = C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
IPHSend = C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
WinAVX = C:\WINDOWS\system32\WinAvXX.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MoneyAgent = "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
RecordNow! =
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
RealPlayer = "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
Aim6 = "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
BitTorrent = "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
swg = C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
WinAVX = C:\WINDOWS\system32\WinAvXX.exe
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Enumerating Task Scheduler jobs:
Scheduled scanning task.job
Symantec NetDetect.job
--------------------------------------------------
Enumerating Download Program Files:
[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM32\Macromed\Director\SwDir.dll
CODEBASE = http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204
[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38199.7740972222
[Rite Aid One Hour Photo Online Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\RITEAI~1.OCX
CODEBASE = https://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
[ScorchPlugin Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\NPSibelius.dll
CODEBASE = http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
[OTAutoInstall Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\OTAIControl.dll
CODEBASE = http://trials1.endeavors.com/autodesk/acad2006/clientdownloads/OTAI.CAB
[SimCityX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\SimCityX.ocx
CODEBASE = http://simcity.ea.com/play/classic/SimCityX.cab
[Facebook Photo Uploader Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\FacebookPhotoUploader.ocx
CODEBASE = http://upload.facebook.com/controls/FacebookPhotoUploader.cab
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash8.ocx
CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
[GpcContainer Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\ieatgpc.dll
CODEBASE = https://pc.mywebexpc.com/client/v_mywebex-aa/ra/ieatgpc.cab
[{FFFFFFFF-CACE-BABE-BABE-00AA0055595A}]
CODEBASE = http://www.trueswitch.com/TrueInstall.exe
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
--------------------------------------------------
End of report, 9,679 bytes
Report generated in 0.031 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
Hi
Try to run gmer in safe mode and let me know if it works there.
Also rename scanner.exe back to HijackThis.exe (StartupList is incomplete due to the "wrong" filename) and run StartupList again.
orange450
2007-08-16, 21:49
Hi Shaba, I am getting very depressed :( I ran GMER in Safe Mode. It took a long time, and the yellow triangle popped up again in the middle of the scan, even in Safe Mode!
It seemed to get a little further than before, but then it stopped abruptly again. I clicked on SCAN, and this time it said that a log had been copied to the clipboard, and I should open Notepad and CTRL-V it in. I opened Notepad (maybe my problem was that I opened it while GMER was still open), but the computer froze before I could copy the log in. Interestingly - while the system was frozen, a pop-up telling me the computer is infected did pop up, but the mouse was frozen, so I had to turn off the computer.
I think I will try it again, but close GMER before I open Notepad.
Here is the re-run startuplist.
StartupList report, 8/16/2007, 2:41:38 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Avi Fuss\Desktop\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\WinAvXX.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
c:\program files\aol\aol toolbar 3.1\aoltbhelper.exe
C:\Documents and Settings\Avi Fuss\Desktop\HijackThis.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\Avi Fuss\Start Menu\Programs\Startup]
system.exe
Shell folders AltStartup:
*Folder not found*
User shell folders Startup:
*Folder not found*
User shell folders AltStartup:
*Folder not found*
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
autorun.exe
F-Secure Anti-Virus 2006.lnk = C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
Scan Button.lnk = C:\SCANNER\EXE32\DETECTON.EXE
Shell folders Common AltStartup:
*Folder not found*
User shell folders Common Startup:
*Folder not found*
User shell folders Alternate Common Startup:
*Folder not found*
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*
[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
IAAnotif = C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
IntelMeM = C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
PCMService = "C:\Program Files\Dell\Media Experience\PCMService.exe"
dla = C:\WINDOWS\system32\dla\tfswctrl.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
XeroxScannerDaemon = C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
UpdateManager = "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
DVDTray = "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
DVDBitSet = "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
mmtask = "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
HP Software Update = "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
DIGStream = C:\Program Files\DIGStream\digstream.exe
DIGServices = C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
F-Secure Manager = "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
F-Secure TNB = "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
F-Secure Startup Wizard = "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
HostManager = C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
IPHSend = C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
WinAVX = C:\WINDOWS\system32\WinAvXX.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MoneyAgent = "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
RecordNow! =
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
RealPlayer = "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
Aim6 = "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
BitTorrent = "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
swg = C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
WinAVX = C:\WINDOWS\system32\WinAvXX.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[OptionalComponents]
*No values found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
[Setup]
*No values found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
[Setup]
*No values found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command
(Default) = "%1" /S
--------------------------------------------------
File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command
(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*
--------------------------------------------------
File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP
[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe
[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install
[{8b15971b-5355-4c82-8c07-7e181ea07608}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser
--------------------------------------------------
orange450
2007-08-16, 21:52
More of Startuplist
Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps
*No subkeys found*
--------------------------------------------------
Load/Run keys from C:\WINDOWS\WIN.INI:
load=*INI section not found*
run=*INI section not found*
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------------------------------
Verifying REGEDIT.EXE integrity:
- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'
Registry check passed
--------------------------------------------------
Enumerating Browser Helper Objects:
*No BHO's found*
--------------------------------------------------
Enumerating Task Scheduler jobs:
Scheduled scanning task.job
Symantec NetDetect.job
--------------------------------------------------
Enumerating Download Program Files:
[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM32\Macromed\Director\SwDir.dll
CODEBASE = http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204
[Java Plug-in 1.4.2]
InProcServer32 = C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
CODEBASE = http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38199.7740972222
[Rite Aid One Hour Photo Online Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\RITEAI~1.OCX
CODEBASE = https://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
[ScorchPlugin Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\NPSibelius.dll
CODEBASE = http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
[OTAutoInstall Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\OTAIControl.dll
CODEBASE = http://trials1.endeavors.com/autodesk/acad2006/clientdownloads/OTAI.CAB
[SimCityX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\SimCityX.ocx
CODEBASE = http://simcity.ea.com/play/classic/SimCityX.cab
[Java Plug-in 1.4.2]
InProcServer32 = C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
CODEBASE = http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
[Facebook Photo Uploader Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\FacebookPhotoUploader.ocx
CODEBASE = http://upload.facebook.com/controls/FacebookPhotoUploader.cab
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash8.ocx
CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
[GpcContainer Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\ieatgpc.dll
CODEBASE = https://pc.mywebexpc.com/client/v_mywebex-aa/ra/ieatgpc.cab
[{FFFFFFFF-CACE-BABE-BABE-00AA0055595A}]
CODEBASE = http://www.trueswitch.com/TrueInstall.exe
--------------------------------------------------
orange450
2007-08-16, 21:56
Still more of StartupList:
Enumerating Winsock LSP files:
NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
--------------------------------------------------
Enumerating Windows NT/2000/XP services
Ad-Aware 2007 Service: "C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe" (autostart)
abp480n5: \SystemRoot\System32\DRIVERS\ABP480N5.SYS (disabled)
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
adpu160m: \SystemRoot\System32\DRIVERS\adpu160m.sys (disabled)
aeaudio: system32\drivers\aeaudio.sys (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Intel AGP Bus Filter: \SystemRoot\System32\DRIVERS\agp440.sys (disabled)
Compaq AGP Bus Filter: \SystemRoot\System32\DRIVERS\agpCPQ.sys (disabled)
Aha154x: \SystemRoot\System32\DRIVERS\aha154x.sys (disabled)
aic78u2: \SystemRoot\System32\DRIVERS\aic78u2.sys (disabled)
aic78xx: \SystemRoot\System32\DRIVERS\aic78xx.sys (disabled)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AliIde: \SystemRoot\System32\DRIVERS\aliide.sys (disabled)
ALI AGP Bus Filter: \SystemRoot\System32\DRIVERS\alim1541.sys (disabled)
AMD AGP Bus Filter Driver: \SystemRoot\System32\DRIVERS\amdagp.sys (disabled)
amsint: \SystemRoot\System32\DRIVERS\amsint.sys (disabled)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
asc: \SystemRoot\System32\DRIVERS\asc.sys (disabled)
asc3350p: \SystemRoot\System32\DRIVERS\asc3350p.sys (disabled)
asc3550: \SystemRoot\System32\DRIVERS\asc3550.sys (disabled)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\System32\Ati2evxx.exe (autostart)
ati2mtag: System32\DRIVERS\ati2mtag.sys (manual start)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AVG Anti-Spyware Driver: \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys (system)
AVG Anti-Spyware Guard: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (autostart)
AVG Anti-Spyware Clean Driver: System32\DRIVERS\AvgAsCln.sys (system)
Broadcom NetXtreme 57xx Gigabit Controller: System32\DRIVERS\b57xp32.sys (manual start)
F-Secure Anti-Virus 2006: C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE (autostart)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
catchme: \??\C:\DOCUME~1\AVIFUS~1\LOCALS~1\Temp\catchme.sys (manual start)
cbidf: \SystemRoot\System32\DRIVERS\cbidf2k.sys (disabled)
Closed Caption Decoder: system32\DRIVERS\CCDECODE.sys (manual start)
cd20xrnt: \SystemRoot\System32\DRIVERS\cd20xrnt.sys (disabled)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
CmdIde: \SystemRoot\System32\DRIVERS\cmdide.sys (disabled)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cpqarray: \SystemRoot\System32\DRIVERS\cpqarray.sys (disabled)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
dac2w2k: \SystemRoot\System32\DRIVERS\dac2w2k.sys (disabled)
dac960nt: \SystemRoot\System32\DRIVERS\dac960nt.sys (disabled)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
Team MFP Comm Driver: System32\Drivers\DgivEcp.Sys (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
dpti2o: \SystemRoot\System32\DRIVERS\dpti2o.sys (disabled)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
drvmcdb: system32\drivers\drvmcdb.sys (system)
drvnddm: system32\drivers\drvnddm.sys (autostart)
DSBrokerService: "C:\Program Files\DellSupport\brkrsvc.exe" (manual start)
DSproct: \??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys (manual start)
DellSupport UniDriver: system32\DRIVERS\dsunidrv.sys (autostart)
IBM Access Support: \??\C:\WINDOWS\Downloaded Program Files\EGATHDRV.SYS (manual start)
3Com EtherLink XL 90XB/C Adapter Driver: System32\DRIVERS\el90xbc5.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
F-Secure File System Filter: \??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys (autostart)
F-Secure Gatekeeper: \??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSgk.sys (autostart)
FSGKHS: "C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe" (autostart)
F-Secure File System Recognizer: \??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys (autostart)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Fax: %systemroot%\system32\fxssvc.exe (autostart)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
fsbwsys: "C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe" (autostart)
F-Secure Anti-Virus Firewall Daemon: "C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe" (manual start)
F-Secure Firewall Driver: System32\drivers\fsdfw.sys (system)
F-Secure Management Agent: "C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE" (autostart)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
GEAR CDRom Filter: SYSTEM32\DRIVERS\GEARAspiWDM.sys (manual start)
gmer: System32\DRIVERS\gmer.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Google Updater Service: "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe" (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
hpn: \SystemRoot\System32\DRIVERS\hpn.sys (disabled)
HP DVD Movie Writer dc3000/dc4000: system32\DRIVERS\hpusbwdm.sys (manual start)
IEEE-1284.4 Driver HPZid412: system32\DRIVERS\HPZid412.sys (manual start)
Print Class Driver for IEEE-1284.4 HPZipr12: system32\DRIVERS\HPZipr12.sys (manual start)
USB to IEEE-1284.4 Translation Driver HPZius12: system32\DRIVERS\HPZius12.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i2omp: \SystemRoot\System32\DRIVERS\i2omp.sys (disabled)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
i81x: System32\DRIVERS\i81xnt5.sys (manual start)
IAA Event Monitor: C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe (autostart)
iAimFP0: System32\DRIVERS\wADV01nt.sys (manual start)
iAimFP1: System32\DRIVERS\wADV02NT.sys (manual start)
iAimFP2: System32\DRIVERS\wADV05NT.sys (manual start)
iAimFP3: System32\DRIVERS\wSiINTxx.sys (manual start)
iAimFP4: System32\DRIVERS\wVchNTxx.sys (manual start)
iAimTV0: System32\DRIVERS\wATV01nt.sys (manual start)
iAimTV1: System32\DRIVERS\wATV02NT.sys (manual start)
iAimTV3: System32\DRIVERS\wATV04nt.sys (manual start)
iAimTV4: System32\DRIVERS\wCh7xxNT.sys (manual start)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
ini910u: \SystemRoot\System32\DRIVERS\ini910u.sys (disabled)
IntelC51: System32\DRIVERS\IntelC51.sys (manual start)
IntelC52: System32\DRIVERS\IntelC52.sys (manual start)
IntelC53: System32\DRIVERS\IntelC53.sys (manual start)
IntelIde: \SystemRoot\System32\DRIVERS\intelide.sys (disabled)
Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
iPodService: C:\Program Files\iPod\bin\iPodService.exe (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Jukebox: system32\DRIVERS\ctpdusb2.sys (manual start)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start)
mohfilt: System32\DRIVERS\mohfilt.sys (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
mraid35x: \SystemRoot\System32\DRIVERS\mraid35x.sys (disabled)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: system32\DRIVERS\NABTSFEC.sys (manual start)
Microsoft TV/Video Connection: system32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
orange450
2007-08-16, 22:00
and the last of it. Thank you so much, Shaba. I don't know how you do this!
Microsoft Office Diagnostics Service: "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE" (manual start)
OMCI WDM Device Driver: System32\DRIVERS\omci.sys (system)
Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
Intel PentiumIII Processor Driver: System32\DRIVERS\p3.sys (system)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
perc2: \SystemRoot\System32\DRIVERS\perc2.sys (disabled)
perc2hib: \SystemRoot\System32\DRIVERS\perc2hib.sys (disabled)
Padus ASPI Shell: system32\drivers\pfc.sys (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Pml Driver HPZ12: C:\WINDOWS\system32\HPZipm12.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
ql1080: \SystemRoot\System32\DRIVERS\ql1080.sys (disabled)
Ql10wnt: \SystemRoot\System32\DRIVERS\ql10wnt.sys (disabled)
ql12160: \SystemRoot\System32\DRIVERS\ql12160.sys (disabled)
ql1240: \SystemRoot\System32\DRIVERS\ql1240.sys (disabled)
ql1280: \SystemRoot\System32\DRIVERS\ql1280.sys (disabled)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
ServiceLayer: "C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe" (manual start)
Internet Connection Sharing: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SIS AGP Bus Filter: \SystemRoot\System32\DRIVERS\sisagp.sys (disabled)
BDA Slip De-Framer: system32\DRIVERS\SLIP.sys (manual start)
smwdm: system32\drivers\smwdm.sys (manual start)
Sony USB Filter Driver (SONYPVU1): System32\DRIVERS\SONYPVU1.SYS (manual start)
Sparrow: \SystemRoot\System32\DRIVERS\sparrow.sys (disabled)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
sscdbhk5: system32\drivers\sscdbhk5.sys (system)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
ssrtln: system32\drivers\ssrtln.sys (system)
Still Serial Digital Camera Driver: System32\DRIVERS\serscan.sys (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
BDA IPSink: system32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{F79A1568-D6C5-4C69-A086-936CF52DBBE3} (manual start)
symc810: \SystemRoot\System32\DRIVERS\symc810.sys (disabled)
symc8xx: \SystemRoot\System32\DRIVERS\symc8xx.sys (disabled)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
SymWMI Service: "C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe" (autostart)
sym_hi: \SystemRoot\System32\DRIVERS\sym_hi.sys (disabled)
sym_u3: \SystemRoot\System32\DRIVERS\sym_u3.sys (disabled)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
tfsnboio: system32\dla\tfsnboio.sys (autostart)
tfsncofs: system32\dla\tfsncofs.sys (autostart)
tfsndrct: system32\dla\tfsndrct.sys (autostart)
tfsndres: system32\dla\tfsndres.sys (autostart)
tfsnifs: system32\dla\tfsnifs.sys (autostart)
tfsnopio: system32\dla\tfsnopio.sys (autostart)
tfsnpool: system32\dla\tfsnpool.sys (autostart)
tfsnudf: system32\dla\tfsnudf.sys (autostart)
tfsnudfa: system32\dla\tfsnudfa.sys (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TosIde: \SystemRoot\System32\DRIVERS\toside.sys (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
ultra: \SystemRoot\System32\DRIVERS\ultra.sys (disabled)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: \SystemRoot\System32\DRIVERS\viaagp.sys (disabled)
ViaIde: \SystemRoot\System32\DRIVERS\viaide.sys (disabled)
Viewpoint Manager Service: "C:\Program Files\Viewpoint\Common\ViewpointService.exe" (autostart)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
WAN Miniport (ATW): System32\DRIVERS\wanatw4.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Standard Teletext Codec: system32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Intel AHCI Controller: system32\drivers\iaStor.sys (system)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*No values found*
--------------------------------------------------
End of report, 43,840 bytes
Report generated in 0.171 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
orange450
2007-08-17, 02:09
I finally got the GMER scan - it seems to have finished in Safe Mode, even though it doesn't give a message that it's done.
GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-08-16 19:00:41
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.13 ----
Code \WINDOWS\System32\drivers\fsndis5.sys IoCreateDevice
---- Kernel code sections - GMER 1.0.13 ----
PAGE ntoskrnl.exe!IoCreateDevice 8059EAA2 5 Bytes JMP F8587FD0 \WINDOWS\System32\drivers\fsndis5.sys
---- Registry - GMER 1.0.13 ----
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Control\GroupOrderList@System Reserved?Boot Bus Extender?System Bus Extender?SCSI miniport?Port?Primary Disk?SCSI Class?SCSI CDROM Class?FSFilter Infrastructure?FSFilter System?FSFilter Bottom?FSFilter Copy Protection?FSFilter Security Enhancer?FSFilter Open File?FSFilter Physical Quota Management?FSFilter Encryption?FSFilter Compression?FSFilter HSM?FSFilter Cluster File System?FSFilter System Recovery?FSFilter Quota Management?FSFilter Content Screener?FSFilter Continuous Backup?FSFilter Replication?FSFilter Anti-Virus?FSFilter Undelete?FSFilter Activity Monitor?FSFilter Top?Filter?Boot File System?Base?Pointer Port?Keyboard Port?Pointer Class?Keyboard Class?Video Init?Video?Video Save?File System?Event Log?Streams Drivers?NDIS Wrapper?COM Infrastructure?UIGroup?LocalValidation?PlugPlay?PNP_TDI?NDIS?TDI?NetBIOSGroup?ShellSvcGroup?SchedulerGroup?SpoolerGroup?AudioGroup?SmartCardGroup?NetworkProvider?RemoteValidation?NetDDEGroup?Parallel arbitrator?Extended Base?PCI Con 0x01 0x00 0x00 0x00 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Control\GroupOrderList@System Reserved?Boot Bus Extender?System Bus Extender?SCSI miniport?Port?Primary Disk?SCSI Class?SCSI CDROM Class?FSFilter Infrastructure?FSFilter System?FSFilter Bottom?FSFilter Copy Protection?FSFilter Security Enhancer?FSFilter Open File?FSFilter Physical Quota Management?FSFilter Encryption?FSFilter Compression?FSFilter HSM?FSFilter Cluster File System?FSFilter System Recovery?FSFilter Quota Management?FSFilter Content Screener?FSFilter Continuous Backup?FSFilter Replication?FSFilter Anti-Virus?FSFilter Undelete?FSFilter Activity Monitor?FSFilter Top?Filter?Boot File System?Base?Pointer Port?Keyboard Port?Pointer Class?Keyboard Class?Video Init?Video?Video Save?File System?Event Log?Streams Drivers?NDIS Wrapper?COM Infrastructure?UIGroup?LocalValidation?PlugPlay?PNP_TDI?NDIS?TDI?Symantec Services?NetBIOSGroup?ShellSvcGroup?SchedulerGroup?SpoolerGroup?AudioGroup?NetworkProvider?RemoteValidation?NetDDEGroup?Parallel arbitrator?Extended Base?PCI 0x01 0x00 0x00 0x00 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Control\GroupOrderList@System Reserved?Boot Bus Extender?System Bus Extender?SCSI miniport?Port?Primary Disk?SCSI Class?SCSI CDROM Class?FSFilter Infrastructure?FSFilter System?FSFilter Bottom?FSFilter Copy Protection?FSFilter Security Enhancer?FSFilter Open File?FSFilter Physical Quota Management?FSFilter Encryption?FSFilter Compression?FSFilter HSM?FSFilter Cluster File System?FSFilter System Recovery?FSFilter Quota Management?FSFilter Content Screener?FSFilter Continuous Backup?FSFilter Replication?FSFilter Anti-Virus?FSFilter Undelete?FSFilter Activity Monitor?FSFilter Top?Filter?Boot File System?Base?Pointer Port?Keyboard Port?Pointer Class?Keyboard Class?Video Init?Video?Video Save?File System?Event Log?Streams Drivers?NDIS Wrapper?COM Infrastructure?UIGroup?LocalValidation?PlugPlay?PNP_TDI?NDIS?TDI?NetBIOSGroup?ShellSvcGroup?SchedulerGroup?SpoolerGroup?AudioGroup?SmartCardGroup?NetworkProvider?RemoteValidation?NetDDEGroup?Parallel arbitrator?Extended Base?PCI Con 0x01 0x00 0x00 0x00 ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Control\GroupOrderList@System Reserved?Boot Bus Extender?System Bus Extender?SCSI miniport?Port?Primary Disk?SCSI Class?SCSI CDROM Class?FSFilter Infrastructure?FSFilter System?FSFilter Bottom?FSFilter Copy Protection?FSFilter Security Enhancer?FSFilter Open File?FSFilter Physical Quota Management?FSFilter Encryption?FSFilter Compression?FSFilter HSM?FSFilter Cluster File System?FSFilter System Recovery?FSFilter Quota Management?FSFilter Content Screener?FSFilter Continuous Backup?FSFilter Replication?FSFilter Anti-Virus?FSFilter Undelete?FSFilter Activity Monitor?FSFilter Top?Filter?Boot File System?Base?Pointer Port?Keyboard Port?Pointer Class?Keyboard Class?Video Init?Video?Video Save?File System?Event Log?Streams Drivers?NDIS Wrapper?COM Infrastructure?UIGroup?LocalValidation?PlugPlay?PNP_TDI?NDIS?TDI?NetBIOSGroup?ShellSvcGroup?SchedulerGroup?SpoolerGroup?AudioGroup?SmartCardGroup?NetworkProvider?RemoteValidation?NetDDEGroup?Parallel arbitrator?Extended Base?PCI 0x01 0x00 0x00 0x00 ...
---- EOF - GMER 1.0.13 ----
Hi
I already told you that your computer is, in my opinion, a candidate for formatting, and also that the cleaning process will take time (and chances are that we won't get it clean; I'm willing to try anyway).
If you like, we can stop the cleaning process immediately.
If you don't want that, I'll research those logs next.
Let me know your decision.
orange450
2007-08-17, 15:52
Hi Shaba, yes I would like to get it as clean as possible. I noticed that another user on this forum has described the same problem - the user is xbennox. Probably there are others with this problem as well. I appreciate all the help you are providing.
Hi
Download WinPFind3U.exe (http://download.bleepingcomputer.com/oldtimer/winpfind3u.exe) to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
In the Files Created Within group click 30 days
In the Files Modified Within group select 30 days
In the File String Search group select Non-Microsoft
Now click the Run Scan button on the toolbar.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in.
orange450
2007-08-17, 19:04
Hi Shaba - I don't see an "Add Reply" button anywhere, so I had to post the reply. Here is the first part of the log. As soon as the scan started, I got an error message: NO DISK, exception processing, with the exact same parameters that I got a few days ago, and a choice to retry, continue or cancel. I chose continue, and the scan continued. Thank you for all your help.
WinPFind3 logfile created on: 8/17/2007 11:49:13 AM
WinPFind3U by OldTimer - Version 1.0.39 Folder = C:\Documents and Settings\Avi Fuss\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)
510.09 Mb Total Physical Memory | 153.92 Mb Available Physical Memory | 30.17% Memory free
1.22 Gb Paging File | 0.88 Gb Available in Paging File | 72.30% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.44 Gb Total Space | 34.45 Gb Free Space | 46.28% Space Free
D: Drive not present or media not loaded
Drive E: | 120.81 Mb Total Space | 120.32 Mb Free Space | 99.60% Space Free
F: Drive not present or media not loaded
Computer Name: BASEMENT
Current User Name: Avi Fuss
Logged in as Administrator.
Current Boot Mode: Normal
[Processes - Non-Microsoft Only]
aolsoftware.exe -> %CommonProgramFiles%\AOL\1149391482\ee\AOLSoftware.exe -> America Online, Inc. [Ver = 1.4.16.3 | Size = 50792 bytes | Modified Date = 4/20/2006 1:10:14 PM | Attr = ]
digservices.exe -> %ProgramFiles%\ESPNRunTime\DIGServices.exe -> Walt Disney Internet Group [Ver = 1.0.0.0016 | Size = 101888 bytes | Modified Date = 5/19/2005 1:55:58 PM | Attr = ]
dvdtray.exe -> %ProgramFiles%\HP DVD\Umbrella\DVDTray.exe -> Hewlett-Packard Company [Ver = 2.0 | Size = 69632 bytes | Modified Date = 7/23/2003 1:42:04 PM | Attr = ]
fameh32.exe -> %ProgramFiles%\F-Secure Internet Security\Common\FAMEH32.EXE -> F-Secure Corporation [Ver = 6.0.8314 | Size = 270387 bytes | Modified Date = 6/2/2005 6:37:44 PM | Attr = ]
fch32.exe -> %ProgramFiles%\F-Secure Internet Security\Common\FCH32.EXE -> F-Secure Corporation [Ver = 6.0.8314 | Size = 65585 bytes | Modified Date = 6/2/2005 6:37:44 PM | Attr = ]
fsav32.exe -> %ProgramFiles%\F-Secure Internet Security\Anti-Virus\FSAV32.exe -> F-Secure Corporation [Ver = 6.10.11280 | Size = 179712 bytes | Modified Date = 7/15/2005 8:06:08 AM | Attr = ]
fsaw.exe -> %ProgramFiles%\F-Secure Internet Security\Anti-Spyware\FSAW.exe -> F-Secure Corporation [Ver = 1.1.197 | Size = 86064 bytes | Modified Date = 8/22/2005 8:16:52 AM | Attr = ]
fsbwsys.exe -> %ProgramFiles%\F-Secure Internet Security\backweb\4476822\Program\fsbwsys.exe -> F-Secure Corp. [Ver = 6.90.869 | Size = 274485 bytes | Modified Date = 12/14/2005 8:42:38 PM | Attr = ]
fsdfwd.exe -> %ProgramFiles%\F-Secure Internet Security\FWES\program\fsdfwd.exe -> F-Secure Corporation [Ver = 5.91.190 | Size = 204863 bytes | Modified Date = 8/29/2005 10:12:40 AM | Attr = ]
fsgk32.exe -> %ProgramFiles%\F-Secure Internet Security\Anti-Virus\fsgk32.exe -> F-Secure Corp. [Ver = 6.10.11380 | Size = 289792 bytes | Modified Date = 1/29/2006 11:12:34 AM | Attr = ]
fsgk32st.exe -> %ProgramFiles%\F-Secure Internet Security\Anti-Virus\fsgk32st.exe -> F-Secure Corporation [Ver = 1.00.11280 | Size = 36947 bytes | Modified Date = 7/13/2005 10:43:48 AM | Attr = ]
fsguidll.exe -> %ProgramFiles%\F-Secure Internet Security\FSGUI\fsguidll.exe -> F-Secure Corporation [Ver = 6, 20, 330, 0 | Size = 233537 bytes | Modified Date = 8/23/2005 9:42:34 AM | Attr = ]
fsm32.exe -> %ProgramFiles%\F-Secure Internet Security\Common\FSM32.EXE -> F-Secure Corporation [Ver = 6.0.8314 | Size = 122929 bytes | Modified Date = 6/2/2005 6:37:44 PM | Attr = ]
fsma32.exe -> %ProgramFiles%\F-Secure Internet Security\Common\FSMA32.EXE -> F-Secure Corporation [Ver = 6.0.8314 | Size = 61490 bytes | Modified Date = 6/2/2005 6:37:44 PM | Attr = ]
fsmb32.exe -> %ProgramFiles%\F-Secure Internet Security\Common\FSMB32.EXE -> F-Secure Corporation [Ver = 6.0.8314 | Size = 180274 bytes | Modified Date = 6/2/2005 6:37:44 PM | Attr = ]
fspex.exe -> %ProgramFiles%\F-Secure Internet Security\backweb\4476822\Program\fspex.exe -> F-Secure Internet Security 2005 [Ver = Version 6.3.2 (Build 116R) | Size = 36903 bytes | Modified Date = 12/14/2005 8:42:46 PM | Attr = ]
fsqh.exe -> %ProgramFiles%\F-Secure Internet Security\Anti-Virus\fsqh.exe -> F-Secure Corporation [Ver = 6.00.11240 | Size = 32826 bytes | Modified Date = 6/13/2005 12:19:34 PM | Attr = ]
fsrw.exe -> %ProgramFiles%\F-Secure Internet Security\Anti-Virus\FSRW.exe -> F-Secure Corporation [Ver = 1.1.220 | Size = 159792 bytes | Modified Date = 8/18/2005 8:09:26 AM | Attr = ]
fssm32.exe -> %ProgramFiles%\F-Secure Internet Security\Anti-Virus\fssm32.exe -> F-Secure Corp. [Ver = 6.10.11480 | Size = 247296 bytes | Modified Date = 1/29/2006 11:12:34 AM | Attr = ]
googletoolbarnotifier.exe -> %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe -> Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 6/23/2007 11:38:52 AM | Attr = ]
guard.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 8:31:10 AM | Attr = ]
hpqgalry.exe -> %ProgramFiles%\HP\Digital Imaging\bin\hpqgalry.exe -> Hewlett-Packard Co. [Ver = 045.004.157.000 | Size = 425984 bytes | Modified Date = 11/4/2004 7:36:46 PM | Attr = ]
hpwuschd2.exe -> %ProgramFiles%\Hewlett-Packard\HP Software Update\HPWuSchd2.exe -> Hewlett-Packard Company [Ver = 5, 0, 0, 0 | Size = 49152 bytes | Modified Date = 9/13/2004 3:49:00 PM | Attr = ]
iaanotif.exe -> %ProgramFiles%\Intel\Intel Application Accelerator\IAAnotif.exe -> Intel Corporation [Ver = 4.0.0.6211 | Size = 135168 bytes | Modified Date = 3/23/2004 1:16:16 PM | Attr = ]
iaantmon.exe -> %ProgramFiles%\Intel\Intel Application Accelerator\IAANTmon.exe -> Intel Corporation [Ver = 4.0.0.6211 | Size = 73852 bytes | Modified Date = 3/23/2004 1:15:40 PM | Attr = ]
intelmem.exe -> %ProgramFiles%\Intel\Modem Event Monitor\IntelMEM.exe -> Intel Corporation [Ver = 0, 1, 0, 10 | Size = 221184 bytes | Modified Date = 9/3/2003 9:12:44 PM | Attr = ]
ipodservice.exe -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Computer, Inc. [Ver = 6.0.4.2 | Size = 323584 bytes | Modified Date = 2/23/2006 4:45:06 PM | Attr = ]
ituneshelper.exe -> %ProgramFiles%\iTunes\iTunesHelper.exe -> Apple Computer, Inc. [Ver = 6.0.4.2 | Size = 278528 bytes | Modified Date = 2/23/2006 4:45:20 PM | Attr = ]
mmtask.exe -> %ProgramFiles%\MUSICMATCH\Musicmatch Jukebox\mmtask.exe -> Musicmatch Inc. [Ver = 9.0.0.1 | Size = 53248 bytes | Modified Date = 3/15/2005 8:58:08 AM | Attr = ]
pcmservice.exe -> %ProgramFiles%\Dell\Media Experience\PCMService.exe -> CyberLink Corp. [Ver = 1.0.1611 | Size = 290816 bytes | Modified Date = 4/11/2004 9:15:14 PM | Attr = ]
printer.exe -> %System32%\printer.exe -> Microsoft Co [Ver = 1, 0, 0, 1 | Size = 14848 bytes | Modified Date = 8/10/2007 12:47:08 AM | Attr = ]
qttask.exe -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Computer, Inc. [Ver = 7.0.4 | Size = 155648 bytes | Modified Date = 1/23/2006 5:40:06 PM | Attr = ]
realsched.exe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> RealNetworks, Inc. [Ver = 0.1.0.3034 | Size = 180269 bytes | Modified Date = 8/5/2004 9:50:12 PM | Attr = ]
servic~1.exe -> %ProgramFiles%\F-Secure Internet Security\backweb\4476822\Program\ServiceWrapper-4476822.exe -> F-Secure Internet Security 2005 [Ver = Version 6.3.2 (Build 116R) | Size = 36903 bytes | Modified Date = 12/14/2005 8:42:46 PM | Attr = ]
sgtray.exe -> %CommonProgramFiles%\Sonic\Update Manager\sgtray.exe -> Sonic Solutions [Ver = 1.01.32a | Size = 110592 bytes | Modified Date = 8/19/2003 1:01:00 AM | Attr = ]
tfswctrl.exe -> %System32%\dla\tfswctrl.exe -> Sonic Solutions [Ver = 1.04.07b | Size = 122933 bytes | Modified Date = 3/15/2004 2:04:00 AM | Attr = ]
viewmgr.exe -> %ProgramFiles%\Viewpoint\Viewpoint Manager\ViewMgr.exe -> Viewpoint Corporation [Ver = 2, 0, 0, 54 | Size = 112336 bytes | Modified Date = 1/4/2007 5:38:20 PM | Attr = ]
viewpointservice.exe -> %ProgramFiles%\Viewpoint\Common\ViewpointService.exe -> Viewpoint Corporation [Ver = 2, 0, 0, 54 | Size = 24652 bytes | Modified Date = 1/4/2007 5:38:10 PM | Attr = ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.38.0 | Size = 322048 bytes | Modified Date = 6/23/2007 3:15:54 PM | Attr = ]
xrxftplt.exe -> %ProgramFiles%\XEROX\NWWIA\XrxFTPLt.exe -> [Ver = 1, 0, 0, 2 | Size = 27648 bytes | Modified Date = 8/17/2001 10:37:02 PM | Attr = ]
[Win32 Services - Non-Microsoft Only]
(aawservice) Ad-Aware 2007 Service [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Lavasoft\Ad-Aware 2007\aawservice.exe -> File not found
(Ati HotKey Poller) Ati HotKey Poller [Win32_Own | Auto | Stopped] -> %System32%\Ati2evxx.exe -> File not found
(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 8:31:10 AM | Attr = ]
(BackWeb Plug-in - 4476822) F-Secure Anti-Virus 2006 [Win32_Own | Auto | Running] -> %ProgramFiles%\F-Secure Internet Security\backweb\4476822\Program\ServiceWrapper-4476822.exe -> F-Secure Internet Security 2005 [Ver = Version 6.3.2 (Build 116R) | Size = 36903 bytes | Modified Date = 12/14/2005 8:42:46 PM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 3:56:48 AM | Attr = ]
(DSBrokerService) DSBrokerService [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\DellSupport\brkrsvc.exe -> File not found
(F-Secure Gatekeeper Handler Starter) FSGKHS [Win32_Own | Auto | Running] -> %ProgramFiles%\F-Secure Internet Security\Anti-Virus\fsgk32st.exe -> F-Secure Corporation [Ver = 1.00.11280 | Size = 36947 bytes | Modified Date = 7/13/2005 10:43:48 AM | Attr = ]
(fsbwsys) fsbwsys [Win32_Own | Auto | Running] -> %ProgramFiles%\F-Secure Internet Security\backweb\4476822\Program\fsbwsys.exe -> F-Secure Corp. [Ver = 6.90.869 | Size = 274485 bytes | Modified Date = 12/14/2005 8:42:38 PM | Attr = ]
(FSDFWD) F-Secure Anti-Virus Firewall Daemon [Win32_Own | On_Demand | Running] -> %ProgramFiles%\F-Secure Internet Security\FWES\program\fsdfwd.exe -> F-Secure Corporation [Ver = 5.91.190 | Size = 204863 bytes | Modified Date = 8/29/2005 10:12:40 AM | Attr = ]
(FSMA) F-Secure Management Agent [Win32_Own | Auto | Running] -> %ProgramFiles%\F-Secure Internet Security\Common\FSMA32.EXE -> F-Secure Corporation [Ver = 6.0.8314 | Size = 61490 bytes | Modified Date = 6/2/2005 6:37:44 PM | Attr = ]
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.0.734.29932.beta | Size = 138168 bytes | Modified Date = 3/2/2007 5:10:08 PM | Attr = ]
(IAANTMon) IAA Event Monitor [Win32_Own | Auto | Running] -> %ProgramFiles%\Intel\Intel Application Accelerator\IAANTmon.exe -> Intel Corporation [Ver = 4.0.0.6211 | Size = 73852 bytes | Modified Date = 3/23/2004 1:15:40 PM | Attr = ]
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\11\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 11.00.28844 | Size = 69632 bytes | Modified Date = 4/4/2005 12:41:10 AM | Attr = ]
(iPodService) iPodService [Win32_Own | On_Demand | Running] -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Computer, Inc. [Ver = 6.0.4.2 | Size = 323584 bytes | Modified Date = 2/23/2006 4:45:06 PM | Attr = ]
(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | Auto | Stopped] -> %System32%\HPZipm12.exe -> HP [Ver = 9, 0, 0, 0 | Size = 69632 bytes | Modified Date = 9/29/2004 12:14:36 PM | Attr = ]
(ServiceLayer) ServiceLayer [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\PCSuite\Services\ServiceLayer.exe -> Nokia. [Ver = 6, 81, 60, 0 | Size = 174080 bytes | Modified Date = 6/5/2006 1:59:18 PM | Attr = ]
(SymWSC) SymWMI Service [Win32_Own | Auto | Stopped] -> %CommonProgramFiles%\Symantec Shared\Security Center\symwsc.exe -> Symantec Corporation [Ver = 2005.1.2.20 | Size = 316544 bytes | Modified Date = 11/2/2004 5:59:50 PM | Attr = ]
(Viewpoint Manager Service) Viewpoint Manager Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Viewpoint\Common\ViewpointService.exe -> Viewpoint Corporation [Ver = 2, 0, 0, 54 | Size = 24652 bytes | Modified Date = 1/4/2007 5:38:10 PM | Attr = ]
[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
ATIPTA -> %ProgramFiles%\ATI Technologies\ATI Control Panel\atiptaxx.exe -> ATI Technologies, Inc. [Ver = 6.14.10.5103 | Size = 335872 bytes | Modified Date = 5/25/2004 11:35:00 PM | Attr = ]
DIGServices -> %ProgramFiles%\ESPNRunTime\DIGServices.exe -> Walt Disney Internet Group [Ver = 1.0.0.0016 | Size = 101888 bytes | Modified Date = 5/19/2005 1:55:58 PM | Attr = ]
DIGStream -> %ProgramFiles%\DIGStream\digstream.exe -> File not found
dla -> %System32%\dla\tfswctrl.exe -> Sonic Solutions [Ver = 1.04.07b | Size = 122933 bytes | Modified Date = 3/15/2004 2:04:00 AM | Attr = ]
DVDBitSet -> %ProgramFiles%\HP DVD\Umbrella\DVDBitSet.exe -> Hewlett-Packard Company [Ver = 1.2 | Size = 184320 bytes | Modified Date = 12/18/2003 5:37:58 PM | Attr = ]
DVDTray -> %ProgramFiles%\HP DVD\Umbrella\DVDTray.exe -> Hewlett-Packard Company [Ver = 2.0 | Size = 69632 bytes | Modified Date = 7/23/2003 1:42:04 PM | Attr = ]
F-Secure Manager -> %ProgramFiles%\F-Secure Internet Security\Common\FSM32.EXE -> F-Secure Corporation [Ver = 6.0.8314 | Size = 122929 bytes | Modified Date = 6/2/2005 6:37:44 PM | Attr = ]
F-Secure Startup Wizard -> %ProgramFiles%\F-Secure Internet Security\FSGUI\fssw.exe -> F-Secure Corporation [Ver = 1, 0, 37, 1 | Size = 372736 bytes | Modified Date = 8/23/2005 9:38:06 AM | Attr = ]
F-Secure TNB -> %ProgramFiles%\F-Secure Internet Security\TNB\tnbutil.exe -> F-Secure Corporation [Ver = 1.09.5050 | Size = 700416 bytes | Modified Date = 7/18/2005 10:51:18 AM | Attr = ]
HostManager -> %CommonProgramFiles%\AOL\1149391482\ee\AOLSoftware.exe -> America Online, Inc. [Ver = 1.4.16.3 | Size = 50792 bytes | Modified Date = 4/20/2006 1:10:14 PM | Attr = ]
HP Software Update -> %ProgramFiles%\Hewlett-Packard\HP Software Update\HPWuSchd2.exe -> Hewlett-Packard Company [Ver = 5, 0, 0, 0 | Size = 49152 bytes | Modified Date = 9/13/2004 3:49:00 PM | Attr = ]
IAAnotif -> %ProgramFiles%\Intel\Intel Application Accelerator\IAAnotif.exe -> Intel Corporation [Ver = 4.0.0.6211 | Size = 135168 bytes | Modified Date = 3/23/2004 1:16:16 PM | Attr = ]
IntelMeM -> %ProgramFiles%\Intel\Modem Event Monitor\IntelMEM.exe -> Intel Corporation [Ver = 0, 1, 0, 10 | Size = 221184 bytes | Modified Date = 9/3/2003 9:12:44 PM | Attr = ]
IPHSend -> %CommonProgramFiles%\AOL\IPHSend\IPHSend.exe -> America Online, Inc. [Ver = 1.0.12.1 | Size = 124520 bytes | Modified Date = 2/17/2006 12:59:48 PM | Attr = ]
iTunesHelper -> %ProgramFiles%\iTunes\iTunesHelper.exe -> Apple Computer, Inc. [Ver = 6.0.4.2 | Size = 278528 bytes | Modified Date = 2/23/2006 4:45:20 PM | Attr = ]
mmtask -> %ProgramFiles%\MUSICMATCH\Musicmatch Jukebox\mmtask.exe -> Musicmatch Inc. [Ver = 9.0.0.1 | Size = 53248 bytes | Modified Date = 3/15/2005 8:58:08 AM | Attr = ]
PCMService -> %ProgramFiles%\Dell\Media Experience\PCMService.exe -> CyberLink Corp. [Ver = 1.0.1611 | Size = 290816 bytes | Modified Date = 4/11/2004 9:15:14 PM | Attr = ]
QuickTime Task -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Computer, Inc. [Ver = 7.0.4 | Size = 155648 bytes | Modified Date = 1/23/2006 5:40:06 PM | Attr = ]
TkBellExe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> RealNetworks, Inc. [Ver = 0.1.0.3034 | Size = 180269 bytes | Modified Date = 8/5/2004 9:50:12 PM | Attr = ]
UpdateManager -> %CommonProgramFiles%\Sonic\Update Manager\sgtray.exe -> Sonic Solutions [Ver = 1.01.32a | Size = 110592 bytes | Modified Date = 8/19/2003 1:01:00 AM | Attr = ]
WinAVX -> %System32%\WinAvXX.exe -> Microsoft Co [Ver = 1, 0, 0, 1 | Size = 14848 bytes | Modified Date = 8/10/2007 12:47:08 AM | Attr = ]
XeroxScannerDaemon -> %ProgramFiles%\XEROX\NWWIA\XrxFTPLt.exe -> [Ver = 1, 0, 0, 2 | Size = 27648 bytes | Modified Date = 8/17/2001 10:37:02 PM | Attr = ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
Aim6 -> %CommonProgramFiles%\AOL\Launch\AOLLaunch.exe -> America Online, Inc. [Ver = 1.4.16.3 | Size = 50792 bytes | Modified Date = 4/20/2006 1:10:16 PM | Attr = ]
BitTorrent -> %ProgramFiles%\BitTorrent\bittorrent.exe -> [Ver = | Size = 43520 bytes | Modified Date = 9/29/2006 10:00:14 PM | Attr = ]
MoneyAgent -> %ProgramFiles%\Microsoft Money\System\mnyexpr.exe -> Microsoft Corp. [Ver = 12.00.0613 | Size = 200704 bytes | Modified Date = 6/18/2003 1:00:00 PM | Attr = ]
RealPlayer -> %ProgramFiles%\Real\RealPlayer\realplay.exe -> RealNetworks, Inc. [Ver = 6.0.12.883 | Size = 1003520 bytes | Modified Date = 5/30/2006 10:07:48 PM | Attr = ]
RecordNow! -> -> File not found
swg -> %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe -> Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 6/23/2007 11:38:52 AM | Attr = ]
orange450
2007-08-17, 19:07
Second part of the log:
WinAvXX.exe -> %System32%\WinAvXX.exe -> Microsoft Co [Ver = 1, 0, 0, 1 | Size = 14848 bytes | Modified Date = 8/10/2007 12:47:08 AM | Attr = ]
WPA.DBL -> %System32%\WPA.DBL -> [Ver = | Size = 1170 bytes | Modified Date = 8/17/2007 11:45:48 AM | Attr = ]
ETC -> %System32%\drivers\ETC -> [Folder | Modified Date = 8/16/2007 10:25:48 AM | Attr = ]
gmer.sys -> %System32%\drivers\gmer.sys -> GMER [Ver = 1, 0, 12, 3911 | Size = 70001 bytes | Modified Date = 8/16/2007 12:58:28 PM | Attr = ]
[File String Scan - Non-Microsoft Only]
@Alternate Data Stream - 0 bytes -> %SystemRoot%\Thumbs.db:encryptable ->
PEC2 , -> %System32%\DFRG.MSC -> [Ver = | Size = 41397 bytes | Modified Date = 8/29/2002 6:00:00 AM | Attr = ]
PEC2 , -> %System32%\ODBCJET.HLP -> [Ver = | Size = 163384 bytes | Modified Date = 7/11/1997 1:00:00 AM | Attr = ]
UPX0 , -> %System32%\printer.exe -> Microsoft Co [Ver = 1, 0, 0, 1 | Size = 14848 bytes | Modified Date = 8/10/2007 12:47:08 AM | Attr = ]
UPX! , UPX0 , -> %System32%\SrchSTS.exe -> S!Ri [Ver = | Size = 288417 bytes | Modified Date = 4/27/2006 5:49:30 PM | Attr = ]
UPX! , UPX0 , -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Modified Date = 7/22/2007 6:39:28 PM | Attr = ]
winsync , -> %System32%\WBDBASE.DEU -> [Ver = | Size = 1309184 bytes | Modified Date = 8/29/2002 6:00:00 AM | Attr = ]
UPX0 , -> %System32%\WinAvXX.exe -> Microsoft Co [Ver = 1, 0, 0, 1 | Size = 14848 bytes | Modified Date = 8/10/2007 12:47:08 AM | Attr = ]
Thawte Consulting , -> %System32%\XceedFtp.dll -> Xceed Software Inc (450) 442-2626 support@xceedsoft.com www.xceedsoft.com [Ver = 1.0.42.0 | Size = 236576 bytes | Modified Date = 10/2/2003 6:36:22 PM | Attr = ]
PTech , -> %System32%\drivers\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 8/4/2004 1:41:38 AM | Attr = ]
< End of report >
Hi
No new baddies there.
Run combofix one more time and post its log along with a fresh HijackThis log.
orange450
2007-08-17, 19:40
Hi Shaba, here are the logs. As before, the Control Panel is available right after running combofix, so I took a look at Add/Remove Programs. I can see entries for Magicantispy, smileydistrict, and super text twist (may be OK but I don't recognize it). Should I remove them while my Control Panel works? The computer is offline now - I use a removable drive to send these logs from a clean computer.
Also, what about the other accounts on the computer? Should I be running combofix and HJT from them?
HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 12:31:46 PM, on 8/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Avi Fuss\Desktop\HijackThis.exe
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [XeroxScannerDaemon] C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: F-Secure Anti-Virus 2006.lnk = C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Scan Button.lnk = C:\SCANNER\EXE32\DETECTON.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {AF087E66-838E-4A97-8A0B-0DDDA5DEA239} (OTAutoInstall Class) - http://trials1.endeavors.com/autodesk/acad2006/clientdownloads/OTAI.CAB
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pc.mywebexpc.com/client/v_mywebex-aa/ra/ieatgpc.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/TrueInstall.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: F-Secure Anti-Virus 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
orange450
2007-08-17, 19:42
Here is the combofix log. I found a message on the computer saying that Windows had installed an important security update, and the computer needed to be restarted for the changes to take effect. The message did look like it came from Microsoft. The computer had restarted. This was before I ran the logs.
ComboFix 07-08-09.3 - "Avi Fuss" 2007-08-17 12:26:36.9 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.168 [GMT -4:00]
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup.\autorun.exe
C:\DOCUME~1\AVIFUS~1\STARTM~1\Programs\Startup.\system.exe
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\WinAvXX.exe
((((((((((((((((((((((((( Files Created from 2007-07-17 to 2007-08-17 )))))))))))))))))))))))))))))))
2007-08-13 14:01 <DIR> d-------- C:\DOCUME~1\AVIFUS~1\DoctorWeb
2007-08-13 13:14 <DIR> d--h----- C:\WINDOWS\PIF
2007-08-13 13:07 <DIR> d-------- C:\Downloads
2007-08-13 13:07 <DIR> d-------- C:\Bases
2007-08-13 13:05 <DIR> d-------- C:\Kaspersky
2007-08-12 23:46 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-08-12 10:25 4,522 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-08-12 10:24 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-08-12 10:24 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-08-10 14:17 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-09 13:59 <DIR> d---s---- C:\DOCUME~1\Tali\UserData
2007-08-09 13:56 <DIR> d-------- C:\DOCUME~1\Tali\APPLIC~1\Google
2007-08-09 13:53 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Google
2007-08-08 21:07 <DIR> d-------- C:\VundoFix Backups
2007-08-08 21:07 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-08 21:07 <DIR> d-------- C:\Program Files\Dell Support
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Gtek
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\Gtek
2007-08-08 20:40 <DIR> d-------- C:\DOCUME~1\Abba\APPLIC~1\Apple Computer
2007-08-08 16:49 <DIR> d-------- C:\Program Files\Lavasoft(2)
2007-08-08 16:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-08 16:35 <DIR> d-------- C:\DOCUME~1\Guest\UserData
2007-08-08 16:31 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Lavasoft
2007-08-08 15:43 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-08-08 15:43 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
2007-08-08 15:39 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\GTek(2)
2007-08-07 22:02 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-07 20:11 <DIR> d-------- C:\Program Files\DellSupport
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-13 11:39 --------- d-------- C:\DOCUME~1\AVIFUS~1\APPLIC~1\BitTorrent
2007-08-13 00:49 --------- d-------- C:\Program Files\DIGStream
2007-08-08 21:07 --------- d-------- C:\DOCUME~1\AVIFUS~1\APPLIC~1\Lavasoft
2007-08-08 21:06 --------- d--h----- C:\DOCUME~1\AVIFUS~1\APPLIC~1\GTek
2007-07-09 11:33 --------- d-------- C:\DOCUME~1\AVIFUS~1\APPLIC~1\AdobeUM
2007-07-01 22:31 --------- d-------- C:\Program Files\Winamp
2007-06-26 11:13 851968 --------- C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-26 10:09 658944 --------- C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 02:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 09:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-14 14:09 96256 --------- C:\WINDOWS\system32\dllcache\inseng.dll
2007-06-14 14:09 615424 --------- C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-14 14:09 55808 --------- C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-14 14:09 532480 --------- C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-14 14:09 474112 --------- C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-06-14 14:09 449024 --------- C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-14 14:09 39424 --------- C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-06-14 14:09 357888 --------- C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-06-14 14:09 3058688 --------- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-06-14 14:09 251392 --------- C:\WINDOWS\system32\dllcache\iepeers.dll
2007-06-14 14:09 205312 --------- C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-06-14 14:09 16384 --------- C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-14 14:09 151040 --------- C:\WINDOWS\system32\dllcache\cdfview.dll
2007-06-14 14:09 1494528 --------- C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-06-14 14:09 146432 --------- C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-14 14:09 1054208 --------- C:\WINDOWS\system32\dllcache\danim.dll
2007-06-14 14:09 1023488 --------- C:\WINDOWS\system32\dllcache\browseui.dll
2007-06-14 10:07 18432 --------- C:\WINDOWS\system32\dllcache\iedw.exe
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 06:23 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
2007-05-17 07:28 549376 --a------ C:\WINDOWS\system32\oleaut32.dll
2007-05-17 07:28 549376 --------- C:\WINDOWS\system32\dllcache\oleaut32.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 13:16]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-25 23:35]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 21:12]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 21:15]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 02:04]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-05 21:50]
"XeroxScannerDaemon"="C:\Program Files\Xerox\NWWia\XrxFTPLt.exe" [2001-08-17 22:37]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"DVDTray"="C:\Program Files\HP DVD\Umbrella\DVDTray.exe" [2003-07-23 13:42]
"DVDBitSet"="C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" [2003-12-18 17:37]
"mmtask"="C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe" [2005-03-15 08:58]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" []
"DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [2005-05-19 13:55]
"F-Secure Manager"="C:\Program Files\F-Secure Internet Security\Common\FSM32.exe" [2005-06-02 18:37]
"F-Secure TNB"="C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" [2005-07-18 10:51]
"F-Secure Startup Wizard"="C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.exe" [2005-08-23 09:38]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-23 17:40]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 16:45]
"HostManager"="C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe" [2006-04-20 13:10]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 12:59]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 13:00]
"RecordNow!"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"RealPlayer"="C:\Program Files\Real\RealPlayer\realplay.exe" [2006-05-30 22:07]
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [2006-04-20 13:10]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2006-09-29 22:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 11:38]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SRUUninstall"="C:\WINDOWS\system32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
F-Secure Anti-Virus 2006.lnk - C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe [2005-12-14 20:42:44]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52]
Scan Button.lnk - C:\SCANNER\EXE32\DETECTON.EXE [2004-07-29 23:31:57]
R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys
R0 iaStor;Intel AHCI Controller;C:\WINDOWS\system32\drivers\iaStor.sys
R2 BackWeb Plug-in - 4476822;F-Secure Anti-Virus 2006;C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
R2 DgivEcp;Team MFP Comm Driver;C:\WINDOWS\system32\Drivers\DgivEcp.Sys
R2 F-Secure Filter;F-Secure File System Filter;\??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSgk.sys
R2 F-Secure Recognizer;F-Secure File System Recognizer;\??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys
R3 IntelC51;IntelC51;C:\WINDOWS\system32\DRIVERS\IntelC51.sys
R3 IntelC52;IntelC52;C:\WINDOWS\system32\DRIVERS\IntelC52.sys
R3 IntelC53;IntelC53;C:\WINDOWS\system32\DRIVERS\IntelC53.sys
R3 mohfilt;mohfilt;C:\WINDOWS\system32\DRIVERS\mohfilt.sys
R3 StillCam;Still Serial Digital Camera Driver;C:\WINDOWS\system32\DRIVERS\serscan.sys
S3 hpusbwdm;HP DVD Movie Writer dc3000/dc4000;C:\WINDOWS\system32\DRIVERS\hpusbwdm.sys
S3 Jukebox;Jukebox;C:\WINDOWS\system32\DRIVERS\ctpdusb2.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00c6bd32-af1c-11db-9fbe-0011112826b8}]
AutoRun\command- G:\CA_Install.exe
Contents of the 'Scheduled Tasks' folder
2007-08-17 04:00:18 C:\WINDOWS\Tasks\Scheduled scanning task.job
2004-12-24 18:42:14 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-17 12:29:09
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-17 12:29:48
C:\ComboFix-quarantined-files.txt ... 2007-08-17 12:29
C:\ComboFix2.txt ... 2007-08-16 10:41
C:\ComboFix3.txt ... 2007-08-16 09:39
--- E O F ---
Hi
"Should I remove them, while my control panel works?"
You can try, but some of the folders are removed, so that might not work.
"Also, what about the other accounts on the computer? Should I be running combofix and HJT from them?"
Yes, and keep the computer offline if possible.
Tell me if you can find this file, too.
C:\Windows\vtrxxx.dll, where xxx = random numbers?
orange450
2007-08-17, 20:27
Hi Shaba, I removed the entries from Add/Remove programs. I didn't find the C:\windows\vtrXXX.dll file.
Here are the logs from the two other accounts on the computer. It looks like the one from TALI found something.
HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 1:12:21 PM, on 8/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Tali\Desktop\HijackThis.exe
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [XeroxScannerDaemon] C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Global Startup: F-Secure Anti-Virus 2006.lnk = C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Scan Button.lnk = C:\SCANNER\EXE32\DETECTON.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {AF087E66-838E-4A97-8A0B-0DDDA5DEA239} (OTAutoInstall Class) - http://trials1.endeavors.com/autodesk/acad2006/clientdownloads/OTAI.CAB
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pc.mywebexpc.com/client/v_mywebex-aa/ra/ieatgpc.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/TrueInstall.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: F-Secure Anti-Virus 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
ComboFix log:
ComboFix 07-08-09.3 - "Tali" 2007-08-17 13:09:46.11 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.174 [GMT -4:00]
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\Tali\Desktop.\Find Spyware Remover.lnk
C:\DOCUME~1\Tali\Desktop.\Free Online Dating.lnk
C:\DOCUME~1\Tali\Desktop.\Go to Casino.lnk
((((((((((((((((((((((((( Files Created from 2007-07-17 to 2007-08-17 )))))))))))))))))))))))))))))))
2007-08-13 14:01 <DIR> d-------- C:\DOCUME~1\AVIFUS~1\DoctorWeb
2007-08-13 13:14 <DIR> d--h----- C:\WINDOWS\PIF
2007-08-13 13:07 <DIR> d-------- C:\Downloads
2007-08-13 13:07 <DIR> d-------- C:\Bases
2007-08-13 13:05 <DIR> d-------- C:\Kaspersky
2007-08-12 23:46 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-08-12 10:25 4,522 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-08-12 10:24 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-08-12 10:24 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-08-10 14:17 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-09 13:59 <DIR> d---s---- C:\DOCUME~1\Tali\UserData
2007-08-09 13:56 <DIR> d-------- C:\DOCUME~1\Tali\APPLIC~1\Google
2007-08-09 13:53 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Google
2007-08-08 21:07 <DIR> d-------- C:\VundoFix Backups
2007-08-08 21:07 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-08 21:07 <DIR> d-------- C:\Program Files\Dell Support
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Gtek
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\Gtek
2007-08-08 20:40 <DIR> d-------- C:\DOCUME~1\Abba\APPLIC~1\Apple Computer
2007-08-08 16:49 <DIR> d-------- C:\Program Files\Lavasoft(2)
2007-08-08 16:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-08 16:35 <DIR> d-------- C:\DOCUME~1\Guest\UserData
2007-08-08 16:31 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Lavasoft
2007-08-08 15:43 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-08-08 15:43 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
2007-08-08 15:39 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\GTek(2)
2007-08-07 22:02 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-07 20:11 <DIR> d-------- C:\Program Files\DellSupport
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-17 12:33 --------- d-------- C:\Program Files\BitTorrent
2007-08-13 00:49 --------- d-------- C:\Program Files\DIGStream
2007-08-08 21:06 --------- d-------- C:\DOCUME~1\Tali\APPLIC~1\Gtek
2007-07-01 22:31 --------- d-------- C:\Program Files\Winamp
2007-06-26 11:13 851968 --------- C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-26 10:09 658944 --------- C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 02:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 09:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-14 14:09 96256 --------- C:\WINDOWS\system32\dllcache\inseng.dll
2007-06-14 14:09 615424 --------- C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-14 14:09 55808 --------- C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-14 14:09 532480 --------- C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-14 14:09 474112 --------- C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-06-14 14:09 449024 --------- C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-14 14:09 39424 --------- C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-06-14 14:09 357888 --------- C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-06-14 14:09 3058688 --------- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-06-14 14:09 251392 --------- C:\WINDOWS\system32\dllcache\iepeers.dll
2007-06-14 14:09 205312 --------- C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-06-14 14:09 16384 --------- C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-14 14:09 151040 --------- C:\WINDOWS\system32\dllcache\cdfview.dll
2007-06-14 14:09 1494528 --------- C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-06-14 14:09 146432 --------- C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-14 14:09 1054208 --------- C:\WINDOWS\system32\dllcache\danim.dll
2007-06-14 14:09 1023488 --------- C:\WINDOWS\system32\dllcache\browseui.dll
2007-06-14 10:07 18432 --------- C:\WINDOWS\system32\dllcache\iedw.exe
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 06:23 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
2007-05-17 07:28 549376 --a------ C:\WINDOWS\system32\oleaut32.dll
2007-05-17 07:28 549376 --------- C:\WINDOWS\system32\dllcache\oleaut32.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 13:16]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-25 23:35]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 21:12]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 21:15]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 02:04]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-05 21:50]
"XeroxScannerDaemon"="C:\Program Files\Xerox\NWWia\XrxFTPLt.exe" [2001-08-17 22:37]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"DVDTray"="C:\Program Files\HP DVD\Umbrella\DVDTray.exe" [2003-07-23 13:42]
"DVDBitSet"="C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" [2003-12-18 17:37]
"mmtask"="C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe" [2005-03-15 08:58]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" []
"DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [2005-05-19 13:55]
"F-Secure Manager"="C:\Program Files\F-Secure Internet Security\Common\FSM32.exe" [2005-06-02 18:37]
"F-Secure TNB"="C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" [2005-07-18 10:51]
"F-Secure Startup Wizard"="C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.exe" [2005-08-23 09:38]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-23 17:40]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 16:45]
"HostManager"="C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe" [2006-04-20 13:10]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 12:59]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" []
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SRUUninstall"="C:\WINDOWS\system32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
F-Secure Anti-Virus 2006.lnk - C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe [2005-12-14 20:42:44]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52]
Scan Button.lnk - C:\SCANNER\EXE32\DETECTON.EXE [2004-07-29 23:31:57]
orange450
2007-08-17, 20:28
Rest of that ComboFix log:
R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys
R0 iaStor;Intel AHCI Controller;C:\WINDOWS\system32\drivers\iaStor.sys
R2 BackWeb Plug-in - 4476822;F-Secure Anti-Virus 2006;C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
R2 DgivEcp;Team MFP Comm Driver;C:\WINDOWS\system32\Drivers\DgivEcp.Sys
R2 F-Secure Filter;F-Secure File System Filter;\??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSgk.sys
R2 F-Secure Recognizer;F-Secure File System Recognizer;\??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys
R3 IntelC51;IntelC51;C:\WINDOWS\system32\DRIVERS\IntelC51.sys
R3 IntelC52;IntelC52;C:\WINDOWS\system32\DRIVERS\IntelC52.sys
R3 IntelC53;IntelC53;C:\WINDOWS\system32\DRIVERS\IntelC53.sys
R3 mohfilt;mohfilt;C:\WINDOWS\system32\DRIVERS\mohfilt.sys
R3 StillCam;Still Serial Digital Camera Driver;C:\WINDOWS\system32\DRIVERS\serscan.sys
S3 hpusbwdm;HP DVD Movie Writer dc3000/dc4000;C:\WINDOWS\system32\DRIVERS\hpusbwdm.sys
S3 Jukebox;Jukebox;C:\WINDOWS\system32\DRIVERS\ctpdusb2.sys
Contents of the 'Scheduled Tasks' folder
2007-08-17 04:00:18 C:\WINDOWS\Tasks\Scheduled scanning task.job
2004-12-24 18:42:14 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-17 13:11:01
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-17 13:11:40
C:\ComboFix-quarantined-files.txt ... 2007-08-17 13:11
C:\ComboFix2.txt ... 2007-08-17 13:06
C:\ComboFix3.txt ... 2007-08-17 12:29
--- E O F ---
orange450
2007-08-17, 20:32
Also - I have logged on and off the three accounts on the computer, and the control panel is still working in each of them, and no yellow triangle so far. Of course, the computer has been offline the whole time. I can't thank you enough for the time and trouble you are taking!
HJT log from ABBA account:
Logfile of HijackThis v1.99.1
Scan saved at 1:16:12 PM, on 8/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Documents and Settings\Abba\Desktop\HijackThis.exe
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [XeroxScannerDaemon] C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: F-Secure Anti-Virus 2006.lnk = C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Scan Button.lnk = C:\SCANNER\EXE32\DETECTON.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {AF087E66-838E-4A97-8A0B-0DDDA5DEA239} (OTAutoInstall Class) - http://trials1.endeavors.com/autodesk/acad2006/clientdownloads/OTAI.CAB
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pc.mywebexpc.com/client/v_mywebex-aa/ra/ieatgpc.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/TrueInstall.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: F-Secure Anti-Virus 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Combofix log from ABBA account:
ComboFix 07-08-09.3 - "Abba" 2007-08-17 13:04:42.10 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.183 [GMT -4:00]
((((((((((((((((((((((((( Files Created from 2007-07-17 to 2007-08-17 )))))))))))))))))))))))))))))))
2007-08-13 14:01 <DIR> d-------- C:\DOCUME~1\AVIFUS~1\DoctorWeb
2007-08-13 13:14 <DIR> d--h----- C:\WINDOWS\PIF
2007-08-13 13:07 <DIR> d-------- C:\Downloads
2007-08-13 13:07 <DIR> d-------- C:\Bases
2007-08-13 13:05 <DIR> d-------- C:\Kaspersky
2007-08-12 23:46 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-08-12 10:25 4,522 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-08-12 10:24 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-08-12 10:24 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-08-10 14:17 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-09 13:59 <DIR> d---s---- C:\DOCUME~1\Tali\UserData
2007-08-09 13:56 <DIR> d-------- C:\DOCUME~1\Tali\APPLIC~1\Google
2007-08-09 13:53 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Google
2007-08-08 21:07 <DIR> d-------- C:\VundoFix Backups
2007-08-08 21:07 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-08 21:07 <DIR> d-------- C:\Program Files\Dell Support
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Gtek
2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\Gtek
2007-08-08 20:40 <DIR> d-------- C:\DOCUME~1\Abba\APPLIC~1\Apple Computer
2007-08-08 16:49 <DIR> d-------- C:\Program Files\Lavasoft(2)
2007-08-08 16:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-08 16:35 <DIR> d-------- C:\DOCUME~1\Guest\UserData
2007-08-08 16:31 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Lavasoft
2007-08-08 15:43 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-08-08 15:43 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
2007-08-08 15:39 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\GTek(2)
2007-08-07 22:02 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-07 20:11 <DIR> d-------- C:\Program Files\DellSupport
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-17 12:33 --------- d-------- C:\Program Files\BitTorrent
2007-08-13 00:49 --------- d-------- C:\Program Files\DIGStream
2007-08-08 21:06 --------- d-------- C:\DOCUME~1\Abba\APPLIC~1\Gtek
2007-07-01 22:31 --------- d-------- C:\Program Files\Winamp
2007-06-26 11:13 851968 --------- C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-26 10:09 658944 --------- C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 02:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 09:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-14 14:09 96256 --------- C:\WINDOWS\system32\dllcache\inseng.dll
2007-06-14 14:09 615424 --------- C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-14 14:09 55808 --------- C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-14 14:09 532480 --------- C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-14 14:09 474112 --------- C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-06-14 14:09 449024 --------- C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-14 14:09 39424 --------- C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-06-14 14:09 357888 --------- C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-06-14 14:09 3058688 --------- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-06-14 14:09 251392 --------- C:\WINDOWS\system32\dllcache\iepeers.dll
2007-06-14 14:09 205312 --------- C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-06-14 14:09 16384 --------- C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-14 14:09 151040 --------- C:\WINDOWS\system32\dllcache\cdfview.dll
2007-06-14 14:09 1494528 --------- C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-06-14 14:09 146432 --------- C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-14 14:09 1054208 --------- C:\WINDOWS\system32\dllcache\danim.dll
2007-06-14 14:09 1023488 --------- C:\WINDOWS\system32\dllcache\browseui.dll
2007-06-14 10:07 18432 --------- C:\WINDOWS\system32\dllcache\iedw.exe
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 06:23 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
2007-05-17 07:28 549376 --a------ C:\WINDOWS\system32\oleaut32.dll
2007-05-17 07:28 549376 --------- C:\WINDOWS\system32\dllcache\oleaut32.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 13:16]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-25 23:35]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 21:12]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 21:15]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 02:04]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-05 21:50]
"XeroxScannerDaemon"="C:\Program Files\Xerox\NWWia\XrxFTPLt.exe" [2001-08-17 22:37]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"DVDTray"="C:\Program Files\HP DVD\Umbrella\DVDTray.exe" [2003-07-23 13:42]
"DVDBitSet"="C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" [2003-12-18 17:37]
"mmtask"="C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe" [2005-03-15 08:58]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" []
"DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [2005-05-19 13:55]
"F-Secure Manager"="C:\Program Files\F-Secure Internet Security\Common\FSM32.exe" [2005-06-02 18:37]
"F-Secure TNB"="C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" [2005-07-18 10:51]
"F-Secure Startup Wizard"="C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.exe" [2005-08-23 09:38]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-23 17:40]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 16:45]
"HostManager"="C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe" [2006-04-20 13:10]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 12:59]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 11:38]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SRUUninstall"="C:\WINDOWS\system32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
F-Secure Anti-Virus 2006.lnk - C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe [2005-12-14 20:42:44]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52]
Scan Button.lnk - C:\SCANNER\EXE32\DETECTON.EXE [2004-07-29 23:31:57]
orange450
2007-08-17, 20:33
Rest of the combofix log for ABBA account:
R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys
R0 iaStor;Intel AHCI Controller;C:\WINDOWS\system32\drivers\iaStor.sys
R2 BackWeb Plug-in - 4476822;F-Secure Anti-Virus 2006;C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
R2 DgivEcp;Team MFP Comm Driver;C:\WINDOWS\system32\Drivers\DgivEcp.Sys
R2 F-Secure Filter;F-Secure File System Filter;\??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSgk.sys
R2 F-Secure Recognizer;F-Secure File System Recognizer;\??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys
R3 IntelC51;IntelC51;C:\WINDOWS\system32\DRIVERS\IntelC51.sys
R3 IntelC52;IntelC52;C:\WINDOWS\system32\DRIVERS\IntelC52.sys
R3 IntelC53;IntelC53;C:\WINDOWS\system32\DRIVERS\IntelC53.sys
R3 mohfilt;mohfilt;C:\WINDOWS\system32\DRIVERS\mohfilt.sys
R3 StillCam;Still Serial Digital Camera Driver;C:\WINDOWS\system32\DRIVERS\serscan.sys
S3 hpusbwdm;HP DVD Movie Writer dc3000/dc4000;C:\WINDOWS\system32\DRIVERS\hpusbwdm.sys
S3 Jukebox;Jukebox;C:\WINDOWS\system32\DRIVERS\ctpdusb2.sys
Contents of the 'Scheduled Tasks' folder
2007-08-17 04:00:18 C:\WINDOWS\Tasks\Scheduled scanning task.job
2004-12-24 18:42:14 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-17 13:06:04
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-17 13:06:43
C:\ComboFix-quarantined-files.txt ... 2007-08-17 13:06
C:\ComboFix2.txt ... 2007-08-17 12:29
C:\ComboFix3.txt ... 2007-08-16 10:41
--- E O F ---
Hi
Those look good :)
Next step is that you put the computer online again and test all user accounts and tell how they work.
orange450
2007-08-17, 20:55
Hi Shaba, I'm almost afraid to say this - but they seem OK. All this time, my internet home page kept getting changed to the Google search page, but I changed it back to my usual page and it seems to be staying there. I've done the same on the other accounts, and they seem OK. I haven't powered down yet, though! (I'm sure that doesn't make a difference :))
How can I make a donation to Spybot in your honor? I am so impressed and amazed at the job you do!
Hi
Supernews :bigthumb:
Link is here (http://www.spybot.info/en/donate/index.html)
Then you're clean!
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player's components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager, the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.
To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.
Viewpoint Manager is considered foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad". This may change, read Viewpoint to Plunge Into Adware (http://www.clickz.com/showPage.html?page=3561546).
I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):
Click Start, point to Settings, and then click Control Panel.
In Control Panel, double-click Add or Remove Programs.
In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.
Do the same for each Viewpoint component.
You can remove all tools we used.
Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
You can find instructions on how to enable and re-enable system restore here:
Managing Windows Millennium System Restore (http://www.bleepingcomputer.com/forums/tutorial63.html)
or
Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)
Re-enable system restore with instructions from tutorial above
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
See this link for a listing of some online & their stand-alone antivirus programs:
Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topic405.html)
Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls (http://www.bleepingcomputer.com/tutorials/tutorial60.html)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.
Here are some additional utilities that will enhance your safety
IE/Spyad (http://www.spywarewarrior.com/uiuc/resource.htm) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Google Toolbar (http://toolbar.google.com/) <= Get the free Google toolbar to help stop pop up windows.
Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)
Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)
Happy surfing and stay clean!
orange450
2007-08-17, 21:23
Shaba, thank you for everything. Have a great weekend, you certainly deserve it! :)
Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.