View Full Version : homepage hijacked by: http://awesomehomepage.com/newsletter.php?list=positivethoughts
I have been having a problem with my homepage as described in title since last Wednesday. I have Windows Xp SP2 which is updated regularly and automatically. When I found that I had a problem
*I restored my pc to an earlier date previous to Wednesday, but it did not solve the problem.
*I also ran trendmicro housecall online virus scanner and deleted objects it could delete, some could not be healed.
*I did an online Kapersky virus scanner and it provided this log:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, August 31, 2007 12:48:40 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 31/08/2007
Kaspersky Anti-Virus database records: 400642
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 93898
Number of viruses found: 14
Number of infected objects: 68
Number of suspicious objects: 0
Duration of the scan process: 02:11:05
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-08-31_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\lina\.housecall\Quarantine\CA.eTrust.PestPatrol.v5.0.1.5.Anti-Spyware.MultiLanguage.WinALL.Regged.Read.NFO-BLiZZARD.ZIP.bac_a01724/installer.exe/stream/data0001 Infected: Trojan.Win32.VB.ami skipped
C:\Documents and Settings\lina\.housecall\Quarantine\CA.eTrust.PestPatrol.v5.0.1.5.Anti-Spyware.MultiLanguage.WinALL.Regged.Read.NFO-BLiZZARD.ZIP.bac_a01724/installer.exe/stream Infected: Trojan.Win32.VB.ami skipped
C:\Documents and Settings\lina\.housecall\Quarantine\CA.eTrust.PestPatrol.v5.0.1.5.Anti-Spyware.MultiLanguage.WinALL.Regged.Read.NFO-BLiZZARD.ZIP.bac_a01724/installer.exe Infected: Trojan.Win32.VB.ami skipped
C:\Documents and Settings\lina\.housecall\Quarantine\CA.eTrust.PestPatrol.v5.0.1.5.Anti-Spyware.MultiLanguage.WinALL.Regged.Read.NFO-BLiZZARD.ZIP.bac_a01724 ZIP: infected - 3 skipped
C:\Documents and Settings\lina\.housecall\Quarantine\CA.eTrust.PestPatrol.v5.0.1.5.Anti-Spyware.MultiLanguage.WinALL.Regged.Read.NFO-BLiZZARD.ZIP.bac_a01724 CryptFF.b: infected - 3 skipped
C:\Documents and Settings\lina\.housecall\Quarantine\Family.Feud.v1.09.PLUS.1.TRAINER-PiZZA.ZIP.bac_a01724/installer.exe/stream/data0001 Infected: Trojan.Win32.VB.ami skipped
C:\Documents and Settings\lina\.housecall\Quarantine\Family.Feud.v1.09.PLUS.1.TRAINER-PiZZA.ZIP.bac_a01724/installer.exe/stream Infected: Trojan.Win32.VB.ami skipped
C:\Documents and Settings\lina\.housecall\Quarantine\Family.Feud.v1.09.PLUS.1.TRAINER-PiZZA.ZIP.bac_a01724/installer.exe Infected: Trojan.Win32.VB.ami skipped
C:\Documents and Settings\lina\.housecall\Quarantine\Family.Feud.v1.09.PLUS.1.TRAINER-PiZZA.ZIP.bac_a01724 ZIP: infected - 3 skipped
C:\Documents and Settings\lina\.housecall\Quarantine\Family.Feud.v1.09.PLUS.1.TRAINER-PiZZA.ZIP.bac_a01724 CryptFF.b: infected - 3 skipped
C:\Documents and Settings\lina\.housecall\Quarantine\installer.exe.bac_a01724/stream/data0001 Infected: Trojan.Win32.VB.ami skipped
C:\Documents and Settings\lina\.housecall\Quarantine\installer.exe.bac_a01724/stream Infected: Trojan.Win32.VB.ami skipped
C:\Documents and Settings\lina\.housecall\Quarantine\installer.exe.bac_a01724 NSIS: infected - 2 skipped
C:\Documents and Settings\lina\.housecall\Quarantine\installer.exe.bac_a01724 CryptFF.b: infected - 2 skipped
C:\Documents and Settings\lina\.housecall\Quarantine\license.exe.bac_a01724 Infected: not-a-virus:AdWare.Win32.Agent.y skipped
C:\Documents and Settings\lina\.housecall\Quarantine\license.exe.bac_a01960 Infected: not-a-virus:AdWare.Win32.Agent.y skipped
C:\Documents and Settings\lina\.housecall\Quarantine\SmartDraw.Suite.Edition.v7.61.keygen.zip.bac_a01724/installer.exe/stream/data0001 Infected: Trojan.Win32.VB.ami skipped
C:\Documents and Settings\lina\.housecall\Quarantine\SmartDraw.Suite.Edition.v7.61.keygen.zip.bac_a01724/installer.exe/stream Infected: Trojan.Win32.VB.ami skipped
C:\Documents and Settings\lina\.housecall\Quarantine\SmartDraw.Suite.Edition.v7.61.keygen.zip.bac_a01724/installer.exe Infected: Trojan.Win32.VB.ami skipped
C:\Documents and Settings\lina\.housecall\Quarantine\SmartDraw.Suite.Edition.v7.61.keygen.zip.bac_a01724 ZIP: infected - 3 skipped
C:\Documents and Settings\lina\.housecall\Quarantine\SmartDraw.Suite.Edition.v7.61.keygen.zip.bac_a01724 CryptFF.b: infected - 3 skipped
C:\Documents and Settings\lina\.housecall\Quarantine\SmartDraw.v7.10.Suite.Edition.Incl.Keymaker-NiTROUS.ZIP.bac_a01724/installer.exe/stream/data0001 Infected: Trojan.Win32.VB.ami skipped
C:\Documents and Settings\lina\.housecall\Quarantine\SmartDraw.v7.10.Suite.Edition.Incl.Keymaker-NiTROUS.ZIP.bac_a01724/installer.exe/stream Infected: Trojan.Win32.VB.ami skipped
C:\Documents and Settings\lina\.housecall\Quarantine\SmartDraw.v7.10.Suite.Edition.Incl.Keymaker-NiTROUS.ZIP.bac_a01724/installer.exe Infected: Trojan.Win32.VB.ami skipped
C:\Documents and Settings\lina\.housecall\Quarantine\SmartDraw.v7.10.Suite.Edition.Incl.Keymaker-NiTROUS.ZIP.bac_a01724 ZIP: infected - 3 skipped
C:\Documents and Settings\lina\.housecall\Quarantine\SmartDraw.v7.10.Suite.Edition.Incl.Keymaker-NiTROUS.ZIP.bac_a01724 CryptFF.b: infected - 3 skipped
C:\Documents and Settings\lina\.housecall\Quarantine\WinUpdate.exe.bac_a01724/data0006 Infected: not-a-virus:AdWare.Win32.Agent.y skipped
C:\Documents and Settings\lina\.housecall\Quarantine\WinUpdate.exe.bac_a01724 NSIS: infected - 1 skipped
C:\Documents and Settings\lina\.housecall\Quarantine\WinUpdate.exe.bac_a01724 UPX: infected - 1 skipped
C:\Documents and Settings\lina\.housecall\Quarantine\WinUpdate.exe.bac_a01724 PE_Patch.UPX: infected - 1 skipped
C:\Documents and Settings\lina\.housecall\Quarantine\WinUpdate.exe.bac_a01724 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\lina\.housecall6.6\Quarantine\kernel for outlook express_fastest_BitTorrent_downloader.exe.bac_a02424/file12 Infected: Trojan.Win32.Inject.ba skipped
C:\Documents and Settings\lina\.housecall6.6\Quarantine\kernel for outlook express_fastest_BitTorrent_downloader.exe.bac_a02424 Inno: infected - 1 skipped
C:\Documents and Settings\lina\.housecall6.6\Quarantine\kernel for outlook express_fastest_BitTorrent_downloader.exe.bac_a02424 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\lina\Application Data\Microsoft\MSNLiveFav\LiveFavorites.xml Object is locked skipped
C:\Documents and Settings\lina\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\lina\Desktop\My Downloads\school_progs\advancedelearningbuilder326.keygen.zip/crack-inf.exe/data0004 Infected: Trojan-Clicker.Win32.VB.jx skipped
C:\Documents and Settings\lina\Desktop\My Downloads\school_progs\advancedelearningbuilder326.keygen.zip/crack-inf.exe Infected: Trojan-Clicker.Win32.VB.jx skipped
C:\Documents and Settings\lina\Desktop\My Downloads\school_progs\advancedelearningbuilder326.keygen.zip ZIP: infected - 2 skipped
C:\Documents and Settings\lina\Desktop\My Downloads\school_progs\Articulate_Spelling_v1.24_Home_Version-DIGERATI.ZIP/crack-inf.exe/data0004 Infected: Trojan-Clicker.Win32.VB.jx skipped
C:\Documents and Settings\lina\Desktop\My Downloads\school_progs\Articulate_Spelling_v1.24_Home_Version-DIGERATI.ZIP/crack-inf.exe Infected: Trojan-Clicker.Win32.VB.jx skipped
C:\Documents and Settings\lina\Desktop\My Downloads\school_progs\Articulate_Spelling_v1.24_Home_Version-DIGERATI.ZIP ZIP: infected - 2 skipped
C:\Documents and Settings\lina\Desktop\My Downloads\school_progs\clipartfree.exe/WISE0057.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Documents and Settings\lina\Desktop\My Downloads\school_progs\clipartfree.exe/WISE0058.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\lina\Desktop\My Downloads\school_progs\clipartfree.exe/WISE0059.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\lina\Desktop\My Downloads\school_progs\clipartfree.exe/WISE0060.BIN/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
C:\Documents and Settings\lina\Desktop\My Downloads\school_progs\clipartfree.exe/WISE0060.BIN/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\Documents and Settings\lina\Desktop\My Downloads\school_progs\clipartfree.exe/WISE0060.BIN/data.rar/whSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\lina\Desktop\My Downloads\school_progs\clipartfree.exe/WISE0060.BIN/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.370 skipped
C:\Documents and Settings\lina\Desktop\My Downloads\school_progs\clipartfree.exe/WISE0060.BIN/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\lina\Desktop\My Downloads\school_progs\clipartfree.exe/WISE0060.BIN/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\lina\Desktop\My Downloads\school_progs\clipartfree.exe/WISE0060.BIN Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\lina\Desktop\My Downloads\school_progs\clipartfree.exe/WISE0061.BIN Infected: not-a-virus:Server-Proxy.Win32.MarketScore.k skipped
C:\Documents and Settings\lina\Desktop\My Downloads\school_progs\clipartfree.exe/WISE0062.BIN Infected: not-a-virus:AdWare.Win32.Relevant.a skipped
C:\Documents and Settings\lina\Desktop\My Downloads\school_progs\clipartfree.exe WiseSFX: infected - 12 skipped
C:\Documents and Settings\lina\Desktop\My Downloads\school_progs\clipartfree.exe WiseSFX Dropper: infected - 12 skipped
C:\Documents and Settings\lina\Desktop\My Downloads\school_progs\Random.Test.Generator.Pro.v8.2.WinALL.Regged-SCF.ZIP/crack-inf.exe/data0004 Infected: Trojan-Clicker.Win32.VB.jx skipped
C:\Documents and Settings\lina\Desktop\My Downloads\school_progs\Random.Test.Generator.Pro.v8.2.WinALL.Regged-SCF.ZIP/crack-inf.exe Infected: Trojan-Clicker.Win32.VB.jx skipped
C:\Documents and Settings\lina\Desktop\My Downloads\school_progs\Random.Test.Generator.Pro.v8.2.WinALL.Regged-SCF.ZIP ZIP: infected - 2 skipped
C:\Documents and Settings\lina\Desktop\My Downloads\school_progs\Teachers.Personal.Information.Manager.v1.3.16.WinALL.Incl.Keygen-BRD.ZIP/crack-inf.exe/data0004 Infected: Trojan-Clicker.Win32.VB.jx skipped
C:\Documents and Settings\lina\Desktop\My Downloads\school_progs\Teachers.Personal.Information.Manager.v1.3.16.WinALL.Incl.Keygen-BRD.ZIP/crack-inf.exe Infected: Trojan-Clicker.Win32.VB.jx skipped
C:\Documents and Settings\lina\Desktop\My Downloads\school_progs\Teachers.Personal.Information.Manager.v1.3.16.WinALL.Incl.Keygen-BRD.ZIP ZIP: infected - 2 skipped
C:\Documents and Settings\lina\Desktop\My Downloads\school_progs\WebQuiz.XP.ZIP/crack-inf.exe/data0004 Infected: Trojan-Clicker.Win32.VB.jx skipped
C:\Documents and Settings\lina\Desktop\My Downloads\school_progs\WebQuiz.XP.ZIP/crack-inf.exe Infected: Trojan-Clicker.Win32.VB.jx skipped
C:\Documents and Settings\lina\Desktop\My Downloads\school_progs\WebQuiz.XP.ZIP ZIP: infected - 2 skipped
C:\Documents and Settings\lina\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\lina\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\GatherLogs\MyIndex\MyIndex.248.Crwl Object is locked skipped
C:\Documents and Settings\lina\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\GatherLogs\MyIndex\MyIndex.248.gthr Object is locked skipped
C:\Documents and Settings\lina\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\Build\Indexer\CiFiles\00010001.ci Object is locked skipped
C:\Documents and Settings\lina\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\Build\Indexer\CiFiles\CiPT0000.000 Object is locked skipped
C:\Documents and Settings\lina\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\Build\Indexer\CiFiles\INDEX.000 Object is locked skipped
C:\Documents and Settings\lina\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\Build\Indexer\NlFiles\CiST0000.000 Object is locked skipped
C:\Documents and Settings\lina\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\Build\Indexer\NlFiles\DocId.Map Object is locked skipped
C:\Documents and Settings\lina\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.chk1.gthr Object is locked skipped
C:\Documents and Settings\lina\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.chk2.gthr Object is locked skipped
C:\Documents and Settings\lina\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Ntfy201.gthr Object is locked skipped
C:\Documents and Settings\lina\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Properties\MSS.log Object is locked skipped
C:\Documents and Settings\lina\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Properties\MSStmp.log Object is locked skipped
C:\Documents and Settings\lina\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Properties\RSApp.edb Object is locked skipped
C:\Documents and Settings\lina\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Properties\tmp.edb Object is locked skipped
C:\Documents and Settings\lina\Local Settings\Application Data\Microsoft\Desktop Search\Logs\MAPI.txt Object is locked skipped
C:\Documents and Settings\lina\Local Settings\Application Data\Microsoft\Desktop Search\Temp\rssgthrsvc\Ntf19.tmp Object is locked skipped
C:\Documents and Settings\lina\Local Settings\Application Data\Microsoft\Desktop Search\Temp\rssgthrsvc\Ntf1A.tmp Object is locked skipped
C:\Documents and Settings\lina\Local Settings\Application Data\Microsoft\Desktop Search\Temp\rssgthrsvc\Perflib_Perfdata_2e8.dat Object is locked skipped
C:\Documents and Settings\lina\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\lina\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\lina\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\lina\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\lina\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\lina\My Documents\cracks\CrackServer_WinALL.exe/data0004 Infected: Trojan-Clicker.Win32.VB.jx skipped
C:\Documents and Settings\lina\My Documents\cracks\CrackServer_WinALL.exe NSIS: infected - 1 skipped
C:\Documents and Settings\lina\ntuser.dat Object is locked skipped
C:\Documents and Settings\lina\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{44F73B40-8A04-491A-B572-0F7C03378B94}\RP411\A0123765.EXE Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\System Volume Information\_restore{44F73B40-8A04-491A-B572-0F7C03378B94}\RP426\A0127421.EXE Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\System Volume Information\_restore{44F73B40-8A04-491A-B572-0F7C03378B94}\RP427\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_1c8.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_940.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
*After that I ran SpyBot in SAfe Mode, fixed 2 problems and rebooted.
*Then I used HJT and saved this log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:24:02, on 31/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CNAC4LAK.EXE
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CNAC4RPK.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://awesomehomepage.com/newsletter.php?list=positivethoughts
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.elvira.int.tc
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.elvira.int.tc
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = lina
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SearchToolBHO - {A23BF7EF-4A12-4799-B9CD-72C36EE21983} - C:\Program Files\SearchTool\SearchTool.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\WinUpdater\update.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Diskeeper 9 Professional Edition Registration.lnk = C:\Program Files\Executive Software\Diskeeper\ESIRegister.exe
O4 - Startup: Weather.lnk = C:\Program Files\Weather\Weather.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Canon LBP5000 Status Window.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\CNAC4LAK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147730576500
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147730668375
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O20 - AppInit_DLLs: Runner.dll,cdcinmhe.dll,Runner.dll,dghccmll.dll,Runner.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
--
End of file - 10114 bytes
Hope I have given you all relevant details so that you can help me get rid of this problem. Regards and Thanks
miekiemoes
2007-09-04, 01:16
Hi,
Go to this page (http://www.bleepingcomputer.com/submit-malware.php?channel=8).
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to it and browse to next file:
C:\Program Files\SearchTool\SearchTool.dll
Select it and click ok:
Then click the Send File button below.
Also, Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.
I have sent the dll file as instructed.
I am posting here HJT Uninstall files list:
1Click DVD Copy Pro 1.0.0.9
3D Home Architect Home Design Deluxe 6
7 Wonders of the Ancient World
Adobe Flash Player 9 ActiveX
Adobe Photoshop 7.0
Adobe Reader 8.1.0
Adobe Shockwave Player
Adobe® Photoshop® Album Starter Edition 3.0
Arabesque
ART-SHOP X-Lite
AVG 7.5
Azteca
Bonus Content - Bathroom Items March 2006
Bonus Content - Bedroom Items February 2006
Bonus Content - Dining Room Items December 2005
Bonus Content - Foyer Items January 2006
Bonus Content - Kitchen Items November 2005
Bonus Content - Media Items
CA eTrust PestPatrol
Canon LBP5000
CFGSmart 1.1
Chicktionary
Chief Architect 10.0 Demo
Chief Architect Content Installer: Living Room Items October 2005
Chuzzle Deluxe 1.0
CleanMyPC - Registry Cleaner
C-Media 3D Audio
Cubology
CuteSITE Builder
Diskeeper Professional Edition
DVD Region+CSS Free 5.9.8.5
Egyptian Addiction
Family Feud
Harvest Mania To Go
HDFSmart 1.8
HHD Software Hex Editor 3.12
HijackThis 2.0.2
HNFSmart 2.4fix2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HTT Humax Turbo Suite 2.0
HUMAX ZORRO TOOLBOX V2
IDSmart 1.0
Indeo® software
Java Runtime Environment 1.1
Jig Words
Kaspersky Online Scanner
Lesson Planner 1.3.0.14.
LiveUpdate 3.0 (Symantec Corporation)
Luck Charm Deluxe
Mahjong Match
Marvin Symbols for Chief Architect
Merillat(R) Cabinet Doors
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Premium
Microsoft Office XP Professional
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mind Machine
MLS for MsWord v4.0b
Monkey Madness
Mystery Case Files - Prime Suspects
Mystery Solitaire - Secret Island
Nero 6 Ultra Edition
Nessy Demo
Numericon
NVIDIA Windows 2000/XP Display Drivers
OE-Mail Recovery 1.7.5.1
Pantheon
Pat Sajak’s Lucky Letters
Pat Sajak's Lucky Letters
Power MP3 WMA Converter 1.15
PowerDVD
ProShow Gold
Rainbow Mystery
Recover My Files
RegAlyzer
RichFX Player
Scanner
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917537)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926247)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939373)
Shareaza version 2.2.1.0
Slot Words
SmartSound Quicktracks Plugin
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy 1.4
Super WHATword?
Teachers' PRO 5.4
The Cleaner
The Da Vinci Code
The Poppit! Show
Tri-Peaks Solitaire To Go
True Sword 4
miekiemoes
2007-09-04, 15:54
Hi,
Do you have any idea with what this C:\Program Files\SearchTool\SearchTool.dll is related? Did you install it?
It has references to this forum in its strings: http://swnet.spb.ru/board/index.php?act=home
Does this look familiar for you? If so, please let me know where you exactly installed it and what it does.
Also do next please, since there's still a lot of malware present here... * Download Combofix (http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe) to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished and after reboot (in case it asks to reboot), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.
Post the contents of this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
miekiemoes
2007-09-04, 16:05
Sidenote.. Ever wondered why you got infected?
I see you're not afraid of visiting cracksites and other illegal sites, because some cracks are being flagged as malicious.
If you visit cracksites, use cracks, you'll ALWAYS get infected. This not only because of the crack itself, but because one single click entering that site may already download and install a huge malware bundle.
You really have to change your surfing habits though, because these malware bundles may contain a keylogger, collecting all your passwords and installing other random malware, compromising your system including infecting other computers. And this all, because you visited some illegal sites.
Also, keep in mind, malware DAMAGES A LOT! And the damage can't always be repaired, so a format and reinstall is the only solution in such cases.
So is it really worth it? Get illegal software for "free", but compromise/break your computer instead.... :(
Better to avoid this instead and change your surfing habits. Then this wouldn't have happened.
In anyway, please delete next files:
C:\Documents and Settings\lina\Desktop\My Downloads\school_progs\clipartfree.exe
C:\Documents and Settings\lina\Desktop\My Downloads\school_progs\advancedelearningbuilder326.keygen.zip
C:\Documents and Settings\lina\Desktop\My Downloads\school_progs\Articulate_Spelling_v1.24_Home_Version-DIGERATI.ZIP
C:\Documents and Settings\lina\Desktop\My Downloads\school_progs\Random.Test.Generator.Pro.v8.2.WinALL.Regged-SCF.ZIP
C:\Documents and Settings\lina\Desktop\My Downloads\school_progs\Teachers.Personal.Information.Manager.v1.3.16.WinALL.Incl.Keygen-BRD.ZIP
C:\Documents and Settings\lina\Desktop\My Downloads\school_progs\WebQuiz.XP.ZIP
C:\Documents and Settings\lina\My Documents\cracks\CrackServer_WinALL.exe
Also delete this folder Housecall created:
C:\Documents and Settings\lina\.housecall\Quarantine
I have no idea where C:\Program Files\SearchTool\SearchTool.dll came from and don't know the site: http://swnet.spb.ru/board/index.php?act=home
After I deleted the files you told me to delete in your second pose I ran the combofix and got this log:
ComboFix 07-08-30.3 - "lina" 2007-09-04 15:29:26.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.118 [GMT 2:00]
((((((((((((((((((((((((( Files Created from 2007-08-04 to 2007-09-04 )))))))))))))))))))))))))))))))
2007-09-04 01:02 <DIR> d-------- C:\Program Files\ACW
2007-09-03 22:23 <DIR> d-------- C:\WINDOWS\system32\backuped
2007-09-03 22:23 <DIR> d-------- C:\Program Files\True Sword 4
2007-09-03 22:23 <DIR> d-------- C:\DOCUME~1\lina\APPLIC~1\True Sword
2007-09-02 23:30 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-02 22:30 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-09-02 09:58 <DIR> d-------- C:\DOCUME~1\lina\APPLIC~1\Uniblue
2007-08-30 17:21 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-30 17:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-30 14:27 <DIR> d-------- C:\Program Files\Safer Networking
2007-08-30 11:25 3,188 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-30 03:57 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-30 00:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-30 00:28 <DIR> d-------- C:\Program Files\SearchTool
2007-08-30 00:10 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-08-29 12:48 <DIR> d-------- C:\Program Files\HUMAX ZORRO TOOLBOX V2
2007-08-27 08:10 <DIR> d-------- C:\Program Files\WinUpdater
2007-08-21 20:43 <DIR> d-------- C:\Program Files\Web Page Maker V2
2007-08-21 20:43 <DIR> d-------- C:\DOCUME~1\lina\APPLIC~1\Web Page Maker V2
2007-08-18 14:07 <DIR> d-------- C:\Program Files\Humax Digital
2007-08-18 13:56 <DIR> d-------- C:\Program Files\Change to 5400z_plus
2007-08-18 13:56 43,520 --a------ C:\WINDOWS\system32\HBuilder.exe
2007-08-18 13:56 2,764 --a------ C:\WINDOWS\system32\PQB.bat
2007-08-18 13:56 191 --a------ C:\WINDOWS\system32\pls.reg
2007-08-15 10:14 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-08-15 09:26 <DIR> d-------- C:\Program Files\Florikey V4.0 Beta
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-09-03 21:45 --------- d-------- C:\Program Files\Windows Desktop Search
2007-09-01 16:28 --------- d-------- C:\Program Files\The Cleaner
2007-09-01 01:33 --------- d-------- C:\Program Files\Windows Live Toolbar
2007-08-30 04:20 --------- d-------- C:\Program Files\XoftSpySE
2007-08-18 13:57 --------- d-------- C:\Program Files\Florikey
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-09 19:19 --------- d-------- C:\Program Files\Easy Outlook Express Backup
2007-07-05 14:32 --------- d-------- C:\Program Files\Pat Sajak's Lucky Letters
2007-06-26 08:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-24 11:46 737280 --a--c--- C:\WINDOWS\iun6002.exe
2007-06-19 15:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 12:23 1033216 --a------ C:\WINDOWS\explorer.exe
2001-11-23 12:08 712704 --a--c--- C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
((((((((((((((((((((((((((((( snapshot_2007-09-02_233553.96 )))))))))))))))))))))))))))))))))))))))))
----a-w 81,920 2003-06-06 09:21:56 C:\WINDOWS\eSellerateControl350.dll
----a-w 356,352 2005-10-11 12:40:52 C:\WINDOWS\eSellerateEngine.dll
-c--a-w 17,408 2003-03-31 12:00:00 C:\WINDOWS\$NtServicePackUninstall$\PSAPIOLD.DLL
-c--a-w 23,040 2004-08-03 22:56:46 C:\WINDOWS\ServicePackFiles\i386\PSAPIOLD.DLL
----a-w 227,628 2007-09-04 07:26:23 C:\WINDOWS\system32\inetsrv\MetaBase.bin
----atw 16,384 2007-09-04 07:26:09 C:\WINDOWS\Temp\Perflib_Perfdata_1d4.dat
----atw 16,384 2007-09-02 23:06:53 C:\WINDOWS\Temp\Perflib_Perfdata_884.dat
----a-w 227,626 2007-09-02 21:17:02 C:\WINDOWS\system32\inetsrv\MetaBase.bin
-c--atw 16,384 2006-05-18 14:35:39 C:\WINDOWS\Temp\Perflib_Perfdata_1d4.dat
----atw 16,384 2007-07-04 10:32:14 C:\WINDOWS\Temp\Perflib_Perfdata_884.dat
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UVS10 Preload"="C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe" [2006-03-07 00:52]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 03:01]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"eTrust PestPatrol Active Protection"="C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe" [2004-09-27 07:09]
"DiskeeperSystray"="C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" [2005-07-26 17:52]
"Cmaudio"="cmicnfg.cpl" []
"BigDog303"="C:\WINDOWS\VM303_STI.exe" [2005-06-23 11:13]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-15 08:58]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"WinUpdater"="C:\Program Files\WinUpdater\update.exe" [2007-07-29 20:12]
"NvMediaCenter"="C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit" []
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-01-04 14:17]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
C:\DOCUME~1\lina\STARTM~1\Programs\Startup\
Diskeeper 9 Professional Edition Registration.lnk - C:\Program Files\Executive Software\Diskeeper\ESIRegister.exe [2005-01-04 14:24:12]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\PROGRA~1\DVDREG~1\DVDShell.dll [2004-10-09 02:18 49152]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 14:11 233472]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys
R1 as6eio;as6eio;C:\WINDOWS\system32\drivers\as6eio.sys
R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe
R3 Brndis;External USB Cable Modem;C:\WINDOWS\system32\DRIVERS\Brndis.sys
R3 ZSMC303;VIMICRO USB PC Camera (ZC0301PLH);C:\WINDOWS\system32\Drivers\usbVM303.sys
S3 NTSIM;NTSIM;\??\C:\WINDOWS\System32\ntsim.sys
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe -k p2psvc
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc
RApcss RpcSs
Contents of the 'Scheduled Tasks' folder
2007-09-03 13:38:00 C:\WINDOWS\Tasks\TC_update.job - C:\Program Files\The Cleaner\cleaner.exe
2007-05-08 21:10:13 C:\WINDOWS\Tasks\XoftSpy.job - C:\Program Files\XoftSpy\XoftSpy.exe
2007-09-04 07:26:33 C:\WINDOWS\Tasks\XoftSpySE 2.job
2007-09-01 08:46:45 C:\WINDOWS\Tasks\XoftSpySE.job - C:\Program Files\XoftSpySE\XoftSpy.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-04 15:31:17
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-09-04 15:32:33
C:\ComboFix-quarantined-files.txt ... 2007-09-04 15:32
C:\ComboFix2.txt ... 2007-09-04 15:08
C:\ComboFix3.txt ... 2007-09-03 00:43
--- E O F ---
This is the HJT log that i did in the end of all:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:35:14, on 04/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\WINDOWS\VM303_STI.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CNAC4LAK.EXE
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CNAC4RPK.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.elvira.int.tc
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F85D76C-0569-466F-A488-493E6BD0E955} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\WinUpdater\update.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Diskeeper 9 Professional Edition Registration.lnk = C:\Program Files\Executive Software\Diskeeper\ESIRegister.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Canon LBP5000 Status Window.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\CNAC4LAK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147730576500
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147730668375
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
--
End of file - 8188 bytes
Yes, I am very ashamed to say that there was a period when I was addicted to cracks and cracksites. I would download programmes and find a crack for them. Sometimes I did it just for the high of cracking a programme. At times I would then uninstall the prog cos it was no use to me. However, I am getting rid of my addiction, because, as you saaid, it is very dangerous and not worthwhile.
BTW, thanks for helping me. I have to get rid of this problem because it's driving me crazy.
miekiemoes
2007-09-04, 16:47
Ok, since you don't know this SearchTool and I see the folder was created recently, it should go, because that's why I asked a sample in the first place, since it looked suspicious.
There's also some other files and folders that need to go..
I see you already fixed some entries in HijackThis?
anyway,
First and important thing... I see you are running Teatimer.
I suggest you to disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup (http://russelltexas.com/malware/teatimer.htm)
Then, Download ResetTeaTimer.bat (http://downloads.subratam.org/ResetTeaTimer.bat).
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.
Then,
Do next please.. * Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:
Folder::
C:\Program Files\SearchTool
C:\Program Files\WinUpdater
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinUpdater"=-
Save this as txtfile CFScript
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
After following yr instructions, pc rebooted and many services seem to have been disabled or deactivated, they are not working. I can't log onto the internet. I get an error window named: Windows Desktop Search Tool Tray Administration and i cant go anywhere from there. Now I have connected the internet cable modem to my laptop and I'm contacting you from here.
I also tried to go back to a restore point but it would't allow me to, it says: System Restore is not protecting your computer I have saved combifix logfile and also hijack this, but cannot get them on this computer.
Help!!
miekiemoes
2007-09-04, 19:18
This is really strange...
Have you been deleting anything else I didn't ask? Because I see you have been fixing entries in your HijackThislog already while I didn't instructed it yet.
I can't log onto the internet. I get an error window named: Windows Desktop Search Tool Tray AdministrationYou have not been deleting the C:\Program Files\Windows Desktop Search folder as well?
Because that error seems to be related with Windows Desktop Search.
Does your Internet Explorer open when the add-ons are disabled? To do this, go to start > all programs > System Tools > Internet Explorer (No Add-ons)
Or rightclick your Internet Explorer icon on your desktop and select the "Start Without add-ons" button there.
This will launch your Internet Explorer in a non add-on mode.
I have not deleted any files except the ones you instructed me to. I tried to access internet explorer without addons but no success.
miekiemoes
2007-09-04, 19:30
Well, actually you did delete some entries I didn't ask to delete though...
From your first HijackThislog:
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SearchToolBHO - {A23BF7EF-4A12-4799-B9CD-72C36EE21983} - C:\Program Files\SearchTool\SearchTool.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
Your second HijackThislog:
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F85D76C-0569-466F-A488-493E6BD0E955} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
You have been fixing entries in HijackThis that were legitimate.
So, open your HijackThis, select the option backups there and select to restore next entries:
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
then reboot your computer.
miekiemoes
2007-09-04, 19:43
Also restore these please:
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
Because you have been fixing them as well.
After some research, the error you are getting is related with the MSN Toolbar Suite - and you have been fixing these entries in HijackThis.
Same problem here: http://forums.spybot.info/showthread.php?t=8034
the only item i found in the backup list was dsweballow. all the others you mentioned are not in the list. i will have a look at the wepage in the forum that you suggested
miekiemoes
2007-09-04, 20:08
Anyway, what I also suggest is, from the computer you're on now - where you can get on the Internet with Internet Explorer, download Firefox: http://www.mozilla-europe.org/nl/products/firefox/
Then put the Firefox installer on USB stick or CD and transfer it to the other computer.
Install Firefox there. That's another browser - so with that one you should be able to surf.
then also post the logs I asked (Combofix log and a new HijackThislog), so I can see what else is now missing from your HijackThislog.
i have installed firefox and am now communicating with you from the pc that has problems.
this is the combofix logfile you had asked for:
ComboFix 07-08-30.3 - "lina" 2007-09-04 15:56:47.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.89 [GMT 2:00]
* Created a new restore point
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Program Files\SearchTool
C:\Program Files\SearchTool\SearchTool.dll
C:\Program Files\WinUpdater
C:\Program Files\WinUpdater\Temp\license.txt
C:\Program Files\WinUpdater\update.exe
((((((((((((((((((((((((( Files Created from 2007-08-04 to 2007-09-04 )))))))))))))))))))))))))))))))
2007-09-04 01:02 <DIR> d-------- C:\Program Files\ACW
2007-09-03 22:23 <DIR> d-------- C:\WINDOWS\system32\backuped
2007-09-03 22:23 <DIR> d-------- C:\Program Files\True Sword 4
2007-09-03 22:23 <DIR> d-------- C:\DOCUME~1\lina\APPLIC~1\True Sword
2007-09-02 23:30 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-02 22:30 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-09-02 09:58 <DIR> d-------- C:\DOCUME~1\lina\APPLIC~1\Uniblue
2007-08-30 17:21 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-30 17:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-30 14:27 <DIR> d-------- C:\Program Files\Safer Networking
2007-08-30 11:25 3,188 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-30 03:57 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-30 00:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-30 00:10 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-08-29 12:48 <DIR> d-------- C:\Program Files\HUMAX ZORRO TOOLBOX V2
2007-08-21 20:43 <DIR> d-------- C:\Program Files\Web Page Maker V2
2007-08-21 20:43 <DIR> d-------- C:\DOCUME~1\lina\APPLIC~1\Web Page Maker V2
2007-08-18 14:07 <DIR> d-------- C:\Program Files\Humax Digital
2007-08-18 13:56 <DIR> d-------- C:\Program Files\Change to 5400z_plus
2007-08-18 13:56 43,520 --a------ C:\WINDOWS\system32\HBuilder.exe
2007-08-18 13:56 2,764 --a------ C:\WINDOWS\system32\PQB.bat
2007-08-18 13:56 191 --a------ C:\WINDOWS\system32\pls.reg
2007-08-15 10:14 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-08-15 09:26 <DIR> d-------- C:\Program Files\Florikey V4.0 Beta
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-09-03 21:45 --------- d-------- C:\Program Files\Windows Desktop Search
2007-09-01 16:28 --------- d-------- C:\Program Files\The Cleaner
2007-09-01 01:33 --------- d-------- C:\Program Files\Windows Live Toolbar
2007-08-30 04:20 --------- d-------- C:\Program Files\XoftSpySE
2007-08-18 13:57 --------- d-------- C:\Program Files\Florikey
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-09 19:19 --------- d-------- C:\Program Files\Easy Outlook Express Backup
2007-07-05 14:32 --------- d-------- C:\Program Files\Pat Sajak's Lucky Letters
2007-06-26 08:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-24 11:46 737280 --a--c--- C:\WINDOWS\iun6002.exe
2007-06-19 15:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 12:23 1033216 --a------ C:\WINDOWS\explorer.exe
2001-11-23 12:08 712704 --a--c--- C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
((((((((((((((((((((((((((((( snapshot_2007-09-02_233553.96 )))))))))))))))))))))))))))))))))))))))))
----a-w 81,920 2003-06-06 09:21:56 C:\WINDOWS\eSellerateControl350.dll
----a-w 356,352 2005-10-11 12:40:52 C:\WINDOWS\eSellerateEngine.dll
-c--a-w 17,408 2003-03-31 12:00:00 C:\WINDOWS\$NtServicePackUninstall$\PSAPIOLD.DLL
-c--a-w 23,040 2004-08-03 22:56:46 C:\WINDOWS\ServicePackFiles\i386\PSAPIOLD.DLL
----a-w 227,639 2007-09-04 13:59:24 C:\WINDOWS\system32\inetsrv\MetaBase.bin
----atw 16,384 2007-09-04 14:00:49 C:\WINDOWS\Temp\Perflib_Perfdata_188.dat
----atw 16,384 2007-09-04 07:26:09 C:\WINDOWS\Temp\Perflib_Perfdata_1d4.dat
----atw 16,384 2007-09-02 23:06:53 C:\WINDOWS\Temp\Perflib_Perfdata_884.dat
----a-w 227,626 2007-09-02 21:17:02 C:\WINDOWS\system32\inetsrv\MetaBase.bin
-c--atw 16,384 2006-06-22 10:04:28 C:\WINDOWS\Temp\Perflib_Perfdata_188.dat
-c--atw 16,384 2006-05-18 14:35:39 C:\WINDOWS\Temp\Perflib_Perfdata_1d4.dat
----atw 16,384 2007-07-04 10:32:14 C:\WINDOWS\Temp\Perflib_Perfdata_884.dat
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UVS10 Preload"="C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe" [2006-03-07 00:52]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 03:01]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"eTrust PestPatrol Active Protection"="C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe" [2004-09-27 07:09]
"DiskeeperSystray"="C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" [2005-07-26 17:52]
"Cmaudio"="cmicnfg.cpl" []
"BigDog303"="C:\WINDOWS\VM303_STI.exe" [2005-06-23 11:13]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-15 08:58]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"NvMediaCenter"="C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit" []
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-01-04 14:17]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\PROGRA~1\DVDREG~1\DVDShell.dll [2004-10-09 02:18 49152]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 14:11 233472]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys
R1 as6eio;as6eio;C:\WINDOWS\system32\drivers\as6eio.sys
R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe
R3 Brndis;External USB Cable Modem;C:\WINDOWS\system32\DRIVERS\Brndis.sys
R3 ZSMC303;VIMICRO USB PC Camera (ZC0301PLH);C:\WINDOWS\system32\Drivers\usbVM303.sys
S3 NTSIM;NTSIM;\??\C:\WINDOWS\System32\ntsim.sys
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe -k p2psvc
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc
RApcss RpcSs
Contents of the 'Scheduled Tasks' folder
2007-09-04 13:38:00 C:\WINDOWS\Tasks\TC_update.job - C:\Program Files\The Cleaner\cleaner.exe
2007-05-08 21:10:13 C:\WINDOWS\Tasks\XoftSpy.job - C:\Program Files\XoftSpy\XoftSpy.exe
2007-09-04 07:26:33 C:\WINDOWS\Tasks\XoftSpySE 2.job
2007-09-01 08:46:45 C:\WINDOWS\Tasks\XoftSpySE.job - C:\Program Files\XoftSpySE\XoftSpy.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-04 16:01:49
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-09-04 16:03:45 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-04 16:03
C:\ComboFix2.txt ... 2007-09-04 15:32
C:\ComboFix3.txt ... 2007-09-04 15:08
--- E O F ---
This is the HJT file :
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:12:19, on 04/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\WINDOWS\VM303_STI.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CNAC4LAK.EXE
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.elvira.int.tc
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F85D76C-0569-466F-A488-493E6BD0E955} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-73586283-746137067-682003330-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-21-73586283-746137067-682003330-1003 Startup: Diskeeper 9 Professional Edition Registration.lnk = C:\Program Files\Executive Software\Diskeeper\ESIRegister.exe (User '?')
O4 - Startup: Diskeeper 9 Professional Edition Registration.lnk = C:\Program Files\Executive Software\Diskeeper\ESIRegister.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Canon LBP5000 Status Window.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\CNAC4LAK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147730576500
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147730668375
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
--
End of file - 7724 bytes
miekiemoes
2007-09-04, 20:36
Well, the malware is gone here now.
Now it's a matter of restoring getting rid of that error in Internet Explorer after you have been fixing these legitimate entries.
What I suggest is, Uninstall Windows Desktop search. Read the instructions here how to do this: (Under the part Uninstalling Windows Desktop search)
http://www.microsoft.com/technet/prodtechnol/windows/search/dtstshoot.mspx
In case you're having problems with uninstalling it, first try to reinstall it again on top of the corrupted one.
If that fails as well read this:
http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=760925&SiteID=1
But once again, and as I already asked you previously, please disable Teatimer, because it may interfere with deletions, uninstalls etc...
First I uninstalled spybot until i fix this prob. then i managed to uninstall windows desktop search from control panel - add/remove programs.
the problem of homepage hijacked is solved, but i still have the other problems, except that the window about windows desktop search tray admin is gone.
what advice do you give me next, please?
miekiemoes
2007-09-04, 21:06
but i still have the other problemsWhat other problems do you mean here?
when i start up the computer the tray at the bottom of the monitor does not work as it used to, example: web windows disappear when i minimize,etc, system restore does not function. if i try to use it, a window comes up saying that system restore is not able to protect my computer. Also when i open a folder i cannot move files from it. there are many other problems.
miekiemoes
2007-09-04, 21:57
And since when did this all happen? Because it's quite confusing since I don't know what other steps you have performed in between. I know you have been fixing entries in HijackThis in between as well, so are there any other steps you have done? Been scanning with another scanner? Using tweaktools, registry cleaning tools etc? Because Combofix isn't the cause here since the two folder it deleted have nothing to do with your problems.
But what I do see is that you have been running Combofix more than once, the first time I asked you to run Combofix.
Why was that? Also, how does it come that you fixed entries in Hijackthis I didn't ask? Or are you receiving help somewhere else as well, and someone else posted these instructions?
I am asking you this, because something got corrupted here and I cannot see what happened here in between.
Anyway, I also suggest you temporary uninstall Pestpatrol. This because 1st, it's a poor scanner and second, the process running in the background does the same as Teatimer, so it interferes with manual modifications.
web windows disappear when i minimizeIs this with other programs as well? If you open a program and minimize it into your tray, do they disappear as well?
Also when i open a folder i cannot move files from itIs this for any folder? Do you get an error or something?
system restore does not function. if i try to use it, a window comes up saying that system restore is not able to protect my computerLooks like System restore is disabled/not running.
Go to start > run and type: services.msc
Scroll to System Restore.
Doubleclick it.
Status of the service should be started, and the startuptype should be set to automatic.
But with this all, I am starting to wonder if your userprofile got corrupted.. Not sure if Windows Desktop Search caused this, because most problems you are talking can be a result of this. I have seen the same problem once before when Google desktop was installed. It corrupted an entire userprofile, also because Registry Cleaners were used in between.
Are there other userprofiles present? If not, try to create another userprofile with admin privileges and let me know if you're having the same problem there.
all this happened when after the last combofix and the pc restarted.
when i minimize an open program it disappears too. seems like the system tray( is it called so?) at the bottom of the screen is not fully functional. System restore is also not functioning. as i told you earlier, when i go to accessories>system tools> system restore a message comes up saying sys rest is not protecting my pc.
I have used combofix more than once yes, but that was before you started your much appreciated help. i haven't asked for help elsewhere, but i did scan my pc with kapersky, f-secure, housecall and combofix before you started to help me.
I cannot move the files in any folder. No error message comes up. I cannot drag and drop.
Now I have installed internet explorer, and that is working properly.
when i typed services.msc in the run browser and clicked, system restore was not in the right window, actually 1/4 of the right window is all blu with an icon of two gear wheels on the top left hand corner. no words, letters or numbers whatsoever.
there are 2 user profiles on y pc (if i'm understanding you correctly) one is administrator and the other lina(with administrative priviliges).
ok found system restore in services.msc. i waslooking in the extended window but now i realized there was another window called standard. yes, startuo is set to automatic
the status for system restore in services is blank. I tried to set it to start but a window comes up:
Could not start the System Restore Service service on Local Computer. Error1068: The dependency service or group failed to start
can you please tell me how to create another user profile?
miekiemoes
2007-09-04, 22:52
but now i realized there was another window called standard. yes, startuo is set to automaticBut is the service started? What does it say next to status of the service? It should be started. In case if it's not started, click the start button under it.
all this happened when after the last combofix and the pc restarted.Yes, but as I already said, I don't see how Combofix should cause this. Main errors were related with your windows Desktop search when you opened Internet Explorer after using Combofix and then I saw that you have been fixing entries in HijackThis in between as well. Combofix did restart your computer, but I guess if you didn't use Combofix and restarted your computer, that you would have had the same problem.
So what I am trying to explain here is, modifications mainly happen after a reboot, so if you fix certain entries in HijackThis, most changes will only show after reboot.
For your programs that won't minimize, go to this page:
http://www.kellys-korner-xp.com/taskbarplus!.htm
There, click the "Minimized Programs Missing" and download the vbs file to your desktop. Once on your desktop, doubleclick the xp_taskbar_desktop_fixall.vbs and let it perform it's job.
Now I have installed internet explorer, and that is working properly.
Now, since you reinstalled Internet Explorer, did you reboot? After reboot, look if drag and drop works again, because this problem can occur if Internet Explorer files become damaged.
miekiemoes
2007-09-04, 23:00
I see you posted in between..
the status for system restore in services is blank. I tried to set it to start but a window comes up:
Could not start the System Restore Service service on Local Computer. Error1068: The dependency service or group failed to startHmm, just found this thread:
http://www.errorforum.com/security-firewall-error/4684-windows-firewall-system-restore-services-desktop-problems.html
It looks like it's exactly the same combinations of problems and this indeed looks like the userprofile got corrupted.
there are 2 user profiles on y pc (if i'm understanding you correctly) one is administrator and the other lina(with administrative priviliges).So, this one is the lina userprofile?
Log off from this userprofile and log in into the administrator userprofile and let me know if you're having the same problems there.
i could only access the administrator userprofile through safe mode. in admin profile the windows still disappear on minimize.
when i went to user options in control panel , it was empty and i could not create a new user profile.
i have noticed another fault. when i click on a link like the ones you send me in yr posts, the link does not work. then i highlight it and right click>copy. but when i try to paste the copied text the PASTE is greyed and i cannot choose it. this happens with both lina and administrator user profiles.
do you think i should uninstall windows and install it again? or should i reformat my pc? i need your expert advice.
another error i have found is that i cannot reply to mail in outlook express. after trying to reply and not succeeding, outlook express closed and will not open anymore.
miekiemoes
2007-09-05, 00:15
I am sorry to hear that more and more problems appear..
Looks like a lot got corrupted - and I guess this is mainly because services are failing to start - most probably because of a corrupted registry/corrupted files.
I really have no clue how this suddenly all happened.. Guess it was already corrupted before.. And as I already explained, it had nothing to do with what Combofix removed - it was mainly what was done to the system before and that last reboot after using Combofix made it final.
No need to reformat - A repair install should normally solve this as well. :)
A repair install doesn't remove your files, but it will be a good idea anyway to backup your important files you don't want to loose - this just in case.
Then read here how to perform a repair install:
http://www.michaelstevenstech.com/XPrepairinstall.htm
Afterwards you should reinstall all Windows updates again.
Sidenote and important note - do not use scanners such as Pestpatrol, True Sword, Uniblue, because I don't like them since I have seen them deleting a lot of false positives as well. Stick with Spybot s&d as your Spyware scanner. Also, don't visit cracksites anymore, because malware is always present there and malware damages A LOT.
i did repair on my pc, but things got only worse. then i reformatted, lost some files because i couldn't copy after the repair.
reformatting ran smoothly. now pc is definitely clean.
thank you for your much appreciated help.
miekiemoes
2007-09-06, 15:01
Good everything is Ok now. Guess the damage was worse than expected.
I just hope you keep in mind not to visit cracksites or other illegal sites anymore.. because that's what I already said in my first post - that's where malware is lurking and malware damages A LOT.
Please read my Prevention page (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html).
Happy Surfing again!