View Full Version : Am at a Loss -Over 300 Infections. Please Help, i need assist.
Shadows_Light
2007-10-03, 15:01
A brief recap of what's been transpiring: have been running AVG AntiVirus(FREE) for quite awhile. At one point awhile back AGV listed the following:
kernel32.dll change C:\WINDOWS\system32\kernel32.dll changed
user32.dll change C:\WINDOWS\system32\user32.dll changed
shell32.dll change C:\WINDOWS\system32\shell32.dll changed
ntoskml.exe change C:\WINDOWS\system32\ntoskml.exe changed
i'm disabled & have been quite ill, so i thought AVG did what was needed to keep me safe & went about my usual computer activities.
UNTIL: began receiving "Blue Stop Screens", keys on my kybd getting very hard to push, text entries having long delay prior to what i typed showing up, etc (odd things which had not occured prior). Next here's what AVG found & they didn't show up from all of AVG Scans until 9/28/07:
dsbr.jar- 13f7do18-58f5f3c3.zip C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\Cache\Javapi\V1.01 Jar\Java\Byte Verify
SendPhotos.exe C:\Program Files\SendPhotos Trojan horse Downloader.Generic4.ILX
A0018114.exe C:\Systen Volume Information\_restore {593f298f-B7D6-4A3D...
WinAV.exe C:\Program Files\WinAntiVirus Pro 2007\Trojanhorse Generic5.DWA
us0006[1].anr C:\Documents and Settings\Owner\Local Settings\Temporary Internet File Content.IE5\AMVWLA5A Trojan Horse Exploit.Downloader
I've read your "BEFORE YOU POST". I d/l HJT but have not installed yet. Also d/l Spybot program-it showed 315 Infections & asked for Registration#. Unfortunately, that requires a fee to register & i am Flat Broke (seriously!!). In fact, i've gathered many 'home items' to list on an auction site hoping to sell enough to keep electric/phone on. Yet am afraid to do much at all on the computer with all these problems.
Please step in & assist me. I can assure you I will not let your kindness go by the wayside & will make donations or pay you as soon as i am able to.
I am so upset with these computer issues, I cannot think straight as in what to do ... really in dire need of guidance/direction. If this PC blows completely due to these infections/viruses... I'm dead in water... its my only link to the outside world due to disablities which keep me home-bound.
Thank You so much in advance for being here for so many of us in need,
Keyanna
Hello.
Also d/l Spybot program-it showed 315 Infections & asked for Registration#. Unfortunately, that requires a fee to register & i am Flat Broke (seriously!!).
That is not Spybot-S&D but a fake rogue program. Rogue/Suspect Anti-Spyware Products & Web Sites (http://www.spywarewarrior.com/rogue_anti-spyware.htm)
Spybot-Search and Destroy is totally free for personal use.
This is our home page: http://www.safer-networking.org/en/home/index.html
If you can, please run the on-line anti virus scan and produce that log and also the HJT log in order for one of our helpers to assist you.
Best regards.
Shadows_Light
2007-10-04, 21:26
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:13:07 AM, on 10/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\System Doctor\sysmain.exe
C:\Program Files\Common Files\AOL\1190465712\ee\AOLSoftware.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX8530
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX8530
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://auto.search.msn.com/response.asp?MT=enable+wireless+connection&srch=3&prov=&utf8
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: ElnkBhoGuard Class - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ElnkScamBHO Class - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: ElnkPubBHO Class - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: ElnkProtectionBHO Class - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: ElnkLegacyUninstBHO Class - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [System Doctor] C:\Program Files\System Doctor\sysmain.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1190465712\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [HSN Skin Tools Alerts] "C:\Program Files\HSN\bar\1.bin\hsnSkPly.exe" Alerts
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154679137071
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
--
End of file - 10659 bytes
Shadows_Light
2007-10-04, 21:33
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, October 04, 2007 7:07:59 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 4/10/2007
Kaspersky Anti-Virus database records: 427117
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 80606
Number of viruses found: 11
Number of infected objects: 20
Number of suspicious objects: 0
Duration of the scan process: 01:17:07
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\variable Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0a\idb\Dancingle5\mydb.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0a\idb\Dancingle5\toolbar.lst Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0a\idb\SNMaster.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0a\organize\CACHE\dancingl01 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0a\organize\dancingle5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0a\organize\dancingle5.abi Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0a\organize\dancingle5.aby Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\aolstderr.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\aolstdout.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\cache.db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\ncoc Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\server.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\AOL\C_AOL 9.0a\IDB\Apps.Lst Object is locked skipped
C:\Documents and Settings\Owner\Application Data\AOL\C_AOL 9.0a\IDB\art.idx Object is locked skipped
C:\Documents and Settings\Owner\Application Data\AOL\C_AOL 9.0a\IDB\sap.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\AOL\C_AOL 9.0a\IDB\spool.lst Object is locked skipped
C:\Documents and Settings\Owner\Application Data\AOL\C_AOL 9.0a\IDB\sysnews.lst Object is locked skipped
C:\Documents and Settings\Owner\Application Data\EarthLink\Toolbar\toolbareg.xml Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\WinAntiVirusPro2006FreeInstall.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\WinAntiVirusPro2006FreeInstall[1].exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP312\A0025740.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ah skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP314\A0025804.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ah skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP314\A0026151.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ay skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP314\A0026153.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.f skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP314\A0026154.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ay skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP314\A0026155.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP314\A0026156.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP314\A0026157.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP314\A0026159.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ay skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP314\A0026160.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ay skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP315\A0026464.DLL Infected: not-a-virus:AdWare.Win32.MySearch.g skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP316\A0026546.dll Infected: not-a-virus:AdWare.Win32.MySearch.g skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP328\A0026814.exe Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP341\A0029433.exe Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP341\A0029477.dll Infected: not-a-virus:FraudTool.Win32.WinAntiVirus.2006 skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP341\A0029482.exe/file01 Infected: Trojan-Downloader.Win32.Agent.alr skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP341\A0029482.exe Inno: infected - 1 skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP341\A0029483.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP347\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_SoftV92 Data Fax Modem with SmartCP.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{0DFBEC2D-F66F-4B21-88C5-7407270DC483}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Hi Shadows_Light
Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Delete following files (if found):
C:\Documents and Settings\Owner\Local Settings\Temp\WinAntiVirusPro2006FreeInstall.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\WinAntiVirusPro2006FreeInstall[1].exe
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Then run Kaspersky scanner again and post its report & a fresh hjt log.
Shadows_Light
2007-10-09, 03:59
Hi Blade81, 1st Thank You So Much For Coming To My Aid. I am not sure if you want me to perform anything add'l since the following happened.
I was able to change my file & folder preferences. Soon after, I did locate the first file you wanted deleted. I right clicked to make sure it was indeed correct. Suddenly, my AOL Dialer turned on, wouldn't stop connecting me to web & also "WinAntiVirus Pro 2007 Installer" began d/l and I could not stop either of these actions!!
Next, Sysyem Doctor pops up saying "spyware attack deleted" (i deleted system doctor w/ Spybot S&D before but it keeps returning). It read: Trojan.Adclicker High Risk! The WinAntiVirus Pro 2007 Installer made a full installation for i couldn't stop the action. So far, if all this isn't bad enough; Spybot S&D begins popping up with so many "Registry Change" mesages... so fast, couldn't catch all of them to write them down (printer is not working), I did get a few tidbits if you need them let me know. Last, AVG Free AntiVirus displayed a message as I was attempting to delete the WinAntiVirus Pro 2007 from Control Panels Add/Delete... to the effect of some type of trojan was found???
Sorry to trouble you but felt it best to alert you in case you need me to do anything more along with what you already requested. All that happened really frightened me :sick: As if something took fast & hard control of my PC and wouldn't let go WOW!!
Okay, i am now going to d/l ATF. Run the new "Kaspersky Scan & HJT. Will post them to you soon as they are complete.
Again, Thank You for Being Here :)
Shadow
Okay, I'll wait for the results. We won't give up as long as there's a bit of hope left :)
Shadows_Light
2007-10-09, 10:01
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, October 08, 2007 11:56:43 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 9/10/2007
Kaspersky Anti-Virus database records: 429653
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 83781
Number of viruses found: 12
Number of infected objects: 34
Number of suspicious objects: 0
Duration of the scan process: 01:17:57
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\variable Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0a\idb\Dancingle5\mydb.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0a\idb\Dancingle5\toolbar.lst Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0a\idb\SNMaster.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0a\organize\CACHE\dancingl01 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0a\organize\dancingle5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0a\organize\dancingle5.abi Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0a\organize\dancingle5.aby Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\aolstderr.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\aolstdout.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\cache.db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\ncoc Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\server.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\AOL\C_AOL 9.0a\IDB\Apps.Lst Object is locked skipped
C:\Documents and Settings\Owner\Application Data\AOL\C_AOL 9.0a\IDB\art.idx Object is locked skipped
C:\Documents and Settings\Owner\Application Data\AOL\C_AOL 9.0a\IDB\sap.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\AOL\C_AOL 9.0a\IDB\spool.lst Object is locked skipped
C:\Documents and Settings\Owner\Application Data\AOL\C_AOL 9.0a\IDB\sysnews.lst Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\WinAntiVirusPro2006FreeInstall.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~freesetup.exe/file01 Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~freesetup.exe/file02/file01 Infected: Trojan-Downloader.Win32.Agent.alr skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~freesetup.exe/file02 Infected: Trojan-Downloader.Win32.Agent.alr skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~freesetup.exe/file18 Infected: not-a-virus:FraudTool.Win32.WinAntiVirus.2006 skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~freesetup.exe/file83 Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~freesetup.exe Inno: infected - 5 skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\WinAntiVirusPro2006FreeInstall[1].exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped
C:\Program Files\Common Files\WinAntiVirus Pro 2007\wa7pinst.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\Program Files\Common Files\WinAntiVirus Pro 2007\WAPChk.dll Infected: not-a-virus:FraudTool.Win32.WinAntiVirus.2006 skipped
C:\Program Files\WinAntiVirus Pro 2007\reform.exe/file01 Infected: Trojan-Downloader.Win32.Agent.alr skipped
C:\Program Files\WinAntiVirus Pro 2007\reform.exe Inno: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP312\A0025713.exe Infected: not-a-virus:FraudTool.Win32.RegistrySmart.a skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP312\A0025740.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ah skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP314\A0025804.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ah skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP314\A0026103.exe Infected: not-a-virus:FraudTool.Win32.RegistrySmart.a skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP314\A0026151.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ay skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP314\A0026153.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.f skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP314\A0026154.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ay skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP314\A0026155.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP314\A0026156.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP314\A0026157.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP314\A0026159.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ay skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP314\A0026160.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ay skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP315\A0026464.DLL Infected: not-a-virus:AdWare.Win32.MySearch.g skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP316\A0026546.dll Infected: not-a-virus:AdWare.Win32.MySearch.g skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP328\A0026814.exe Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP341\A0028352.rbf Infected: not-a-virus:FraudTool.Win32.RegistrySmart.a skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP341\A0029433.exe Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP341\A0029477.dll Infected: not-a-virus:FraudTool.Win32.WinAntiVirus.2006 skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP341\A0029482.exe/file01 Infected: Trojan-Downloader.Win32.Agent.alr skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP341\A0029482.exe Inno: infected - 1 skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP341\A0029483.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP351\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{68ED2536-99EA-4E07-A695-139FA0E06801}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{79413053-723E-4E3C-BE34-573D1C7F6729}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Shadows_Light
2007-10-09, 10:13
Hi Blade, i tried for 3+ hours to d/l ATF-Cleaner from local you gave & many others i found. Each attempt gave me a "time-out" error. That's reason it's not included. I really tried hard... any suggestionson that part of things? Thanx ~ Shadow
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:03:57 AM, on 10/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\System Doctor\sysmain.exe
C:\Program Files\Common Files\AOL\1190465712\ee\AOLSoftware.exe
C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AOL 9.0a\waol.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\AOL 9.0a\shellmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX8530
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX8530
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://auto.search.msn.com/response.asp?MT=enable+wireless+connection&srch=3&prov=&utf8
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: ElnkBhoGuard Class - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ElnkScamBHO Class - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: ElnkPubBHO Class - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: ElnkProtectionBHO Class - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: IEFW Object - {B5141620-C2B2-4D95-9F0F-134D99C87AB0} - C:\Program Files\WinAntiVirus Pro 2007\IEFWBHO.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: ElnkLegacyUninstBHO Class - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [System Doctor] C:\Program Files\System Doctor\sysmain.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1190465712\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [uwa7pcw] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\uwa7pcw.exe" -c
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [HSN Skin Tools Alerts] "C:\Program Files\HSN\bar\1.bin\hsnSkPly.exe" Alerts
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0a\AOL.EXE" -b
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154679137071
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F0FFBBF-E2DF-47EA-824D-511760D6896F}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
--
End of file - 11282 bytes
1. Download this file -
combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your
next reply with a fresh hjt log.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause
it to stall
Shadows_Light
2007-10-09, 13:32
ComboFix 07-10-09.3 - Owner 2007-10-09 2:53:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.597 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\All Users\Application Data\SystemDoctor Free
C:\Documents and Settings\All Users\Application Data\SystemDoctor
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data\ProductCode
C:\Documents and Settings\All Users\Desktop\WinAntiVirus Pro 2007.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WinAntiVirus Pro 2007
C:\Documents and Settings\All Users\Start Menu\Programs\WinAntiVirus Pro 2007\Reinstall or Uninstall WinAntiVirus Pro 2007.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WinAntiVirus Pro 2007\WinAntiVirus Pro 2007 Manual.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WinAntiVirus Pro 2007\WinAntiVirus Pro 2007.lnk
C:\Documents and Settings\Owner\Application Data\DriveCleaner Freeware(2)
C:\Documents and Settings\Owner\Application Data\DriveCleaner Freeware(2)\Logs\update.log
C:\Documents and Settings\Owner\Application Data\DriveCleaner Freeware(2)\Logs\update.log
C:\Documents and Settings\Owner\Application Data\SystemDoctor Free
C:\Documents and Settings\Owner\Application Data\SystemDoctor Free\Logs\update.log
C:\Documents and Settings\Owner\Application Data\SystemDoctor Free\Logs\update.log
C:\Documents and Settings\Owner\Application Data\SystemDoctor
C:\Documents and Settings\Owner\Application Data\SystemDoctor\activator_info.txt
C:\Documents and Settings\Owner\Application Data\SystemDoctor\activator_info.txt
C:\Documents and Settings\Owner\Application Data\SystemDoctor\Logs\Activate.log
C:\Documents and Settings\Owner\Application Data\SystemDoctor\Logs\Activate.log
C:\Documents and Settings\Owner\Application Data\SystemDoctor\Logs\update.log
C:\Documents and Settings\Owner\Application Data\SystemDoctor\Logs\update.log
C:\Documents and Settings\Owner\err.log
C:\Documents and Settings\Owner\ResErrors.log
C:\Program Files\Common Files\companion wizard
C:\Program Files\Common Files\Companion Wizard\CompWiz.xml
C:\Program Files\Common Files\companion wizard\CompWiz.xml
C:\Program Files\Common Files\winantivirus pro 2007
C:\Program Files\Common Files\WinAntiVirus Pro 2007\err.log
C:\Program Files\Common Files\winantivirus pro 2007\err.log
C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe
C:\Program Files\Common Files\winantivirus pro 2007\mav_startupmon.exe
C:\Program Files\Common Files\winantivirus pro 2007\wa7pinst.exe
C:\Program Files\Common Files\WinAntiVirus Pro 2007\wa7pinst.exe
C:\Program Files\Common Files\winantivirus pro 2007\WAPChk.dll
C:\Program Files\Common Files\WinAntiVirus Pro 2007\WAPChk.dll
C:\Program Files\winantivirus pro 2007
C:\Program Files\winantivirus pro 2007\Activate.dat
C:\Program Files\WinAntiVirus Pro 2007\Activate.dat
C:\Program Files\winantivirus pro 2007\Activate.dat
C:\Program Files\WinAntiVirus Pro 2007\asmngr.dll
C:\Program Files\winantivirus pro 2007\asmngr.dll
C:\Program Files\winantivirus pro 2007\asmngr.dll
C:\Program Files\winantivirus pro 2007\ASupdater.dat
C:\Program Files\WinAntiVirus Pro 2007\ASupdater.dat
C:\Program Files\winantivirus pro 2007\ASupdater.dat
C:\Program Files\WinAntiVirus Pro 2007\AVupd.exe
C:\Program Files\winantivirus pro 2007\AVupd.exe
C:\Program Files\winantivirus pro 2007\AVupd.exe
C:\Program Files\WinAntiVirus Pro 2007\AWBase\database\enemies.dat
C:\Program Files\winantivirus pro 2007\AWBase\database\enemies.dat
C:\Program Files\winantivirus pro 2007\AWBase\database\enemies.dat
C:\Program Files\winantivirus pro 2007\AWBase\vbpv.dat
C:\Program Files\WinAntiVirus Pro 2007\AWBase\vbpv.dat
C:\Program Files\winantivirus pro 2007\AWBase\vbpv.dat
C:\Program Files\winantivirus pro 2007\BkSites.dat
C:\Program Files\WinAntiVirus Pro 2007\BkSites.dat
C:\Program Files\winantivirus pro 2007\BkSites.dat
C:\Program Files\WinAntiVirus Pro 2007\bnlink.dat
C:\Program Files\winantivirus pro 2007\bnlink.dat
C:\Program Files\winantivirus pro 2007\bnlink.dat
C:\Program Files\winantivirus pro 2007\bpupdater.dat
C:\Program Files\winantivirus pro 2007\bpupdater.dat
C:\Program Files\WinAntiVirus Pro 2007\bpupdater.dat
C:\Program Files\winantivirus pro 2007\CompWiz.exe
C:\Program Files\WinAntiVirus Pro 2007\CompWiz.exe
C:\Program Files\winantivirus pro 2007\CompWiz.exe
C:\Program Files\WinAntiVirus Pro 2007\CompWiz.xml
C:\Program Files\winantivirus pro 2007\CompWiz.xml
C:\Program Files\winantivirus pro 2007\CompWiz.xml
C:\Program Files\winantivirus pro 2007\fat.exe
C:\Program Files\winantivirus pro 2007\fat.exe
C:\Program Files\WinAntiVirus Pro 2007\fat.exe
C:\Program Files\WinAntiVirus Pro 2007\fopn.exe
C:\Program Files\winantivirus pro 2007\fopn.exe
C:\Program Files\winantivirus pro 2007\fopn.exe
C:\Program Files\winantivirus pro 2007\fopn.sys
C:\Program Files\winantivirus pro 2007\fopn.sys
C:\Program Files\WinAntiVirus Pro 2007\fopn.sys
C:\Program Files\winantivirus pro 2007\fopnl.dll
C:\Program Files\WinAntiVirus Pro 2007\fopnl.dll
C:\Program Files\winantivirus pro 2007\fopnl.dll
C:\Program Files\winantivirus pro 2007\forum.dat
C:\Program Files\WinAntiVirus Pro 2007\forum.dat
C:\Program Files\winantivirus pro 2007\forum.dat
C:\Program Files\WinAntiVirus Pro 2007\IEFWBHO.dll
C:\Program Files\winantivirus pro 2007\IEFWBHO.dll
C:\Program Files\winantivirus pro 2007\IEFWBHO.dll
C:\Program Files\winantivirus pro 2007\IH.exe
C:\Program Files\winantivirus pro 2007\IH.exe
C:\Program Files\WinAntiVirus Pro 2007\IH.exe
C:\Program Files\winantivirus pro 2007\integrity.dat
C:\Program Files\winantivirus pro 2007\integrity.dat
C:\Program Files\WinAntiVirus Pro 2007\integrity.dat
C:\Program Files\WinAntiVirus Pro 2007\kb.url
C:\Program Files\winantivirus pro 2007\kb.url
C:\Program Files\winantivirus pro 2007\kb.url
C:\Program Files\winantivirus pro 2007\lapv.dat
C:\Program Files\WinAntiVirus Pro 2007\lapv.dat
C:\Program Files\winantivirus pro 2007\lapv.dat
C:\Program Files\winantivirus pro 2007\License.rtf
C:\Program Files\WinAntiVirus Pro 2007\License.rtf
C:\Program Files\winantivirus pro 2007\License.rtf
C:\Program Files\WinAntiVirus Pro 2007\Online.url
C:\Program Files\winantivirus pro 2007\Online.url
C:\Program Files\winantivirus pro 2007\Online.url
C:\Program Files\winantivirus pro 2007\PGBase\vbpv.dat
C:\Program Files\winantivirus pro 2007\PGBase\vbpv.dat
C:\Program Files\WinAntiVirus Pro 2007\PGBase\vbpv.dat
C:\Program Files\WinAntiVirus Pro 2007\PGE.dat
C:\Program Files\winantivirus pro 2007\PGE.dat
C:\Program Files\winantivirus pro 2007\PGE.dat
C:\Program Files\WinAntiVirus Pro 2007\PGupdater.dat
C:\Program Files\winantivirus pro 2007\PGupdater.dat
C:\Program Files\winantivirus pro 2007\PGupdater.dat
C:\Program Files\WinAntiVirus Pro 2007\plugins\BORLNDMM.DLL
C:\Program Files\winantivirus pro 2007\plugins\BORLNDMM.DLL
C:\Program Files\winantivirus pro 2007\plugins\BORLNDMM.DLL
C:\Program Files\winantivirus pro 2007\plugins\SCANADWR.DLL
C:\Program Files\WinAntiVirus Pro 2007\plugins\SCANADWR.DLL
C:\Program Files\winantivirus pro 2007\plugins\SCANADWR.DLL
C:\Program Files\winantivirus pro 2007\plugins\SCANBCDR.DLL
C:\Program Files\WinAntiVirus Pro 2007\plugins\SCANBCDR.DLL
C:\Program Files\winantivirus pro 2007\plugins\SCANBCDR.DLL
C:\Program Files\winantivirus pro 2007\plugins\SCANDLDR.DLL
C:\Program Files\winantivirus pro 2007\plugins\SCANDLDR.DLL
C:\Program Files\WinAntiVirus Pro 2007\plugins\SCANDLDR.DLL
C:\Program Files\winantivirus pro 2007\plugins\SCANDOS1.DLL
C:\Program Files\winantivirus pro 2007\plugins\SCANDOS1.DLL
C:\Program Files\WinAntiVirus Pro 2007\plugins\SCANDOS1.DLL
C:\Program Files\winantivirus pro 2007\plugins\SCANEMUL.DLL
C:\Program Files\WinAntiVirus Pro 2007\plugins\SCANEMUL.DLL
C:\Program Files\winantivirus pro 2007\plugins\SCANEMUL.DLL
C:\Program Files\winantivirus pro 2007\plugins\SCANFUNC.DLL
C:\Program Files\WinAntiVirus Pro 2007\plugins\SCANFUNC.DLL
C:\Program Files\winantivirus pro 2007\plugins\SCANFUNC.DLL
C:\Program Files\winantivirus pro 2007\plugins\SCANKRNL.DLL
C:\Program Files\winantivirus pro 2007\plugins\SCANKRNL.DLL
C:\Program Files\WinAntiVirus Pro 2007\plugins\SCANKRNL.DLL
C:\Program Files\winantivirus pro 2007\plugins\SCANMCR1.DLL
C:\Program Files\WinAntiVirus Pro 2007\plugins\SCANMCR1.DLL
C:\Program Files\winantivirus pro 2007\plugins\SCANMCR1.DLL
C:\Program Files\WinAntiVirus Pro 2007\plugins\SCANOTHR.DLL
C:\Program Files\winantivirus pro 2007\plugins\SCANOTHR.DLL
C:\Program Files\winantivirus pro 2007\plugins\SCANOTHR.DLL
C:\Program Files\winantivirus pro 2007\plugins\SCANSCR.DLL
C:\Program Files\WinAntiVirus Pro 2007\plugins\SCANSCR.DLL
C:\Program Files\winantivirus pro 2007\plugins\SCANSCR.DLL
C:\Program Files\winantivirus pro 2007\plugins\SCANTOOL.DLL
C:\Program Files\winantivirus pro 2007\plugins\SCANTOOL.DLL
C:\Program Files\WinAntiVirus Pro 2007\plugins\SCANTOOL.DLL
C:\Program Files\winantivirus pro 2007\plugins\SCANTROJ.DLL
C:\Program Files\WinAntiVirus Pro 2007\plugins\SCANTROJ.DLL
C:\Program Files\winantivirus pro 2007\plugins\SCANTROJ.DLL
C:\Program Files\winantivirus pro 2007\plugins\SCANWIN1.DLL
C:\Program Files\WinAntiVirus Pro 2007\plugins\SCANWIN1.DLL
C:\Program Files\winantivirus pro 2007\plugins\SCANWIN1.DLL
C:\Program Files\winantivirus pro 2007\plugins\UNACPU.DLL
C:\Program Files\WinAntiVirus Pro 2007\plugins\UNACPU.DLL
C:\Program Files\winantivirus pro 2007\plugins\UNACPU.DLL
C:\Program Files\winantivirus pro 2007\plugins\UNADBX.DLL
C:\Program Files\winantivirus pro 2007\plugins\UNADBX.DLL
C:\Program Files\WinAntiVirus Pro 2007\plugins\UNADBX.DLL
C:\Program Files\winantivirus pro 2007\plugins\unamscan.dll
C:\Program Files\WinAntiVirus Pro 2007\plugins\unamscan.dll
C:\Program Files\winantivirus pro 2007\plugins\unamscan.dll
C:\Program Files\winantivirus pro 2007\plugins\UNMIME.DLL
C:\Program Files\winantivirus pro 2007\plugins\UNMIME.DLL
C:\Program Files\WinAntiVirus Pro 2007\plugins\UNMIME.DLL
C:\Program Files\WinAntiVirus Pro 2007\plugins\UNPACK.DLL
C:\Program Files\winantivirus pro 2007\plugins\UNPACK.DLL
C:\Program Files\winantivirus pro 2007\plugins\UNPACK.DLL
C:\Program Files\winantivirus pro 2007\plugins\UNPACKS.DLL
C:\Program Files\WinAntiVirus Pro 2007\plugins\UNPACKS.DLL
C:\Program Files\winantivirus pro 2007\plugins\UNPACKS.DLL
C:\Program Files\WinAntiVirus Pro 2007\plugins\UNPACKS2.DLL
C:\Program Files\winantivirus pro 2007\plugins\UNPACKS2.DLL
C:\Program Files\winantivirus pro 2007\plugins\UNPACKS2.DLL
C:\Program Files\WinAntiVirus Pro 2007\plugins\UNPEPACK.DLL
C:\Program Files\winantivirus pro 2007\plugins\UNPEPACK.DLL
C:\Program Files\winantivirus pro 2007\plugins\UNPEPACK.DLL
C:\Program Files\winantivirus pro 2007\plugins\UpDate\UA27601.DLL
C:\Program Files\WinAntiVirus Pro 2007\plugins\UpDate\UA27601.DLL
C:\Program Files\winantivirus pro 2007\plugins\UpDate\UA27601.DLL
C:\Program Files\winantivirus pro 2007\plugins\UpDate\UA27602.DLL
C:\Program Files\WinAntiVirus Pro 2007\plugins\UpDate\UA27602.DLL
C:\Program Files\winantivirus pro 2007\plugins\UpDate\UA27602.DLL
C:\Program Files\WinAntiVirus Pro 2007\plugins\UpDate\UA27603.DLL
C:\Program Files\winantivirus pro 2007\plugins\UpDate\UA27603.DLL
C:\Program Files\winantivirus pro 2007\plugins\UpDate\UA27603.DLL
C:\Program Files\winantivirus pro 2007\plugins\UpDate\UA27604.DLL
C:\Program Files\WinAntiVirus Pro 2007\plugins\UpDate\UA27604.DLL
C:\Program Files\winantivirus pro 2007\plugins\UpDate\UA27604.DLL
C:\Program Files\winantivirus pro 2007\plugins\UpDate\UADAILY.DLL
C:\Program Files\WinAntiVirus Pro 2007\plugins\UpDate\UADAILY.DLL
C:\Program Files\winantivirus pro 2007\plugins\UpDate\UADAILY.DLL
C:\Program Files\winantivirus pro 2007\plugins\vbpv.dat
C:\Program Files\winantivirus pro 2007\plugins\vbpv.dat
C:\Program Files\WinAntiVirus Pro 2007\plugins\vbpv.dat
C:\Program Files\winantivirus pro 2007\pv.dat
C:\Program Files\WinAntiVirus Pro 2007\pv.dat
C:\Program Files\winantivirus pro 2007\pv.dat
C:\Program Files\winantivirus pro 2007\pv.exe
C:\Program Files\winantivirus pro 2007\pv.exe
C:\Program Files\WinAntiVirus Pro 2007\pv.exe
C:\Program Files\WinAntiVirus Pro 2007\rbho.dat
C:\Program Files\winantivirus pro 2007\rbho.dat
C:\Program Files\winantivirus pro 2007\rbho.dat
C:\Program Files\WinAntiVirus Pro 2007\reform.exe
C:\Program Files\winantivirus pro 2007\reform.exe
C:\Program Files\winantivirus pro 2007\reform.exe
C:\Program Files\winantivirus pro 2007\res\cross.gif
C:\Program Files\WinAntiVirus Pro 2007\res\cross.gif
C:\Program Files\winantivirus pro 2007\res\cross.gif
C:\Program Files\winantivirus pro 2007\res\wa7p.gif
C:\Program Files\WinAntiVirus Pro 2007\res\wa7p.gif
C:\Program Files\winantivirus pro 2007\res\wa7p.gif
C:\Program Files\winantivirus pro 2007\Restart.exe
C:\Program Files\winantivirus pro 2007\Restart.exe
C:\Program Files\WinAntiVirus Pro 2007\Restart.exe
C:\Program Files\winantivirus pro 2007\rpt.dll
C:\Program Files\WinAntiVirus Pro 2007\rpt.dll
C:\Program Files\winantivirus pro 2007\rpt.dll
C:\Program Files\WinAntiVirus Pro 2007\scnkrnl.dll
C:\Program Files\winantivirus pro 2007\scnkrnl.dll
C:\Program Files\winantivirus pro 2007\scnkrnl.dll
C:\Program Files\winantivirus pro 2007\Settings.ini
C:\Program Files\WinAntiVirus Pro 2007\Settings.ini
C:\Program Files\winantivirus pro 2007\Settings.ini
C:\Program Files\WinAntiVirus Pro 2007\sqlite3.dll
C:\Program Files\winantivirus pro 2007\sqlite3.dll
C:\Program Files\winantivirus pro 2007\sqlite3.dll
C:\Program Files\WinAntiVirus Pro 2007\sr.log
C:\Program Files\winantivirus pro 2007\sr.log
C:\Program Files\winantivirus pro 2007\sr.log
C:\Program Files\WinAntiVirus Pro 2007\st.dat
C:\Program Files\winantivirus pro 2007\st.dat
C:\Program Files\winantivirus pro 2007\st.dat
C:\Program Files\winantivirus pro 2007\Support.url
C:\Program Files\WinAntiVirus Pro 2007\Support.url
C:\Program Files\winantivirus pro 2007\Support.url
C:\Program Files\WinAntiVirus Pro 2007\UBUpdater.dat
C:\Program Files\winantivirus pro 2007\UBUpdater.dat
C:\Program Files\winantivirus pro 2007\UBUpdater.dat
C:\Program Files\WinAntiVirus Pro 2007\unins000.dat
C:\Program Files\winantivirus pro 2007\unins000.dat
C:\Program Files\winantivirus pro 2007\unins000.dat
C:\Program Files\WinAntiVirus Pro 2007\unins000.exe
C:\Program Files\winantivirus pro 2007\unins000.exe
C:\Program Files\winantivirus pro 2007\unins000.exe
C:\Program Files\winantivirus pro 2007\uninstall.ico
C:\Program Files\WinAntiVirus Pro 2007\uninstall.ico
C:\Program Files\winantivirus pro 2007\uninstall.ico
C:\Program Files\WinAntiVirus Pro 2007\up.dat
C:\Program Files\winantivirus pro 2007\up.dat
C:\Program Files\winantivirus pro 2007\up.dat
C:\Program Files\winantivirus pro 2007\updater.dat
C:\Program Files\WinAntiVirus Pro 2007\updater.dat
C:\Program Files\winantivirus pro 2007\updater.dat
C:\Program Files\winantivirus pro 2007\WAV6COM.dll
C:\Program Files\winantivirus pro 2007\WAV6COM.dll
C:\Program Files\WinAntiVirus Pro 2007\WAV6COM.dll
C:\Program Files\WinAntiVirus Pro 2007\WinAV.xml
C:\Program Files\winantivirus pro 2007\WinAV.xml
C:\Program Files\winantivirus pro 2007\WinAV.xml
C:\Program Files\winantivirus pro 2007\winpgi.dll
C:\Program Files\WinAntiVirus Pro 2007\winpgi.dll
C:\Program Files\winantivirus pro 2007\winpgi.dll
C:\Program Files\WinAntiVirus Pro 2007\worldmap.swf
C:\Program Files\winantivirus pro 2007\worldmap.swf
C:\Program Files\winantivirus pro 2007\worldmap.swf
C:\WINDOWS\system32\av.cpl
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\stera.exe
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_FOPN
-------\FOPN
((((((((((((((((((((((((( Files Created from 2007-09-09 to 2007-10-09 )))))))))))))))))))))))))))))))
.
2007-10-09 02:50 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-04 03:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-04 03:54 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-04 00:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-03 07:29 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-28 04:50 <DIR> d-------- C:\Program Files\AOL 9.0a
2007-09-28 04:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-09-28 04:46 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AOL
2007-09-23 01:42 10,920 --a------ C:\aolconnfix.exe
2007-09-22 05:57 <DIR> d-------- C:\Program Files\Common Files\aolback
2007-09-22 05:55 <DIR> d-------- C:\Program Files\AOL 9.0
2007-09-22 04:43 <DIR> d-------- C:\Program Files\Common Files\aolshare
2007-09-22 04:40 <DIR> d--h----- C:\TEMP
Shadows_Light
2007-10-09, 13:33
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-01 19:39 --------- d-----w C:\Documents and Settings\Owner\Application Data\AOL
2007-09-28 11:58 --------- d-----w C:\Program Files\Common Files\AOL
2007-09-28 11:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-09-22 08:23 --------- d-----w C:\Program Files\System Doctor
2007-09-22 08:09 --------- d-----w C:\Program Files\RegistrySmart
2007-09-22 07:56 --------- d-----w C:\Program Files\Pure Networks
2007-09-11 08:51 --------- d-----w C:\Program Files\Paint Shop Pro 5
2007-09-05 23:00 --------- d-----w C:\Documents and Settings\Owner\Application Data\System Doctor
2007-09-05 23:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\System Doctor Free
2007-09-05 23:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\System Doctor
2007-09-04 06:55 --------- d-----w C:\Documents and Settings\Owner\Application Data\RegistrySmart
2007-08-22 10:42 --------- d-----w C:\Program Files\HSN
2007-08-22 06:09 --------- d-----w C:\Documents and Settings\Owner\Application Data\Sammsoft
2007-08-22 05:41 --------- d-----w C:\Program Files\DriveCleaner Freeware
2007-08-11 01:11 --------- d-----w C:\Program Files\Uniblue
2007-04-08 06:56 472 -c--a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-14 04:42]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-09-13 21:29]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 14:49]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-01-31 19:52]
"System Doctor"="C:\Program Files\System Doctor\sysmain.exe" [2007-08-23 12:13]
"HostManager"="C:\Program Files\Common Files\AOL\1190465712\ee\AOLSoftware.exe" [2006-09-25 17:52]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe" [2005-08-16 08:43]
"HSN Skin Tools Alerts"="C:\Program Files\HSN\bar\1.bin\hsnSkPly.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"AOL Fast Start"="C:\Program Files\AOL 9.0a\AOL.exe" [2007-04-17 23:48]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"=NA
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Creating Keepsakes Scrapbook Designer Event Reminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Creating Keepsakes Scrapbook Designer Event Reminder.lnk
backup=C:\WINDOWS\pss\Creating Keepsakes Scrapbook Designer Event Reminder.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk
backup=C:\WINDOWS\pss\Event Reminder.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
"C:\Program Files\America Online 9.0\AOL.EXE" -b
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClientGW]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eSnips]
"C:\Program Files\eSnips\ClientGW.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1145965187\EE\AOLHostManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
%WINDIR%\Creator\Remind_XP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-10-08 10:30:00 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program Files\RegistrySmart\RegistrySmart.exe
"2007-09-30 01:11:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-08-11 01:11:41 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net (http://www.gmer.net/)
Rootkit scan 2007-10-09 03:06:13
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-09 3:08:18 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-09 03:08
.
--- E O F ---
Shadows_Light
2007-10-09, 13:45
You deserve a Big Hug for your patience with me;) I'm 'green' to all of this... reports, etc. Plus many odd things have occured during some of these Logs, esp ComboFix creating error reports to send - it restarted the PC and Spybot S&D keeps popping up w/ many windows (registry value changes). I only hope i'm clicking the correct response when this happens. What an Angel you are :heart:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:35:31 AM, on 10/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\System Doctor\sysmain.exe
C:\Program Files\Common Files\AOL\1190465712\ee\AOLSoftware.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AOL 9.0a\waol.exe
C:\Program Files\AOL 9.0a\shellmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX8530
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX8530
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://auto.search.msn.com/response.asp?MT=enable+wireless+connection&srch=3&prov=&utf8
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: ElnkBhoGuard Class - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ElnkScamBHO Class - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: ElnkPubBHO Class - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: ElnkProtectionBHO Class - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: ElnkLegacyUninstBHO Class - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [System Doctor] C:\Program Files\System Doctor\sysmain.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1190465712\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [HSN Skin Tools Alerts] "C:\Program Files\HSN\bar\1.bin\hsnSkPly.exe" Alerts
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0a\AOL.EXE" -b
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154679137071
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F0FFBBF-E2DF-47EA-824D-511760D6896F}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
--
End of file - 10328 bytes
Hi
Disable Spybot's TeaTimer (you can re-enable it after we've cleaned the system)
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu
select
Advanced Mode
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck
Resident TeaTimer
and OK any prompts.
Restart your computer
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update. Don't run AVG yet. Will do it a bit later.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop. Don't run ATF yet. Will do it a bit later.
Open notepad and copy/paste the text in the quotebox below into it:
Folder::
C:\Documents and Settings\Owner\Application Data\System Doctor
C:\Documents and Settings\All Users\Application Data\System Doctor Free
C:\Documents and Settings\All Users\Application Data\System Doctor
C:\Program Files\DriveCleaner Freeware
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System Doctor"=-
Save this as
CFScript
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Don't select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the
Save Scan Report
button before you did hit the
Apply all Actions
button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot.
Post
-AVG Anti-Spyware log
-a fresh HJT log.
Shadows_Light
2007-10-10, 10:13
Dear Blade81, dear goodness, i so hope i'm doing all of this right. have been working on the instructions since 4pm mst & must admit am feeling like a dumb blonde (but i'm not even blonde!) wanted to contact you to a couple times for clarification but not wanting to bother you. i'll keep on going at it & praying alot! :banghead:
ComboFix 07-10-09.3 - Owner 2007-10-09 23:54:50.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.585 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Program Files\Trend Micro\HijackThis\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\System Doctor Free
C:\Documents and Settings\All Users\Application Data\System Doctor Free\Data\hours
C:\Documents and Settings\All Users\Application Data\System Doctor Free\Data\ProductCode
C:\Documents and Settings\All Users\Application Data\System Doctor
C:\Documents and Settings\All Users\Application Data\System Doctor\Data\Abbr
C:\Documents and Settings\All Users\Application Data\System Doctor\Data\ActivationCode
C:\Documents and Settings\All Users\Application Data\System Doctor\Data\cid
C:\Documents and Settings\All Users\Application Data\System Doctor\Data\CustomerEmail
C:\Documents and Settings\All Users\Application Data\System Doctor\Data\CustomerName
C:\Documents and Settings\All Users\Application Data\System Doctor\Data\OID
C:\Documents and Settings\All Users\Application Data\System Doctor\Data\PCID
C:\Documents and Settings\All Users\Application Data\System Doctor\Data\ProductCode
C:\Documents and Settings\All Users\Application Data\System Doctor\Data\Suspicious
C:\Documents and Settings\Owner\Application Data\System Doctor
C:\Documents and Settings\Owner\Application Data\System Doctor\Logs\update.log
C:\Program Files\DriveCleaner Freeware
C:\Program Files\DriveCleaner Freeware\Activate.dat
C:\Program Files\DriveCleaner Freeware\Appbase\AE_CD_Cr.dat
C:\Program Files\DriveCleaner Freeware\Appbase\AReadr4.dat
C:\Program Files\DriveCleaner Freeware\Appbase\AReadr5.dat
C:\Program Files\DriveCleaner Freeware\Appbase\ASDSEEpv.dat
C:\Program Files\DriveCleaner Freeware\Appbase\ASPack.dat
C:\Program Files\DriveCleaner Freeware\Appbase\Babylon.dat
C:\Program Files\DriveCleaner Freeware\Appbase\BDelphi5.dat
C:\Program Files\DriveCleaner Freeware\Appbase\CatchUp.dat
C:\Program Files\DriveCleaner Freeware\Appbase\CBuildr5.dat
C:\Program Files\DriveCleaner Freeware\Appbase\CCGA.dat
C:\Program Files\DriveCleaner Freeware\Appbase\CManager.dat
C:\Program Files\DriveCleaner Freeware\Appbase\CuteFTP4.dat
C:\Program Files\DriveCleaner Freeware\Appbase\CuteHTML.dat
C:\Program Files\DriveCleaner Freeware\Appbase\DAcceler.dat
C:\Program Files\DriveCleaner Freeware\Appbase\DiscJug.dat
C:\Program Files\DriveCleaner Freeware\Appbase\ECDCreat4.dat
C:\Program Files\DriveCleaner Freeware\Appbase\Far.dat
C:\Program Files\DriveCleaner Freeware\Appbase\FFTsks.dat
C:\Program Files\DriveCleaner Freeware\Appbase\FlashFXP.dat
C:\Program Files\DriveCleaner Freeware\Appbase\FrntPage.dat
C:\Program Files\DriveCleaner Freeware\Appbase\FrontPEx.dat
C:\Program Files\DriveCleaner Freeware\Appbase\FtpEXP.dat
C:\Program Files\DriveCleaner Freeware\Appbase\FtpVoya.dat
C:\Program Files\DriveCleaner Freeware\Appbase\GetRight.dat
C:\Program Files\DriveCleaner Freeware\Appbase\GoZilla.dat
C:\Program Files\DriveCleaner Freeware\Appbase\GravMRU.dat
C:\Program Files\DriveCleaner Freeware\Appbase\H_TxtPad.dat
C:\Program Files\DriveCleaner Freeware\Appbase\HomeSite.dat
C:\Program Files\DriveCleaner Freeware\Appbase\HotDogPr.dat
C:\Program Files\DriveCleaner Freeware\Appbase\IconExtr.dat
C:\Program Files\DriveCleaner Freeware\Appbase\iMesh.dat
C:\Program Files\DriveCleaner Freeware\Appbase\ImgReady3.dat
C:\Program Files\DriveCleaner Freeware\Appbase\InsShExp.dat
C:\Program Files\DriveCleaner Freeware\Appbase\JASC_P_P.dat
C:\Program Files\DriveCleaner Freeware\Appbase\KaZaA.dat
C:\Program Files\DriveCleaner Freeware\Appbase\LView.dat
C:\Program Files\DriveCleaner Freeware\Appbase\MacDir.dat
C:\Program Files\DriveCleaner Freeware\Appbase\MacDrWea.dat
C:\Program Files\DriveCleaner Freeware\Appbase\MicAng.dat
C:\Program Files\DriveCleaner Freeware\Appbase\MicDes.dat
C:\Program Files\DriveCleaner Freeware\Appbase\MM_CON.dat
C:\Program Files\DriveCleaner Freeware\Appbase\MMUnDisk.dat
C:\Program Files\DriveCleaner Freeware\Appbase\Morpheus.dat
C:\Program Files\DriveCleaner Freeware\Appbase\MPaint.dat
C:\Program Files\DriveCleaner Freeware\Appbase\MPicPub.dat
C:\Program Files\DriveCleaner Freeware\Appbase\MPImaGal.dat
C:\Program Files\DriveCleaner Freeware\Appbase\MSExplorer.dat
C:\Program Files\DriveCleaner Freeware\Appbase\MSoffice.dat
C:\Program Files\DriveCleaner Freeware\Appbase\MSRegEdit.dat
C:\Program Files\DriveCleaner Freeware\Appbase\MSWMP.dat
C:\Program Files\DriveCleaner Freeware\Appbase\MSWordPad.dat
C:\Program Files\DriveCleaner Freeware\Appbase\Nero.dat
C:\Program Files\DriveCleaner Freeware\Appbase\NetShow.dat
C:\Program Files\DriveCleaner Freeware\Appbase\NTBackup.dat
C:\Program Files\DriveCleaner Freeware\Appbase\pfilelst.xda
C:\Program Files\DriveCleaner Freeware\Appbase\PhotShel.dat
C:\Program Files\DriveCleaner Freeware\Appbase\PHPCoder.dat
C:\Program Files\DriveCleaner Freeware\Appbase\PowerZIP.dat
C:\Program Files\DriveCleaner Freeware\Appbase\RapidBr.dat
C:\Program Files\DriveCleaner Freeware\Appbase\RealAuPl.dat
C:\Program Files\DriveCleaner Freeware\Appbase\RealDown.dat
C:\Program Files\DriveCleaner Freeware\Appbase\SecurCRT.dat
C:\Program Files\DriveCleaner Freeware\Appbase\SL_BlWin.dat
C:\Program Files\DriveCleaner Freeware\Appbase\SmartClr.dat
C:\Program Files\DriveCleaner Freeware\Appbase\Sonique.dat
C:\Program Files\DriveCleaner Freeware\Appbase\StuffIt.dat
C:\Program Files\DriveCleaner Freeware\Appbase\TelepPro.dat
C:\Program Files\DriveCleaner Freeware\Appbase\UGifAnim.dat
C:\Program Files\DriveCleaner Freeware\Appbase\UltraEd.dat
C:\Program Files\DriveCleaner Freeware\Appbase\UMedStud.dat
C:\Program Files\DriveCleaner Freeware\Appbase\UPhImpV.dat
C:\Program Files\DriveCleaner Freeware\Appbase\UPhotoEx.dat
C:\Program Files\DriveCleaner Freeware\Appbase\UVidStud.dat
C:\Program Files\DriveCleaner Freeware\Appbase\VNC.dat
C:\Program Files\DriveCleaner Freeware\Appbase\WebFeret.dat
C:\Program Files\DriveCleaner Freeware\Appbase\WebReap.dat
C:\Program Files\DriveCleaner Freeware\Appbase\WinACE.dat
C:\Program Files\DriveCleaner Freeware\Appbase\WinGate.dat
C:\Program Files\DriveCleaner Freeware\Appbase\WinRAR.dat
C:\Program Files\DriveCleaner Freeware\Appbase\WinZIP.dat
C:\Program Files\DriveCleaner Freeware\Appbase\WiseInst.dat
C:\Program Files\DriveCleaner Freeware\Appbase\wordslst.xda
C:\Program Files\DriveCleaner Freeware\Appbase\YahooPl.dat
C:\Program Files\DriveCleaner Freeware\Appbase\ZipMagic.dat
C:\Program Files\DriveCleaner Freeware\AV.dat
C:\Program Files\DriveCleaner Freeware\bnlink.dat
C:\Program Files\DriveCleaner Freeware\err.log
C:\Program Files\DriveCleaner Freeware\img\button.gif
C:\Program Files\DriveCleaner Freeware\img\button2.gif
C:\Program Files\DriveCleaner Freeware\img\header.gif
C:\Program Files\DriveCleaner Freeware\img\logo.gif
C:\Program Files\DriveCleaner Freeware\img\spacer.gif
C:\Program Files\DriveCleaner Freeware\img\top_line.gif
C:\Program Files\DriveCleaner Freeware\img\top1.jpg
C:\Program Files\DriveCleaner Freeware\img\top2.jpg
C:\Program Files\DriveCleaner Freeware\lapv.dat
C:\Program Files\DriveCleaner Freeware\license.rtf
C:\Program Files\DriveCleaner Freeware\manual.url
C:\Program Files\DriveCleaner Freeware\pv.dat
C:\Program Files\DriveCleaner Freeware\readme.rtf
C:\Program Files\DriveCleaner Freeware\remnag.dat
C:\Program Files\DriveCleaner Freeware\ScanReport.dat
C:\Program Files\DriveCleaner Freeware\Schedule.dat
C:\Program Files\DriveCleaner Freeware\sr.log
C:\Program Files\DriveCleaner Freeware\support.url
C:\Program Files\DriveCleaner Freeware\UDC.xml
C:\Program Files\DriveCleaner Freeware\UDC6.url
C:\Program Files\DriveCleaner Freeware\unins000.dat
C:\Program Files\DriveCleaner Freeware\UninstallPage.html
C:\Program Files\DriveCleaner Freeware\up.dat
C:\Program Files\DriveCleaner Freeware\updater.dat
C:\Program Files\DriveCleaner Freeware\vbpv.dat
.
((((((((((((((((((((((((( Files Created from 2007-09-10 to 2007-10-10 )))))))))))))))))))))))))))))))
.
2007-10-09 22:30 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-09 02:50 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-04 03:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-04 03:54 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-04 00:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-03 07:29 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-28 04:50 <DIR> d-------- C:\Program Files\AOL 9.0a
2007-09-28 04:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-09-28 04:46 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AOL
2007-09-23 01:42 10,920 --a------ C:\aolconnfix.exe
2007-09-22 05:57 <DIR> d-------- C:\Program Files\Common Files\aolback
2007-09-22 05:55 <DIR> d-------- C:\Program Files\AOL 9.0
2007-09-22 04:43 <DIR> d-------- C:\Program Files\Common Files\aolshare
2007-09-22 04:40 <DIR> d--h----- C:\TEMP
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-01 19:39 --------- d-----w C:\Documents and Settings\Owner\Application Data\AOL
2007-09-28 11:58 --------- d-----w C:\Program Files\Common Files\AOL
2007-09-28 11:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-09-22 08:23 --------- d-----w C:\Program Files\System Doctor
2007-09-22 08:09 --------- d-----w C:\Program Files\RegistrySmart
2007-09-22 07:56 --------- d-----w C:\Program Files\Pure Networks
2007-09-11 08:51 --------- d-----w C:\Program Files\Paint Shop Pro 5
2007-09-04 06:55 --------- d-----w C:\Documents and Settings\Owner\Application Data\RegistrySmart
2007-08-22 10:42 --------- d-----w C:\Program Files\HSN
2007-08-22 06:09 --------- d-----w C:\Documents and Settings\Owner\Application Data\Sammsoft
2007-08-11 01:11 --------- d-----w C:\Program Files\Uniblue
2007-04-08 06:56 472 -c--a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-14 04:42]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-09-13 21:29]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 14:49]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-01-31 19:52]
"HostManager"="C:\Program Files\Common Files\AOL\1190465712\ee\AOLSoftware.exe" [2006-09-25 17:52]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe" [2005-08-16 08:43]
"HSN Skin Tools Alerts"="C:\Program Files\HSN\bar\1.bin\hsnSkPly.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"AOL Fast Start"="C:\Program Files\AOL 9.0a\AOL.exe" [2007-04-17 23:48]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"=NA
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Creating Keepsakes Scrapbook Designer Event Reminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Creating Keepsakes Scrapbook Designer Event Reminder.lnk
backup=C:\WINDOWS\pss\Creating Keepsakes Scrapbook Designer Event Reminder.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk
backup=C:\WINDOWS\pss\Event Reminder.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
"C:\Program Files\America Online 9.0\AOL.EXE" -b
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClientGW]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eSnips]
"C:\Program Files\eSnips\ClientGW.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1145965187\EE\AOLHostManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
%WINDIR%\Creator\Remind_XP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
*Newly Created Service* - AVGASCLN
.
Contents of the 'Scheduled Tasks' folder
"2007-10-09 10:30:00 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program Files\RegistrySmart\RegistrySmart.exe
"2007-10-10 01:11:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-08-11 01:11:41 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-09 23:55:59
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-09 23:56:36
C:\ComboFix-quarantined-files.txt ... 2007-10-09 23:56
C:\ComboFix2.txt ... 2007-10-09 23:35
C:\ComboFix3.txt ... 2007-10-09 03:08
.
--- E O F ---
Hi
Thus far you've done it ok. :bigthumb:
Delete following folder:
c:\program files\system doctor
Now just waiting for those AVG report & new hjt log. :)
Shadows_Light
2007-10-10, 11:38
Hiya Blade81, I cannot locate c:\program files\*system doctor* in order to delete it. I know that nasty thing is still in my pc but even doing searches is not exposing itself!
Also, in order to run my AGV AntiVirus Log, need to close all running programs, open windows, folders. I'm am clueless how or which ones to close while still allowing my system to run?
Any feedback is GREATLY appreciated.
Warmly, Shadow
Open notepad and copy/paste the text in the quotebox below into it:
Folder::
C:\Program Files\System Doctor
Save this as
CFScript (overwrite previous one)
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log. That should delete the folder if it exists.
Also, in order to run my AGV AntiVirus Log, need to close all running programs, open windows, folders. I'm am clueless how or which ones to close while still allowing my system to run?
I meant AVG Anti-spyware and not AVG Antivirus log :) You're ready to scan when you've closed browser windows. Don't stress yourself too much with that notification ;)
Shadows_Light
2007-10-10, 12:21
I think System Doctor is finally gone but posted this for your review just in case i overlooked it. I'll have the AVG AntiSpyware & New HTG Logs in just a lil' while;)
ComboFix 07-10-09.3 - Owner 2007-10-10 2:04:22.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.531 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Program Files\Trend Micro\HijackThis\CFScript_used_2007-10-09@23.54.txt
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2007-09-10 to 2007-10-10 )))))))))))))))))))))))))))))))
.
2007-10-09 22:30 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-09 02:50 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-04 03:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-04 03:54 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-04 00:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-03 07:29 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-28 04:50 <DIR> d-------- C:\Program Files\AOL 9.0a
2007-09-28 04:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-09-28 04:46 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AOL
2007-09-23 01:42 10,920 --a------ C:\aolconnfix.exe
2007-09-22 05:57 <DIR> d-------- C:\Program Files\Common Files\aolback
2007-09-22 05:55 <DIR> d-------- C:\Program Files\AOL 9.0
2007-09-22 04:43 <DIR> d-------- C:\Program Files\Common Files\aolshare
2007-09-22 04:40 <DIR> d--h----- C:\TEMP
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-01 19:39 --------- d-----w C:\Documents and Settings\Owner\Application Data\AOL
2007-09-28 11:58 --------- d-----w C:\Program Files\Common Files\AOL
2007-09-28 11:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-09-22 08:09 --------- d-----w C:\Program Files\RegistrySmart
2007-09-22 07:56 --------- d-----w C:\Program Files\Pure Networks
2007-09-11 08:51 --------- d-----w C:\Program Files\Paint Shop Pro 5
2007-09-04 06:55 --------- d-----w C:\Documents and Settings\Owner\Application Data\RegistrySmart
2007-08-22 10:42 --------- d-----w C:\Program Files\HSN
2007-08-22 06:09 --------- d-----w C:\Documents and Settings\Owner\Application Data\Sammsoft
2007-08-11 01:11 --------- d-----w C:\Program Files\Uniblue
2007-04-08 06:56 472 -c--a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
.
((((((((((((((((((((((((((((( snapshot@2007-10-09_ 3.07.26.40 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 621,848 2007-10-08 22:53:12 C:\WINDOWS\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
----a-w 621,848 2007-10-08 22:53:12 C:\WINDOWS\pchealth\helpctr\Config\Cache\Professional_32_1033.dat.bak
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-14 04:42]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-09-13 21:29]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 14:49]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-01-31 19:52]
"HostManager"="C:\Program Files\Common Files\AOL\1190465712\ee\AOLSoftware.exe" [2006-09-25 17:52]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe" [2005-08-16 08:43]
"HSN Skin Tools Alerts"="C:\Program Files\HSN\bar\1.bin\hsnSkPly.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"AOL Fast Start"="C:\Program Files\AOL 9.0a\AOL.exe" [2007-04-17 23:48]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"=NA
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Creating Keepsakes Scrapbook Designer Event Reminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Creating Keepsakes Scrapbook Designer Event Reminder.lnk
backup=C:\WINDOWS\pss\Creating Keepsakes Scrapbook Designer Event Reminder.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk
backup=C:\WINDOWS\pss\Event Reminder.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
"C:\Program Files\America Online 9.0\AOL.EXE" -b
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClientGW]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eSnips]
"C:\Program Files\eSnips\ClientGW.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1145965187\EE\AOLHostManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
%WINDIR%\Creator\Remind_XP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
*Newly Created Service* - AVGASCLN
.
Contents of the 'Scheduled Tasks' folder
"2007-10-09 10:30:00 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program Files\RegistrySmart\RegistrySmart.exe
"2007-10-10 01:11:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-08-11 01:11:41 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-10 02:05:12
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-10 2:05:49
C:\ComboFix-quarantined-files.txt ... 2007-10-10 02:05
C:\ComboFix2.txt ... 2007-10-09 23:56
C:\ComboFix3.txt ... 2007-10-09 23:35
.
--- E O F ---
Shadows_Light
2007-10-10, 14:43
:rolleyes: Dang It! Okay, I really think I made a Boo-Boo on this one. Under ' How To Act ' I did click Reco'd Action & Quarantine from pop-up menu. However after scan ran to completion; it showed Delete under Set All Elements.. i tried but couldn't get it to make the correction back to Quarantine. Hope this has not created a HUGE problem for you. I still don't know how this even happened. I'm sorry if i goofed... have been so cautious. Plus, my logs have been taking longer to post to you as i'm having to write all instructions out (printer not working). Please don't be too angry, i'm trying so hard :red:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 4:14:34 AM 10/10/2007
+ Scan result:
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP341\A0029477.dll -> Adware.Companion : Cleaned.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP352\A0030506.dll -> Adware.Companion : Cleaned.
C:\qoobox\Quarantine\C\Program Files\Common Files\WinAntiVirus Pro 2007\WAPChk.dll.vir -> Adware.Companion : Cleaned.
C:\qoobox\Quarantine\C\Program Files\DriveCleaner Freeware\up.dat.vir -> Adware.DriveCleaner : Cleaned.
C:\qoobox\Quarantine\C\Program Files\DriveCleaner Freeware\vbpv.dat.vir -> Adware.DriveCleaner : Cleaned.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP314\A0025808.dll -> Adware.ErrorSafe : Cleaned.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP341\A0029479.exe -> Adware.SystemDoctor : Cleaned.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP352\A0030465.exe -> Adware.SystemDoctor : Cleaned.
C:\qoobox\Quarantine\C\Program Files\WinAntiVirus Pro 2007\IH.exe.vir -> Adware.SystemDoctor : Cleaned.
C:\qoobox\Quarantine\C\Program Files\WinAntiVirus Pro 2007\st.dat.vir -> Adware.WinAntiVirus : Cleaned.
C:\qoobox\Quarantine\C\Program Files\WinAntiVirus Pro 2007\up.dat.vir -> Adware.WinAntiVirus : Cleaned.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP341\A0029483.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP352\A0030505.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned.
C:\qoobox\Quarantine\C\Program Files\Common Files\WinAntiVirus Pro 2007\wa7pinst.exe.vir -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP328\A0026814.exe -> Not-A-Virus.Downloader.Win32.WinFixer.x : Cleaned.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP341\A0029433.exe -> Not-A-Virus.Downloader.Win32.WinFixer.x : Cleaned.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP352\A0030504.exe -> Not-A-Virus.Downloader.Win32.WinFixer.x : Cleaned.
C:\qoobox\Quarantine\C\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe.vir -> Not-A-Virus.Downloader.Win32.WinFixer.x : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP315\A0026464.DLL -> Trojan.HSN : Cleaned.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP316\A0026546.dll -> Trojan.HSN : Cleaned.
::Report end
Shadows_Light
2007-10-10, 14:45
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:21:48 AM, on 10/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Common Files\AOL\1190465712\ee\AOLSoftware.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX8530
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX8530
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://auto.search.msn.com/response.asp?MT=enable+wireless+connection&srch=3&prov=&utf8
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: ElnkBhoGuard Class - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ElnkScamBHO Class - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: ElnkPubBHO Class - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: ElnkProtectionBHO Class - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: ElnkLegacyUninstBHO Class - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1190465712\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [HSN Skin Tools Alerts] "C:\Program Files\HSN\bar\1.bin\hsnSkPly.exe" Alerts
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154679137071
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
--
End of file - 9994 bytes
You may delete c:\qoobox folder and combofix.exe file now.
Well congrats, it appears your system is all clean Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.
THESE STEPS ARE VERY IMPORTANT
Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6u3 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says
The J2SE Runtime Environment (JRE) allows end-users to run Java applications.
Click the
Download
button to the right.
Check the box that says:
Accept License Agreement.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.
UPDATING WINDOWS AND INTERNET EXPLORER
IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.
If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.
Make your Internet Explorer more secure
This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
Change the allow paste operations via script to Disable
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Download Adaware
Adaware is a free program. It scans for known spyware on your computer. These scans should be run at least once every two weeks. For more information, see this tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=48)
The program is available for download here (http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10319876.html?tag=lst-0-1)
Download SpywareBlaster
Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes
kill bits
in the registry, so that certain activex controls can't install.
If you don't know what activex controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster here here (http://majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef)
SpywareBlaster tutorial (http://www.bleepingcomputer.com/forums/tutorial49.html)
Download iespyad
It puts many bad webpages on your restricted zones list. This means that you can still view the
bad
webpages, but the webpages cannot do certain things (such as use javascripts and cookies).
If you need help understanding how it works, there is a tutorial here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
Download it here (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe)
hosts file:
Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button (at the lower left hand corner of your screen) Click run In the dialog box, type services.msc hit enter, then locate dns client Highlight it, then double-click it. On the dropdown box, change the setting from automatic to manual. Click ok
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out.
See here (http://www.freebyte.com/antivirus/#firewalls) to choose one
Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Run the spybot and adaware regularly. (Once or twice a week minimum.)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Once again, please post and tell me how things are going with your system... problems etc.
Have a great day,
Blade :cool:
Shadows_Light
2007-10-10, 21:00
Good Morning Blade81, First I've gotta tell you... You are AWESOME :crowned: Words are just not enough to Thank You. I'll feel soooo much better when i'm able to make my donation (probably won't be till 1st part of Nov-unless a windfall comes my way -- lol)
Just this question Re: deletion of ComboFix.exe I did so from windows search & of course, it placed it into the Recycle. Only thing is now it won't allow me to delete the other files & folders associated with that program. Also, other ComboFix files have since popped up in the search feature,such as:
combofix-quarantined files C: text doc
download.bleepingcomputer
(2) combofix recyclers
.exe pf file
prefetch pf file
file folders
several text docs
* Also there's now Combofix D:\Recycled
I haven't emtied the Recycle Bin as of yet... wanted to check with you first to make sure the above is normal. It may seem trite to those who are experienced but as i told you i'm green :alien: Always best to ask & not mess up your hard work. Soon as i hear back, i'll proceed to work on your further instructions.
Bunches of Thanks & Big Huggz, Shadow