View Full Version : Symptoms have gone....for now....
but I spent all weekend searching here and finding fixes, and scans to do. I think I got most of it.
Earlier today i was trying to scan with Kaspersky, but whatever had infected my system would reboot me before the scan finished. That also was happening even earlier with Nortons and Spybot, until I used them in safe mode.
It all started with Brave Sentry on Friday. I found a fix for that but I was still getting the false detection from Windows telling me to download a program to remove. After 2 or 3 of those popped up, if I was scanning, the system would reboot. Upon rebooting, my task manager would not work until I scanned with Ad-Aware SE. the 1st 3 detections there would clear up my task manager.
After finally getting most of it cleared up with Spybot, Ad-Aware and Nortons, I downloaded SuperAntispiware and got that to come up clear after a few attempts. Then I downloaded AVG7.5 and that was the best of all. It got rid of the rest of the symptoms. Like I said....so far. <g>
Now though...I can't even get Kaspersky to run. It wont finish initializing....just keeps cycling through the same files trying to load. Probably something I changed since the last time. Anyways....next is my Hijack log. Thanks! :red:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:51:23 PM, on 11/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\dhepfner\Application Data\10161.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL = http://www.searchnow.ws/search/
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\system32\bronto.dll (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [MSConfig] MSCONFIG35.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [StartUp] C:\WINDOWS\trayicons.exe /optimize speed
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Aimster.lnk = C:\Program Files\Aimster\AimsterCheck.exe
O4 - Global Startup: Internet Directory.lnk = C:\Program Files\Internet CommSuite\SMGui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Dell Home - {9D13B100-26B0-11D4-A31B-0050DA845A2D} - http://www.dellnet.com (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131337196739
O19 - User stylesheet: (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\append.dll
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\comdl32.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
--
End of file - 8170 bytes
:bigthumb:
as soon as Hijack had finished. When I clicked on it to fix it, it warned me about a possible problem that would result....so i ignored it for now. I was just trying to get the Hijack posted first.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, November 25, 2007 9:55:48 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 26/11/2007
Kaspersky Anti-Virus database records: 465687
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
Scan Statistics:
Total number of scanned objects: 77146
Number of viruses found: 26
Number of infected objects: 76
Number of suspicious objects: 1
Duration of the scan process: 02:34:02
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP0.htm Infected: Exploit.Win32.IMG-ANI.ak skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06E40000.VBN Infected: Trojan.Win32.Qhost.my skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08C80000.VBN/BlackBox.class Infected: Trojan.Java.ClassLoader.z skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08C80000.VBN/VB.class Infected: Trojan.Java.ClassLoader.ak skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08C80000.VBN/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08C80000.VBN ZIP: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08C80000.VBN CryptZ: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09340000.VBN/Counter.class Infected: Trojan.Java.ClassLoader.i skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09340000.VBN/VerifierBug.class Infected: Trojan.Java.ClassLoader.k skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09340000.VBN/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09340000.VBN ZIP: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09340000.VBN CryptZ: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09340002.VBN/Counter.class Infected: Trojan.Java.ClassLoader.i skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09340002.VBN/VerifierBug.class Infected: Trojan.Java.ClassLoader.k skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09340002.VBN/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09340002.VBN ZIP: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09340002.VBN CryptZ: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09340004.VBN/GetAccess.class Infected: Trojan.Java.ClassLoader.ae skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09340004.VBN ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09340004.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09340006.VBN/GetAccess.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09340006.VBN/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09340006.VBN/NewSecurityClassLoader.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09340006.VBN/NewURLClassLoader.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09340006.VBN ZIP: infected - 4 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09340006.VBN CryptZ: infected - 4 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09340008.VBN/GetAccess.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09340008.VBN/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09340008.VBN/NewSecurityClassLoader.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09340008.VBN/NewURLClassLoader.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09340008.VBN ZIP: infected - 4 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09340008.VBN CryptZ: infected - 4 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0AD00000.VBN Infected: Trojan-Proxy.Win32.Xorpix.cm skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0AF40000.VBN Infected: Trojan-Proxy.Win32.Wopla.ag skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B200000.VBN/Counter.class Infected: Trojan.Java.ClassLoader.i skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B200000.VBN/VerifierBug.class Infected: Trojan.Java.ClassLoader.k skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B200000.VBN/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B200000.VBN ZIP: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B200000.VBN CryptZ: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BD80000.VBN Infected: Trojan.Win32.Qhost.my skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DFC0000.VBN Infected: P2P-Worm.Win32.SpyBot.gl skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DFC0002.VBN Infected: P2P-Worm.Win32.SpyBot.gl skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DFC0004.VBN Infected: P2P-Worm.Win32.SpyBot.gl skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DFC0006.VBN Infected: P2P-Worm.Win32.SpyBot.gl skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DFC0008.VBN Infected: P2P-Worm.Win32.SpyBot.gl skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DFC000A.VBN Infected: P2P-Worm.Win32.SpyBot.gl skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DFC000C.VBN Infected: P2P-Worm.Win32.SpyBot.gl skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DFC000E.VBN Infected: P2P-Worm.Win32.SpyBot.gl skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DFC0010.VBN Infected: P2P-Worm.Win32.SpyBot.gl skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DFC0012.VBN Infected: P2P-Worm.Win32.SpyBot.gl skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DFC0014.VBN Infected: P2P-Worm.Win32.SpyBot.gl skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DFC0016.VBN/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DFC0016.VBN/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DFC0016.VBN/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DFC0016.VBN/Beyond.class Infected: Trojan.Java.Needy.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DFC0016.VBN ZIP: infected - 4 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DFC0016.VBN CryptZ: infected - 4 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DFC0018.VBN/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.e skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DFC0018.VBN/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DFC0018.VBN/WebCounter.class Infected: Trojan.Java.ClassLoader.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DFC0018.VBN/a.class Infected: Trojan.Java.Shiwow skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DFC0018.VBN ZIP: infected - 4 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DFC0018.VBN CryptZ: infected - 4 skipped
C:\Documents and Settings\dhepfner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\dhepfner\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\dhepfner\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\dhepfner\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\dhepfner\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\dhepfner\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\dhepfner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\dhepfner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\dhepfner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\dhepfner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\dhepfner\Local Settings\History\History.IE5\MSHist012007112520071126\index.dat Object is locked skipped
C:\Documents and Settings\dhepfner\Local Settings\Temp\ICD1.tmp\99930093.exe Infected: not-a-virus:Porn-Dialer.Win32.AsianRaw.b skipped
C:\Documents and Settings\dhepfner\Local Settings\Temp\temp.fr9E7B\uninst.exe Infected: Packed.Win32.Klone.i skipped
C:\Documents and Settings\dhepfner\Local Settings\Temp\~DF12A6.tmp Object is locked skipped
C:\Documents and Settings\dhepfner\Local Settings\Temp\~DF12AB.tmp Object is locked skipped
C:\Documents and Settings\dhepfner\Local Settings\Temp\~DF311C.tmp Object is locked skipped
C:\Documents and Settings\dhepfner\Local Settings\Temp\~DF619B.tmp Object is locked skipped
C:\Documents and Settings\dhepfner\Local Settings\Temp\~DF6245.tmp Object is locked skipped
C:\Documents and Settings\dhepfner\Local Settings\Temp\~DF847F.tmp Object is locked skipped
C:\Documents and Settings\dhepfner\Local Settings\Temp\~DFD06F.tmp Object is locked skipped
C:\Documents and Settings\dhepfner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\dhepfner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\dhepfner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\dhepfner\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\sex-viewer.exe Infected: not-a-virus:Porn-Dialer.Win32.Generic skipped
C:\WINDOWS\homereg111.reg Infected: Trojan.JS.Seeker.b skipped
C:\WINDOWS\SchedLog.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{739C7C47-9489-43B8-AC5B-6EE505435857}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\AcroIEHelper.dll Infected: Trojan.Win32.LinkReplacer.b skipped
C:\WINDOWS\SYSTEM32\comdl32.exe Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\asc3550p.sys Object is locked skipped
C:\WINDOWS\SYSTEM32\G9DEC.tmp.exe/data1 Infected: Trojan.Win32.LinkReplacer.b skipped
C:\WINDOWS\SYSTEM32\G9DEC.tmp.exe SIM: infected - 1 skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\SYSTEM32\Sexy Girls-uninstall.exe Infected: not-a-virus:Porn-Dialer.Win32.Generic skipped
C:\WINDOWS\SYSTEM32\sol852.txt Infected: Trojan.Win32.Qhost.zs skipped
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\nsi13F.exe Suspicious: not-a-virus:Porn-Dialer.Win32.DialerComp skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Hello and welcome to the Forums :)
You're infected.
At first you need to disable a few realtime protections. These may interfere with our cleaning process.
We'll enable these when you're clean...
Disable Spybot S&D Teatimer.
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu select "Advanced Mode"
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer
1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
ComboFix 07-11-19.4C - dhepfner 2007-11-28 21:18:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.69 [GMT -8:00]Running from: C:\Documents and Settings\All Users\Desktop\My Briefcase\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Program Files\dialers
C:\Program Files\dialers\subcriptions\cancelled.html
C:\WINDOWS\start.exe
C:\WINDOWS\system32\append.dll
C:\WINDOWS\system32\bund1
C:\WINDOWS\system32\ldinfo.ldr
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_ASC3550P
-------\LEGACY_DRIVER
-------\LEGACY_MSUPDATE
-------\LEGACY_POOF
-------\asc3550p
-------\msupdate
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-29 )))))))))))))))))))))))))))))))
.
2007-11-25 20:16 21,575 --a------ C:\Documents and Settings\dhepfner\Application Data\info.dat
2007-11-25 18:49 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-25 14:53 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-25 14:53 <DIR> d-------- C:\Documents and Settings\dhepfner\Application Data\AVG7
2007-11-25 14:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-25 14:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-11-25 13:25 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-25 13:25 <DIR> d-------- C:\Documents and Settings\dhepfner\Application Data\SUPERAntiSpyware.com
2007-11-25 13:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-25 13:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-25 12:53 <DIR> d-------- C:\VundoFix Backups
2007-11-25 10:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-25 10:06 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-11-24 07:52 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-23 19:34 <DIR> d-------- C:\Program Files\PCPitstop
2007-11-23 08:07 2,820 --a------ C:\WINDOWS\SYSTEM32\opseti
2007-11-23 07:52 15,872 --a------ C:\WINDOWS\windisk.dll
2007-11-23 07:34 28,417 --a------ C:\WINDOWS\trayicons.exe
2007-11-23 07:34 28,417 --a------ C:\Documents and Settings\dhepfner\wn852.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-29 05:33 18,432 ----a-w C:\WINDOWS\SYSTEM32\append.dll
2007-11-26 00:34 --------- d-----w C:\Program Files\Java
2007-11-25 22:53 499,712 ----a-w C:\WINDOWS\SYSTEM32\msvcp71.dll
2007-11-25 22:53 348,160 ----a-w C:\WINDOWS\SYSTEM32\msvcr71.dll
2007-11-24 22:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-24 03:38 --------- d-----w C:\Program Files\SpywareBlaster
2007-11-23 16:04 289,280 ----a-w C:\WINDOWS\SYSTEM32\libcurl.dll
2007-11-05 14:03 528,896 ----a-w C:\WINDOWS\SYSTEM32\AcroIEHelper.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\dllcache\shell32.dll
2002-04-05 18:37 10,416,160 ----a-w C:\Program Files\system.pca
2002-04-05 17:59 745,504 ----a-w C:\Program Files\user.pca
2000-05-11 04:16 266 --sha-w C:\Program Files\desktop.ini
2000-05-11 04:16 11,079 ---ha-w C:\Program Files\folder.htt
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" [1999-08-04 00:00]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-07-29 19:34]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [2001-08-23 12:00 C:\WINDOWS\SYSTEM32\systray.exe]
"vptray"="C:\Program Files\NavNT\vptray.exe" [2001-09-24 08:59]
"MSConfig"="MSCONFIG35.EXE" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 09:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 18:05]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-25 14:52]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" [1999-08-04 00:00]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-25 14:53]
C:\Documents and Settings\dhepfner\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 20:05:35]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\WINDOWS\System32\NavLogon.dll 2001-09-24 08:59 45056 C:\WINDOWS\SYSTEM32\NavLogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\system32\append.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, append.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"AudioHQ"=C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
"AttuneSysTray"=C:\PROGRA~1\AVEO\ATTUNE\Bin\Attune_st.exe
"SetFirst"=omcamuns setfirst
"Autolaunch"=omcamlch
"StillImageMonitor"=C:\WINDOWS\SYSTEM32\STIMON.EXE
"SideWinderTrayV4"=C:\PROGRA~1\MICRO~10\GAMECO~1\COMMON\SWTRAYV4.EXE
"LoadQM"=loadqm.exe
"Connect2Party"=c:\program files\dialers\connect2party\connect2party.exe /noconnect
R2 cw_vrctl;cw_vrctl;C:\WINDOWS\system32\drivers\cw_vrctl.SYS
R2 WinDriver;WinDriver;C:\WINDOWS\system32\drivers\WINDRVR.SYS
R3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys
R3 smc1244;SMC EZ Card 10/100 (SMC1244TX) NT Driver;C:\WINDOWS\system32\DRIVERS\SMC1244.SYS
S3 OVT511;Dual Mode USB Camera ;C:\WINDOWS\system32\Drivers\omcamvid.sys
S3 UsbCmxp;Scientific Atlanta DPX2100 USB Cable Modem;C:\WINDOWS\system32\DRIVERS\sacmxp.sys
*Newly Created Service* - SHAREDACCESS
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>IEPerUser]
RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP
.
Contents of the 'Scheduled Tasks' folder
"2007-11-23 16:51:07 c:\windows\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-08 07:00:00 c:\windows\Tasks\Tune-up Application Start.job"
.
**************************************************************************
catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-28 21:32:47
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-28 21:37:16 - machine was rebooted
.
--- E O F ---
Hi :)
I'll need to check these few suspicious/bad files before we continue.
Please download the Suspicious file Packer (http://www.safer-networking.org/files/sfp.zip) from Safer-Networking.Org and unzip it to your desktop.
Run SFP.exe.
Please copy the following lines into the Step 1: Paste Text window:
C:\WINDOWS\windisk.dll
C:\Documents and Settings\dhepfner\wn852.exe
C:\WINDOWS\system32\drivers\cw_vrctl.SYS
C:\WINDOWS\trayicons.exe
C:\WINDOWS\SYSTEM32\append.dll
then click "Continue".
This will create a .cab file on your desktop named requested-files[Date/Time].cab
Please go to this forum (http://www.thespykiller.co.uk)
There's no need to register. Just start a new topic in the "Uploads" section, titled "request by Jak3".
Add the link of this topic to the message.
Use the Attachment box to upload the cab file from your desktop.
NOTE: You will not see the files that have been uploaded (including the ones you upload yourself) as they only show to the authorised users who can download them
I'll have a look and then we'll continue :bigthumb:
Hi and sorry for the delay, I was away...
Thank you for the upload :)
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\windisk.dll
C:\WINDOWS\trayicons.exe
C:\Documents and Settings\dhepfner\wn852.exe
C:\WINDOWS\SYSTEM32\append.dll
Dirlook::
C:\WINDOWS\SYSTEM32\opseti
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"Connect2Party"=-
Save this as "CFScript"
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
No worries....I was away much of the time also. Here is the combo log:
ComboFix 07-11-19.4C - dhepfner 2007-12-04 20:57:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.32 [GMT -8:00]
Running from: C:\Documents and Settings\All Users\Desktop\My Briefcase\ComboFix.exe
Command switches used :: C:\Documents and Settings\dhepfner\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\Documents and Settings\dhepfner\wn852.exe
C:\WINDOWS\SYSTEM32\append.dll
C:\WINDOWS\trayicons.exe
C:\WINDOWS\windisk.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\dhepfner\wn852.exe
C:\WINDOWS\trayicons.exe
C:\WINDOWS\windisk.dll
.
((((((((((((((((((((((((( Files Created from 2007-11-05 to 2007-12-05 )))))))))))))))))))))))))))))))
.
2007-11-28 23:57 16,193,568 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2007-11-28 23:57 190,820 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx
2007-11-28 23:53 22,129 --a------ C:\Documents and Settings\dhepfner\Application Data\info.dat
2007-11-28 23:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-28 23:49 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-11-28 23:49 11,264 --a------ C:\WINDOWS\SYSTEM32\SpOrder.dll
2007-11-28 23:46 353,247 --a------ C:\WINDOWS\SYSTEM32\vsconfig.xml
2007-11-28 23:45 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-11-25 18:49 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-25 16:34 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2007-11-25 14:53 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-25 14:53 <DIR> d-------- C:\Documents and Settings\dhepfner\Application Data\AVG7
2007-11-25 14:53 499,712 --a------ C:\WINDOWS\SYSTEM32\msvcp71.dll
2007-11-25 14:53 348,160 --a------ C:\WINDOWS\SYSTEM32\msvcr71.dll
2007-11-25 14:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-25 14:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-11-25 13:25 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-25 13:25 <DIR> d-------- C:\Documents and Settings\dhepfner\Application Data\SUPERAntiSpyware.com
2007-11-25 13:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-25 13:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-25 12:53 <DIR> d-------- C:\VundoFix Backups
2007-11-25 10:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-24 07:52 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-23 19:34 <DIR> d-------- C:\Program Files\PCPitstop
2007-11-23 08:15 852 --a------ C:\WINDOWS\SYSTEM32\3424.lps
2007-11-23 08:07 2,820 --a------ C:\WINDOWS\SYSTEM32\opseti
2007-11-19 09:25 2,852 --a------ C:\WINDOWS\SYSTEM32\AcroIEHelper.xml
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-26 00:34 --------- d-----w C:\Program Files\Java
2007-11-24 22:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-24 03:38 --------- d-----w C:\Program Files\SpywareBlaster
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\dllcache\shell32.dll
2007-09-07 00:14 1,086,952 ----a-w C:\WINDOWS\SYSTEM32\zpeng24.dll
2002-04-05 18:37 10,416,160 ----a-w C:\Program Files\system.pca
2002-04-05 17:59 745,504 ----a-w C:\Program Files\user.pca
2000-05-11 04:16 266 --sha-w C:\Program Files\desktop.ini
2000-05-11 04:16 11,079 ---ha-w C:\Program Files\folder.htt
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\WINDOWS\SYSTEM32\opseti ----
C:\WINDOWS\SYSTEM32\opseti\
((((((((((((((((((((((((((((( snapshot@2007-11-28_21.35.48.73 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-07-19 23:10:28 127,768 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\klif.sys
+ 2007-09-07 00:13:58 796,048 ----a-w C:\WINDOWS\SYSTEM32\libeay32_0.9.6l.dll
- 2007-11-23 16:25:39 37,760 ----a-w C:\WINDOWS\SYSTEM32\perfc009.dat
+ 2007-11-29 05:35:07 37,760 ----a-w C:\WINDOWS\SYSTEM32\perfc009.dat
- 2007-11-23 16:25:39 305,318 ----a-w C:\WINDOWS\SYSTEM32\perfh009.dat
+ 2007-11-29 05:35:07 305,318 ----a-w C:\WINDOWS\SYSTEM32\perfh009.dat
+ 2007-09-07 00:14:04 83,432 ----a-w C:\WINDOWS\SYSTEM32\vsdata.dll
+ 2007-09-07 00:14:28 395,080 ----a-w C:\WINDOWS\SYSTEM32\vsdatant.sys
+ 2007-09-07 00:14:04 157,160 ----a-w C:\WINDOWS\SYSTEM32\vsinit.dll
+ 2007-09-07 00:14:04 103,912 ----a-w C:\WINDOWS\SYSTEM32\vsmonapi.dll
+ 2007-09-07 00:14:04 275,944 ----a-w C:\WINDOWS\SYSTEM32\vspubapi.dll
+ 2007-09-07 00:14:04 71,144 ----a-w C:\WINDOWS\SYSTEM32\vsregexp.dll
+ 2007-09-07 00:14:06 472,552 ----a-w C:\WINDOWS\SYSTEM32\vsutil.dll
+ 2007-09-07 00:14:06 46,568 ----a-w C:\WINDOWS\SYSTEM32\vswmi.dll
+ 2007-09-07 00:14:06 99,816 ----a-w C:\WINDOWS\SYSTEM32\vsxml.dll
+ 2007-09-07 00:14:06 83,432 ----a-w C:\WINDOWS\SYSTEM32\zlcomm.dll
+ 2007-09-07 00:14:08 71,144 ----a-w C:\WINDOWS\SYSTEM32\zlcommdb.dll
+ 2007-11-29 07:53:44 4,212 ---h--w C:\WINDOWS\SYSTEM32\zllictbl.dat
+ 2007-09-07 00:13:56 370,208 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\av.dll
+ 2007-05-31 08:03:30 65,248 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\bases\aphish.dat
+ 2006-06-30 22:47:36 21,568 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\bases\avcmhk4.dll
+ 2007-05-31 08:03:16 77,824 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\CKAHComm.dll
+ 2007-05-31 08:03:16 110,592 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\CKAHrule.dll
+ 2007-05-31 08:03:16 331,776 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\CKAHUM.dll
+ 2007-05-31 08:03:16 38,400 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\FSSync.dll
+ 2007-07-19 23:10:32 110,360 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\instdrivers\w2kxp32\kl1.sys
+ 2007-07-19 23:10:32 186,128 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\instdrivers\w2kxp32\klif.sys
+ 2007-05-31 08:03:48 110,360 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\instdrivers\x32\kl1.sys
+ 2007-07-19 23:10:28 127,768 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\instdrivers\x32\klif.sys
+ 2007-05-31 08:03:50 45,056 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\instdrivers\x32\regcat.exe
+ 2006-09-20 07:12:14 208,960 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\inv.dll
+ 2007-08-25 03:31:48 274,432 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\kave.dll
+ 2006-12-20 02:13:52 1,093,632 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\libeay32.dll
+ 2007-05-31 08:03:20 548,864 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\msvcp80.dll
+ 2007-05-31 08:03:20 626,688 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\msvcr80.dll
+ 2007-05-31 08:03:18 184,320 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\prloader.dll
+ 2007-05-31 08:03:22 90,112 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\prremote.dll
+ 2007-08-25 03:31:48 135,168 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\ScanningProcess.exe
+ 2006-12-20 02:13:52 200,704 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\ssleay32.dll
+ 2007-09-07 00:13:56 99,816 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\camupd.dll
+ 2004-01-30 20:35:08 813,568 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\dbghelp.dll
+ 2007-09-07 00:13:58 128,480 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\fbl.dll
+ 2007-09-07 00:13:58 38,376 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\featuremap.dll
+ 2007-09-07 00:13:58 321,016 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\imsecure.dll
+ 2007-09-07 00:14:30 288,144 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\lib\ConfigWizard.zip.dll
+ 2007-09-07 00:14:30 152,976 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\lib\licenseui.zip.dll
+ 2007-09-07 00:14:30 26,000 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\lib\zlsvc.zip.dll
+ 2007-09-07 00:14:32 1,361,296 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\lib\zpy.zip.dll
+ 2007-09-07 00:14:32 71,056 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\lib\zui.zip.dll
+ 2007-09-07 00:15:50 30,184 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\plugins\rpc_server\rpc_server.dll
+ 2007-09-07 00:15:52 30,216 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\plugins\vsmon_plugin\vsmon_plugin.dll
+ 2007-08-15 23:45:42 714,208 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\qrbase.dll
+ 2007-08-15 23:45:44 787,936 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\qrsrecl.dll
+ 2007-09-07 00:14:00 173,544 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\scheduler.dll
+ 2007-01-11 19:12:08 2,432,259 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\spyware.dat
+ 2007-08-15 23:45:44 1,500,640 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\srescan.dll
+ 2007-06-11 20:44:10 50,416 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\srescan.sys
+ 2007-09-07 00:14:02 456,168 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\ssleay32.dll
+ 2007-09-07 00:15:52 214,528 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\streamapi\httpblocker\httpblocker.dll
+ 2007-09-07 00:15:54 3,266,040 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\streamapi\imslsp\imslsp.dll
+ 2006-09-05 04:59:14 503,875 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\upd_core.dll
+ 2007-08-01 14:30:04 833,248 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\updating.dll
+ 2007-09-07 00:14:18 149,032 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\updclient.exe
+ 2007-01-12 01:31:06 286,787 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\updtrsdk.dll
+ 2007-09-07 00:14:04 108,008 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\vsavpro.dll
+ 2007-09-07 00:14:04 79,336 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\vsdb.dll
+ 2007-09-07 00:14:18 75,304 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
+ 2007-09-07 00:14:04 2,024,936 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\vsmondll.dll
+ 2007-09-07 00:14:06 1,345,000 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\vsruledb.dll
+ 2007-09-07 00:14:06 239,080 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\vsvault.dll
+ 2007-01-11 19:12:08 2,432,259 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\zlasdbup.dat
+ 2007-09-07 00:14:08 177,640 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\zlparser.dll
+ 2007-09-07 00:14:08 79,344 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\zlquarantine.dll
+ 2007-09-07 00:14:08 382,440 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\zlsre.dll
+ 2007-09-07 00:14:08 120,296 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\zlupdate.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" [1999-08-04 00:00]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-07-29 19:34]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [2001-08-23 12:00 C:\WINDOWS\SYSTEM32\systray.exe]
"vptray"="C:\Program Files\NavNT\vptray.exe" [2001-09-24 08:59]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 09:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 18:05]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-25 14:52]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" [1999-08-04 00:00]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-25 14:53]
C:\Documents and Settings\dhepfner\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 20:05:35]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\WINDOWS\System32\NavLogon.dll 2001-09-24 08:59 45056 C:\WINDOWS\SYSTEM32\NavLogon.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, append.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"AudioHQ"=C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
"AttuneSysTray"=C:\PROGRA~1\AVEO\ATTUNE\Bin\Attune_st.exe
"SetFirst"=omcamuns setfirst
"Autolaunch"=omcamlch
"StillImageMonitor"=C:\WINDOWS\SYSTEM32\STIMON.EXE
"SideWinderTrayV4"=C:\PROGRA~1\MICRO~10\GAMECO~1\COMMON\SWTRAYV4.EXE
"LoadQM"=loadqm.exe
R2 cw_vrctl;cw_vrctl;C:\WINDOWS\system32\drivers\cw_vrctl.SYS
R2 WinDriver;WinDriver;C:\WINDOWS\system32\drivers\WINDRVR.SYS
R3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys
R3 smc1244;SMC EZ Card 10/100 (SMC1244TX) NT Driver;C:\WINDOWS\system32\DRIVERS\SMC1244.SYS
S3 OVT511;Dual Mode USB Camera ;C:\WINDOWS\system32\Drivers\omcamvid.sys
S3 UsbCmxp;Scientific Atlanta DPX2100 USB Cable Modem;C:\WINDOWS\system32\DRIVERS\sacmxp.sys
*Newly Created Service* - NAVENG
*Newly Created Service* - NAVEX15
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>IEPerUser]
RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP
.
Contents of the 'Scheduled Tasks' folder
"2007-11-30 16:51:36 c:\windows\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-02 07:00:00 c:\windows\Tasks\Tune-up Application Start.job"
.
**************************************************************************
catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-04 21:15:41
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-04 21:23:04 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-28 21:37
.
--- E O F ---
And here is the Hijack log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:25:59 PM, on 12/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL = http://www.searchnow.ws/search/
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.sharempeg.com/find/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Aimster.lnk = C:\Program Files\Aimster\AimsterCheck.exe
O4 - Global Startup: Internet Directory.lnk = C:\Program Files\Internet CommSuite\SMGui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Dell Home - {9D13B100-26B0-11D4-A31B-0050DA845A2D} - http://www.dellnet.com (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131337196739
O19 - User stylesheet: (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
--
End of file - 7410 bytes
Okie looks much better :)
You should print these instructions or save these to a text file. Follow these instructions carefully.
Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Run a scan with Dr.Web CureIt Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable
After the scan, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot the computer in Normal Mode,
Post the Cure-it report and a fresh HijackThis log
I messed up and didnt create the log after the scan. It found 9 items. I'm doing the scan again.......
Hi :)
But were the findings removed? If so, there is no need for a new scan :bigthumb:
Removed and 2 moved.
How about the hijack? Am i clean?? :D:
The good doctor:
A0000670.reg;C:\System Volume Information\_restore{34154613-6B7C-495B-B6CB-DD91A07BB3DA}\RP9;Trojan.Seeker.151;Deleted.;
A0000671.exe;C:\System Volume Information\_restore{34154613-6B7C-495B-B6CB-DD91A07BB3DA}\RP9;Tool.Prockill;Incurable.Moved.;
Hijack:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:51:11 AM, on 12/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL = http://www.searchnow.ws/search/
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Aimster.lnk = C:\Program Files\Aimster\AimsterCheck.exe
O4 - Global Startup: Internet Directory.lnk = C:\Program Files\Internet CommSuite\SMGui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Dell Home - {9D13B100-26B0-11D4-A31B-0050DA845A2D} - http://www.dellnet.com (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131337196739
O19 - User stylesheet: (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
--
End of file - 7515 bytes
Tanks!!! :santa:
Hi :)
Ok a few leftovers....
At first you need to disable a few realtime protections. These may interfere with our cleaning process.
We'll enable these when you're clean...
Right click the running icon of Spywareguard in the system tray to open the program. Then go to Menu, File, and choose Exit. It will automatically restart at next boot.
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list. Fix the O6 entries too if you haven't locked Internet Explorer settings on purpose.
R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL = http://www.searchnow.ws/search/
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
Restart the pc, post a fresh HjT log and let me know how the pc is running :bigthumb:
Seems to be running fine....
HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:36:52 PM, on 12/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Aimster.lnk = C:\Program Files\Aimster\AimsterCheck.exe
O4 - Global Startup: Internet Directory.lnk = C:\Program Files\Internet CommSuite\SMGui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Dell Home - {9D13B100-26B0-11D4-A31B-0050DA845A2D} - http://www.dellnet.com (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131337196739
O19 - User stylesheet: (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
--
End of file - 7032 bytes
:santa:
Hi again, it is looking clean now :)
You can remove the tools we used.
=============
Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.
Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.
Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.
Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.
Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.
Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.
Use Firefox browser (http://www.mozilla.org)
Firefox is faster and more secure browser than Internet Explorer.
Keep your systen up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)
Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with you antivirus software.
Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?
Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Stay clean and be safe ;)