View Full Version : virtumonde infection HELP PLEASE!
jimmy1972
2008-02-24, 20:21
Hi, I've tried many times to delete this but it always comes back at startup. I have a lot of blocked registry changes after startup using Spybot and a number of command prompt windows open after startup that have no path . Everything seems to be working inspite of this and virtumonde appears eventually each time (as well as another malware that opens window in explorer). It also seems to change my explorer security settings (it changes to allow all cookies which I have to fix each time I use exporer after start up). There is also an error message when I shut down but in spite of all these "errors" and blocked registry changes my computer seems to be operating OK. My anti-virus just keeps finding and deleting virtumonde viruses. I also already tried the "combofix" software recomended on this messageboard with no change.
Here is my Highjackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:45:04 PM, on 24/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bell\Security Manager\Fws.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe
C:\Program Files\Bell\Security Manager\Rps.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\lcntklwb.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
c:\windows\system32\rwwnw64d.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSAComHandler.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\Bell\Security Manager\rpsupdaterR.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/default.aspx?lang=en-CA
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus C66 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2S1.EXE /P23 "EPSON Stylus C66 Series" /O6 "USB001" /M "Stylus C66"
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB002" /M "Stylus C88"
O4 - HKLM\..\Run: [pmnmlkjjgd] Rundll32.exe "C:\WINDOWS\system32\ddaywwur.dll",s
O4 - HKLM\..\Run: [SSA.exe] "C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" /AUTORUN
O4 - HKLM\..\Run: [Sympatico Security Manager] "C:\Program Files\Bell\Security Manager\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Bell\Security Manager\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [{E5-5B-B9-94-DW}] C:\windows\system32\kjwnw64l.exe DWram
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [bc3e5b3b] rundll32.exe "C:\WINDOWS\system32\ehrxqdqq.dll",b
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\lcntklwb.exe DWram
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA8952] command /c del "C:\Documents and Settings\Jim\Application Data\AdwareAlert\Log\2008 Feb 21 - 10_41_21 PM_052.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4750] cmd /c del "C:\Documents and Settings\Jim\Application Data\AdwareAlert\Log\2008 Feb 21 - 10_41_21 PM_052.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2474] command /c del "C:\Documents and Settings\Jim\Application Data\AdwareAlert\Log\2008 Feb 21 - 10_41_31 PM_302.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingC819] cmd /c del "C:\Documents and Settings\Jim\Application Data\AdwareAlert\Log\2008 Feb 21 - 10_41_31 PM_302.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2233] command /c del "C:\Documents and Settings\Jim\Application Data\AdwareAlert\Settings\ScanResults.pie"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3576] cmd /c del "C:\Documents and Settings\Jim\Application Data\AdwareAlert\Settings\ScanResults.pie"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4258] command /c del "C:\Program Files\AntiSpywareApp\AntiSpyware.url"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4162] cmd /c del "C:\Program Files\AntiSpywareApp\AntiSpyware.url"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7090] command /c del "C:\Program Files\AntiSpywareApp\vistaCPtasks.xml"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5658] cmd /c del "C:\Program Files\AntiSpywareApp\vistaCPtasks.xml"
O4 - HKCU\..\Run: [AdwareProMFC] C:\Program Files\Ad-Ware Pro\Ad-Ware Pro.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [SpybotDeletingD4256] cmd /c del "C:\Documents and Settings\Jim\Application Data\AdwareAlert\Log\2008 Feb 21 - 10_41_31 PM_302.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9245] command /c del "C:\Documents and Settings\Jim\Application Data\AdwareAlert\Settings\ScanResults.pie"
O4 - HKCU\..\RunOnce: [SpybotDeletingD784] cmd /c del "C:\Documents and Settings\Jim\Application Data\AdwareAlert\Settings\ScanResults.pie"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9136] command /c del "C:\Program Files\AntiSpywareApp\AntiSpyware.url"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8493] cmd /c del "C:\Program Files\AntiSpywareApp\AntiSpyware.url"
O4 - HKCU\..\RunOnce: [SpybotDeletingB20] command /c del "C:\Program Files\AntiSpywareApp\vistaCPtasks.xml"
O4 - HKCU\..\RunOnce: [SpybotDeletingD983] cmd /c del "C:\Program Files\AntiSpywareApp\vistaCPtasks.xml"
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\lcntklwb.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://fulfillment.puretracks.com/onager.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.photolab.ca/Upload/ImageUploader4.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab?
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Sympatico Security Manager Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Bell\Security Manager\rpsupdaterR.exe
O23 - Service: Sympatico Security Manager Firewall (RP_FWS) - Bell Sympatico - C:\Program Files\Bell\Security Manager\Fws.exe
--
End of file - 11148 bytes
Thanks for your help and advice.
Jim
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.
If you think you have similar problems, please post a log in the HJT forum and wait for help.
Unless informed of in advance, failure to post replies within 5 days will result in this thread being closed.
Hello and welcome to the forums
My name is Katana and I will be helping you to remove any infection(s) that you may have.
Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)
If you can do those three things, everything should go smoothly :D
----------------------------------------------------------------------------------------
SD Fix
Please download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F5 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:
Bleeping Computer ComboFix Tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
Installed Programs
Please could you give me a list of the programs that are installed.
Start HijackThis
Click on the Misc Tools button
Click on the Open Uninstall Manager button.
You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.
jimmy1972
2008-02-25, 06:15
Thank you for all your help so far. I ran SDFix and here is the log (sorry, I forgot to run hijack this before I ran combofix):
SDFix: Version 1.146
Run by Jim on 24/02/2008 at 09:45 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix\SDFix
Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\PROGRA~1\MSN\LAVUGAS - Deleted
C:\WINDOWS\Fonts\Setup.exe - Deleted
C:\WINDOWS\system32\msnav32.ax - Deleted
C:\WINDOWS\system32\zxdnt3d.cfg - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-24 21:53:22
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
Remaining Files :
File Backups: - C:\SDFix\SDFix\backups\backups.zip
Files with Hidden Attributes :
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Fri 21 Jul 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 8 Jul 2006 39,424 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL0001.tmp"
Mon 26 Jun 2006 35,328 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL0002.tmp"
Tue 27 Jun 2006 35,840 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL0003.tmp"
Tue 27 Jun 2006 36,352 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL0004.tmp"
Wed 28 Jun 2006 37,888 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL0005.tmp"
Sat 8 Jul 2006 20,992 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL0006.tmp"
Sun 11 Mar 2007 36,352 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL0007.tmp"
Fri 1 Sep 2006 35,840 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL0032.tmp"
Wed 28 Jun 2006 36,864 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL0058.tmp"
Wed 28 Jun 2006 36,352 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL0502.tmp"
Wed 28 Jun 2006 36,352 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL0806.tmp"
Wed 28 Jun 2006 36,864 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL0818.tmp"
Wed 28 Jun 2006 36,864 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL0838.tmp"
Fri 1 Sep 2006 35,840 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL1083.tmp"
Wed 28 Jun 2006 36,352 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL1160.tmp"
Mon 10 Jul 2006 38,912 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL1755.tmp"
Wed 28 Jun 2006 36,352 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL1774.tmp"
Wed 28 Jun 2006 35,840 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL1859.tmp"
Wed 14 Mar 2007 35,840 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL1863.tmp"
Wed 28 Jun 2006 36,864 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL1908.tmp"
Wed 28 Jun 2006 35,840 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL1960.tmp"
Wed 28 Jun 2006 36,352 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL2005.tmp"
Wed 28 Jun 2006 35,840 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL2128.tmp"
Fri 1 Sep 2006 34,816 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL2372.tmp"
Wed 28 Jun 2006 36,864 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL2427.tmp"
Mon 10 Jul 2006 39,936 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL2514.tmp"
Wed 28 Jun 2006 36,352 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL2650.tmp"
Wed 28 Jun 2006 36,864 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL2913.tmp"
Wed 28 Jun 2006 37,376 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL3014.tmp"
Wed 28 Jun 2006 36,864 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL3181.tmp"
Wed 28 Jun 2006 36,864 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL3207.tmp"
Wed 28 Jun 2006 36,352 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL3639.tmp"
Fri 1 Sep 2006 34,304 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL3894.tmp"
Wed 28 Jun 2006 35,840 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL3897.tmp"
Wed 14 Mar 2007 37,376 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL3915.tmp"
Fri 12 Nov 2004 37,376 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Thu 14 Dec 2006 19,456 ...H. --- "C:\Documents and Settings\Jim\Application Data\Microsoft\Word\~WRL0003.tmp"
Thu 16 Feb 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp"
Fri 22 Feb 2008 8 A..H. --- "C:\Documents and Settings\Jim\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Fri 22 Feb 2008 8 A..H. --- "C:\Documents and Settings\Jim\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Fri 22 Feb 2008 8 A..H. --- "C:\Documents and Settings\Jim\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Finished!
Here is the combofix log:
ComboFix 08-02-25.2 - Jim 2008-02-24 22:45:13.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.171 [GMT -5:00]
Running from: C:\Documents and Settings\Jim\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Jim\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Jim\Start Menu\Programs\Startup\DW_Start.lnk
C:\WINDOWS\system32\awvvt.dll
C:\WINDOWS\system32\bsdmaxmi.dll
C:\WINDOWS\system32\dphohxhh.dll
C:\WINDOWS\system32\imxamdsb.ini
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\tvvwa.ini
C:\WINDOWS\system32\tvvwa.ini2
C:\WINDOWS\system32\winpfz37.sys
C:\WINDOWS\system32\zxdnt3d.cfg
.
((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))
.
2008-02-24 21:41 . 2008-02-24 21:41 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-24 21:33 . 2008-02-24 21:33 <DIR> d-------- C:\SDFix
2008-02-24 12:44 . 2008-02-24 12:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-24 00:55 . 2008-02-24 00:55 <DIR> d-------- C:\ComboFix[1]
2008-02-24 00:06 . 2008-02-24 00:58 1,356,210 --ahs---- C:\WINDOWS\system32\eaaskjao.ini
2008-02-23 21:28 . 2008-02-23 21:28 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-23 21:28 . 2008-02-23 22:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-23 15:38 . 2008-02-23 15:38 200,774 --a------ C:\WINDOWS\system32\lcntklwb.exe
2008-02-23 11:57 . 2008-02-23 11:57 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-23 11:57 . 2008-02-23 11:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-23 11:53 . 2008-02-23 11:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-23 11:35 . 2008-02-23 11:35 <DIR> d-------- C:\WINDOWS\Ad-Ware Pro
2008-02-23 10:40 . 2008-02-23 10:40 49,171 --a------ C:\WINDOWS\system32\kjwnw64l.exe
2008-02-23 10:20 . 2008-02-23 12:03 <DIR> d--hs---- C:\WINDOWS\Smlt
2008-02-23 10:20 . 2008-02-23 10:20 49,157 --a------ C:\WINDOWS\system32\rwwnw64d.exe
2008-02-23 10:19 . 2008-02-23 10:19 <DIR> d-------- C:\WINDOWS\system32\xo4
2008-02-23 10:19 . 2008-02-23 10:19 <DIR> d-------- C:\WINDOWS\system32\ap8
2008-02-22 23:03 . 2007-03-06 13:24 55,296 --a------ C:\WINDOWS\system32\drivers\rp_skt32.sys
2008-02-22 23:02 . 2007-04-19 11:36 48,384 --a------ C:\WINDOWS\system32\drivers\rp_pkt32.sys
2008-02-22 22:59 . 2008-02-22 22:59 <DIR> d-------- C:\Program Files\Common Files\Authentium
2008-02-22 22:53 . 2008-02-22 22:53 <DIR> d-------- C:\Program Files\Raxco
2008-02-22 22:53 . 2008-02-22 22:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Raxco
2008-02-22 22:52 . 2008-02-22 22:52 <DIR> d-------- C:\Program Files\CA
2008-02-22 22:50 . 2008-02-23 01:05 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-02-22 22:34 . 2008-02-22 22:35 <DIR> d-------- C:\Program Files\DellSupport
2008-02-22 22:21 . 2008-02-22 22:21 <DIR> d-------- C:\Documents and Settings\Jim\Application Data\InstallShield
2008-02-21 23:35 . 2008-02-21 23:35 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-02-21 22:55 . 2008-02-23 23:16 <DIR> d-------- C:\Documents and Settings\Jim\Application Data\Antispyware
2008-02-21 07:38 . 2008-02-24 11:20 <DIR> d-------- C:\Documents and Settings\Jim\Application Data\AppDate
2008-02-21 07:38 . 2008-02-21 07:38 34,304 --a------ C:\WINDOWS\system32\ddaywwur.dll
2008-02-21 07:38 . 2008-02-21 07:38 34,304 --a------ C:\WINDOWS\ddabaaxu.dll
2008-02-21 07:38 . 2008-02-21 07:38 34,304 --a------ C:\Documents and Settings\Jim\Application Data\awvtttro.dll
2008-02-21 07:38 . 2008-02-24 22:52 340 --a------ C:\WINDOWS\system32\sstsqpoo
2008-02-19 21:05 . 2008-02-19 21:05 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-02-19 20:41 . 2008-02-20 22:22 <DIR> d-------- C:\DVDMovie
2008-02-19 20:39 . 2008-02-19 20:39 <DIR> d-------- C:\Program Files\Xvid
2008-02-19 20:39 . 2008-02-19 20:42 <DIR> d-------- C:\Program Files\AoA DVD Ripper
2008-02-19 20:39 . 2007-06-28 18:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-02-19 20:39 . 2007-06-28 18:54 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-02-19 20:39 . 2007-06-28 18:55 77,824 --a------ C:\WINDOWS\system32\xvid.ax
2008-02-19 20:39 . 2002-07-17 09:20 45,056 --a------ C:\WINDOWS\system32\Wnaspi32.dll
2008-02-19 20:39 . 2002-07-17 08:53 16,877 --a------ C:\WINDOWS\system32\drivers\Aspi32.sys
2008-02-19 20:39 . 2002-07-17 16:22 4,455 --a------ C:\WINDOWS\system\Winaspi.dll
2008-02-19 20:39 . 2002-07-17 16:22 3,535 --a------ C:\WINDOWS\system\Wowpost.exe
2008-02-19 20:39 . 2008-02-20 22:16 67 --a------ C:\WINDOWS\AoADVDRipper.INI
2008-02-16 13:32 . 2008-02-16 13:32 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-02-15 21:51 . 2008-02-15 21:51 0 --a------ C:\WINDOWS\system32\Infob.dat
2008-02-15 21:51 . 2008-02-15 21:51 0 --a------ C:\WINDOWS\system32\Infoa.dat
2008-02-15 21:49 . 2008-02-15 21:49 305 --a------ C:\WINDOWS\system32\treeinfo.dat
2008-02-15 21:22 . 2008-02-15 21:22 <DIR> d-------- C:\MyAudio
2008-02-15 21:21 . 2008-02-15 21:22 <DIR> d-------- C:\Program Files\AoA Audio Extractor
2008-02-15 21:21 . 2008-02-20 22:21 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-15 21:17 . 2008-02-15 21:48 <DIR> d-------- C:\Program Files\YouTube Downloader
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-23 15:36 --------- d-----w C:\Program Files\Bonjour
2008-02-23 06:05 --------- d-----w C:\Program Files\LimeWire
2008-02-23 04:08 --------- d-----w C:\Documents and Settings\Jim\Application Data\Bell
2008-02-23 03:55 --------- d--h--w C:\Documents and Settings\Jim\Application Data\Gtek
2008-02-23 03:43 --------- d-----w C:\Program Files\Bell
2008-02-23 03:41 --------- d-----w C:\Documents and Settings\Stephanie\Application Data\Bell
2008-02-23 03:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Bell
2008-02-23 03:35 --------- d-----w C:\Documents and Settings\Stephanie\Application Data\Gtek
2008-02-23 03:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-15 05:14 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-15 04:43 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-01-15 04:18 --------- d-----w C:\Program Files\NetAssistant
2008-01-15 04:12 --------- d-----w C:\Program Files\Jasc Software Inc
2008-01-15 04:08 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-01-15 04:06 --------- d-----w C:\Program Files\WordPerfect Office 12
2008-01-15 04:06 --------- d-----w C:\Program Files\QuickTime
2008-01-15 04:06 --------- d-----w C:\Program Files\Intel
2008-01-15 04:06 --------- d-----w C:\Program Files\EPSON
2008-01-15 04:06 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-15 02:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2005-07-29 21:24 472 --sha-r C:\WINDOWS\Smlt\mA5Q.vbs
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6B21B437-7E93-4BD1-9E0B-B23D58B34A4D}]
2008-02-21 07:38 34304 --a------ C:\WINDOWS\ddabaaxu.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F4FEC76A-BFE1-4A37-1783-7AF51D875EDC}]
C:\Program Files\MSN\lavugas.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdwareProMFC"="C:\Program Files\Ad-Ware Pro\Ad-Ware Pro.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-10-17 20:17 180269]
"StandardInstall"="" []
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 19:42 1404928]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-24 19:47 155648]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-12-20 20:54 278528]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"EPSON Stylus C66 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2S1.exe" [2004-01-13 03:00 99840]
"EPSON Stylus C88 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.exe" [2005-01-27 03:00 98304]
"pmnmlkjjgd"="C:\WINDOWS\system32\ddaywwur.dll" [2008-02-21 07:38 34304]
"SSA.exe"="C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" [2007-03-27 10:33 2061816]
"Sympatico Security Manager"="C:\Program Files\Bell\Security Manager\Rps.exe" [2007-08-27 16:57 310000]
"-FreedomNeedsReboot"="C:\Program Files\Bell\Security Manager\ZkRunOnceR.exe" [2007-08-27 16:57 13552]
"{E5-5B-B9-94-DW}"="C:\windows\system32\kjwnw64l.exe" [2008-02-23 10:40 49171]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05 127035]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19 53248]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 03:10 49263]
"bc3e5b3b"="C:\WINDOWS\system32\ehrxqdqq.dll" [ ]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588]
NetAssistant.lnk - C:\Program Files\NetAssistant\bin\matcli.exe [2005-10-04 18:35:39 217088]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli C:\Documents and Settings\Jim\Application Data\awvtttro.dll C:\Documents and Settings\Jim\Application Data\awvtttro.dll C:\Documents and Settings\Jim\Application Data\awvtttro.dll C:\Documents and Settings\Jim\Application Data\awvtttro.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a------ 2004-10-22 15:13 393216 C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R2 ScFBPNT;CanoScan FBP Port Driver;C:\WINDOWS\system32\drivers\ScFBPNT.SYS [2000-02-08 10:33]
S3 Radialpoint Security Services;Sympatico Security Manager;C:\WINDOWS\system32\dllhost.exe [2004-08-04 05:00]
.
Contents of the 'Scheduled Tasks' folder
"2008-02-23 08:00:01 C:\WINDOWS\Tasks\Antispyware Scheduled Scan.job"
- C:\Program Files\AntiSpywareApp\AntiSpyware.ex
- C:\Program Files\AntiSpywareApp
"2005-09-21 01:01:04 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************
jimmy1972
2008-02-25, 06:16
Sorry, the message was too long for one post...
Here is the new hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:02:15 PM, on 24/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bell\Security Manager\Fws.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bell\Security Manager\RPS.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSAComHandler.exe
C:\Program Files\Bell\Security Manager\rpsupdaterR.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/default.aspx?lang=en-CA
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Bell\Security Manager\pkR.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6B21B437-7E93-4BD1-9E0B-B23D58B34A4D} - C:\WINDOWS\ddabaaxu.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: 0 - {F4FEC76A-BFE1-4A37-1783-7AF51D875EDC} - C:\Program Files\MSN\lavugas.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus C66 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2S1.EXE /P23 "EPSON Stylus C66 Series" /O6 "USB001" /M "Stylus C66"
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB002" /M "Stylus C88"
O4 - HKLM\..\Run: [pmnmlkjjgd] Rundll32.exe "C:\WINDOWS\system32\ddaywwur.dll",s
O4 - HKLM\..\Run: [SSA.exe] "C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" /AUTORUN
O4 - HKLM\..\Run: [Sympatico Security Manager] "C:\Program Files\Bell\Security Manager\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Bell\Security Manager\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [{E5-5B-B9-94-DW}] C:\windows\system32\kjwnw64l.exe DWram
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [bc3e5b3b] rundll32.exe "C:\WINDOWS\system32\ehrxqdqq.dll",b
O4 - HKCU\..\Run: [AdwareProMFC] C:\Program Files\Ad-Ware Pro\Ad-Ware Pro.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://fulfillment.puretracks.com/onager.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.photolab.ca/Upload/ImageUploader4.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab?
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Sympatico Security Manager Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Bell\Security Manager\rpsupdaterR.exe
O23 - Service: Sympatico Security Manager Firewall (RP_FWS) - Bell Sympatico - C:\Program Files\Bell\Security Manager\Fws.exe
--
End of file - 8812 bytes
Finally, here is the uninstall list from hijackthis:
Ad-Aware 2007
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Download Manager 2.0 (Remove Only)
Adobe ExtendScript Toolkit 2
Adobe Flash Player ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Reader 7.0.7
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AoA Audio Extractor 1.0
AoA DVD Ripper
Audacity 1.2.6
Authentium AntiVirus SDK - 2
CodeBaby Player (Remove Only) 1.0.2.15
Deewoo Network Manager removal
Dell Driver Reset Tool
DellSupport
EPSON Printer Software
FreeRIP v2.942
Google Earth
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
iPod for Windows 2005-10-12
iPod for Windows 2006-01-10
ISEngineUpdate
iTunes
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_03
Learn2 Player (Uninstall Only)
Macromedia Shockwave Player
MGI VideoWave III (Remove Only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Professional
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MyWay Search Assistant
NetAssistant
PDF Settings
PerfectDisk
Photo Click
PowerDVD 5.5
PPSDKRedistributables
QuickTax 2005
QuickTax 2006
QuickTime
Radialpoint Security Services
RealPlayer
RPS Ad Blocker
RPS AntiFraud
RPS AntiSpyware
RPS AntiVirus
RPS App Detector
RPS AsRealtime
RPS Backup
RPS Burn
RPS Diagnostic Utility
RPS Firewall
RPS ParentalControl
RPS Performance Tool
RPS PopupBlocker
RPS Privacy Manager
RPS RpsCore
RPS Security Cleanup
RPS Zip
ScanCraft CS-P
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Sonic DLA
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Spybot - Search & Destroy
Staples Copy & Print 1.7
Sympatico Security Advisor 1.5.11
Sympatico Security Manager
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
WebCyberCoach 3.2 Dell
Windows Installer 3.1 (KB893803)
Windows Installer Clean Up
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB893086
WordPerfect Office 12
Xvid 1.1.3 final uninstall
Thanks.
jimmy1972
2008-02-25, 06:20
Sorry, one thing I forgot was that I had trouble installing the xp recovery console. I couldn't find my XP disk and I tried to follow the directions on the site you provided to download it but I couldn't find it. Hopefully that is okay. If you have a suggestion on where to find this program, please let me know.
Thank you again.
Disable Teatimer
First step: Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
If you have Version 1.4, Click on Exit Spybot S&D Resident Second step, For Either Version : Open Spybot S&D
Click Mode, choose Advanced Mode
Go To the bottom of the Vertical Panel on the Left, Click Tools
then, also in left panel, click Resident shows a red/white shield.
If your firewall raises a question, say OK
In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.
SmitFraud Look
Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.exe) (by S!Ri)
Double-click SmitfraudFix.exe.
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm (http://www.beyondlogic.org/consulting/processutil/processutil.htm)
Custom CFScript
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
DirLook::
C:\WINDOWS\system32\xo4
C:\WINDOWS\system32\ap8
C:\Documents and Settings\Jim\Application Data\Antispyware
File::
C:\WINDOWS\Tasks\Antispyware Scheduled Scan.job
C:\WINDOWS\Tasks\ISP signup reminder 1.job
C:\WINDOWS\system32\eaaskjao.ini
C:\WINDOWS\system32\lcntklwb.exe
C:\WINDOWS\system32\kjwnw64l.exe
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\ddaywwur.dll
C:\WINDOWS\ddabaaxu.dll
C:\Documents and Settings\Jim\Application Data\awvtttro.dll
C:\WINDOWS\system32\sstsqpoo
Folder::
C:\WINDOWS\system32\sstsqpoo
C:\WINDOWS\Smlt
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6B21B437-7E93-4BD1-9E0B-B23D58B34A4D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F4FEC76A-BFE1-4A37-1783-7AF51D875EDC}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdwareProMFC"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StandardInstall"=-
"ISUSScheduler"=-
"ISUSPM Startup"=-
"pmnmlkjjgd"=-
"{E5-5B-B9-94-DW}"=-
"bc3e5b3b"=-
Save this as CFScript.txt and place it on your desktop.
http://i51.photobucket.com/albums/f387/Katana_1970/CFScript.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
Update Malwarebytes' Anti-Malware
and Launch Malwarebytes' Anti-Malware
then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply
If you accidently close it, the log file is saved here and will be named like this:
C:\\Documents and Settings\\Username\\Application Data\\Malwarebytes\\Malwarebytes' Anti-Malware\\Logs\\mbam-log-date (time).txt
Recovery Console
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System
http://i266.photobucket.com/albums/ii277/sUBs_/KB310994.gif
Download the file & save it as its originally named, next to ComboFix.exe.
http://i266.photobucket.com/albums/ii277/sUBs_/rc1.gif
Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.
Please do not reboot your machine until we have reviewed the log.
jimmy1972
2008-02-26, 04:25
smitfraud report
SmitFraudFix v2.296
Scan done at 21:22:09.21, 25/02/2008
Run from C:\Documents and Settings\Jim\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bell\Security Manager\Fws.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe
C:\windows\system32\kjwnw64l.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Bell\Security Manager\rpsupdaterR.exe
C:\WINDOWS\system32\lcntklwb.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jim
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jim\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Jim\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!
IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1
DNS Server Search Order: 192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{E23A1D00-1A73-4B80-BFCC-AFDA693581C0}: DhcpNameServer=192.168.2.1 192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E23A1D00-1A73-4B80-BFCC-AFDA693581C0}: DhcpNameServer=192.168.2.1 192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{E23A1D00-1A73-4B80-BFCC-AFDA693581C0}: DhcpNameServer=192.168.2.1 192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 192.168.2.1
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
jimmy1972
2008-02-26, 04:42
combofix log
ComboFix 08-02-25.2 - Jim 2008-02-25 21:28:32.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.183 [GMT -5:00]
Running from: C:\Documents and Settings\Jim\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jim\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\Documents and Settings\Jim\Application Data\awvtttro.dll
C:\WINDOWS\ddabaaxu.dll
C:\WINDOWS\system32\ddaywwur.dll
C:\WINDOWS\system32\eaaskjao.ini
C:\WINDOWS\system32\kjwnw64l.exe
C:\WINDOWS\system32\lcntklwb.exe
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\sstsqpoo
C:\WINDOWS\Tasks\Antispyware Scheduled Scan.job
C:\WINDOWS\Tasks\ISP signup reminder 1.job
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Jim\Application Data\awvtttro.dll
C:\Documents and Settings\Jim\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Jim\Start Menu\Programs\Startup\DW_Start.lnk
C:\WINDOWS\ddabaaxu.dll
C:\WINDOWS\Smlt
C:\WINDOWS\Smlt\mA5Q.vbs
C:\WINDOWS\system32\awtqp.dll
C:\WINDOWS\system32\btkcsxml.dll
C:\WINDOWS\system32\ddaywwur.dll
C:\WINDOWS\system32\eaaskjao.ini
C:\WINDOWS\system32\hqucdcem.dll
C:\WINDOWS\system32\kjwnw64l.exe
C:\WINDOWS\system32\lcntklwb.exe
C:\WINDOWS\system32\lmxscktb.ini
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\pqtwa.ini
C:\WINDOWS\system32\pqtwa.ini2
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\sstsqpoo
C:\WINDOWS\system32\sstsqpoo\
C:\WINDOWS\system32\urbcobbu.dll
C:\WINDOWS\system32\winpfz37.sys
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\Tasks\Antispyware Scheduled Scan.job
C:\WINDOWS\Tasks\ISP signup reminder 1.job
.
((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))
.
2008-02-25 21:22 . 2008-02-25 21:22 4,770 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-25 21:20 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-25 21:20 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-25 21:20 . 2008-02-22 18:44 86,016 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-25 21:20 . 2008-02-08 10:37 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-25 21:20 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-25 21:20 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-25 21:20 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-25 20:31 . 2008-02-25 21:24 68,402 --a------ C:\WINDOWS\BMbf0d68a7.xml
2008-02-25 20:31 . 2008-02-25 21:28 21 --a------ C:\WINDOWS\pskt.ini
2008-02-24 21:41 . 2008-02-24 21:41 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-24 21:33 . 2008-02-24 21:33 <DIR> d-------- C:\SDFix
2008-02-24 12:44 . 2008-02-24 12:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-24 00:55 . 2008-02-24 22:57 <DIR> d-------- C:\ComboFix[1]
2008-02-23 21:28 . 2008-02-23 21:28 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-23 21:28 . 2008-02-23 22:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-23 11:57 . 2008-02-23 11:57 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-23 11:57 . 2008-02-23 11:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-23 11:53 . 2008-02-23 11:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-23 11:35 . 2008-02-23 11:35 <DIR> d-------- C:\WINDOWS\Ad-Ware Pro
2008-02-23 10:19 . 2008-02-23 10:19 <DIR> d-------- C:\WINDOWS\system32\xo4
2008-02-23 10:19 . 2008-02-23 10:19 <DIR> d-------- C:\WINDOWS\system32\ap8
2008-02-22 23:03 . 2007-03-06 13:24 55,296 --a------ C:\WINDOWS\system32\drivers\rp_skt32.sys
2008-02-22 23:02 . 2007-04-19 11:36 48,384 --a------ C:\WINDOWS\system32\drivers\rp_pkt32.sys
2008-02-22 22:59 . 2008-02-22 22:59 <DIR> d-------- C:\Program Files\Common Files\Authentium
2008-02-22 22:53 . 2008-02-22 22:53 <DIR> d-------- C:\Program Files\Raxco
2008-02-22 22:53 . 2008-02-22 22:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Raxco
2008-02-22 22:52 . 2008-02-22 22:52 <DIR> d-------- C:\Program Files\CA
2008-02-22 22:50 . 2008-02-23 01:05 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-02-22 22:34 . 2008-02-22 22:35 <DIR> d-------- C:\Program Files\DellSupport
2008-02-22 22:21 . 2008-02-22 22:21 <DIR> d-------- C:\Documents and Settings\Jim\Application Data\InstallShield
2008-02-21 23:35 . 2008-02-21 23:35 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-02-21 22:55 . 2008-02-23 23:16 <DIR> d-------- C:\Documents and Settings\Jim\Application Data\Antispyware
2008-02-21 07:38 . 2008-02-25 20:29 <DIR> d-------- C:\Documents and Settings\Jim\Application Data\AppDate
2008-02-19 21:05 . 2008-02-19 21:05 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-02-19 20:41 . 2008-02-20 22:22 <DIR> d-------- C:\DVDMovie
2008-02-19 20:39 . 2008-02-19 20:39 <DIR> d-------- C:\Program Files\Xvid
2008-02-19 20:39 . 2008-02-19 20:42 <DIR> d-------- C:\Program Files\AoA DVD Ripper
2008-02-19 20:39 . 2007-06-28 18:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-02-19 20:39 . 2007-06-28 18:54 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-02-19 20:39 . 2007-06-28 18:55 77,824 --a------ C:\WINDOWS\system32\xvid.ax
2008-02-19 20:39 . 2002-07-17 09:20 45,056 --a------ C:\WINDOWS\system32\Wnaspi32.dll
2008-02-19 20:39 . 2002-07-17 08:53 16,877 --a------ C:\WINDOWS\system32\drivers\Aspi32.sys
2008-02-19 20:39 . 2002-07-17 16:22 4,455 --a------ C:\WINDOWS\system\Winaspi.dll
2008-02-19 20:39 . 2002-07-17 16:22 3,535 --a------ C:\WINDOWS\system\Wowpost.exe
2008-02-19 20:39 . 2008-02-20 22:16 67 --a------ C:\WINDOWS\AoADVDRipper.INI
2008-02-16 13:32 . 2008-02-16 13:32 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-02-15 21:51 . 2008-02-15 21:51 0 --a------ C:\WINDOWS\system32\Infob.dat
2008-02-15 21:51 . 2008-02-15 21:51 0 --a------ C:\WINDOWS\system32\Infoa.dat
2008-02-15 21:49 . 2008-02-15 21:49 305 --a------ C:\WINDOWS\system32\treeinfo.dat
2008-02-15 21:22 . 2008-02-15 21:22 <DIR> d-------- C:\MyAudio
2008-02-15 21:21 . 2008-02-15 21:22 <DIR> d-------- C:\Program Files\AoA Audio Extractor
2008-02-15 21:21 . 2008-02-20 22:21 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-15 21:17 . 2008-02-15 21:48 <DIR> d-------- C:\Program Files\YouTube Downloader
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-23 15:36 --------- d-----w C:\Program Files\Bonjour
2008-02-23 06:05 --------- d-----w C:\Program Files\LimeWire
2008-02-23 04:08 --------- d-----w C:\Documents and Settings\Jim\Application Data\Bell
2008-02-23 03:55 --------- d--h--w C:\Documents and Settings\Jim\Application Data\Gtek
2008-02-23 03:43 --------- d-----w C:\Program Files\Bell
2008-02-23 03:41 --------- d-----w C:\Documents and Settings\Stephanie\Application Data\Bell
2008-02-23 03:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Bell
2008-02-23 03:35 --------- d-----w C:\Documents and Settings\Stephanie\Application Data\Gtek
2008-02-23 03:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-15 05:14 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-15 04:43 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-01-15 04:18 --------- d-----w C:\Program Files\NetAssistant
2008-01-15 04:12 --------- d-----w C:\Program Files\Jasc Software Inc
2008-01-15 04:08 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-01-15 04:06 --------- d-----w C:\Program Files\WordPerfect Office 12
2008-01-15 04:06 --------- d-----w C:\Program Files\QuickTime
2008-01-15 04:06 --------- d-----w C:\Program Files\Intel
2008-01-15 04:06 --------- d-----w C:\Program Files\EPSON
2008-01-15 04:06 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-15 02:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\Documents and Settings\Jim\Application Data\Antispyware ----
2008-02-21 23:27 643 --a------ C:\Documents and Settings\Jim\Application Data\Antispyware\rs.dat
---- Directory of C:\WINDOWS\system32\ap8 ----
2008-01-30 16:19 183216 --a------ C:\WINDOWS\system32\ap8\yula4403.exe
---- Directory of C:\WINDOWS\system32\xo4 ----
2008-02-14 10:42 49152 --a------ C:\WINDOWS\system32\xo4\dameco3305.exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-10-17 20:17 180269]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 19:42 1404928]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-24 19:47 155648]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-12-20 20:54 278528]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"EPSON Stylus C66 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2S1.exe" [2004-01-13 03:00 99840]
"EPSON Stylus C88 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.exe" [2005-01-27 03:00 98304]
"SSA.exe"="C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" [2007-03-27 10:33 2061816]
"Sympatico Security Manager"="C:\Program Files\Bell\Security Manager\Rps.exe" [2007-08-27 16:57 310000]
"-FreedomNeedsReboot"="C:\Program Files\Bell\Security Manager\ZkRunOnceR.exe" [2007-08-27 16:57 13552]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05 127035]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19 53248]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 03:10 49263]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588]
NetAssistant.lnk - C:\Program Files\NetAssistant\bin\matcli.exe [2005-10-04 18:35:39 217088]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a------ 2004-10-22 15:13 393216 C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R2 ScFBPNT;CanoScan FBP Port Driver;C:\WINDOWS\system32\drivers\ScFBPNT.SYS [2000-02-08 10:33]
S3 Radialpoint Security Services;Sympatico Security Manager;C:\WINDOWS\system32\dllhost.exe [2004-08-04 05:00]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-25 21:35:39
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Bell\Security Manager\Fws.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSAComHandler.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\Bell\Security Manager\rpsupdaterR.exe
.
**************************************************************************
.
Completion time: 2008-02-25 21:39:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-26 02:39:37
ComboFix2.txt 2008-02-25 03:56:25
ComboFix3.txt 2008-02-24 06:35:07
.
2008-02-13 04:08:45 --- E O F ---
jimmy1972
2008-02-26, 05:32
mbam log
Malwarebytes' Anti-Malware 1.05
Database version: 405
Scan type: Full Scan (C:\|)
Objects scanned: 96043
Time elapsed: 42 minute(s), 17 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 16
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d25f921-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4d25f921-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d25f924-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Deewoo Network Manager (Adware.Radio) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (Adware.MyWay) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\Movie Maker\gajulaq89104.dll.vir (Adware.TTC) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP841\A0055187.rbf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP841\A0055188.rbf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP841\A0055190.exe (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP842\A0056227.sys (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP842\A0056229.sys (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP844\A0056767.exe (Adware.TTC) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP844\A0056785.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP844\A0056804.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP845\A0058993.vbs (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP846\A0059087.dll (Adware.TTC) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ap8\yula4403.exe (Adware.RABCO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xo4\dameco3305.exe (Adware.ZenoSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\Ad-Ware Pro Setup Log.txt (Rogue.Ad-WarePro) -> Quarantined and deleted successfully.
C:\WINDOWS\Ad-Ware Pro Uninstall Log.txt (Rogue.Ad-WarePro) -> Quarantined and deleted successfully.
jimmy1972
2008-02-26, 05:37
Finally... combofix log that recovery console has been installed
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
Thanks
OK, we are slowly getting somewhere :bigthumb:
Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html
Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary
Once the database has downloaded, click Next.
Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
Click on "My Computer" and then put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Please post the Kaspersky log in your reply
jimmy1972
2008-02-27, 01:24
kaspersky log
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, February 26, 2008 6:23:15 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 26/02/2008
Kaspersky Anti-Virus database records: 582237
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
Scan Statistics:
Total number of scanned objects: 72063
Number of viruses found: 9
Number of infected objects: 42
Number of suspicious objects: 0
Duration of the scan process: 01:09:59
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Bell\Security Manager\Logs\FirewallService02-25-2008--21-35-16.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Bell\Security Manager\Logs\Fw_Session.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Bell\Security Manager\Logs\SafetyConsoleLog02-25-2008--22-37-40.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Bell\Security Manager\Logs\ServiceModel02-25-2008--22-37-40.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentcmn.zip/1-Click Duplicate Delete for Outlook v1.13.zip/Setup.exe Infected: Trojan-Downloader.Win32.VB.bsa skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentcmn.zip/1-Click Duplicate Delete for Outlook v1.13.zip Infected: Trojan-Downloader.Win32.VB.bsa skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentcmn.zip ZIP: infected - 2 skipped
C:\Documents and Settings\Jim\Application Data\Bell\Sympatico Security Advisor\client_gateway.log Object is locked skipped
C:\Documents and Settings\Jim\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jim\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Jim\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Jim\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Jim\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Jim\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jim\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jim\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jim\Local Settings\Temp\~DFFBA3.tmp Object is locked skipped
C:\Documents and Settings\Jim\Local Settings\Temp\~DFFBE1.tmp Object is locked skipped
C:\Documents and Settings\Jim\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Jim\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jim\ntuser.dat Object is locked skipped
C:\Documents and Settings\Jim\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\CA\PPRT\logs\2008-02-25.csv Object is locked skipped
C:\Program Files\NetAssistant\log\mpbtn.log Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\Fonts\a.zip.vir/Setup.exe Infected: Trojan-Downloader.Win32.VB.bsa skipped
C:\QooBox\Quarantine\C\WINDOWS\Fonts\a.zip.vir ZIP: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ehrxqdqq.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ixe skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hqucdcem.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kjwnw64l.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\koqpaexe.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\lcntklwb.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.aj skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\meopgxix.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ixf skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rwwnw64d.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\QooBox\Quarantine\catchme2008-02-24_ 13139.00.zip/vtsqo.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-02-24_ 13139.00.zip/xxyayww.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-02-24_ 13139.00.zip ZIP: infected - 2 skipped
C:\SDFix\SDFix\backups\backups.zip/backups/Setup.exe Infected: Trojan-Downloader.Win32.VB.bsa skipped
C:\SDFix\SDFix\backups\backups.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP842\A0056218.exe Infected: not-virus:Hoax.Win32.Renos.awj skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP842\A0056233.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP842\A0056234.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP843\A0056253.exe Infected: Trojan-Downloader.Win32.VB.cgu skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP844\A0056716.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP844\A0056730.exe Infected: Trojan-Downloader.Win32.VB.cgu skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP844\A0056777.exe Infected: Trojan-Downloader.Win32.VB.cgu skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP844\A0056781.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.aj skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP844\A0056799.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.aj skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP845\A0057874.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.aj skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP846\A0059088.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ixe skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP846\A0059089.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP846\A0059090.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ixf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP846\A0059102.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP846\A0059103.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP847\A0059210.exe Infected: Trojan-Downloader.Win32.VB.bsa skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP847\A0059220.exe Infected: Trojan-Downloader.Win32.VB.bsa skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP850\A0059435.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP850\A0059436.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.aj skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP850\A0059437.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP850\A0059441.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP851\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{439E0F52-7ADA-40B0-B891-FED32FC2A6C4}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\MsDtc\MSDTC.LOG Object is locked skipped
C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
jimmy1972
2008-02-27, 01:27
Thanks again for your help so far!
I'm glad to be making some progress!:bigthumb:
That looks fine, all the items it found have already been taken care of.
Your Java and Adobe is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java and Adobe components and update.
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6u4 from http://java.sun.com/javase/downloads/index.jsp
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Update Adobe Acrobat Reader
Please go to this link Adobe Acrobat Reader Download Link (http://www.adobe.com/products/acrobat/readstep2.html)
Cllick Download
On the right Untick Adobe Phototshop Album Starter Edition if you do not wish to include this in the installation.
Click the Continue button
Click Run, and click Run again
Next click the Install Now button and follow the on screen prompts
Now close all windows, including your browser.
Double click on the Java installation that you downloaded and follow the prompts.
Remove Programs
Now click Start---Control Panel. Double click Add or Remove Programs. If any of the following programs are listed there,
click on the program to highlight it, and click on remove.
Adobe Reader 7.0.7
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_03
Now close the Control Panel.
Reboot your machine.
Please post a final HJT log in your reply
How are things running now ?
jimmy1972
2008-02-27, 02:55
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:52:02 PM, on 26/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bell\Security Manager\Fws.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe
C:\Program Files\Bell\Security Manager\Rps.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSAComHandler.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\Bell\Security Manager\rpsupdaterR.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/default.aspx?lang=en-CA
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Bell\Security Manager\pkR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus C66 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2S1.EXE /P23 "EPSON Stylus C66 Series" /O6 "USB001" /M "Stylus C66"
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB002" /M "Stylus C88"
O4 - HKLM\..\Run: [SSA.exe] "C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" /AUTORUN
O4 - HKLM\..\Run: [Sympatico Security Manager] "C:\Program Files\Bell\Security Manager\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Bell\Security Manager\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://fulfillment.puretracks.com/onager.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.photolab.ca/Upload/ImageUploader4.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab?
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Sympatico Security Manager Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Bell\Security Manager\rpsupdaterR.exe
O23 - Service: Sympatico Security Manager Firewall (RP_FWS) - Bell Sympatico - C:\Program Files\Bell\Security Manager\Fws.exe
--
End of file - 8594 bytes
Thanks again.
Things are running quite well. The only strange thing is that a program ending window pops up when I restart that says ending program "uipopuphidden"?
Other than that, things seem to be great!:bigthumb:
The only info I can find on "uipopuphidden" relates to security software usually Freedom but also a few others
I notice in your HJT log this line
"O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Bell\Security Manager\ZkRunOnceR.exe"
Have you recently changed your Antivirus ?
It could also be related to Sympatico Security Advisor
Please follow the instructions in the following link to uninstall MSJava.
You only need to follow the guide upto and including step 7 ---- DO NOT EDIT THE REGISTRY MANUALLY
http://www.bleepingcomputer.com/tutorials/tutorial97.html
Create A Registry File
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
Save it as "All Files" and name it Regfix.reg Please save it on your desktop.
REGEDIT4
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Java VM]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AdvancedOptions\JAVA_VM]
Make sure there are NO blank lines before REGEDIT4 and ONE blank line at the end/bottom
Double click on Regfix.reg and click Yes at the prompt
Fix With HJT
Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines IF still present
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Bell\Security Manager\ZkRunOnceR.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis
Please post a fresh HJT log in your reply
jimmy1972
2008-02-27, 04:45
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:11 PM, on 26/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bell\Security Manager\Fws.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe
C:\Program Files\Bell\Security Manager\Rps.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSAComHandler.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Bell\Security Manager\rpsupdaterR.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/default.aspx?lang=en-CA
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Bell\Security Manager\pkR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus C66 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2S1.EXE /P23 "EPSON Stylus C66 Series" /O6 "USB001" /M "Stylus C66"
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB002" /M "Stylus C88"
O4 - HKLM\..\Run: [SSA.exe] "C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" /AUTORUN
O4 - HKLM\..\Run: [Sympatico Security Manager] "C:\Program Files\Bell\Security Manager\Rps.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\npjpi160_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\npjpi160_04.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://fulfillment.puretracks.com/onager.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.photolab.ca/Upload/ImageUploader4.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab?
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Sympatico Security Manager Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Bell\Security Manager\rpsupdaterR.exe
O23 - Service: Sympatico Security Manager Firewall (RP_FWS) - Bell Sympatico - C:\Program Files\Bell\Security Manager\Fws.exe
--
End of file - 8583 bytes
I made an error when I was following your instructions.:sad:
I accidentally went past step 7 when I was uninstalling MSJava. I realized it after I deleted the two items it asked me to (after step 7) and I didn't realize that you could not undo that change. Sorry. I followed their instructions to the end at that point.
I think I did everything else correctly.
As long as you know what you are doing, there is no harm done.
The instructions I gave are just safer for people who have never used the registry.
Congratulations your logs look clean :D
Let's see if I can help you keep it that way
First lets tidy up :D
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
You can also delete any logs we have produced, and empty your Recycle bin.
Enable Teatimer
RIGHT click Link >>> HERE <<< Link (http://downloads.subratam.org/ResetTeaTimer.bat) and select "save as" and save it to your desktop
Double click ResetTeaTimer.bat
Open Spybot S&D
Click Mode, check Advanced Mode
Go To Left Panel, Click Tools, then also in left panel, click Resident
If your firewall raises a question, say OK
check the box labeled Resident Tea-Timer and OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.
You can now delete ResetTeaTimer.bat
The following is some info to help you stay safe and clean.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )
Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.
http://www.nanoscan.com
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html
!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE (http://secunia.com/software_inspector/) for details
AntiSpyware
AntiSpyware is not the same thing as Antivirus.
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
Most of the programs in this list have a free (for Home Users ) and paid versions,
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Spybot - Search & Destroy (http://www.safer-networking.org/) <<< A must have program It includes host protection and registry protection A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
MalwareBytes Anti-malware (http://www.malwarebytes.org/mbam.php) <<< A New and effective program
a-squared Free (http://www.emsisoft.com/en/software/free/) <<< A good "realtime" or "on demand" scanner
AVG Anti-Spyware 7.5 (http://www.ewido.net/en/) <<< A good "on demand" scanner
superantispyware (http://www.superantispyware.com/) <<< A good "realtime" or "on demand" scanner
Prevention
These programs don't detect malware, they help stop it getting on your machine in the first place.
Each does a different job, so you can have more than one
Winpatrol (http://www.winpatrol.com) An excellent startup manager and then some !! Notifies you if programs are added to startup Allows delayed startup A must have addition
SpywareBlaster 3.5.1 (http://www.javacoolsoftware.com/spywareblaster.html) SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
SpywareGuard 2.2 (http://www.javacoolsoftware.com/spywareguard.html) SpywareGuard provides real-time protection against spyware. Not required if you have other "realtime" antispyware or Winpatrol
ZonedOut (http://www.funkytoad.com/content/view/15/33/) Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.zip) This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial (http://www.mvps.org/winhelp2002/hosts.htm) by WinHelp2002. Not required if you are using other host file protections
Internet Browsers
Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
Using a different web browser can help stop malware getting on your machine.
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
If you are still using IE6 then either update, or get one of the following.
FireFox (http://www.mozilla.com/en-US/firefox/) With many addons available that make customization easy this is a very popular choice NoScript and AdBlockPlus addons are essential
Opera (http://www.opera.com/) Another popular alternative
Netscape (http://browser.netscape.com/addons) Another popular alternative Also has Addons available
Cleaning Temporary Internet Files and Tracking Cookies
Temporary Internet Files are mainly the files that are downloaded when you open a web page.
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.
Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords
Both of these can be cleaned manually, but a quicker option is to use a program
ATF Cleaner (http://www.atribune.org/content/view/19/2/) Free and very simple to use
CCleaner (http://www.ccleaner.com/) Free and very flexible, you can chose which cookies to keep
Also PLEASE read this article.......So How Did I Get Infected In The First Place (http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=4959)
The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.
If you follow this advice then (with a bit of luck) you will never have to hear from me again :D
If you could post back one more time to let me know everything is OK, then I can have this thread archived.
Happy surfing K'
jimmy1972
2008-02-28, 04:19
Thank you so much for the days of help fixing my virus/spyware problems! I really appreciate all you have done to clean my computer.
Everything seems great. That uipopuphidden window still appears at shutdown but you were right, it is something to do with freedom (that is the antivirus that sympatico security manager uses). If it becomes a problem, I will contact them about it. Thanks again for everything you have done and all of the time you spent helping me!
:bigthumb:
Cheers,
Jim
If it becomes a problem, I will contact them about it. Thanks again for everything you have done and all of the time you spent helping me!
If you do decide to contact them, we would be interested to hear what the resolution is.
That way we can help others that have the same problem.
If this thread has been closed by then, just PM me and I can have it added.