View Full Version : Zlob.Downloader.vcd Settings
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:59:19 AM, on 3/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Sara\Desktop\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0BA143DA-B2FB-47CB-B605-84259C4F0432} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {1648E328-3E5A-4EA5-A9C6-E5F09EE272DA} - (no file)
O2 - BHO: BrowserCmp - {1D8282E6-BC4F-469B-AAED-7E4FF077AD93} - C:\WINDOWS\system32\iebrowserc.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-842925246-413027322-839522115-1003\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206038776171
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O21 - SSODL: bokpkov - {FF451FFE-5621-4899-9EA9-21E245EA5EFE} - C:\WINDOWS\bokpkov.dll
O21 - SSODL: altvxvm - {FE4DC3B0-C921-4164-A976-C35BE472166B} - C:\WINDOWS\altvxvm.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
--
End of file -
7862 bytesKASPERSKY ONLINE SCANNER REPORT
Saturday, March 22, 2008 12:08:51 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/03/2008
Kaspersky Anti-Virus database records: 654208
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
Scan Statistics
Total number of scanned objects 197944
Number of viruses found 5
Number of infected objects 12
Number of suspicious objects 0
Duration of the scan process 02:34:41
Infected Object Name Virus Name Last Action
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Sara\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\History\History.IE5\MSHist012008032120080322\index.dat Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\Temp\~DF7FAD.tmp Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\Temp\~DF7FB2.tmp Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Sara\My Documents\My Media\setup.exe/data0009/stream/data0004 Infected: not-a-virus:AdWare.Win32.TrafficSol.t skipped
C:\Documents and Settings\Sara\My Documents\My Media\setup.exe/data0009/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.t skipped
C:\Documents and Settings\Sara\My Documents\My Media\setup.exe/data0009 Infected: not-a-virus:AdWare.Win32.TrafficSol.t skipped
C:\Documents and Settings\Sara\My Documents\My Media\setup.exe/data0010/stream/data0005 Infected: not-a-virus:AdWare.Win32.BHO.wt skipped
C:\Documents and Settings\Sara\My Documents\My Media\setup.exe/data0010/stream/data0006 Infected: not-a-virus:AdWare.Win32.BHO.wt skipped
C:\Documents and Settings\Sara\My Documents\My Media\setup.exe/data0010/stream Infected: not-a-virus:AdWare.Win32.BHO.wt skipped
C:\Documents and Settings\Sara\My Documents\My Media\setup.exe/data0010 Infected: not-a-virus:AdWare.Win32.BHO.wt skipped
C:\Documents and Settings\Sara\My Documents\My Media\setup.exe NSIS: infected - 7 skipped
C:\Documents and Settings\Sara\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Sara\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\altvxvm.dll Infected: not-a-virus:AdWare.Win32.Vapsup.cpy skipped
C:\WINDOWS\bokpkov.dll Infected: not-a-virus:AdWare.Win32.Vapsup.cpy skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{4222EDBB-59DB-4B31-8C60-208FBDD4280E}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\iebrowserc.dll Infected: not-a-virus:AdWare.Win32.Vapsup.awu skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\WINDOWS\SYSTEM\EGDHTML_1020.dll Object is locked skipped
D:\WINDOWS\SYSTEM\SSURF022.DLL Infected: not-a-virus:AdWare.Win32.SafeSurfing.l skipped
Scan process completed.
Hello and welcome to Safer Networking.
My name is km2357 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.
If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.
Please do not start another thread or topic, I will assist you at this thread until we solve your problems.
Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.
I will be back as soon as possible with your first instructions!
Step # 1: Disable Teatimer
Spybot S&D's tea timer normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.
This is a two step process.
First step: Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version : Open Spybot S&D
Click Mode, choose Advanced Mode
Go To the bottom of the Vertical Panel on the Left, Click Tools
then, also in left panel, click Resident shows a red/white shield.
If your firewall raises a question, say OK
In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.
Step # 2: Disable Ad-Aware 2007 Service
Please disable the Ad-Aware 2007 Service as it may interfere with the fix.
On your desktop, click Start.
Choose Run.
Type services.msc in the open box and click OK or press Enter.
Scroll down the list of services and double-click Ad-Aware 2007 Service.
In the service properties window that opens, click the STOP button.
Under Startup Type, use the pull down menu and select Manual from the list of options.
Click OK and exit the Services Control Manager.
Reboot your machine for the changes to take effect.
Once your log is clean you can re-enable those settings.
Step # 3 Download and run SmitFraudFix
Using one of the links below download SmitfraudFix (by S!Ri) to your Desktop.
here (http://siri.urz.free.fr/Fix/SmitfraudFix.exe)
or
here (http://downloads.securitycadets.com/SmitfraudFix.exe)
Double-click SmitfraudFix.exe.
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
Step # 4: Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:
1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.
In your next post/reply, I need to see the SmitFraudFix report, the Uninstall List and a fresh HiJackThis Log. Use multiple posts/replies if you can fit them all into one post.
SmitFraudFix v2.307
Scan done at 14:32:19.75, Sat 03/22/2008
Run from C:\Documents and Settings\Sara\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
hosts file corrupted !
127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\winfrun32.bin FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Sara
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Sara\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Sara\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!
IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
[!] Suspicious: bokpkov.dll
SSODL: bokpkov - {FF451FFE-5621-4899-9EA9-21E245EA5EFE}
[!] Suspicious: altvxvm.dll
SSODL: altvxvm - {FE4DC3B0-C921-4164-A976-C35BE472166B}
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\mgmrwmrv.exe,"
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
hijack uninstall list
Ad-Aware 2007
Adobe Download Manager 2.2 (Remove Only)
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Adobe Shockwave Player
Adobe® Photoshop® Album Starter Edition 3.2
Brother MFL-Pro Suite
CCleaner (remove only)
Digital MultiCam Driver
Diskeeper 2007 Pro Premier
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
IEEE 802.11g USB Wireless LAN Adapter
Intel(R) Extreme Graphics Driver
Intel(R) PRO Network Adapters and Drivers
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Kaspersky Online Scanner
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Expression Web
Microsoft Expression Web
Microsoft Expression Web MUI (English)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Project MUI (English) 2007
Microsoft Office Project Professional 2007
Microsoft Office Project Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Nero 7 Ultra Edition
OverDrive Media Console
PaperPort
PowerDVD
RegScrubXP 3.25
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Excel 2007 (KB946974)
Security Update for Office 2007 (KB947801)
Security Update for Outlook 2007 (KB946983)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
SigmaTel AC97 Audio Drivers
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Tweak UI
Update for Outlook 2007 Junk Email Filter (kb947945)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
Yahoo! Install Manager
Yahoo! Toolbar
Logfile of Trend Micro HijackThis v2.0.2 (fresh)
Scan saved at 4:51:42 PM, on 3/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Sara\Desktop\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0BA143DA-B2FB-47CB-B605-84259C4F0432} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {1648E328-3E5A-4EA5-A9C6-E5F09EE272DA} - (no file)
O2 - BHO: BrowserCmp - {1D8282E6-BC4F-469B-AAED-7E4FF077AD93} - C:\WINDOWS\system32\iebrowserc.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-842925246-413027322-839522115-1003\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O21 - SSODL: bokpkov - {FF451FFE-5621-4899-9EA9-21E245EA5EFE} - C:\WINDOWS\bokpkov.dll
O21 - SSODL: altvxvm - {FE4DC3B0-C921-4164-A976-C35BE472166B} - C:\WINDOWS\altvxvm.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
--
End of file - 7035 bytes
Print out these instructions or save them into a notepad on your desktop, because you will not have internet access while in Safe Mode.
Step # 1: Boot into Safe Mode
You can go in Safe Mode by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.
Step # 2 Run SmitFraudFix
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning : running option #2 on a non infected computer will remove your Desktop background.
The hosts section of the log will have a lot of entries, you can edit out that section before posting the log. Just let me know if you do so.
In your next post/reply, I need to see the following:
1. SmitFraudFix Report (C:\rapport.txt)
2. A fresh HiJackThis Log
Use multiple posts, if you can't fit them both into one post.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:24:40 PM, on 3/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Sara\Desktop\HiJackThis.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0BA143DA-B2FB-47CB-B605-84259C4F0432} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {1648E328-3E5A-4EA5-A9C6-E5F09EE272DA} - (no file)
O2 - BHO: BrowserCmp - {1D8282E6-BC4F-469B-AAED-7E4FF077AD93} - C:\WINDOWS\system32\iebrowserc.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-842925246-413027322-839522115-1003\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O21 - SSODL: bokpkov - {FF451FFE-5621-4899-9EA9-21E245EA5EFE} - C:\WINDOWS\bokpkov.dll (file missing)
O21 - SSODL: altvxvm - {FE4DC3B0-C921-4164-A976-C35BE472166B} - C:\WINDOWS\altvxvm.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
--
End of file - 6449 bytes
SmitFraudFix v2.307
Scan done at 18:17:53.50, Sat 03/22/2008
Run from C:\Documents and Settings\Sara\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» VACFix
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» DNS
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
Step # 1 Run CCleaner
CCleaner will remove everything from the temp/temporary folders but please note that it will not make back ups!
Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours
Then select the items you wish to clean up.
In the Windows Tab:
Clean all entries in the Internet Explorer section except Cookies
Clean all the entries in the Windows Explorer section
Clean all entries in the System section
Clean all entries in the Advanced section
Clean any others that you choose
In the Applications Tab:
Clean all except cookies in the Firefox/Mozilla section if you use it
Clean all in the Opera section if you use it
Clean Sun Java in the Internet Section
Clean any others that you choose
Click the Run Cleaner button.
A pop up box will appear advising this process will permanently delete files from your system.
Click OK and it will scan and clean your system.
Click exit when done.
If it asks you to reboot at the end, click NO
Step # 2: Remove Hijackthis Entries
Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {0BA143DA-B2FB-47CB-B605-84259C4F0432} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {1648E328-3E5A-4EA5-A9C6-E5F09EE272DA} - (no file)
O2 - BHO: BrowserCmp - {1D8282E6-BC4F-469B-AAED-7E4FF077AD93} - C:\WINDOWS\system32\iebrowserc.dll
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
03 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O21 - SSODL: bokpkov - {FF451FFE-5621-4899-9EA9-21E245EA5EFE} - C:\WINDOWS\bokpkov.dll (file missing)
O21 - SSODL: altvxvm - {FE4DC3B0-C921-4164-A976-C35BE472166B} - C:\WINDOWS\altvxvm.dll (file missing)
If an Administrator has not set a policy restricting access to Internet Explorer settings and you have not configured any software such as Spybot S & D or a similar program to prevent changing Internet Explorer settings, then you can also fix these O6 entries with HijackThis:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.
Step # 3: Deleting Files/Folders
I need you to use Windows Explorer to delete the files I have marked in Red(if found):
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\system32\iebrowserc.dll
C:\WINDOWS\bokpkov.dll
C:\WINDOWS\altvxvm.dll
Step # 4 Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location.
You can also access the log by doing the following:
Click on the Malwarebytes' Anti-Malware icon to launch the program.
Click on the Logs tab.
Click on the log at the bottom of those listed to highlight it.
Click Open.
In your next post/reply, I need to see the following:
1. Log from the MalwareBytes' scan
2. A fresh HiJackThis Log
Use multiple posts if you can't fit everything into one post.
Happy Easter and thank you for the help so far I appreciate you. This will be the second day the trojan/virus hasnt been able to hijack my computer. Again thanks for your time to help me. Nolene
Malwarebytes' Anti-Malware 1.09
Database version: 528
Scan type: Full Scan (A:\|C:\|D:\|F:\|)
Objects scanned: 223595
Time elapsed: 1 hour(s), 4 minute(s), 34 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 39
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5b4c3b43-49b6-42a7-a602-f7acdca0d409} (Adware.OneStepSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{f663b917-591f-4172-8d87-3d7d729007ca} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d279bc2b-a85b-4559-8fd9-ddc55f5d402d} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\iebrowsercmp.browsercmp (Adware.RightOnAds) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\iebrowsercmp.browsercmp.1 (Adware.RightOnAds) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c1a6d8b8-93c3-4186-9dd1-13983f9f1d9b} (Adware.RightOnAds) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3160f356-e8c3-4de2-a698-92eeeb3d3400} (Adware.RightOnAds) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\bat.DLL (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\HID_Layer (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IeBrowserCmp.BrowserCmp (Adware.RightOnAds) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ONESTEP_SEARCH_SERVICE (Adware.OneStepSearch) -> Delete on reboot.
Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.Softomate) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files\stc (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\Sysmnt (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Rabio (Adware.Rabio) -> Quarantined and deleted successfully.
Files Infected:
D:\WINDOWS\SYSTEM\ide21201.vxd (Adware.Winad) -> Quarantined and deleted successfully.
C:\Program Files\stc\csv5p070.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\Sysmnt\Ssmgr.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\avifile32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\avisynthex32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\aviwrap32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\bjam.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\browserad.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\cdsm32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\changeurl_30.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msa64chk.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msapasrc.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mssvr.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ntnut.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\saiemod.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\shdocpe.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\shdocpl.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\voiceip.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\winsb.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSIXU.DLL (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSNSA32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntnut32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\shdocpe.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SIPSPI32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WER8274.DLL (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\apphelp32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\asferror32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\asycfilt32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\athprxy32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ati2dvaa32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ati2dvag32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\audiosrv32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\autodisc32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\licencia.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\telefonos.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\textos.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\winxplogon.sys (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\DcadsSocial-uninstall.exe (Adware.RightOnAds) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sara\Application Data\urlredir.cfg (Adware.RightOnAds) -> Quarantined and deleted successfully.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:07:16 PM, on 3/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Sara\Desktop\HiJackThis.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-842925246-413027322-839522115-1003\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
--
End of file - 5509 bytes
Happy Easter to you as well. :)
Print out these instructions or save them into a notepad on your desktop, because you will not have internet access while in Safe Mode.
Step # 1 Update Java
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6u5 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications.".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Remove the following old versions of Java:
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
From your desktop double-click on the download to install the newest version.
Step # 2: Boot into Safe Mode
You can go in Safe Mode by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.
Step # 3: Remove Hijackthis Entries
Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.
Step # 4: Deleting Files/Folders
Once in Safe Mode, I need you to use Windows Explorer to delete the files I have marked in Red(if found):
C:\WINDOWS\system32\mgmrwmrv.exe
Let me know if you have any trouble deleting the file or if the file is even there.
Reboot your computer back into Normal mode and post a fresh HiJackThis Log (taken in Normal mode) in your next post/reply.
I couldnt find the mgmrwmrv.exe file I couldnt locate it either times or any of the .dll files you asked me to delete on the previous post
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:02:30 AM, on 3/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Documents and Settings\Sara\Desktop\HiJackThis.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-842925246-413027322-839522115-1003\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
--
End of file - 5434 bytes
I couldnt find the mgmrwmrv.exe file I couldnt locate it either times or any of the .dll files you asked me to delete on the previous post
Thanks for letting me know. Looking through your latest HJT logs those files appear to be gone/deleted earlier. :)
Step # 1: Download and run ERUNT
You will be downloading ERUNT, a registry backup tool.
For version with the Installer (http://aumha.org/downloads/erunt-setup.exe):
Use the setup program to install ERUNT on your computer
For the zipped version (http://aumha.org/downloads/erunt.zip):
Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.
Note:to restore your registry, go to the folder and start ERDNT.exe
Open Notepad!
Copy and Paste everything from the Quote box into Notepad:
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"http"=dword:00000003
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.
Go to File > Save As
Save File name as Fix.reg
Change Save as Type to All Files and save the file to your desktop.
Close Notepad, and double-click Fix.reg on your Desktop. When it asks if you want to merge the info to the registry, hit YES/OK. Reboot the computer.
Step # 2: Run Kaspersky Online Scan
Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/kos/english/kavwebscan.html)
You must be using Internet Explorer, Kaspersky does not work with Firefox
Click Accept
You will be promted to install an ActiveX component from Kaspersky,
Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
Scan Options:
Scan Archives Scan Mail Bases
Click OK
Now under select a target to scan:
Select My Computer
The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Once finished, save the log to your Desktop as filename KAV.txt
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
In your next post/reply, I need to see the following:
1. The Kaspersky results (KAV.txt)
2. A fresh HiJackThis Log
3. Let me know how your computer is running, any problems?
If you can't fit everything into one post, use multiple posts to get it all in.
I think I did something wrong I didnt get a "quote:" the only thing that opened after I installed or after I ran the ENRUNT program was a install txt. I didnt want to do anything more with it so I wouldnt mess things up even more. Sorry:sad: and the computer is running fine. Just a few bugs to be worked out but I havent been hijacked for a few days already, thanks for that
KASPERSKY ONLINE SCANNER REPORT
Monday, March 24, 2008 7:25:15 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 24/03/2008
Kaspersky Anti-Virus database records: 659498
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
Scan Statistics
Total number of scanned objects 203719
Number of viruses found 5
Number of infected objects 14
Number of suspicious objects 0
Duration of the scan process 02:37:17
Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.bak Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.tmp.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.bak Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.tmp.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.bak Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.tmp.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.bak Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.tmp.LOG Object is locked skipped
C:\Documents and Settings\Sara\Application Data\Ahead\NeroVision\NeroVisionLog.txt Object is locked skipped
C:\Documents and Settings\Sara\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Sara\Desktop\backups\backup-20080323-173145-937.dll Infected: not-a-virus:AdWare.Win32.Vapsup.awu skipped
C:\Documents and Settings\Sara\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Sara\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Sara\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Sara\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Sara\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\Application Data\Microsoft\Windows\UsrClass.bak Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\Application Data\Microsoft\Windows\UsrClass.tmp.LOG Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\History\History.IE5\MSHist012008032420080325\index.dat Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\Temp\hsperfdata_Sara\1880 Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\Temp\~DF539C.tmp Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\Temp\~DF53A1.tmp Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Sara\My Documents\My Media\setup.exe/data0009/stream/data0004 Infected: not-a-virus:AdWare.Win32.TrafficSol.t skipped
C:\Documents and Settings\Sara\My Documents\My Media\setup.exe/data0009/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.t skipped
C:\Documents and Settings\Sara\My Documents\My Media\setup.exe/data0009 Infected: not-a-virus:AdWare.Win32.TrafficSol.t skipped
C:\Documents and Settings\Sara\My Documents\My Media\setup.exe/data0010/stream/data0005 Infected: not-a-virus:AdWare.Win32.BHO.wt skipped
C:\Documents and Settings\Sara\My Documents\My Media\setup.exe/data0010/stream/data0006 Infected: not-a-virus:AdWare.Win32.BHO.wt skipped
C:\Documents and Settings\Sara\My Documents\My Media\setup.exe/data0010/stream Infected: not-a-virus:AdWare.Win32.BHO.wt skipped
C:\Documents and Settings\Sara\My Documents\My Media\setup.exe/data0010 Infected: not-a-virus:AdWare.Win32.BHO.wt skipped
C:\Documents and Settings\Sara\My Documents\My Media\setup.exe NSIS: infected - 7 skipped
C:\Documents and Settings\Sara\NTUSER.bak Object is locked skipped
C:\Documents and Settings\Sara\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Sara\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Sara\NTUSER.tmp.LOG Object is locked skipped
C:\Program Files\Grisoft\AVG7\avg7log.log Object is locked skipped
C:\Program Files\Grisoft\AVG7\avg7log.log.lck Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.bak Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.tmp.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.bak Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.tmp.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.bak Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.tmp.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.bak Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.tmp.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.bak Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\system.tmp.LOG Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_6d8.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\WINDOWS\SYSTEM\EGDHTML_1020.dll Object is locked skipped
D:\WINDOWS\SYSTEM\SSURF022.DLL Infected: not-a-virus:AdWare.Win32.SafeSurfing.l skipped
Scan process completed.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:28:53 PM, on 3/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Sara\Desktop\HiJackThis.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-842925246-413027322-839522115-1003\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - S-1-5-21-842925246-413027322-839522115-1003 Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User '?')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
--
End of file - 5799 bytes
For Erunt, were you able to properly install it? After it installed did you double-click on Erunt.exe so it could back up your registry?
The part with the quote box you are supposed to do yourself:
Open up Notepad (Start->Programs->Accessories->Notepad).
Copy and Paste everything from the Quote box into Notepad:
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"http"=dword:00000003
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.
Go to File > Save As
Save File name as Fix.reg
Change Save as Type to All Files and save the file to your desktop.
Close Notepad, and double-click Fix.reg on your Desktop. When it asks if you want to merge the info to the registry, hit YES/OK. Reboot the computer.
You can delete Smitfraudfix.exe off of your desktop.
Using Windows Explorer, delete the following files I have marked in red:
C:\Documents and Settings\Sara\Desktop\backups\backup-20080323-173145-937.dll
C:\Documents and Settings\Sara\My Documents\My Media\setup.exe
D:\WINDOWS\SYSTEM\SSURF022.DLL
Let me know if you have any trouble deleting any of the files.
Empty your Recycle Bin.
Post back a fresh HiJackThis Log in your next reply.
Im sorry for being dumb but I cant get to the "quote" part of ERunt. I even tried to reinstall it and didnt get anything but this (Ill only post part of it) :
ERUNT - The Emergency Recovery Utility NT
=========================================
Registry Backup and Restore for Windows NT/2000/2003/XP
v1.1j, 10/20/2005, Freeware
Written by Lars Hederer
e-mail: lars.hederer@t-online.de
Look for the latest version here:
http://www.larshederer.homepage.t-online.de/erunt
To find out what's new in this version, please see the "Version
history" section later in this file.
Introduction
------------
With the invention of Windows 95 Microsoft made the wise decision to organize all computer- and application-specific data which was spread over countless INI files before in a centralized Windows database, called the system "registry". The registry is one of the most important parts in every Windows system today, without which the OS would not even boot. And since the registry is quite sensitive to corruption, it is very advisable to backup its according files from time to time.
In MS-DOS based Windows versions (95, 98, Me) the registry consists of the files SYSTEM.DAT and USER.DAT (and ASSES.DAT in Windows Me). To backup these files, one can easily go to the Windows folder in Explorer and copy the files to a safe location, for example another folder on the hard disk. Microsoft even supplies a utility called ERU which can be used to backup these and a few other critical system files to a safe location.
Also, Windows 9x/Me automatically create backups of the registry at startup, with Windows 95 always backing up the registry from the previous Windows session, and Windows 98/Me maintaining up to five....................
This is not the file is it? It is the only one that comes up that you can read all other files that are saved are .dll or system, security etc. I had saved on my desktop by the date.
Im sorry. Can I uninstall and try to reinstall?
I was able to delete all files on the list you sent with no problems. Only after rebooting it was trying to boot to my A: so I had to restart and reconfigure to boot from C: and after that I had no more problems rebooting.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:11:01 PM, on 3/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Sara\Desktop\HiJackThis.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-842925246-413027322-839522115-1003\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - S-1-5-21-842925246-413027322-839522115-1003 Startup: ERUNT AutoBackup.lnk = C:\Downloads\ERUNT\AUTOBACK.EXE (User '?')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Downloads\ERUNT\AUTOBACK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
--
End of file - 5812 bytes
All you do with ERUNT is double-click ERUNT.exe to back-up your registry. There is no "quote:" part in ERUNT, you do that part yourself using Notepad.
Let's try this again:
First, delete Erunt-setup.exe and Erunt.exe from your Desktop (if they are there, if not delete them from wherever you saved and installed them too)
Next, download erunt-setup.exe (http://aumha.org/downloads/erunt-setup.exe) and save it to your Desktop. Double-click the file to begin the installation process. Once that is done, find and double-click on Erunt.exe to back up your registry to a folder of your choice.
After that, do not touch Erunt anymore, we are done using it for this fix.
Everything else from this point on, you'll be doing by yourself:
First, open up Notepad
Copy and Paste everything from the Quote box into Notepad:
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"http"=dword:00000003
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.
Go to File > Save As
Save File name as Fix.reg
Change Save as Type to All Files and save the file to your desktop.
Close Notepad, and double-click Fix.reg on your Desktop. When it asks if you want to merge the info to the registry, hit YES/OK. Reboot the computer.
Post back a fresh HiJackThis Log in your next reply.
Oh god so sorry I get it finally and I did as you said and when I click on the file it asks what program I want to use to open it. So not sure what I have done wrong next. Thanks for the patience
Oh god so sorry I get it finally and I did as you said and when I click on the file it asks what program I want to use to open it. So not sure what I have done wrong next. Thanks for the patience
Let's try this:
Right-click on Fix.reg and select Merge, if it asks you if you want to merge, click Yes/Ok. Then reboot your computer and post a fresh HiJackThis Log.
Let me know if you have any trouble.
I tried it that way also with still the same (Open with:) and so I rebooted anyway and tried it again didnt work I didnt know for sure if you needed this hijack logfile but sent it just in case.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:09:48 PM, on 3/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Sara\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wuauclt.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
--
End of file - 5293 bytes
Let's try another tool. You can go ahead and delete fix.reg from your Desktop.
Step # 1: Download and Run ComboFix
Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Be sure to save ComboFix.exe to your Desktop
When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next post/reply.
its not combofix its stopzilla that it downloaded is that ok?
I did get it downloaded and it wont open says no known program to open program
Let's try this:
Step # 1: Disable Ad-Aware 2007 Service
Please disable the Ad-Aware 2007 Service as it may interfere with the fix.
On your desktop, click Start.
Choose Run.
Type services.msc in the open box and click OK or press Enter.
Scroll down the list of services and double-click Ad-Aware 2007 Service.
In the service properties window that opens, click the STOP button.
Under Startup Type, use the pull down menu and select Manual from the list of options.
Click OK and exit the Services Control Manager.
Reboot your machine for the changes to take effect.
Once your log is clean you can re-enable those settings.
Step # 2: Download and run DAFT
Download Deckard's Association File Tool (DAFT) (http://www.techsupportforum.com/sectools/Deckard/daft.exe) and save it to your desktop:
1. Double-click the daft.exe icon. Read the disclaimer and click OK.
2. Click on the Scan button.
3. If it finds faulty file associations, they will appear in red beside a checkbox. If this occurs, just place a tick in the boxes in question.
4. Click the Fix button.
After Step 2 is done, try running ComboFix again, if it works post the log ( C:\ComboFix.txt ) in your next post. If it doesn't work let me know and if DAFT shows any results/logs be sure to post those in your next post/reply as well.
ComboFix 08-03-25.1 - Sara 2008-03-26 8:23:25.1 - NTFSx86
It worked but I messed up I went down the list of instructions before reading the whole thing first and didnt copy the scan from daft. It had about 5 things in there to fix. Im sorry again. I tried to rescan but it said there was nothing to fix by then.
Running from: C:\Documents and Settings\Sara\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-02-26 to 2008-03-26 )))))))))))))))))))))))))))))))
.
2008-03-25 18:08 . 2008-03-25 18:08 4,608,744 --a------ C:\Program Files\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
2008-03-25 14:37 . 2008-03-25 14:37 <DIR> d-------- C:\Program Files\DVD Region+CSS Free
2008-03-25 14:37 . 2008-03-25 14:48 67 --a------ C:\WINDOWS\DVDRegionFree.INI
2008-03-24 13:22 . 2008-03-24 13:22 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-24 13:22 . 2008-03-24 13:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-24 12:53 . 2008-03-24 12:53 <DIR> d-------- C:\Program Files\ERUNT
2008-03-24 12:52 . 2008-03-24 12:53 791,393 --a------ C:\Program Files\erunt-setup.exe
2008-03-24 00:50 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-24 00:49 . 2008-03-24 00:50 <DIR> d-------- C:\Program Files\Java
2008-03-24 00:49 . 2008-03-24 00:49 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-23 17:41 . 2008-03-23 17:41 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-23 17:41 . 2008-03-23 17:41 <DIR> d-------- C:\Documents and Settings\Sara\Application Data\Malwarebytes
2008-03-23 17:41 . 2008-03-23 17:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-22 01:43 . 2008-03-22 01:43 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-21 20:20 . 2008-03-25 15:40 <DIR> d-------- C:\Documents and Settings\Sara\Application Data\SolSuite
2008-03-21 18:44 . 2008-03-21 18:44 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-21 18:44 . 2008-03-21 18:44 2,549 --a------ C:\WINDOWS\unins000.dat
2008-03-21 18:28 . 2008-03-23 17:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-21 18:27 . 2008-03-21 18:48 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-20 20:26 . 2008-03-21 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-03-20 20:15 . 2008-03-21 17:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-20 20:15 . 2008-03-20 20:15 38,473,056 --a------ C:\Program Files\CNET_VSP30days.exe
2008-03-20 20:09 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-20 20:09 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-20 12:41 . 2008-03-20 12:41 50 --a------ C:\WINDOWS\BRQIKMON.INI
2008-03-20 12:40 . 2008-03-21 14:50 <DIR> d-------- C:\Documents and Settings\Sara\Application Data\PC-FAX TX
2008-03-19 20:05 . 2004-12-03 01:26 188,416 --a------ C:\WINDOWS\system32\PDRVINST.DLL
2008-03-19 20:05 . 2006-01-17 01:03 126,976 --a------ C:\WINDOWS\system32\BrfxD05a.dll
2008-03-19 20:05 . 2005-06-02 01:09 86,016 --a------ C:\WINDOWS\system32\BrWebIns.dll
2008-03-19 20:05 . 2005-06-02 01:08 69,632 --a------ C:\WINDOWS\system32\BRWEBUP.EXE
2008-03-19 20:05 . 2001-11-15 01:00 6,224 --a------ C:\WINDOWS\CVRPAGE.BMP
2008-03-19 20:05 . 2008-03-21 14:50 0 --a------ C:\WINDOWS\brdfxspd.dat
2008-03-19 20:04 . 2008-03-19 20:04 <DIR> d-------- C:\Program Files\Common Files\ScanSoft Shared
2008-03-19 20:04 . 2008-03-19 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-03-19 20:04 . 2003-09-24 11:36 27,019 --a------ C:\WINDOWS\maxlink.ini
2008-03-19 19:58 . 2008-03-19 19:58 0 --------- C:\Bro59.tmp
2008-03-19 19:55 . 2008-03-21 19:58 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-03-19 19:18 . 2008-03-19 20:06 <DIR> d-------- C:\Program Files\Brother
2008-03-19 09:48 . 2008-03-19 09:52 470 --a------ C:\WINDOWS\wininit.ini
2008-03-16 19:35 . 2008-03-16 19:36 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-03-15 16:10 . 2001-08-18 06:00 1,700,352 --------- C:\WINDOWS\system32\GdiPlus.dll
2008-03-15 16:10 . 2002-11-27 18:26 114,688 --------- C:\WINDOWS\system32\jpegcode.dll
2008-03-15 16:10 . 2002-09-06 18:54 53,248 --------- C:\WINDOWS\system32\AccWrap.dll
2008-03-15 16:10 . 2002-10-29 18:21 45,664 --------- C:\WINDOWS\system32\drivers\CoachVc.sys
2008-03-15 16:10 . 2002-11-22 19:45 41,952 --------- C:\WINDOWS\system32\drivers\CoachUsb.sys
2008-03-15 16:10 . 2002-11-21 12:14 39,424 --------- C:\WINDOWS\system32\CoachWia.dll
2008-03-15 16:10 . 2008-03-16 14:05 22 --a------ C:\Program Files\c310.zip
2008-03-15 10:06 . 2008-03-15 10:06 419 --a------ C:\WINDOWS\BRWMARK.INI
2008-03-15 10:06 . 2008-03-15 10:06 27 --a------ C:\WINDOWS\BRPP2KA.INI
2008-03-15 10:05 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-03-15 10:05 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-03-15 10:05 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-03-15 10:05 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-03-15 10:00 . 2008-03-21 14:50 429 --a------ C:\WINDOWS\Brpfx04a.ini
2008-03-15 10:00 . 2008-03-20 12:40 153 --a------ C:\WINDOWS\brpcfx.ini
2008-03-15 10:00 . 2008-03-19 20:06 50 --a------ C:\WINDOWS\system32\bridf06a.dat
2008-03-15 09:59 . 2008-03-19 19:09 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-03-15 09:59 . 2006-02-24 17:27 1,492,480 --a------ C:\WINDOWS\system32\BrWia06a.dll
2008-03-15 09:59 . 2004-12-10 16:35 147,456 --a------ C:\WINDOWS\brunin03.dll
2008-03-15 09:59 . 2006-02-16 18:49 52,736 --a------ C:\WINDOWS\system32\brinsstr.dll
2008-03-15 09:59 . 2005-12-13 10:53 38,912 --a------ C:\WINDOWS\system32\BrUsi06a.dll
2008-03-15 09:59 . 2004-10-15 12:50 15,295 --a------ C:\WINDOWS\system32\drivers\BrScnUsb.sys
2008-03-15 09:57 . 2008-03-15 09:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-03-15 09:56 . 2008-03-19 20:04 <DIR> d-------- C:\Program Files\ScanSoft
2008-03-15 09:55 . 2008-03-15 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Brother
2008-03-08 11:09 . 2008-03-08 11:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-08 11:08 . 2008-03-08 11:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-27 09:38 . 2001-08-17 23:36 99,328 --a------ C:\WINDOWS\system32\srusd.dll
2008-02-27 09:38 . 2001-08-17 23:36 99,328 --a--c--- C:\WINDOWS\system32\dllcache\srusd.dll
2008-02-27 09:38 . 2001-08-17 23:36 71,680 --a------ C:\WINDOWS\system32\fnfilter.dll
2008-02-27 09:38 . 2001-08-17 23:36 71,680 --a--c--- C:\WINDOWS\system32\dllcache\fnfilter.dll
2008-02-27 09:38 . 2001-08-17 14:53 6,784 --a------ C:\WINDOWS\system32\drivers\serscan.sys
2008-02-27 09:38 . 2001-08-17 14:53 6,784 --a--c--- C:\WINDOWS\system32\dllcache\serscan.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-25 19:29 --------- d-----w C:\Program Files\RegScrubXP
2008-03-22 07:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-21 22:09 --------- d-----w C:\Documents and Settings\Sara\Application Data\AVG7
2008-03-20 22:03 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-20 18:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-20 14:47 --------- d-----w C:\Program Files\Incomplete
2008-03-20 02:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-20 02:05 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-19 14:44 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-17 04:58 --------- d-----w C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor
2008-03-08 17:09 --------- d-----w C:\Program Files\Lavasoft
2008-03-08 17:09 --------- d-----w C:\Documents and Settings\Sara\Application Data\Lavasoft
2008-02-27 22:57 729,088 ----a-w C:\WINDOWS\iun6002.exe
2008-02-15 04:49 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-06 20:20 --------- d-----w C:\Program Files\Diskeeper Corporation
2008-02-04 19:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-01-31 06:11 --------- d-----w C:\Program Files\OverDrive Media Console
2008-01-31 06:11 --------- d-----w C:\Documents and Settings\Sara\Application Data\OverDrive
2008-01-11 18:20 553,687 ----a-w C:\Program Files\jv16_regcleaner.exe
2008-01-11 18:07 593,556 ----a-w C:\Program Files\regscrubxpsetup_3.2.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-21 19:26 68856]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-27 12:01 145920]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\Program Files\DVD Region+CSS Free\DVDShell.dll [2004-10-09 15:18 49152]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"21439:TCP"= 21439:TCP:BitComet 21439 TCP
"21439:UDP"= 21439:UDP:BitComet 21439 UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 12:50]
S2 UMAXPCLS;Print Port Scanner Driver;C:\WINDOWS\system32\DRIVERS\umaxpcls.sys [2001-08-17 15:58]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 WUSB54GPV4SRV;Linksys Home Wireless-G USB Adaptor Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2005-10-17 21:50]
S3 ZD1211BU(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2006-06-27 16:32]
S4 WUSB54Gv42SVC;WUSB54Gv42SVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder
"2008-03-26 14:00:00 C:\WINDOWS\Tasks\AB7F8E61911401CD.job"
- c:\docume~1\sara\applic~1\bitsdu~1\Show First Intra.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-26 08:26:57
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\tcpsvcs.exe
.
**************************************************************************
.
Completion time: 2008-03-26 8:29:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-26 14:29:38
.
2008-03-22 07:44:35 --- E O F ---
Glad to hear that DAFT worked. :)
Seems your missing an important part of your operating system. Let's get it reinstalled in case you ever need it.
Nothing is going to change on your computer other than we are going to reinstall the Recovery Console.
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System
http://i266.photobucket.com/albums/ii277/sUBs_/KB310994.gif
Download the file & save it as it's originally named, to your desktop along with ComboFix.exe.
http://i266.photobucket.com/albums/ii277/sUBs_/rc1.gif
Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.
Please do not reboot your machine until I have reviewed the log.
I read thru the install on combofix and it said for me to do this so I already downloaded the microsoft setup file and tried to drag into combofix like it said but it just jumps someplace else on my desktop and combofix wants to run. Do I let combofix go ahead and run again?
After dragging the setup file onto ComboFix, go ahead and follow these steps:
Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.
cf_rc txt
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
The Recovery Console log looks good. :) You can reboot your computer.
After you've rebooted your computer, follow the instructions below:
Step # 1: Download and Run NoLop
Please Download NoLop to your desktop from one of the links below...
Link 1 (http://www.spywareedge.net/nolop/NoLop.exe)
Link 2 (http://www.spywaretimes.com/Tools/startdown/21/)
Link 3 (http://www.greyknight17.com/spy/NoLop.exe)
First close any other programs you have running as this will require a reboot
Double click NoLop.exe to run it.
Now click the button labelled "Search and Destroy"
<<your computer will now be scanned for infected files>>
When scanning is finished you will be prompted to reboot only if infected, Click OK
Now click the "REBOOT" Button.
A Message should popup from NoLop. If not, double click the program again and it will finish.
Please post the contents of C:\NoLop.log
Note: If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx (http://www.boletrice.com/downloads/mscomctl.ocx) to C:\WINDOWS\system32\ folder then rerun the program.
Step # 2: Run CFScript
Please delete the version of ComboFix you have on your computer, I need you to download the latest version of ComboFix by sUBs here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it to your Desktop.
Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
KillAll::
Registry::
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"http"=dword:00000003
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
http://i266.photobucket.com/albums/ii277/sUBs_/CFScript.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
In your next post/reply, I need to see the following:
1. The NoLop Log
2. The ComboFix Log that appears after Step 2 has been completed.
3. A fresh HiJackThis Log
Use multiple posts if you can't fit everything into one post.
NoLop! Log by Skate_Punk_21
Fix running from: C:\Documents and Settings\Sara\Desktop
[3/27/2008]
[2:33:24 PM]
---Infection Files Found/Removed---
C:\WINDOWS\tasks\AB7F8E61911401CD.job
Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**
---Listing AppData sub directories---
C:\Documents and Settings\Administrator\Application Data\Avg7
C:\Documents and Settings\Administrator\Application Data\Identities
C:\Documents and Settings\Administrator\Application Data\Microsoft
C:\Documents and Settings\Administrator\Application Data\Symantec
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Avg7
C:\Documents and Settings\All Users\Application Data\Brother
C:\Documents and Settings\All Users\Application Data\Cyberlink
C:\Documents and Settings\All Users\Application Data\Google
C:\Documents and Settings\All Users\Application Data\Grisoft
C:\Documents and Settings\All Users\Application Data\Installshield
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
C:\Documents and Settings\All Users\Application Data\Lavasoft
C:\Documents and Settings\All Users\Application Data\Malwarebytes
C:\Documents and Settings\All Users\Application Data\Mcafee
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Microsoft Help
C:\Documents and Settings\All Users\Application Data\Nero
C:\Documents and Settings\All Users\Application Data\Playfirst
C:\Documents and Settings\All Users\Application Data\Scansoft
C:\Documents and Settings\All Users\Application Data\Siteadvisor
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Temp -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\All Users\Application Data\Winferno
C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Localservice\Application Data\Avg7 -- EMPTY Directory
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Symantec
C:\Documents and Settings\Sara\Application Data\Adobe
C:\Documents and Settings\Sara\Application Data\Ahead
C:\Documents and Settings\Sara\Application Data\Avg7
C:\Documents and Settings\Sara\Application Data\Cyberlink
C:\Documents and Settings\Sara\Application Data\Google
C:\Documents and Settings\Sara\Application Data\Gtopala
C:\Documents and Settings\Sara\Application Data\Help
C:\Documents and Settings\Sara\Application Data\Identities
C:\Documents and Settings\Sara\Application Data\Lavasoft -- EMPTY Directory
C:\Documents and Settings\Sara\Application Data\Macromedia
C:\Documents and Settings\Sara\Application Data\Malwarebytes
C:\Documents and Settings\Sara\Application Data\Microsoft
C:\Documents and Settings\Sara\Application Data\Nero
C:\Documents and Settings\Sara\Application Data\Overdrive
C:\Documents and Settings\Sara\Application Data\Pc-fax Tx
C:\Documents and Settings\Sara\Application Data\Solsuite
C:\Documents and Settings\Sara\Application Data\Sun
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:55:43 PM, on 3/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Sara\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
--
End of file - 5499 bytes
ComboFix 08-03-26.3 - Sara 2008-03-27 14:47:23.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.257 [GMT -6:00]
Running from: C:\Documents and Settings\Sara\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sara\Desktop\cfscripttxt.txt
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-02-27 to 2008-03-27 )))))))))))))))))))))))))))))))
.
2008-03-27 14:33 . 2008-03-27 14:35 <DIR> d-------- C:\NoLopBackups
2008-03-26 17:11 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-03-26 17:11 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-03-26 17:11 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-03-26 17:11 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-03-25 18:08 . 2008-03-25 18:08 4,608,744 --a------ C:\Program Files\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
2008-03-25 14:37 . 2008-03-25 14:37 <DIR> d-------- C:\Program Files\DVD Region+CSS Free
2008-03-25 14:37 . 2008-03-27 14:13 67 --a------ C:\WINDOWS\DVDRegionFree.INI
2008-03-24 13:22 . 2008-03-24 13:22 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-24 13:22 . 2008-03-24 13:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-24 12:53 . 2008-03-24 12:53 <DIR> d-------- C:\Program Files\ERUNT
2008-03-24 12:52 . 2008-03-24 12:53 791,393 --a------ C:\Program Files\erunt-setup.exe
2008-03-24 00:50 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-24 00:49 . 2008-03-24 00:50 <DIR> d-------- C:\Program Files\Java
2008-03-24 00:49 . 2008-03-24 00:49 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-23 17:41 . 2008-03-23 17:41 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-23 17:41 . 2008-03-23 17:41 <DIR> d-------- C:\Documents and Settings\Sara\Application Data\Malwarebytes
2008-03-23 17:41 . 2008-03-23 17:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-22 01:43 . 2008-03-22 01:43 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-21 20:20 . 2008-03-25 15:40 <DIR> d-------- C:\Documents and Settings\Sara\Application Data\SolSuite
2008-03-21 18:44 . 2008-03-21 18:44 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-21 18:44 . 2008-03-21 18:44 2,549 --a------ C:\WINDOWS\unins000.dat
2008-03-21 18:28 . 2008-03-23 17:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-21 18:27 . 2008-03-21 18:48 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-20 20:26 . 2008-03-21 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-03-20 20:15 . 2008-03-21 17:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-20 20:15 . 2008-03-20 20:15 38,473,056 --a------ C:\Program Files\CNET_VSP30days.exe
2008-03-20 20:09 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-20 20:09 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-20 12:41 . 2008-03-20 12:41 50 --a------ C:\WINDOWS\BRQIKMON.INI
2008-03-20 12:40 . 2008-03-21 14:50 <DIR> d-------- C:\Documents and Settings\Sara\Application Data\PC-FAX TX
2008-03-19 20:05 . 2004-12-03 01:26 188,416 --a------ C:\WINDOWS\system32\PDRVINST.DLL
2008-03-19 20:05 . 2006-01-17 01:03 126,976 --a------ C:\WINDOWS\system32\BrfxD05a.dll
2008-03-19 20:05 . 2005-06-02 01:09 86,016 --a------ C:\WINDOWS\system32\BrWebIns.dll
2008-03-19 20:05 . 2005-06-02 01:08 69,632 --a------ C:\WINDOWS\system32\BRWEBUP.EXE
2008-03-19 20:05 . 2001-11-15 01:00 6,224 --a------ C:\WINDOWS\CVRPAGE.BMP
2008-03-19 20:05 . 2008-03-21 14:50 0 --a------ C:\WINDOWS\brdfxspd.dat
2008-03-19 20:04 . 2008-03-19 20:04 <DIR> d-------- C:\Program Files\Common Files\ScanSoft Shared
2008-03-19 20:04 . 2008-03-19 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-03-19 20:04 . 2003-09-24 11:36 27,019 --a------ C:\WINDOWS\maxlink.ini
2008-03-19 19:58 . 2008-03-19 19:58 0 --------- C:\Bro59.tmp
2008-03-19 19:55 . 2008-03-21 19:58 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-03-19 19:18 . 2008-03-19 20:06 <DIR> d-------- C:\Program Files\Brother
2008-03-19 09:48 . 2008-03-19 09:52 470 --a------ C:\WINDOWS\wininit.ini
2008-03-16 19:35 . 2008-03-16 19:36 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-03-15 16:10 . 2001-08-18 06:00 1,700,352 --------- C:\WINDOWS\system32\GdiPlus.dll
2008-03-15 16:10 . 2002-11-27 18:26 114,688 --------- C:\WINDOWS\system32\jpegcode.dll
2008-03-15 16:10 . 2002-09-06 18:54 53,248 --------- C:\WINDOWS\system32\AccWrap.dll
2008-03-15 16:10 . 2002-10-29 18:21 45,664 --------- C:\WINDOWS\system32\drivers\CoachVc.sys
2008-03-15 16:10 . 2002-11-22 19:45 41,952 --------- C:\WINDOWS\system32\drivers\CoachUsb.sys
2008-03-15 16:10 . 2002-11-21 12:14 39,424 --------- C:\WINDOWS\system32\CoachWia.dll
2008-03-15 16:10 . 2008-03-16 14:05 22 --a------ C:\Program Files\c310.zip
2008-03-15 10:06 . 2008-03-15 10:06 419 --a------ C:\WINDOWS\BRWMARK.INI
2008-03-15 10:06 . 2008-03-15 10:06 27 --a------ C:\WINDOWS\BRPP2KA.INI
2008-03-15 10:05 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-03-15 10:05 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-03-15 10:05 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-03-15 10:05 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-03-15 10:00 . 2008-03-21 14:50 429 --a------ C:\WINDOWS\Brpfx04a.ini
2008-03-15 10:00 . 2008-03-20 12:40 153 --a------ C:\WINDOWS\brpcfx.ini
2008-03-15 10:00 . 2008-03-19 20:06 50 --a------ C:\WINDOWS\system32\bridf06a.dat
2008-03-15 09:59 . 2008-03-19 19:09 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-03-15 09:59 . 2006-02-24 17:27 1,492,480 --a------ C:\WINDOWS\system32\BrWia06a.dll
2008-03-15 09:59 . 2004-12-10 16:35 147,456 --a------ C:\WINDOWS\brunin03.dll
2008-03-15 09:59 . 2006-02-16 18:49 52,736 --a------ C:\WINDOWS\system32\brinsstr.dll
2008-03-15 09:59 . 2005-12-13 10:53 38,912 --a------ C:\WINDOWS\system32\BrUsi06a.dll
2008-03-15 09:59 . 2004-10-15 12:50 15,295 --a------ C:\WINDOWS\system32\drivers\BrScnUsb.sys
2008-03-15 09:57 . 2008-03-15 09:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-03-15 09:56 . 2008-03-19 20:04 <DIR> d-------- C:\Program Files\ScanSoft
2008-03-15 09:55 . 2008-03-15 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Brother
2008-03-08 11:09 . 2008-03-08 11:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-08 11:08 . 2008-03-08 11:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-27 09:38 . 2001-08-17 23:36 99,328 --a------ C:\WINDOWS\system32\srusd.dll
2008-02-27 09:38 . 2001-08-17 23:36 99,328 --a--c--- C:\WINDOWS\system32\dllcache\srusd.dll
2008-02-27 09:38 . 2001-08-17 23:36 71,680 --a------ C:\WINDOWS\system32\fnfilter.dll
2008-02-27 09:38 . 2001-08-17 23:36 71,680 --a--c--- C:\WINDOWS\system32\dllcache\fnfilter.dll
2008-02-27 09:38 . 2001-08-17 14:53 6,784 --a------ C:\WINDOWS\system32\drivers\serscan.sys
2008-02-27 09:38 . 2001-08-17 14:53 6,784 --a--c--- C:\WINDOWS\system32\dllcache\serscan.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-27 20:43 --------- d-----w C:\Program Files\RegScrubXP
2008-03-22 07:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-21 22:09 --------- d-----w C:\Documents and Settings\Sara\Application Data\AVG7
2008-03-20 22:03 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-20 18:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-20 14:47 --------- d-----w C:\Program Files\Incomplete
2008-03-20 02:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-20 02:05 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-19 14:44 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-17 04:58 --------- d-----w C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor
2008-03-08 17:09 --------- d-----w C:\Program Files\Lavasoft
2008-03-08 17:09 --------- d-----w C:\Documents and Settings\Sara\Application Data\Lavasoft
2008-02-27 22:57 729,088 ----a-w C:\WINDOWS\iun6002.exe
2008-02-15 04:49 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-06 20:20 --------- d-----w C:\Program Files\Diskeeper Corporation
2008-02-04 19:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-01-31 06:11 --------- d-----w C:\Program Files\OverDrive Media Console
2008-01-31 06:11 --------- d-----w C:\Documents and Settings\Sara\Application Data\OverDrive
2008-01-11 18:20 553,687 ----a-w C:\Program Files\jv16_regcleaner.exe
2008-01-11 18:07 593,556 ----a-w C:\Program Files\regscrubxpsetup_3.2.exe
.
((((((((((((((((((((((((((((( snapshot@2008-03-26_ 8.29.25.67 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-27 20:49:53 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6e4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-21 19:26 68856]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-27 12:01 145920]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\PROGRA~1\DVD Region+CSS Free\DVDShell.dll [2004-10-09 15:18 49152]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"21439:TCP"= 21439:TCP:BitComet 21439 TCP
"21439:UDP"= 21439:UDP:BitComet 21439 UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 12:50]
S2 UMAXPCLS;Print Port Scanner Driver;C:\WINDOWS\system32\DRIVERS\umaxpcls.sys [2001-08-17 15:58]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 WUSB54GPV4SRV;Linksys Home Wireless-G USB Adaptor Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2005-10-17 21:50]
S3 ZD1211BU(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2006-06-27 16:32]
S4 WUSB54Gv42SVC;WUSB54Gv42SVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-27 14:50:06
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\tcpsvcs.exe
.
**************************************************************************
.
Completion time: 2008-03-27 14:53:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-27 20:53:39
ComboFix2.txt 2008-03-26 14:29:42
Pre-Run: 4,101,574,656 bytes free
Post-Run: 4,091,527,168 bytes free
.
2008-03-22 07:44:35 --- E O F ---
Hi again.
You need to do the ComboFix part again. The name of the file that you dropped and dragged into ComboFix.exe was wrong, it should be CFScript.txt, you had it as cfscripttxt.txt
Go ahead and delete cfscripttxt.txt from your desktop and follow the steps below, making sure that when you save it in the File Name box, you put just CFScript.txt . And also be sure that "All Files" is selected in the Save as Type box. :)
Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
KillAll::
Registry::
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"http"=dword:00000003
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
http://i266.photobucket.com/albums/ii277/sUBs_/CFScript.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Post the resulting ComboFix log and a fresh HiJackThis log as well.
ComboFix 08-03-26.3 - Sara 2008-03-28 16:46:18.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.276 [GMT -6:00]
Running from: C:\Documents and Settings\Sara\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sara\Desktop\cfscript.txt
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-28 )))))))))))))))))))))))))))))))
.
2008-03-27 14:33 . 2008-03-27 14:35 <DIR> d-------- C:\NoLopBackups
2008-03-26 17:11 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-03-26 17:11 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-03-26 17:11 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-03-26 17:11 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-03-25 18:08 . 2008-03-25 18:08 4,608,744 --a------ C:\Program Files\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
2008-03-25 14:37 . 2008-03-27 14:13 67 --a------ C:\WINDOWS\DVDRegionFree.INI
2008-03-24 12:53 . 2008-03-24 12:53 <DIR> d-------- C:\Program Files\ERUNT
2008-03-24 12:52 . 2008-03-24 12:53 791,393 --a------ C:\Program Files\erunt-setup.exe
2008-03-24 00:50 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-24 00:49 . 2008-03-24 00:50 <DIR> d-------- C:\Program Files\Java
2008-03-24 00:49 . 2008-03-24 00:49 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-23 17:41 . 2008-03-23 17:41 <DIR> d-------- C:\Documents and Settings\Sara\Application Data\Malwarebytes
2008-03-23 17:41 . 2008-03-23 17:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-22 01:43 . 2008-03-22 01:43 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-21 20:20 . 2008-03-25 15:40 <DIR> d-------- C:\Documents and Settings\Sara\Application Data\SolSuite
2008-03-21 18:44 . 2008-03-21 18:44 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-21 18:44 . 2008-03-21 18:44 2,549 --a------ C:\WINDOWS\unins000.dat
2008-03-21 18:28 . 2008-03-23 17:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-21 18:27 . 2008-03-21 18:48 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-20 20:26 . 2008-03-21 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-03-20 20:15 . 2008-03-21 17:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-20 20:15 . 2008-03-20 20:15 38,473,056 --a------ C:\Program Files\CNET_VSP30days.exe
2008-03-20 20:09 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-20 20:09 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-20 12:41 . 2008-03-20 12:41 50 --a------ C:\WINDOWS\BRQIKMON.INI
2008-03-20 12:40 . 2008-03-21 14:50 <DIR> d-------- C:\Documents and Settings\Sara\Application Data\PC-FAX TX
2008-03-19 20:05 . 2004-12-03 01:26 188,416 --a------ C:\WINDOWS\system32\PDRVINST.DLL
2008-03-19 20:05 . 2006-01-17 01:03 126,976 --a------ C:\WINDOWS\system32\BrfxD05a.dll
2008-03-19 20:05 . 2005-06-02 01:09 86,016 --a------ C:\WINDOWS\system32\BrWebIns.dll
2008-03-19 20:05 . 2005-06-02 01:08 69,632 --a------ C:\WINDOWS\system32\BRWEBUP.EXE
2008-03-19 20:05 . 2001-11-15 01:00 6,224 --a------ C:\WINDOWS\CVRPAGE.BMP
2008-03-19 20:05 . 2008-03-28 15:29 0 --a------ C:\WINDOWS\brdfxspd.dat
2008-03-19 20:04 . 2008-03-19 20:04 <DIR> d-------- C:\Program Files\Common Files\ScanSoft Shared
2008-03-19 20:04 . 2008-03-19 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-03-19 20:04 . 2003-09-24 11:36 27,019 --a------ C:\WINDOWS\maxlink.ini
2008-03-19 19:58 . 2008-03-19 19:58 0 --------- C:\Bro59.tmp
2008-03-19 19:55 . 2008-03-21 19:58 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-03-19 19:18 . 2008-03-19 20:06 <DIR> d-------- C:\Program Files\Brother
2008-03-19 09:48 . 2008-03-19 09:52 470 --a------ C:\WINDOWS\wininit.ini
2008-03-16 19:35 . 2008-03-16 19:36 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-03-15 16:10 . 2001-08-18 06:00 1,700,352 --------- C:\WINDOWS\system32\GdiPlus.dll
2008-03-15 16:10 . 2002-11-27 18:26 114,688 --------- C:\WINDOWS\system32\jpegcode.dll
2008-03-15 16:10 . 2002-09-06 18:54 53,248 --------- C:\WINDOWS\system32\AccWrap.dll
2008-03-15 16:10 . 2002-10-29 18:21 45,664 --------- C:\WINDOWS\system32\drivers\CoachVc.sys
2008-03-15 16:10 . 2002-11-22 19:45 41,952 --------- C:\WINDOWS\system32\drivers\CoachUsb.sys
2008-03-15 16:10 . 2002-11-21 12:14 39,424 --------- C:\WINDOWS\system32\CoachWia.dll
2008-03-15 16:10 . 2008-03-16 14:05 22 --a------ C:\Program Files\c310.zip
2008-03-15 10:06 . 2008-03-15 10:06 419 --a------ C:\WINDOWS\BRWMARK.INI
2008-03-15 10:06 . 2008-03-15 10:06 27 --a------ C:\WINDOWS\BRPP2KA.INI
2008-03-15 10:05 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-03-15 10:05 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-03-15 10:05 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-03-15 10:05 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-03-15 10:00 . 2008-03-28 15:34 1,053 --a------ C:\WINDOWS\Brpfx04a.ini
2008-03-15 10:00 . 2008-03-20 12:40 153 --a------ C:\WINDOWS\brpcfx.ini
2008-03-15 10:00 . 2008-03-19 20:06 50 --a------ C:\WINDOWS\system32\bridf06a.dat
2008-03-15 09:59 . 2008-03-19 19:09 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-03-15 09:59 . 2006-02-24 17:27 1,492,480 --a------ C:\WINDOWS\system32\BrWia06a.dll
2008-03-15 09:59 . 2004-12-10 16:35 147,456 --a------ C:\WINDOWS\brunin03.dll
2008-03-15 09:59 . 2006-02-16 18:49 52,736 --a------ C:\WINDOWS\system32\brinsstr.dll
2008-03-15 09:59 . 2005-12-13 10:53 38,912 --a------ C:\WINDOWS\system32\BrUsi06a.dll
2008-03-15 09:59 . 2004-10-15 12:50 15,295 --a------ C:\WINDOWS\system32\drivers\BrScnUsb.sys
2008-03-15 09:57 . 2008-03-15 09:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-03-15 09:56 . 2008-03-19 20:04 <DIR> d-------- C:\Program Files\ScanSoft
2008-03-15 09:55 . 2008-03-15 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Brother
2008-03-08 11:09 . 2008-03-08 11:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-08 11:08 . 2008-03-08 11:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-28 21:35 --------- d-----w C:\Program Files\RegScrubXP
2008-03-22 21:49 86,528 ----a-w C:\WINDOWS\system32\VACFix.exe
2008-03-22 07:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-21 22:09 --------- d-----w C:\Documents and Settings\Sara\Application Data\AVG7
2008-03-20 22:03 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-20 18:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-20 14:47 --------- d-----w C:\Program Files\Incomplete
2008-03-20 02:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-20 02:05 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-19 14:44 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-17 04:58 --------- d-----w C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor
2008-03-15 23:16 82,432 ----a-w C:\WINDOWS\system32\IEDFix.exe
2008-03-12 19:55 40,730 ----a-w C:\WINDOWS\system32\superiorads-uninst.exe
2008-03-08 17:09 --------- d-----w C:\Program Files\Lavasoft
2008-03-08 17:09 --------- d-----w C:\Documents and Settings\Sara\Application Data\Lavasoft
2008-02-27 22:57 729,088 ----a-w C:\WINDOWS\iun6002.exe
2008-02-15 04:49 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-06 20:20 --------- d-----w C:\Program Files\Diskeeper Corporation
2008-02-04 19:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-01-31 06:11 --------- d-----w C:\Program Files\OverDrive Media Console
2008-01-31 06:11 --------- d-----w C:\Documents and Settings\Sara\Application Data\OverDrive
2008-01-11 18:20 553,687 ----a-w C:\Program Files\jv16_regcleaner.exe
2008-01-11 18:07 593,556 ----a-w C:\Program Files\regscrubxpsetup_3.2.exe
2007-12-27 18:02 32 --sha-w C:\WINDOWS\{0C12DB23-1BE2-4364-BFAA-6F5D9129BA61}.dat
2007-12-27 18:05 32 --sha-w C:\WINDOWS\{1B77EDC5-1688-4797-BA2D-7B17CF56CB30}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\{22BE5C96-6912-4844-B877-5B823AD9B260}.dat
2007-12-27 18:04 32 --sha-w C:\WINDOWS\{2E5205F4-C65A-4D26-8D21-D6A2DAA83314}.dat
2007-12-27 18:01 32 --sha-w C:\WINDOWS\{3BD78CE5-4886-4A8D-879E-D3604BF3CBE3}.dat
2007-12-27 18:04 32 --sha-w C:\WINDOWS\{A0337C34-3D4E-449C-8E79-A26151D03235}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\{C354F08C-4F05-4AFA-82AE-342DA03BB497}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\system32\{130E8F94-C662-49ED-AE40-05594E9EFB43}.dat
2007-12-27 18:04 32 --sha-w C:\WINDOWS\system32\{1E4A546D-C55E-4052-A7F5-AE0C5B7534F6}.dat
2007-12-27 18:04 32 --sha-w C:\WINDOWS\system32\{770AD5A9-EAE7-46E2-88C7-7BD6908E39CC}.dat
2007-12-27 18:05 32 --sha-w C:\WINDOWS\system32\{ACB29618-EEF3-4AD4-B2B2-5DBB667C35A1}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\system32\{C71E13F1-33A7-4A76-956F-D297C2A27665}.dat
2007-12-27 18:01 32 --sha-w C:\WINDOWS\system32\{CD413577-1356-422D-AA2E-64C023005796}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\system32\{D4CF1B07-7D22-43F2-A0AF-E389C73077DA}.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-21 19:26 68856]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-27 12:01 145920]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"21439:TCP"= 21439:TCP:BitComet 21439 TCP
"21439:UDP"= 21439:UDP:BitComet 21439 UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 12:50]
S2 UMAXPCLS;Print Port Scanner Driver;C:\WINDOWS\system32\DRIVERS\umaxpcls.sys [2001-08-17 15:58]
S3 WUSB54GPV4SRV;Linksys Home Wireless-G USB Adaptor Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2005-10-17 21:50]
S3 ZD1211BU(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2006-06-27 16:32]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-28 16:49:01
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\tcpsvcs.exe
.
**************************************************************************
.
Completion time: 2008-03-28 16:53:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-28 22:53:14
ComboFix2.txt 2008-03-27 20:53:45
ComboFix3.txt 2008-03-26 14:29:42
Pre-Run: 4,056,543,232 bytes free
Post-Run: 4,046,598,144 bytes free
.
2008-03-22 07:44:35 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:54:45 PM, on 3/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Sara\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
--
End of file - 5581 bytes
We are very close to being done. Just need to get rid of these lines in the HJT log and then you'll be good to go:
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
Let me ask some of my fellow helpers to see if they have any ideas. I'll be back as soon as I can.
that sounds good. Thanks for being so patient with me
Help its back I ran spybot and there is quite abit in there. I got the same message on my desktop and locked out of my task manager again
Post a fresh HiJackThis Log and the Spybot Log as well for me to look over. What does the message on your Desktop say?
Theres a link to down load a antispyware program displayed across my desktop
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:10 AM, on 3/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\All Users\Application Data\cxwzexmn\wlejavqz.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\slidqtgl.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Sara\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {255CC83D-D67A-4217-B804-1C46613A058A} - C:\WINDOWS\system32\jkkLFusr.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: GNX Bingo - {5B9512A7-C919-4035-A08D-8888AA6F5F7A} - C:\WINDOWS\svpekgongrk.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {94BC3D1D-22E9-4744-8ED1-3E08A3B74078} - C:\WINDOWS\system32\ssqPjgeB.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: stfngdvw - {BE39F01C-46FB-4111-9AE9-2F11DC22AF69} - C:\WINDOWS\stfngdvw.dll
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [xthmukzh] C:\WINDOWS\system32\slidqtgl.exe
O4 - HKLM\..\Policies\Explorer\Run: [ZEpzBKFgN1] C:\Documents and Settings\All Users\Application Data\cxwzexmn\wlejavqz.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: ssqPjgeB - C:\WINDOWS\SYSTEM32\ssqPjgeB.dll
O21 - SSODL: sxfnewqb - {E665DDE3-DC65-4628-BAC7-0EDC4EACD70A} - C:\WINDOWS\sxfnewqb.dll
O21 - SSODL: fkdnrwsv - {7C0D3407-91CC-4800-B68F-7647E3608646} - C:\WINDOWS\fkdnrwsv.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
--
End of file - 6540 bytes
--- Search result list ---
Inet Delivery: [SBI $62162B60] User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-842925246-413027322-839522115-1003\Software\Inet Delivery
Inet Delivery: [SBI $6DE54DE3] Uninstall settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-842925246-413027322-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Inet Delivery
Inet Delivery: [SBI $9C3D7D62] Program directory (Directory, nothing done)
C:\Program Files\Inet Delivery\
GoldenPalace.Casino: [SBI $A27AFA55] User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-842925246-413027322-839522115-1003\Software\Golden Palace Casino PT
GoldenPalace.Casino: [SBI $59E76BAB] Uninstall settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-842925246-413027322-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Golden Palace Casino NEW
MagicControl.Agent: [SBI $535C1507] Uninstall settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-842925246-413027322-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mslagent
MagicControl.Agent: [SBI $F133B8D8] Program directory (Directory, nothing done)
C:\WINDOWS\mslagent\
SpySheriff: [SBI $F18F24AD] Class ID (Registry key, nothing done)
HKEY_USERS\S-1-5-21-842925246-413027322-839522115-1003\Software\Classes\CLSID\{0656A137-B161-CADD-9777-E37A75727E78}
SpySheriff: [SBI $D4B25EE3] Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{0656A137-B161-CADD-9777-E37A75727E78}
Smitfraud-C.: [SBI $99A9870C] Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSVPS.MSVPSApp
Smitfraud-C.: [SBI $99A9870C] Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B9512A7-C919-4035-A08D-8888AA6F5F7A}
Smitfraud-C.: [SBI $99A9870C] Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5B9512A7-C919-4035-A08D-8888AA6F5F7A}
Smitfraud-C.gp: [SBI $8419CDF5] Program directory (Directory, nothing done)
C:\Program Files\akl\
Virtumonde.dll: [SBI $8AEDD710] Library (File, nothing done)
C:\WINDOWS\system32\wvUlliGa.dll
Virtumonde.dll: [SBI $E6921A50] Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7283A96B-9275-499F-8AC8-F6338FD49561}
Virtumonde.dll: [SBI $E6921A50] Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7283A96B-9275-499F-8AC8-F6338FD49561}
Microsoft.WindowsSecurityCenter.TaskManager: [SBI $FD4267D3] Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-842925246-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
MediaUpdate: [SBI $407258B6] Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{B8C0220D-763D-49A4-95F4-61DFDEC66EE6}
Virtumonde: [SBI $3BE84E58] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-842925246-413027322-839522115-1003\Software\mwc
Win32.Agent.ac: [SBI $DC5E831C] Settings (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{54645654-2225-4455-44A1-9F4543D34545}
Zlob.Downloader.vcd: [SBI $D8DF6192] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VideoPlugin
spybot
--- Search result list ---
Inet Delivery: [SBI $62162B60] User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-842925246-413027322-839522115-1003\Software\Inet Delivery
Inet Delivery: [SBI $6DE54DE3] Uninstall settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-842925246-413027322-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Inet Delivery
Inet Delivery: [SBI $9C3D7D62] Program directory (Directory, nothing done)
C:\Program Files\Inet Delivery\
GoldenPalace.Casino: [SBI $A27AFA55] User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-842925246-413027322-839522115-1003\Software\Golden Palace Casino PT
GoldenPalace.Casino: [SBI $59E76BAB] Uninstall settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-842925246-413027322-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Golden Palace Casino NEW
MagicControl.Agent: [SBI $535C1507] Uninstall settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-842925246-413027322-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mslagent
MagicControl.Agent: [SBI $F133B8D8] Program directory (Directory, nothing done)
C:\WINDOWS\mslagent\
SpySheriff: [SBI $F18F24AD] Class ID (Registry key, nothing done)
HKEY_USERS\S-1-5-21-842925246-413027322-839522115-1003\Software\Classes\CLSID\{0656A137-B161-CADD-9777-E37A75727E78}
SpySheriff: [SBI $D4B25EE3] Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{0656A137-B161-CADD-9777-E37A75727E78}
Smitfraud-C.: [SBI $99A9870C] Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSVPS.MSVPSApp
Smitfraud-C.: [SBI $99A9870C] Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B9512A7-C919-4035-A08D-8888AA6F5F7A}
Smitfraud-C.: [SBI $99A9870C] Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5B9512A7-C919-4035-A08D-8888AA6F5F7A}
Smitfraud-C.gp: [SBI $8419CDF5] Program directory (Directory, nothing done)
C:\Program Files\akl\
Virtumonde.dll: [SBI $8AEDD710] Library (File, nothing done)
C:\WINDOWS\system32\wvUlliGa.dll
Virtumonde.dll: [SBI $E6921A50] Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7283A96B-9275-499F-8AC8-F6338FD49561}
Virtumonde.dll: [SBI $E6921A50] Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7283A96B-9275-499F-8AC8-F6338FD49561}
Microsoft.WindowsSecurityCenter.TaskManager: [SBI $FD4267D3] Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-842925246-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
MediaUpdate: [SBI $407258B6] Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{B8C0220D-763D-49A4-95F4-61DFDEC66EE6}
Virtumonde: [SBI $3BE84E58] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-842925246-413027322-839522115-1003\Software\mwc
Win32.Agent.ac: [SBI $DC5E831C] Settings (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{54645654-2225-4455-44A1-9F4543D34545}
Zlob.Downloader.vcd: [SBI $D8DF6192] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VideoPlugin
--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---
2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2003-02-02 unins000.exe (51.6.0.0)
2008-03-21 unins001.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2003-03-16 borlndmm.dll (7.0.4.453)
2003-03-16 delphimm.dll (7.0.4.453)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2003-03-16 UnzDll.dll (1.7.0.8)
2003-03-16 ZipDll.dll (1.7.0.8)
2008-03-26 Includes\Cookies.sbi (*)
2007-12-26 Includes\Dialer.sbi (*)
2008-03-26 Includes\DialerC.sbi (*)
2008-03-26 Includes\HeavyDuty.sbi (*)
2008-03-19 Includes\Hijackers.sbi (*)
2008-03-26 Includes\HijackersC.sbi (*)
2008-02-27 Includes\Keyloggers.sbi (*)
2008-03-26 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-03-26 Includes\Malware.sbi (*)
2008-03-26 Includes\MalwareC.sbi (*)
2008-03-26 Includes\PUPS.sbi (*)
2008-03-26 Includes\PUPSC.sbi (*)
2008-03-26 Includes\Revision.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-03-26 Includes\SecurityC.sbi (*)
2008-03-19 Includes\Spybots.sbi (*)
2008-03-26 Includes\SpybotsC.sbi (*)
2007-11-06 Includes\Tracks.uti
2008-03-19 Includes\Trojans.sbi (*)
2008-03-26 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
--- System information ---
Windows XP (Build: 2600) Service Pack 2 (5.1.2600)
/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs
/ Windows / SP1: Microsoft National Language Support Downlevel APIs
/ Windows Media Format 11 SDK: Hotfix for Windows Media Format 11 SDK (KB929399)
/ Windows Media Player 11: Security Update for Windows Media Player 11 (KB936782)
/ Windows Media Player 11: Hotfix for Windows Media Player 11 (KB939683)
/ Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)
/ Windows Media Player 9: Security Update for Windows Media Player 9 (KB936782)
/ Windows XP: Security Update for Windows XP (KB941569)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB938127)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB942615)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB944533)
/ Windows XP / SP10: Microsoft Compression Client Pack 1.0 for Windows XP
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887472
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Security Update for Windows XP (KB893756)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Update for Windows XP (KB894391)
/ Windows XP / SP3: Security Update for Windows XP (KB896358)
/ Windows XP / SP3: Security Update for Windows XP (KB896423)
/ Windows XP / SP3: Security Update for Windows XP (KB896428)
/ Windows XP / SP3: Update for Windows XP (KB898461)
/ Windows XP / SP3: Security Update for Windows XP (KB899587)
/ Windows XP / SP3: Security Update for Windows XP (KB899591)
/ Windows XP / SP3: Update for Windows XP (KB900485)
/ Windows XP / SP3: Security Update for Windows XP (KB900725)
/ Windows XP / SP3: Security Update for Windows XP (KB901017)
/ Windows XP / SP3: Security Update for Windows XP (KB901214)
/ Windows XP / SP3: Security Update for Windows XP (KB902400)
/ Windows XP / SP3: Update for Windows XP (KB904942)
/ Windows XP / SP3: Security Update for Windows XP (KB905414)
/ Windows XP / SP3: Security Update for Windows XP (KB905749)
/ Windows XP / SP3: Security Update for Windows XP (KB908519)
/ Windows XP / SP3: Update for Windows XP (KB908531)
/ Windows XP / SP3: Update for Windows XP (KB910437)
/ Windows XP / SP3: Update for Windows XP (KB911280)
/ Windows XP / SP3: Security Update for Windows XP (KB911562)
/ Windows XP / SP3: Security Update for Windows XP (KB911927)
/ Windows XP / SP3: Security Update for Windows XP (KB913580)
/ Windows XP / SP3: Security Update for Windows XP (KB914388)
/ Windows XP / SP3: Security Update for Windows XP (KB914389)
/ Windows XP / SP3: Hotfix for Windows XP (KB915865)
/ Windows XP / SP3: Update for Windows XP (KB916595)
/ Windows XP / SP3: Security Update for Windows XP (KB917953)
/ Windows XP / SP3: Security Update for Windows XP (KB918118)
/ Windows XP / SP3: Security Update for Windows XP (KB918439)
/ Windows XP / SP3: Security Update for Windows XP (KB919007)
/ Windows XP / SP3: Security Update for Windows XP (KB920213)
/ Windows XP / SP3: Security Update for Windows XP (KB920670)
/ Windows XP / SP3: Security Update for Windows XP (KB920683)
/ Windows XP / SP3: Security Update for Windows XP (KB920685)
/ Windows XP / SP3: Update for Windows XP (KB920872)
/ Windows XP / SP3: Security Update for Windows XP (KB921503)
/ Windows XP / SP3: Update for Windows XP (KB922582)
/ Windows XP / SP3: Security Update for Windows XP (KB922819)
/ Windows XP / SP3: Security Update for Windows XP (KB923191)
/ Windows XP / SP3: Security Update for Windows XP (KB923414)
/ Windows XP / SP3: Security Update for Windows XP (KB923980)
/ Windows XP / SP3: Security Update for Windows XP (KB924270)
/ Windows XP / SP3: Security Update for Windows XP (KB924496)
/ Windows XP / SP3: Security Update for Windows XP (KB924667)
/ Windows XP / SP3: Security Update for Windows XP (KB925902)
/ Windows XP / SP3: Hotfix for Windows XP (KB926239)
/ Windows XP / SP3: Security Update for Windows XP (KB926255)
/ Windows XP / SP3: Security Update for Windows XP (KB926436)
/ Windows XP / SP3: Security Update for Windows XP (KB927779)
/ Windows XP / SP3: Security Update for Windows XP (KB927802)
/ Windows XP / SP3: Update for Windows XP (KB927891)
/ Windows XP / SP3: Security Update for Windows XP (KB928255)
/ Windows XP / SP3: Security Update for Windows XP (KB928843)
/ Windows XP / SP3: Security Update for Windows XP (KB929123)
/ Windows XP / SP3: Security Update for Windows XP (KB930178)
/ Windows XP / SP3: Update for Windows XP (KB930916)
/ Windows XP / SP3: Security Update for Windows XP (KB931261)
/ Windows XP / SP3: Security Update for Windows XP (KB931784)
/ Windows XP / SP3: Security Update for Windows XP (KB932168)
/ Windows XP / SP3: Security Update for Windows XP (KB933729)
/ Windows XP / SP3: Security Update for Windows XP (KB935839)
/ Windows XP / SP3: Security Update for Windows XP (KB935840)
/ Windows XP / SP3: Security Update for Windows XP (KB936021)
/ Windows XP / SP3: Update for Windows XP (KB936357)
/ Windows XP / SP3: Security Update for Windows XP (KB937894)
/ Windows XP / SP3: Security Update for Windows XP (KB938127)
/ Windows XP / SP3: Update for Windows XP (KB938828)
/ Windows XP / SP3: Security Update for Windows XP (KB938829)
/ Windows XP / SP3: Security Update for Windows XP (KB941202)
/ Windows XP / SP3: Security Update for Windows XP (KB941568)
/ Windows XP / SP3: Security Update for Windows XP (KB941644)
/ Windows XP / SP3: Security Update for Windows XP (KB942615)
/ Windows XP / SP3: Update for Windows XP (KB942763)
/ Windows XP / SP3: Update for Windows XP (KB942840)
/ Windows XP / SP3: Security Update for Windows XP (KB943055)
/ Windows XP / SP3: Security Update for Windows XP (KB943460)
/ Windows XP / SP3: Security Update for Windows XP (KB943485)
/ Windows XP / SP3: Security Update for Windows XP (KB944653)
/ Windows XP / SP3: Security Update for Windows XP (KB946026)
/ Windows XP / SP3: Update for Windows XP (KB946627)
--- Startup entries list ---
Located: HK_CU:Run, AVG7_Run
where: .DEFAULT...
command: C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE
file: C:\PROGRA~1\Grisoft\AVG7\avgw.exe
size: 145920
MD5: 736A6ED03365EC50815FF8ED6B2E2147
Located: HK_CU:Run, AVG7_Run
where: S-1-5-19...
command: C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE
file: C:\PROGRA~1\Grisoft\AVG7\avgw.exe
size: 145920
MD5: 736A6ED03365EC50815FF8ED6B2E2147
Located: HK_CU:Run, AVG7_Run
where: S-1-5-20...
command: C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE
file: C:\PROGRA~1\Grisoft\AVG7\avgw.exe
size: 145920
MD5: 736A6ED03365EC50815FF8ED6B2E2147
Located: HK_CU:Run, swg
where: S-1-5-21-842925246-413027322-839522115-1003...
command: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
file: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
size: 68856
MD5: E616A6A6E91B0A86F2F6217CDE835FFE
Located: HK_CU:Run, xthmukzh
where: S-1-5-21-842925246-413027322-839522115-1003...
command: C:\WINDOWS\system32\slidqtgl.exe
file: C:\WINDOWS\system32\slidqtgl.exe
size: 106496
MD5: 6BEA8428DA5FDAC8D2F7AE43CE319A37
Located: HK_CU:Run, AVG7_Run
where: S-1-5-18...
command: C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE
file: C:\PROGRA~1\Grisoft\AVG7\avgw.exe
size: 145920
MD5: 736A6ED03365EC50815FF8ED6B2E2147
Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, igfxcui
command: igfxsrvc.dll
file: igfxsrvc.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, ssqPjgeB
command: ssqPjgeB.dll
file: ssqPjgeB.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
--- Browser helper object list ---
{02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Yahoo! Toolbar Helper
description: Yahoo Companion!
classification: Legitimate
known filename: Ycomp*_*_*_*.dll
info link: http://companion.yahoo.com/
info source: TonyKlein
Path: C:\Program Files\Yahoo!\Companion\Installs\cpn\
Long name: yt.dll
Short name:
Date (created): 12/30/2007 11:18:14 PM
Date (last access): 1/15/2008 1:21:34 PM
Date (last write): 10/26/2006 12:28:40 PM
Filesize: 440384
Attributes: archive
MD5: 2785037CE05B63D5607C9D5DFB2FEEE4
CRC32: 9ED93A02
Version: 2006.10.26.1
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Adobe PDF Reader Link Helper
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\
Long name: AcroIEHelper.dll
Short name:
Date (created): 10/23/2006 12:08:42 AM
Date (last access): 2/7/2008 12:23:28 PM
Date (last write): 10/23/2006 12:08:42 AM
Filesize: 62080
Attributes: archive
MD5: C11F6A1F61481E24BE3FDC06EA6F7D2A
CRC32: E388508F
Version: 8.0.0.456
{255CC83D-D67A-4217-B804-1C46613A058A} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:
Path: C:\WINDOWS\system32\
Long name: jkkLFusr.dll
{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\Spybot - Search & Destroy\
Long name: SDHelper.dll
Short name:
Date (created): 3/16/2003 1:02:00 AM
Date (last access): 3/21/2008 6:48:46 PM
Date (last write): 1/28/2008 11:43:28 AM
Filesize: 1554256
Attributes: archive
MD5: 5248E02EFBCB64D328647CD00E384B85
CRC32: C1B426A9
Version: 1.5.0.11
{5B9512A7-C919-4035-A08D-8888AA6F5F7A} (GNX Bingo)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: GNX Bingo
Path: C:\WINDOWS\
Long name: svpekgongrk.dll
Short name: SVPEKG~1.DLL
Date (created): 3/28/2008 7:09:06 PM
Date (last access): 3/28/2008 7:09:06 PM
Date (last write): 3/28/2008 6:19:44 PM
Filesize: 249856
Attributes: archive
MD5: B2A7B92248D42AD2EF8A53E99FA053F2
CRC32: 42951D78
{7283A96B-9275-499F-8AC8-F6338FD49561} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:
Path: C:\WINDOWS\system32\
Long name: wvUlliGa.dll
Short name:
Date (created): 3/29/2008 12:59:58 AM
Date (last access): 3/29/2008 12:59:58 AM
Date (last write): 3/29/2008 1:00:00 AM
Filesize: 268288
Attributes: archive
MD5: E659B3A914231D5936782738CAF56DDE
CRC32: 42E83E1C
{72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Groove GFS Browser Helper
Path: C:\PROGRA~1\MICROS~2\Office12\
Long name: GrooveShellExtensions.dll
Short name: GRA8E1~1.DLL
Date (created): 10/27/2006 2:48:42 AM
Date (last access): 1/15/2008 1:21:34 PM
Date (last write): 10/27/2006 2:48:42 AM
Filesize: 2210608
Attributes: archive
MD5: 786DD1892B553EFE5A004AC39775C851
CRC32: AAD965C9
Version: 12.0.4518.1014
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: SSVHelper Class
Path: C:\Program Files\Java\jre1.6.0_05\bin\
Long name: ssv.dll
Short name:
Date (created): 3/24/2008 12:49:54 AM
Date (last access): 2/22/2008 2:33:32 AM
Date (last write): 2/22/2008 4:25:20 AM
Filesize: 509328
Attributes: archive
MD5: 5B42CB6A121256465B251840FDB1B2FE
CRC32: 6EF0BCE9
Version: 6.0.50.13
{94BC3D1D-22E9-4744-8ED1-3E08A3B74078} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:
Path: C:\WINDOWS\system32\
Long name: ssqPjgeB.dll
Short name:
Date (created): 3/28/2008 7:08:52 PM
Date (last access): 3/28/2008 7:08:52 PM
Date (last write): 3/28/2008 7:08:52 PM
Filesize: 40448
Attributes: archive
MD5: D58CE94DB3F69AF062E81433E13AE1B7
CRC32: 75FA4495
{AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Google Toolbar Helper
description: Google toolbar
classification: Open for discussion
known filename: googletoolbar.dll<br>googletoolbar*.dll<br>(* = number)<br>googletoolbar_en_*.**-big.dll<br>Googletoolbar_en_*.*.**-deleon.dll
info link: http://toolbar.google.com/
info source: TonyKlein
Path: c:\program files\google\
Long name: GoogleToolbar1.dll
Short name: GOOGLE~1.DLL
Date (created): 1/4/2008 11:51:40 PM
Date (last access): 1/15/2008 1:21:34 PM
Date (last write): 1/4/2008 11:51:40 PM
Filesize: 2403392
Attributes: readonly archive
MD5: 6319F2D4708DBCAE37CFA03DA10782C0
CRC32: D51D8296
Version: 4.0.1601.4978
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Google Toolbar Notifier BHO
Path: C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\
Long name: swg.dll
Short name:
Date (created): 1/21/2008 7:26:02 PM
Date (last access): 1/21/2008 7:26:02 PM
Date (last write): 1/21/2008 7:26:02 PM
Filesize: 323568
Attributes: archive
MD5: 907325051CE9D96D6F0F2766050AD6B2
CRC32: 9287C995
Version: 2.0.1121.2472
--- ActiveX list ---
{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_05
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre1.6.0_05\bin\
Long name: npjpi160_05.dll
Short name:
Date (created): 2/22/2008 2:33:32 AM
Date (last access): 2/22/2008 2:33:32 AM
Date (last write): 2/22/2008 4:25:20 AM
Filesize: 132496
Attributes: archive
MD5: 4FDFB86D78994BD71CBB779A7809E9CD
CRC32: 5A0EB880
Version: 6.0.50.13
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
description:
classification: Open for discussion
known filename:
info link:
info source: Safer Networking Ltd.
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_05
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Path: C:\Program Files\Java\jre1.6.0_05\bin\
Long name: npjpi160_05.dll
Short name:
Date (created): 2/22/2008 2:33:32 AM
Date (last access): 2/22/2008 2:33:32 AM
Date (last write): 2/22/2008 4:25:20 AM
Filesize: 132496
Attributes: archive
MD5: 4FDFB86D78994BD71CBB779A7809E9CD
CRC32: 5A0EB880
Version: 6.0.50.13
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_05
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre1.6.0_05\bin\
Long name: npjpi160_05.dll
Short name:
Date (created): 2/22/2008 2:33:32 AM
Date (last access): 2/22/2008 2:33:32 AM
Date (last write): 2/22/2008 4:25:20 AM
Filesize: 132496
Attributes: archive
MD5: 4FDFB86D78994BD71CBB779A7809E9CD
CRC32: 5A0EB880
Version: 6.0.50.13
--- Process list ---
PID: 0 ( 0) [System]
PID: 664 ( 4) \SystemRoot\System32\smss.exe
size: 50688
PID: 740 ( 664) \??\C:\WINDOWS\system32\csrss.exe
size: 6144
PID: 764 ( 664) \??\C:\WINDOWS\system32\winlogon.exe
size: 502272
PID: 808 ( 764) C:\WINDOWS\system32\services.exe
size: 108032
MD5: C6CE6EEC82F187615D1002BB3BB50ED4
PID: 820 ( 764) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 84885F9B82F4D55C6146EBF6065D75D2
PID: 992 ( 808) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1072 ( 808) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1184 ( 808) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1268 ( 808) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1396 ( 808) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1564 (1528) C:\WINDOWS\Explorer.EXE
size: 1033216
MD5: 97BD6515465659FF8F3B7BE375B2EA87
PID: 1648 ( 808) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: DA81EC57ACD4CDC3D4C51CF3D409AF9F
PID: 1904 (1564) C:\Documents and Settings\All Users\Application Data\cxwzexmn\wlejavqz.exe
size: 36864
MD5: 4687FCD92CACF6684507D9AFBC400AA8
PID: 1912 (1564) C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
size: 68856
MD5: E616A6A6E91B0A86F2F6217CDE835FFE
PID: 1936 (1564) C:\WINDOWS\system32\slidqtgl.exe
size: 106496
MD5: 6BEA8428DA5FDAC8D2F7AE43CE319A37
PID: 1968 ( 808) C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
size: 353280
MD5: 5F4ED1DBA7E1EAECBA443A53DA176485
PID: 1996 ( 808) C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
size: 49664
MD5: 30A14F65DB477DC00A64A5A24E96919C
PID: 2032 ( 808) C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
size: 352768
MD5: F59C5100CB16DB794D5710E8B00629B1
PID: 180 ( 808) C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
size: 921600
MD5: E5BECCD165752E7EC3C8A642A542B4EB
PID: 248 ( 808) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
size: 145184
MD5: 5A432A042DAE460ABE7199B758E8606C
PID: 564 ( 808) C:\WINDOWS\system32\tcpsvcs.exe
size: 19456
MD5: 32933B07FC16D9F778BEE12545FA1B1A
PID: 592 ( 808) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 696 ( 808) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 724 ( 808) C:\WINDOWS\System32\dmadmin.exe
size: 224768
MD5: 554C7CB178FE3BD12450B81AD63ADBC3
PID: 444 ( 808) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: F1958FBF86D5C004CF19A5951A9514B7
PID: 2100 (1564) C:\Program Files\internet explorer\iexplore.exe
size: 625664
MD5: 2703D940A62B731AA220529DD7331A78
PID: 3496 (1564) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 5146448
MD5: 2ECA8CDEED7C82F879E766DA92A3561A
PID: 3736 (1564) C:\WINDOWS\system32\rundll32.exe
size: 33280
MD5: DA285490BBD8A1D0CE6623577D5BA1FF
PID: 4 ( 0) System
--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 3/29/2008 1:29:28 AM
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\windows\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://home.microsoft.com/access/autosearch.asp?p=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\windows\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 5: MSAFD Tcpip [TCP/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 6: MSAFD Tcpip [UDP/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 7: MSAFD Tcpip [RAW/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{6514068E-3682-456E-A6D7-27AEF95FA408}] SEQPACKET 9
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{6514068E-3682-456E-A6D7-27AEF95FA408}] DATAGRAM 9
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{5852F9DE-140E-472E-AF6D-1AC369EF1F5F}] SEQPACKET 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{5852F9DE-140E-472E-AF6D-1AC369EF1F5F}] DATAGRAM 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{66414A4B-9911-47D3-860E-F0C85BB7C63C}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{66414A4B-9911-47D3-860E-F0C85BB7C63C}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{0FDA2B4C-50FB-4AF8-B982-346D2729E66D}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{0FDA2B4C-50FB-4AF8-B982-346D2729E66D}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{67811F43-AD80-47A7-B10F-9AF79C487D7E}] SEQPACKET 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{67811F43-AD80-47A7-B10F-9AF79C487D7E}] DATAGRAM 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{6514068E-3682-456E-A6D7-27AEF95FA408}] SEQPACKET 10
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 19: MSAFD NetBIOS [\Device\NetBT_Tcpip_{6514068E-3682-456E-A6D7-27AEF95FA408}] DATAGRAM 10
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 20: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5852F9DE-140E-472E-AF6D-1AC369EF1F5F}] SEQPACKET 8
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 21: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5852F9DE-140E-472E-AF6D-1AC369EF1F5F}] DATAGRAM 8
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 22: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0FDA2B4C-50FB-4AF8-B982-346D2729E66D}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 23: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0FDA2B4C-50FB-4AF8-B982-346D2729E66D}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 24: MSAFD NetBIOS [\Device\NetBT_Tcpip_{66414A4B-9911-47D3-860E-F0C85BB7C63C}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 25: MSAFD NetBIOS [\Device\NetBT_Tcpip_{66414A4B-9911-47D3-860E-F0C85BB7C63C}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 26: MSAFD NetBIOS [\Device\NetBT_Tcpip_{80A25BA6-188D-4798-8D99-09841D0806FF}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 27: MSAFD NetBIOS [\Device\NetBT_Tcpip_{80A25BA6-188D-4798-8D99-09841D0806FF}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 28: MSAFD NetBIOS [\Device\NetBT_Tcpip_{82AFFB4B-277D-4F98-BC5A-4392F3F321E8}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 29: MSAFD NetBIOS [\Device\NetBT_Tcpip_{82AFFB4B-277D-4F98-BC5A-4392F3F321E8}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP
Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS
Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace
Namespace Provider 3: PNRP Cloud Namespace Provider
GUID: {03FE89CE-766D-4976-B9C1-BB9BC42C7B4D}
Filename: C:\WINDOWS\system32\pnrpnsp.dll
Namespace Provider 4: PNRP Name Namespace Provider
GUID: {03FE89CD-766D-4976-B9C1-BB9BC42C7B4D}
Filename: C:\WINDOWS\system32\pnrpnsp.dll
Delete ComboFix.exe from your Desktop and download an updated version from here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it to your Desktop.
Next, run ComboFix and post back the ComboFix Log.
Also, run MalwareBytes' AntiMalware again. Before running a full scan, be sure to click Updates, then Check for Updates to make sure you have the latest definitions.
Step # 1: Download and Run a RegFix
Download the file here (http://downloads.subratam.org/Fix-Protocol-zones-ranges.reg) and save it to your Desktop. Double-click it and when it asks you if you want to merge, click Ok/Yes
Reboot your Computer.
In your next post, I need to see the following:
1. ComboFix Log.
2. MalwareBytes' Log
3. A fresh HiJackThis Log
Use multiple posts if need be to fit them all in.
Kinda had a hard time it locked me out of my documents but finally got to the logs to copy them. It has downloaded all the same programs plus more again
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:19 PM, on 3/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Documents and Settings\All Users\Application Data\cxwzexmn\wlejavqz.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\tutqlozo.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Sara\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [nfhqfoas] C:\WINDOWS\system32\tutqlozo.exe
O4 - HKLM\..\Policies\Explorer\Run: [ZEpzBKFgN1] C:\Documents and Settings\All Users\Application Data\cxwzexmn\wlejavqz.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
--
End of file - 4609 bytes
Malwarebytes' Anti-Malware 1.09
Database version: 563
Scan type: Full Scan (C:\|)
Objects scanned: 211954
Time elapsed: 51 minute(s), 46 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 16
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 8
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
c:\WINDOWS\system32\ssqPjgeB.dll (Trojan.FakeAlert) -> Unloaded module successfully.
C:\WINDOWS\fkdnrwsv.dll (Trojan.FakeAlert) -> Unloaded module successfully.
C:\WINDOWS\sxfnewqb.dll (Trojan.FakeAlert) -> Unloaded module successfully.
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{94bc3d1d-22e9-4744-8ed1-3e08a3b74078} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{94bc3d1d-22e9-4744-8ed1-3e08a3b74078} (Trojan.FakeAlert) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqpjgeb (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\AdvRemoteDbg (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ONESTEP_SEARCH_SERVICE (Adware.OneStepSearch) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7c0d3407-91cc-4800-b68f-7647e3608646} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{be39f01c-46fb-4111-9ae9-2f11dc22af69} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e665dde3-dc65-4628-bac7-0edc4eacd70a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5b9512a7-c919-4035-a08d-8888aa6f5f7a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5b9512a7-c919-4035-a08d-8888aa6f5f7a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\stfngdvw.bleo (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\stfngdvw.ToolBar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MSVPS.MSVPSApp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VideoPlugin (Trojan.Fakealert) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{94bc3d1d-22e9-4744-8ed1-3e08a3b74078} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\fkdnrwsv (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{be39f01c-46fb-4111-9ae9-2f11dc22af69} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\sxfnewqb (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\WINDOWS\system32smp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
Files Infected:
c:\WINDOWS\system32\ssqPjgeB.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\System Volume Information\_restore{CC3F1C1E-C032-4245-B818-E8D2A45D6868}\RP9\A0001820.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32smp\msrc.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\dwltqnmx.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\fkdnrwsv.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\stfngdvw.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\sxfnewqb.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\svpekgongrk.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
ComboFix 08-03-29.1 - Sara 2008-03-29 21:40:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.226 [GMT -6:00]
Running from: C:\Documents and Settings\Sara\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\a.bat
C:\WINDOWS\base64.tmp
C:\WINDOWS\bdn.com
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\iTunesMusic.exe
C:\WINDOWS\mssecu.exe
C:\WINDOWS\system32\PXHNmnmp.ini2
C:\WINDOWS\system32\rsuFLkkj.ini
C:\WINDOWS\system32\rsuFLkkj.ini2
C:\WINDOWS\system32akttzn.exe
C:\WINDOWS\system32anticipator.dll
C:\WINDOWS\system32awtoolb.dll
C:\WINDOWS\system32bdn.com
C:\WINDOWS\system32bsva-egihsg52.exe
C:\WINDOWS\system32dpcproxy.exe
C:\WINDOWS\system32emesx.dll
C:\WINDOWS\system32h@tkeysh@@k.dll
C:\WINDOWS\system32hoproxy.dll
C:\WINDOWS\system32hxiwlgpm.dat
C:\WINDOWS\system32hxiwlgpm.exe
C:\WINDOWS\system32medup012.dll
C:\WINDOWS\system32medup020.dll
C:\WINDOWS\system32msgp.exe
C:\WINDOWS\system32msnbho.dll
C:\WINDOWS\system32mssecu.exe
C:\WINDOWS\system32msvchost.exe
C:\WINDOWS\system32mtr2.exe
C:\WINDOWS\system32mwin32.exe
C:\WINDOWS\system32netode.exe
C:\WINDOWS\system32newsd32.exe
C:\WINDOWS\system32ps1.exe
C:\WINDOWS\system32psof1.exe
C:\WINDOWS\system32psoft1.exe
C:\WINDOWS\system32regc64.dll
C:\WINDOWS\system32regm64.dll
C:\WINDOWS\system32Rundl1.exe
C:\WINDOWS\system32sncntr.exe
C:\WINDOWS\system32ssurf022.dll
C:\WINDOWS\system32ssvchost.com
C:\WINDOWS\system32ssvchost.exe
C:\WINDOWS\system32sysreq.exe
C:\WINDOWS\system32taack.dat
C:\WINDOWS\system32taack.exe
C:\WINDOWS\system32temp#01.exe
C:\WINDOWS\system32thun.dll
C:\WINDOWS\system32thun32.dll
C:\WINDOWS\system32VBIEWER.OCX
C:\WINDOWS\system32vbsys2.dll
C:\WINDOWS\system32vcatchpi.dll
C:\WINDOWS\system32winlogonpc.exe
C:\WINDOWS\system32winsystem.exe
C:\WINDOWS\system32WINWGPX.EXE
C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\winsystem.exe
C:\WINDOWS\zip1.tmp
C:\WINDOWS\zip2.tmp
C:\WINDOWS\zip3.tmp
C:\WINDOWS\zipped.tmp
.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-30 )))))))))))))))))))))))))))))))
.
2008-03-29 21:36 . 2008-03-29 21:36 <DIR> d-------- C:\Program Files\PC-Cleaner
2008-03-29 21:16 . 2008-03-29 21:16 106,496 --a------ C:\WINDOWS\system32\zylunifg.exe
2008-03-29 00:55 . 2008-03-29 00:55 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-29 00:25 . 2008-03-29 00:25 106,496 --a------ C:\WINDOWS\system32\slidqtgl.exe
2008-03-28 22:10 . 2008-03-28 22:10 98,304 --a------ C:\WINDOWS\system32\uzafibet.exe
2008-03-28 21:14 . 2004-08-03 22:58 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2008-03-28 21:14 . 2004-08-03 22:58 5,504 --a--c--- C:\WINDOWS\system32\dllcache\mstee.sys
2008-03-28 21:11 . 2004-08-04 00:56 90,624 --a------ C:\WINDOWS\system32\kswdmcap.ax
2008-03-28 19:08 . 2008-03-28 19:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\cxwzexmn
2008-03-28 19:08 . 2008-03-28 19:08 110,592 --a------ C:\WINDOWS\system32\yrytyhar.exe
2008-03-27 14:33 . 2008-03-27 14:35 <DIR> d-------- C:\NoLopBackups
2008-03-26 17:11 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-03-26 17:11 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-03-26 17:11 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-03-26 17:11 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-03-25 18:08 . 2008-03-25 18:08 4,608,744 --a------ C:\Program Files\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
2008-03-25 14:37 . 2008-03-27 14:13 67 --a------ C:\WINDOWS\DVDRegionFree.INI
2008-03-24 12:53 . 2008-03-24 12:53 <DIR> d-------- C:\Program Files\ERUNT
2008-03-24 12:52 . 2008-03-24 12:53 791,393 --a------ C:\Program Files\erunt-setup.exe
2008-03-24 00:50 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-24 00:49 . 2008-03-24 00:50 <DIR> d-------- C:\Program Files\Java
2008-03-24 00:49 . 2008-03-24 00:49 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-23 17:41 . 2008-03-23 17:41 <DIR> d-------- C:\Documents and Settings\Sara\Application Data\Malwarebytes
2008-03-23 17:41 . 2008-03-23 17:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-22 14:32 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-22 14:32 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-22 14:32 . 2008-03-22 15:49 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-22 14:32 . 2008-03-15 17:16 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-22 14:32 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-03-22 14:32 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-22 14:32 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-22 14:32 . 2008-03-22 18:18 1,140 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-22 01:43 . 2008-03-22 01:43 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-21 20:20 . 2008-03-25 15:40 <DIR> d-------- C:\Documents and Settings\Sara\Application Data\SolSuite
2008-03-21 18:44 . 2008-03-21 18:44 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-21 18:44 . 2008-03-21 18:44 2,549 --a------ C:\WINDOWS\unins000.dat
2008-03-21 18:28 . 2008-03-28 19:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-21 18:27 . 2008-03-21 18:48 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-20 20:26 . 2008-03-21 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-03-20 20:15 . 2008-03-21 17:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-20 20:15 . 2008-03-20 20:15 38,473,056 --a------ C:\Program Files\CNET_VSP30days.exe
2008-03-20 20:09 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-20 20:09 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-20 12:41 . 2008-03-20 12:41 50 --a------ C:\WINDOWS\BRQIKMON.INI
2008-03-20 12:40 . 2008-03-21 14:50 <DIR> d-------- C:\Documents and Settings\Sara\Application Data\PC-FAX TX
2008-03-19 20:05 . 2004-12-03 01:26 188,416 --a------ C:\WINDOWS\system32\PDRVINST.DLL
2008-03-19 20:05 . 2006-01-17 01:03 126,976 --a------ C:\WINDOWS\system32\BrfxD05a.dll
2008-03-19 20:05 . 2005-06-02 01:09 86,016 --a------ C:\WINDOWS\system32\BrWebIns.dll
2008-03-19 20:05 . 2005-06-02 01:08 69,632 --a------ C:\WINDOWS\system32\BRWEBUP.EXE
2008-03-19 20:05 . 2001-11-15 01:00 6,224 --a------ C:\WINDOWS\CVRPAGE.BMP
2008-03-19 20:05 . 2008-03-28 15:29 0 --a------ C:\WINDOWS\brdfxspd.dat
2008-03-19 20:04 . 2008-03-19 20:04 <DIR> d-------- C:\Program Files\Common Files\ScanSoft Shared
2008-03-19 20:04 . 2008-03-19 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-03-19 20:04 . 2003-09-24 11:36 27,019 --a------ C:\WINDOWS\maxlink.ini
2008-03-19 19:58 . 2008-03-19 19:58 0 --------- C:\Bro59.tmp
2008-03-19 19:55 . 2008-03-21 19:58 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-03-19 19:18 . 2008-03-19 20:06 <DIR> d-------- C:\Program Files\Brother
2008-03-19 09:48 . 2008-03-29 10:18 696 --a------ C:\WINDOWS\wininit.ini
2008-03-16 19:35 . 2008-03-16 19:36 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-03-15 16:10 . 2001-08-18 06:00 1,700,352 --a------ C:\WINDOWS\system32\GdiPlus.dll
2008-03-15 16:10 . 2002-11-27 18:26 114,688 --a------ C:\WINDOWS\system32\jpegcode.dll
2008-03-15 16:10 . 2002-09-06 18:54 53,248 --a------ C:\WINDOWS\system32\AccWrap.dll
2008-03-15 16:10 . 2002-10-29 18:21 45,664 --------- C:\WINDOWS\system32\drivers\CoachVc.sys
2008-03-15 16:10 . 2002-11-22 19:45 41,952 --------- C:\WINDOWS\system32\drivers\CoachUsb.sys
2008-03-15 16:10 . 2002-11-21 12:14 39,424 --a------ C:\WINDOWS\system32\CoachWia.dll
2008-03-15 16:10 . 2008-03-16 14:05 22 --a------ C:\Program Files\c310.zip
2008-03-15 10:06 . 2008-03-15 10:06 419 --a------ C:\WINDOWS\BRWMARK.INI
2008-03-15 10:06 . 2008-03-15 10:06 27 --a------ C:\WINDOWS\BRPP2KA.INI
2008-03-15 10:05 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-03-15 10:05 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-03-15 10:05 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-03-15 10:05 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-03-15 10:00 . 2008-03-28 15:34 1,053 --a------ C:\WINDOWS\Brpfx04a.ini
2008-03-15 10:00 . 2008-03-20 12:40 153 --a------ C:\WINDOWS\brpcfx.ini
2008-03-15 10:00 . 2008-03-19 20:06 50 --a------ C:\WINDOWS\system32\bridf06a.dat
2008-03-15 09:59 . 2008-03-19 19:09 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-03-15 09:59 . 2006-02-24 17:27 1,492,480 --a------ C:\WINDOWS\system32\BrWia06a.dll
2008-03-15 09:59 . 2004-12-10 16:35 147,456 --a------ C:\WINDOWS\brunin03.dll
2008-03-15 09:59 . 2006-02-16 18:49 52,736 --a------ C:\WINDOWS\system32\brinsstr.dll
2008-03-15 09:59 . 2005-12-13 10:53 38,912 --a------ C:\WINDOWS\system32\BrUsi06a.dll
2008-03-15 09:59 . 2004-10-15 12:50 15,295 --a------ C:\WINDOWS\system32\drivers\BrScnUsb.sys
2008-03-15 09:57 . 2008-03-15 09:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-03-15 09:56 . 2008-03-19 20:04 <DIR> d-------- C:\Program Files\ScanSoft
2008-03-15 09:55 . 2008-03-15 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Brother
2008-03-08 11:09 . 2008-03-08 11:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-08 11:08 . 2008-03-08 11:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-27 09:38 . 2001-08-17 23:36 99,328 --a------ C:\WINDOWS\system32\srusd.dll
2008-02-27 09:38 . 2001-08-17 23:36 99,328 --a--c--- C:\WINDOWS\system32\dllcache\srusd.dll
2008-02-27 09:38 . 2001-08-17 23:36 71,680 --a------ C:\WINDOWS\system32\fnfilter.dll
2008-02-27 09:38 . 2001-08-17 23:36 71,680 --a--c--- C:\WINDOWS\system32\dllcache\fnfilter.dll
2008-02-27 09:38 . 2001-08-17 14:53 6,784 --a------ C:\WINDOWS\system32\drivers\serscan.sys
2008-02-27 09:38 . 2001-08-17 14:53 6,784 --a--c--- C:\WINDOWS\system32\dllcache\serscan.sys
2008-02-14 13:06 . 2008-02-14 22:49 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-14 11:50 . 2008-03-25 13:50 <DIR> d-------- C:\Downloads
2008-02-06 19:22 . 2008-03-12 13:55 40,730 --a------ C:\WINDOWS\system32\superiorads-uninst.exe
2008-02-04 13:43 . 2008-02-04 13:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-30 03:37 --------- d-----w C:\Program Files\RegScrubXP
2008-03-22 07:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-21 22:09 --------- d-----w C:\Documents and Settings\Sara\Application Data\AVG7
2008-03-20 22:03 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-20 18:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-20 14:47 --------- d-----w C:\Program Files\Incomplete
2008-03-20 02:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-20 02:05 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-19 14:44 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-17 04:58 --------- d-----w C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor
2008-03-08 17:09 --------- d-----w C:\Program Files\Lavasoft
2008-03-08 17:09 --------- d-----w C:\Documents and Settings\Sara\Application Data\Lavasoft
2008-02-27 22:57 729,088 ----a-w C:\WINDOWS\iun6002.exe
2008-02-06 20:20 --------- d-----w C:\Program Files\Diskeeper Corporation
2008-01-31 06:11 --------- d-----w C:\Program Files\OverDrive Media Console
2008-01-31 06:11 --------- d-----w C:\Documents and Settings\Sara\Application Data\OverDrive
2008-01-11 18:20 553,687 ----a-w C:\Program Files\jv16_regcleaner.exe
2008-01-11 18:07 593,556 ----a-w C:\Program Files\regscrubxpsetup_3.2.exe
2007-12-27 18:02 32 --sha-w C:\WINDOWS\{0C12DB23-1BE2-4364-BFAA-6F5D9129BA61}.dat
2007-12-27 18:05 32 --sha-w C:\WINDOWS\{1B77EDC5-1688-4797-BA2D-7B17CF56CB30}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\{22BE5C96-6912-4844-B877-5B823AD9B260}.dat
2007-12-27 18:04 32 --sha-w C:\WINDOWS\{2E5205F4-C65A-4D26-8D21-D6A2DAA83314}.dat
2007-12-27 18:01 32 --sha-w C:\WINDOWS\{3BD78CE5-4886-4A8D-879E-D3604BF3CBE3}.dat
2007-12-27 18:04 32 --sha-w C:\WINDOWS\{A0337C34-3D4E-449C-8E79-A26151D03235}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\{C354F08C-4F05-4AFA-82AE-342DA03BB497}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\system32\{130E8F94-C662-49ED-AE40-05594E9EFB43}.dat
2007-12-27 18:04 32 --sha-w C:\WINDOWS\system32\{1E4A546D-C55E-4052-A7F5-AE0C5B7534F6}.dat
2007-12-27 18:04 32 --sha-w C:\WINDOWS\system32\{770AD5A9-EAE7-46E2-88C7-7BD6908E39CC}.dat
2007-12-27 18:05 32 --sha-w C:\WINDOWS\system32\{ACB29618-EEF3-4AD4-B2B2-5DBB667C35A1}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\system32\{C71E13F1-33A7-4A76-956F-D297C2A27665}.dat
2007-12-27 18:01 32 --sha-w C:\WINDOWS\system32\{CD413577-1356-422D-AA2E-64C023005796}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\system32\{D4CF1B07-7D22-43F2-A0AF-E389C73077DA}.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-21 19:26 68856]
"nfhqfoas"="C:\WINDOWS\system32\tutqlozo.exe" [2008-03-29 21:43 106496]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-27 12:01 145920]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"ZEpzBKFgN1"= C:\Documents and Settings\All Users\Application Data\cxwzexmn\wlejavqz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"21439:TCP"= 21439:TCP:BitComet 21439 TCP
"21439:UDP"= 21439:UDP:BitComet 21439 UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 12:50]
S2 UMAXPCLS;Print Port Scanner Driver;C:\WINDOWS\system32\DRIVERS\umaxpcls.sys [2001-08-17 15:58]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 WUSB54GPV4SRV;Linksys Home Wireless-G USB Adaptor Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2005-10-17 21:50]
S3 ZD1211BU(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2006-06-27 16:32]
S4 WUSB54Gv42SVC;WUSB54Gv42SVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-29 21:43:24
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-03-29 21:46:07 - machine was rebooted [Sara]
ComboFix-quarantined-files.txt 2008-03-30 03:46:03
ComboFix2.txt 2008-03-28 22:53:19
ComboFix3.txt 2008-03-27 20:53:45
ComboFix4.txt 2008-03-26 14:29:42
Pre-Run: 4,008,738,816 bytes free
Post-Run: 4,000,813,056 bytes free
.
2008-03-22 07:44:35 --- E O F ---
Try to stay offline as much as possible unless you are checking this thread for my instructions.
Step # 1: Add/Remove Programs
Go to Start-Settings-Control Panel, click on Add Remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on remove. Then close the Control Panel.
PC-Cleaner
PCCleaner
PC-Cleaner 2007
PC-Cleaner 2008
PCCleaner 2007
PCCleaner 2008
If any of the above are found, uninstall them.
Step # 2: Run CFScript
Please delete the version of ComboFix you have on your computer, I need you to download the latest version of ComboFix by sUBs here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it to your Desktop.
Also delete the CFScript.txt from your Desktop, you will be creating and running a new one.
Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
KillAll::
File::
C:\WINDOWS\system32\zylunifg.exe
C:\WINDOWS\system32\superiorads-uninst.exe
C:\WINDOWS\system32\slidqtgl.exe
C:\WINDOWS\system32\uzafibet.exe
C:\WINDOWS\system32\yrytyhar.exe
C:\WINDOWS\system32\tutqlozo.exe
Folder::
C:\Program Files\PC-Cleaner
C:\Documents and Settings\All Users\Application Data\cxwzexmn
C:\NoLopBackups
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nfhqfoas"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"ZEpzBKFgN1"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21439:TCP"=-
"21439:UDP"=-
Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
http://i266.photobucket.com/albums/ii277/sUBs_/CFScript.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
In your next post/reply, I need to see the following:
1. ComboFix Log that appears after Step 2 has been done.
2. A fresh HiJackThis Log.
ComboFix 08-03-30.3 - Sara 2008-03-31 10:18:38.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.261 [GMT -6:00]
Running from: C:\Documents and Settings\Sara\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sara\Desktop\cfscript.txt
* Created a new restore point
FILE ::
C:\WINDOWS\system32\slidqtgl.exe
C:\WINDOWS\system32\superiorads-uninst.exe
C:\WINDOWS\system32\tutqlozo.exe
C:\WINDOWS\system32\uzafibet.exe
C:\WINDOWS\system32\yrytyhar.exe
C:\WINDOWS\system32\zylunifg.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\cxwzexmn
C:\Documents and Settings\All Users\Application Data\cxwzexmn\wlejavqz.exe
C:\Documents and Settings\Sara\Desktopblackbird.jpg
C:\Documents and Settings\Sara\DesktopEditorFKWP1.5.exe
C:\Documents and Settings\Sara\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\Sara\Desktopfilemanagerclient.exe
C:\Documents and Settings\Sara\Desktopfkwp1.5.exe
C:\Documents and Settings\Sara\Desktopfkwp2.0.exe
C:\Documents and Settings\Sara\Desktopfwebd.exe
C:\Documents and Settings\Sara\DesktopFWebdEditor.exe
C:\Documents and Settings\Sara\DesktopTrojan.Win32.BlackBird.exe
C:\Documents and Settings\Sara\Desktopvirii
C:\NoLopBackups
C:\NoLopBackups\AB7F8E61911401CD.job.01.infected
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.exe
C:\Program Files\Inet Delivery
C:\Program Files\Inet Delivery\inetdl.exe
C:\Program Files\Inet Delivery\intdel.exe
C:\WINDOWS\a.bat
C:\WINDOWS\base64.tmp
C:\WINDOWS\bdn.com
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\iTunesMusic.exe
C:\WINDOWS\mslagent
C:\WINDOWS\mslagent\2_mslagent.dll
C:\WINDOWS\mslagent\mslagent.exe
C:\WINDOWS\mslagent\uninstall.exe
C:\WINDOWS\mssecu.exe
C:\WINDOWS\system32\slidqtgl.exe
C:\WINDOWS\system32\superiorads-uninst.exe
C:\WINDOWS\system32\tutqlozo.exe
C:\WINDOWS\system32\yrytyhar.exe
C:\WINDOWS\system32\zylunifg.exe
C:\WINDOWS\system32akttzn.exe
C:\WINDOWS\system32anticipator.dll
C:\WINDOWS\system32awtoolb.dll
C:\WINDOWS\system32bdn.com
C:\WINDOWS\system32bsva-egihsg52.exe
C:\WINDOWS\system32dpcproxy.exe
C:\WINDOWS\system32emesx.dll
C:\WINDOWS\system32h@tkeysh@@k.dll
C:\WINDOWS\system32hoproxy.dll
C:\WINDOWS\system32hxiwlgpm.dat
C:\WINDOWS\system32hxiwlgpm.exe
C:\WINDOWS\system32medup012.dll
C:\WINDOWS\system32medup020.dll
C:\WINDOWS\system32msgp.exe
C:\WINDOWS\system32msnbho.dll
C:\WINDOWS\system32mssecu.exe
C:\WINDOWS\system32msvchost.exe
C:\WINDOWS\system32mtr2.exe
C:\WINDOWS\system32mwin32.exe
C:\WINDOWS\system32netode.exe
C:\WINDOWS\system32newsd32.exe
C:\WINDOWS\system32ps1.exe
C:\WINDOWS\system32psof1.exe
C:\WINDOWS\system32psoft1.exe
C:\WINDOWS\system32regc64.dll
C:\WINDOWS\system32regm64.dll
C:\WINDOWS\system32Rundl1.exe
C:\WINDOWS\system32smp
C:\WINDOWS\system32smp\msrc.exe
C:\WINDOWS\system32sncntr.exe
C:\WINDOWS\system32ssurf022.dll
C:\WINDOWS\system32ssvchost.com
C:\WINDOWS\system32ssvchost.exe
C:\WINDOWS\system32sysreq.exe
C:\WINDOWS\system32taack.dat
C:\WINDOWS\system32taack.exe
C:\WINDOWS\system32temp#01.exe
C:\WINDOWS\system32thun.dll
C:\WINDOWS\system32thun32.dll
C:\WINDOWS\system32VBIEWER.OCX
C:\WINDOWS\system32vbsys2.dll
C:\WINDOWS\system32vcatchpi.dll
C:\WINDOWS\system32winlogonpc.exe
C:\WINDOWS\system32winsystem.exe
C:\WINDOWS\system32WINWGPX.EXE
C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\Web\def.htm
C:\WINDOWS\winsystem.exe
C:\WINDOWS\zip1.tmp
C:\WINDOWS\zip2.tmp
C:\WINDOWS\zip3.tmp
C:\WINDOWS\zipped.tmp
.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-31 )))))))))))))))))))))))))))))))
.
2008-03-30 15:33 . 2008-03-30 15:33 90,112 --a------ C:\WINDOWS\system32\kdsryfeh.exe
2008-03-30 11:09 . 2008-03-30 11:09 110,592 --a------ C:\WINDOWS\system32\lajunirw.exe
2008-03-30 08:20 . 2008-03-30 08:20 114,688 --a------ C:\WINDOWS\system32\otmvajkd.exe
2008-03-29 23:53 . 2008-03-29 23:53 110,592 --a------ C:\WINDOWS\system32\ktyhybch.exe
2008-03-29 00:55 . 2008-03-29 00:55 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-28 21:14 . 2004-08-03 22:58 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2008-03-28 21:14 . 2004-08-03 22:58 5,504 --a--c--- C:\WINDOWS\system32\dllcache\mstee.sys
2008-03-28 21:11 . 2004-08-04 00:56 90,624 --a------ C:\WINDOWS\system32\kswdmcap.ax
2008-03-26 17:11 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-03-26 17:11 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-03-26 17:11 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-03-26 17:11 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-03-25 18:08 . 2008-03-25 18:08 4,608,744 --a------ C:\Program Files\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
2008-03-25 14:37 . 2008-03-27 14:13 67 --a------ C:\WINDOWS\DVDRegionFree.INI
2008-03-24 12:53 . 2008-03-24 12:53 <DIR> d-------- C:\Program Files\ERUNT
2008-03-24 12:52 . 2008-03-24 12:53 791,393 --a------ C:\Program Files\erunt-setup.exe
2008-03-24 00:50 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-24 00:49 . 2008-03-24 00:50 <DIR> d-------- C:\Program Files\Java
2008-03-24 00:49 . 2008-03-24 00:49 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-23 17:41 . 2008-03-23 17:41 <DIR> d-------- C:\Documents and Settings\Sara\Application Data\Malwarebytes
2008-03-23 17:41 . 2008-03-23 17:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-22 14:32 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-22 14:32 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-22 14:32 . 2008-03-22 15:49 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-22 14:32 . 2008-03-15 17:16 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-22 14:32 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-03-22 14:32 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-22 14:32 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-22 14:32 . 2008-03-22 18:18 1,140 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-22 01:43 . 2008-03-22 01:43 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-21 20:20 . 2008-03-25 15:40 <DIR> d-------- C:\Documents and Settings\Sara\Application Data\SolSuite
2008-03-21 18:44 . 2008-03-21 18:44 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-21 18:44 . 2008-03-21 18:44 2,549 --a------ C:\WINDOWS\unins000.dat
2008-03-21 18:28 . 2008-03-30 19:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-21 18:27 . 2008-03-21 18:48 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-20 20:26 . 2008-03-21 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-03-20 20:15 . 2008-03-21 17:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-20 20:15 . 2008-03-20 20:15 38,473,056 --a------ C:\Program Files\CNET_VSP30days.exe
2008-03-20 20:09 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-20 20:09 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-20 12:41 . 2008-03-20 12:41 50 --a------ C:\WINDOWS\BRQIKMON.INI
2008-03-20 12:40 . 2008-03-21 14:50 <DIR> d-------- C:\Documents and Settings\Sara\Application Data\PC-FAX TX
2008-03-19 20:05 . 2004-12-03 01:26 188,416 --a------ C:\WINDOWS\system32\PDRVINST.DLL
2008-03-19 20:05 . 2006-01-17 01:03 126,976 --a------ C:\WINDOWS\system32\BrfxD05a.dll
2008-03-19 20:05 . 2005-06-02 01:09 86,016 --a------ C:\WINDOWS\system32\BrWebIns.dll
2008-03-19 20:05 . 2005-06-02 01:08 69,632 --a------ C:\WINDOWS\system32\BRWEBUP.EXE
2008-03-19 20:05 . 2001-11-15 01:00 6,224 --a------ C:\WINDOWS\CVRPAGE.BMP
2008-03-19 20:05 . 2008-03-28 15:29 0 --a------ C:\WINDOWS\brdfxspd.dat
2008-03-19 20:04 . 2008-03-19 20:04 <DIR> d-------- C:\Program Files\Common Files\ScanSoft Shared
2008-03-19 20:04 . 2008-03-19 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-03-19 20:04 . 2003-09-24 11:36 27,019 --a------ C:\WINDOWS\maxlink.ini
2008-03-19 19:58 . 2008-03-19 19:58 0 --------- C:\Bro59.tmp
2008-03-19 19:55 . 2008-03-21 19:58 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-03-19 19:18 . 2008-03-19 20:06 <DIR> d-------- C:\Program Files\Brother
2008-03-19 09:48 . 2008-03-29 10:18 696 --a------ C:\WINDOWS\wininit.ini
2008-03-16 19:35 . 2008-03-16 19:36 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-03-15 16:10 . 2001-08-18 06:00 1,700,352 --a------ C:\WINDOWS\system32\GdiPlus.dll
2008-03-15 16:10 . 2002-11-27 18:26 114,688 --a------ C:\WINDOWS\system32\jpegcode.dll
2008-03-15 16:10 . 2002-09-06 18:54 53,248 --a------ C:\WINDOWS\system32\AccWrap.dll
2008-03-15 16:10 . 2002-10-29 18:21 45,664 --------- C:\WINDOWS\system32\drivers\CoachVc.sys
2008-03-15 16:10 . 2002-11-22 19:45 41,952 --------- C:\WINDOWS\system32\drivers\CoachUsb.sys
2008-03-15 16:10 . 2002-11-21 12:14 39,424 --a------ C:\WINDOWS\system32\CoachWia.dll
2008-03-15 16:10 . 2008-03-16 14:05 22 --a------ C:\Program Files\c310.zip
2008-03-15 10:06 . 2008-03-15 10:06 419 --a------ C:\WINDOWS\BRWMARK.INI
2008-03-15 10:06 . 2008-03-15 10:06 27 --a------ C:\WINDOWS\BRPP2KA.INI
2008-03-15 10:05 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-03-15 10:05 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-03-15 10:05 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-03-15 10:05 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-03-15 10:00 . 2008-03-28 15:34 1,053 --a------ C:\WINDOWS\Brpfx04a.ini
2008-03-15 10:00 . 2008-03-20 12:40 153 --a------ C:\WINDOWS\brpcfx.ini
2008-03-15 10:00 . 2008-03-19 20:06 50 --a------ C:\WINDOWS\system32\bridf06a.dat
2008-03-15 09:59 . 2008-03-19 19:09 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-03-15 09:59 . 2006-02-24 17:27 1,492,480 --a------ C:\WINDOWS\system32\BrWia06a.dll
2008-03-15 09:59 . 2004-12-10 16:35 147,456 --a------ C:\WINDOWS\brunin03.dll
2008-03-15 09:59 . 2006-02-16 18:49 52,736 --a------ C:\WINDOWS\system32\brinsstr.dll
2008-03-15 09:59 . 2005-12-13 10:53 38,912 --a------ C:\WINDOWS\system32\BrUsi06a.dll
2008-03-15 09:59 . 2004-10-15 12:50 15,295 --a------ C:\WINDOWS\system32\drivers\BrScnUsb.sys
2008-03-15 09:57 . 2008-03-15 09:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-03-15 09:56 . 2008-03-19 20:04 <DIR> d-------- C:\Program Files\ScanSoft
2008-03-15 09:55 . 2008-03-15 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Brother
2008-03-08 11:09 . 2008-03-08 11:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-08 11:08 . 2008-03-08 11:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-27 09:38 . 2001-08-17 23:36 99,328 --a------ C:\WINDOWS\system32\srusd.dll
2008-02-27 09:38 . 2001-08-17 23:36 99,328 --a--c--- C:\WINDOWS\system32\dllcache\srusd.dll
2008-02-27 09:38 . 2001-08-17 23:36 71,680 --a------ C:\WINDOWS\system32\fnfilter.dll
2008-02-27 09:38 . 2001-08-17 23:36 71,680 --a--c--- C:\WINDOWS\system32\dllcache\fnfilter.dll
2008-02-27 09:38 . 2001-08-17 14:53 6,784 --a------ C:\WINDOWS\system32\drivers\serscan.sys
2008-02-27 09:38 . 2001-08-17 14:53 6,784 --a--c--- C:\WINDOWS\system32\dllcache\serscan.sys
2008-02-14 13:06 . 2008-02-14 22:49 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-14 11:50 . 2008-03-25 13:50 <DIR> d-------- C:\Downloads
2008-02-04 13:43 . 2008-02-04 13:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-30 18:41 --------- d-----w C:\Program Files\RegScrubXP
2008-03-22 07:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-21 22:09 --------- d-----w C:\Documents and Settings\Sara\Application Data\AVG7
2008-03-20 22:03 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-20 18:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-20 14:47 --------- d-----w C:\Program Files\Incomplete
2008-03-20 02:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-20 02:05 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-19 14:44 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-17 04:58 --------- d-----w C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor
2008-03-08 17:09 --------- d-----w C:\Program Files\Lavasoft
2008-03-08 17:09 --------- d-----w C:\Documents and Settings\Sara\Application Data\Lavasoft
2008-02-27 22:57 729,088 ----a-w C:\WINDOWS\iun6002.exe
2008-02-06 20:20 --------- d-----w C:\Program Files\Diskeeper Corporation
2008-01-31 06:11 --------- d-----w C:\Program Files\OverDrive Media Console
2008-01-31 06:11 --------- d-----w C:\Documents and Settings\Sara\Application Data\OverDrive
2008-01-11 18:20 553,687 ----a-w C:\Program Files\jv16_regcleaner.exe
2008-01-11 18:07 593,556 ----a-w C:\Program Files\regscrubxpsetup_3.2.exe
2007-12-27 18:02 32 --sha-w C:\WINDOWS\{0C12DB23-1BE2-4364-BFAA-6F5D9129BA61}.dat
2007-12-27 18:05 32 --sha-w C:\WINDOWS\{1B77EDC5-1688-4797-BA2D-7B17CF56CB30}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\{22BE5C96-6912-4844-B877-5B823AD9B260}.dat
2007-12-27 18:04 32 --sha-w C:\WINDOWS\{2E5205F4-C65A-4D26-8D21-D6A2DAA83314}.dat
2007-12-27 18:01 32 --sha-w C:\WINDOWS\{3BD78CE5-4886-4A8D-879E-D3604BF3CBE3}.dat
2007-12-27 18:04 32 --sha-w C:\WINDOWS\{A0337C34-3D4E-449C-8E79-A26151D03235}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\{C354F08C-4F05-4AFA-82AE-342DA03BB497}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\system32\{130E8F94-C662-49ED-AE40-05594E9EFB43}.dat
2007-12-27 18:04 32 --sha-w C:\WINDOWS\system32\{1E4A546D-C55E-4052-A7F5-AE0C5B7534F6}.dat
2007-12-27 18:04 32 --sha-w C:\WINDOWS\system32\{770AD5A9-EAE7-46E2-88C7-7BD6908E39CC}.dat
2007-12-27 18:05 32 --sha-w C:\WINDOWS\system32\{ACB29618-EEF3-4AD4-B2B2-5DBB667C35A1}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\system32\{C71E13F1-33A7-4A76-956F-D297C2A27665}.dat
2007-12-27 18:01 32 --sha-w C:\WINDOWS\system32\{CD413577-1356-422D-AA2E-64C023005796}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\system32\{D4CF1B07-7D22-43F2-A0AF-E389C73077DA}.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-21 19:26 68856]
"monhsoca"="C:\WINDOWS\system32\kdsryfeh.exe" [2008-03-30 15:33 90112]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-27 12:01 145920]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 12:50]
S2 UMAXPCLS;Print Port Scanner Driver;C:\WINDOWS\system32\DRIVERS\umaxpcls.sys [2001-08-17 15:58]
S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-03-19 18:31]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 WUSB54GPV4SRV;Linksys Home Wireless-G USB Adaptor Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2005-10-17 21:50]
S3 ZD1211BU(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2006-06-27 16:32]
S4 WUSB54Gv42SVC;WUSB54Gv42SVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-31 10:21:30
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\tcpsvcs.exe
.
**************************************************************************
.
Completion time: 2008-03-31 10:24:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-31 16:24:48
ComboFix2.txt 2008-03-30 03:46:08
ComboFix3.txt 2008-03-28 22:53:19
ComboFix4.txt 2008-03-27 20:53:45
ComboFix5.txt 2008-03-26 14:29:42
Pre-Run: 4,106,502,144 bytes free
Post-Run: 4,095,488,000 bytes free
.
2008-03-22 07:44:35 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:26:53 AM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\kdsryfeh.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Sara\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [monhsoca] C:\WINDOWS\system32\kdsryfeh.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
--
End of file - 4329 bytes
ComboFix got rid of a lot of stuff again, I'm going to have you run another CFScript to get some more. Have you been keeping your computer offline as much as possible?
Step # 1: Run CFScript
Please delete the version of ComboFix you have on your computer, I need you to download the latest version of ComboFix by sUBs here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it to your Desktop.
Also delete the CFScript.txt from your Desktop, you will be creating and running a new one.
Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
KillAll::
File::
C:\WINDOWS\system32\kdsryfeh.exe
C:\WINDOWS\system32\lajunirw.exe
C:\WINDOWS\system32\otmvajkd.exe
C:\WINDOWS\system32\ktyhybch.exe
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"monhsoca"=-
Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
http://i266.photobucket.com/albums/ii277/sUBs_/CFScript.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
In your next post/reply, I need to see the following:
1. ComboFix log that appears after Step 1.
2. A fresh HiJackThis Log.
ComboFix 08-03-30.4 - Sara 2008-03-31 13:20:18.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.242 [GMT -6:00]
Running from: C:\Documents and Settings\Sara\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sara\Desktop\cfscript.txt
* Created a new restore point
FILE ::
C:\WINDOWS\system32\kdsryfeh.exe
C:\WINDOWS\system32\ktyhybch.exe
C:\WINDOWS\system32\lajunirw.exe
C:\WINDOWS\system32\otmvajkd.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\kdsryfeh.exe
C:\WINDOWS\system32\ktyhybch.exe
C:\WINDOWS\system32\lajunirw.exe
C:\WINDOWS\system32\otmvajkd.exe
.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-31 )))))))))))))))))))))))))))))))
.
2008-03-29 00:55 . 2008-03-29 00:55 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-28 21:14 . 2004-08-03 22:58 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2008-03-28 21:14 . 2004-08-03 22:58 5,504 --a--c--- C:\WINDOWS\system32\dllcache\mstee.sys
2008-03-28 21:11 . 2004-08-04 00:56 90,624 --a------ C:\WINDOWS\system32\kswdmcap.ax
2008-03-26 17:11 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-03-26 17:11 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-03-26 17:11 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-03-26 17:11 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-03-25 18:08 . 2008-03-25 18:08 4,608,744 --a------ C:\Program Files\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
2008-03-25 14:37 . 2008-03-27 14:13 67 --a------ C:\WINDOWS\DVDRegionFree.INI
2008-03-24 12:53 . 2008-03-24 12:53 <DIR> d-------- C:\Program Files\ERUNT
2008-03-24 12:52 . 2008-03-24 12:53 791,393 --a------ C:\Program Files\erunt-setup.exe
2008-03-24 00:50 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-24 00:49 . 2008-03-24 00:50 <DIR> d-------- C:\Program Files\Java
2008-03-24 00:49 . 2008-03-24 00:49 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-23 17:41 . 2008-03-23 17:41 <DIR> d-------- C:\Documents and Settings\Sara\Application Data\Malwarebytes
2008-03-23 17:41 . 2008-03-23 17:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-22 14:32 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-22 14:32 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-22 14:32 . 2008-03-22 15:49 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-22 14:32 . 2008-03-15 17:16 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-22 14:32 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-03-22 14:32 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-22 14:32 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-22 14:32 . 2008-03-22 18:18 1,140 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-22 01:43 . 2008-03-22 01:43 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-21 20:20 . 2008-03-25 15:40 <DIR> d-------- C:\Documents and Settings\Sara\Application Data\SolSuite
2008-03-21 18:44 . 2008-03-21 18:44 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-21 18:44 . 2008-03-21 18:44 2,549 --a------ C:\WINDOWS\unins000.dat
2008-03-21 18:28 . 2008-03-31 13:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-21 18:27 . 2008-03-21 18:48 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-20 20:26 . 2008-03-21 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-03-20 20:15 . 2008-03-21 17:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-20 20:15 . 2008-03-20 20:15 38,473,056 --a------ C:\Program Files\CNET_VSP30days.exe
2008-03-20 20:09 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-20 20:09 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-20 12:41 . 2008-03-20 12:41 50 --a------ C:\WINDOWS\BRQIKMON.INI
2008-03-20 12:40 . 2008-03-21 14:50 <DIR> d-------- C:\Documents and Settings\Sara\Application Data\PC-FAX TX
2008-03-19 20:05 . 2004-12-03 01:26 188,416 --a------ C:\WINDOWS\system32\PDRVINST.DLL
2008-03-19 20:05 . 2006-01-17 01:03 126,976 --a------ C:\WINDOWS\system32\BrfxD05a.dll
2008-03-19 20:05 . 2005-06-02 01:09 86,016 --a------ C:\WINDOWS\system32\BrWebIns.dll
2008-03-19 20:05 . 2005-06-02 01:08 69,632 --a------ C:\WINDOWS\system32\BRWEBUP.EXE
2008-03-19 20:05 . 2001-11-15 01:00 6,224 --a------ C:\WINDOWS\CVRPAGE.BMP
2008-03-19 20:05 . 2008-03-28 15:29 0 --a------ C:\WINDOWS\brdfxspd.dat
2008-03-19 20:04 . 2008-03-19 20:04 <DIR> d-------- C:\Program Files\Common Files\ScanSoft Shared
2008-03-19 20:04 . 2008-03-19 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-03-19 20:04 . 2003-09-24 11:36 27,019 --a------ C:\WINDOWS\maxlink.ini
2008-03-19 19:58 . 2008-03-19 19:58 0 --------- C:\Bro59.tmp
2008-03-19 19:55 . 2008-03-21 19:58 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-03-19 19:18 . 2008-03-19 20:06 <DIR> d-------- C:\Program Files\Brother
2008-03-19 09:48 . 2008-03-29 10:18 696 --a------ C:\WINDOWS\wininit.ini
2008-03-16 19:35 . 2008-03-16 19:36 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-03-15 16:10 . 2001-08-18 06:00 1,700,352 --a------ C:\WINDOWS\system32\GdiPlus.dll
2008-03-15 16:10 . 2002-11-27 18:26 114,688 --a------ C:\WINDOWS\system32\jpegcode.dll
2008-03-15 16:10 . 2002-09-06 18:54 53,248 --a------ C:\WINDOWS\system32\AccWrap.dll
2008-03-15 16:10 . 2002-10-29 18:21 45,664 --------- C:\WINDOWS\system32\drivers\CoachVc.sys
2008-03-15 16:10 . 2002-11-22 19:45 41,952 --------- C:\WINDOWS\system32\drivers\CoachUsb.sys
2008-03-15 16:10 . 2002-11-21 12:14 39,424 --a------ C:\WINDOWS\system32\CoachWia.dll
2008-03-15 16:10 . 2008-03-16 14:05 22 --a------ C:\Program Files\c310.zip
2008-03-15 10:06 . 2008-03-15 10:06 419 --a------ C:\WINDOWS\BRWMARK.INI
2008-03-15 10:06 . 2008-03-15 10:06 27 --a------ C:\WINDOWS\BRPP2KA.INI
2008-03-15 10:05 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-03-15 10:05 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-03-15 10:05 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-03-15 10:05 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-03-15 10:00 . 2008-03-28 15:34 1,053 --a------ C:\WINDOWS\Brpfx04a.ini
2008-03-15 10:00 . 2008-03-20 12:40 153 --a------ C:\WINDOWS\brpcfx.ini
2008-03-15 10:00 . 2008-03-19 20:06 50 --a------ C:\WINDOWS\system32\bridf06a.dat
2008-03-15 09:59 . 2008-03-19 19:09 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-03-15 09:59 . 2006-02-24 17:27 1,492,480 --a------ C:\WINDOWS\system32\BrWia06a.dll
2008-03-15 09:59 . 2004-12-10 16:35 147,456 --a------ C:\WINDOWS\brunin03.dll
2008-03-15 09:59 . 2006-02-16 18:49 52,736 --a------ C:\WINDOWS\system32\brinsstr.dll
2008-03-15 09:59 . 2005-12-13 10:53 38,912 --a------ C:\WINDOWS\system32\BrUsi06a.dll
2008-03-15 09:59 . 2004-10-15 12:50 15,295 --a------ C:\WINDOWS\system32\drivers\BrScnUsb.sys
2008-03-15 09:57 . 2008-03-15 09:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-03-15 09:56 . 2008-03-19 20:04 <DIR> d-------- C:\Program Files\ScanSoft
2008-03-15 09:55 . 2008-03-15 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Brother
2008-03-08 11:09 . 2008-03-08 11:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-08 11:08 . 2008-03-08 11:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-27 09:38 . 2001-08-17 23:36 99,328 --a------ C:\WINDOWS\system32\srusd.dll
2008-02-27 09:38 . 2001-08-17 23:36 99,328 --a--c--- C:\WINDOWS\system32\dllcache\srusd.dll
2008-02-27 09:38 . 2001-08-17 23:36 71,680 --a------ C:\WINDOWS\system32\fnfilter.dll
2008-02-27 09:38 . 2001-08-17 23:36 71,680 --a--c--- C:\WINDOWS\system32\dllcache\fnfilter.dll
2008-02-27 09:38 . 2001-08-17 14:53 6,784 --a------ C:\WINDOWS\system32\drivers\serscan.sys
2008-02-27 09:38 . 2001-08-17 14:53 6,784 --a--c--- C:\WINDOWS\system32\dllcache\serscan.sys
2008-02-14 13:06 . 2008-02-14 22:49 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-14 11:50 . 2008-03-25 13:50 <DIR> d-------- C:\Downloads
2008-02-04 13:43 . 2008-02-04 13:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-30 18:41 --------- d-----w C:\Program Files\RegScrubXP
2008-03-22 07:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-21 22:09 --------- d-----w C:\Documents and Settings\Sara\Application Data\AVG7
2008-03-20 22:03 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-20 18:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-20 14:47 --------- d-----w C:\Program Files\Incomplete
2008-03-20 02:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-20 02:05 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-19 14:44 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-17 04:58 --------- d-----w C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor
2008-03-08 17:09 --------- d-----w C:\Program Files\Lavasoft
2008-03-08 17:09 --------- d-----w C:\Documents and Settings\Sara\Application Data\Lavasoft
2008-02-27 22:57 729,088 ----a-w C:\WINDOWS\iun6002.exe
2008-02-06 20:20 --------- d-----w C:\Program Files\Diskeeper Corporation
2008-01-31 06:11 --------- d-----w C:\Program Files\OverDrive Media Console
2008-01-31 06:11 --------- d-----w C:\Documents and Settings\Sara\Application Data\OverDrive
2008-01-11 18:20 553,687 ----a-w C:\Program Files\jv16_regcleaner.exe
2008-01-11 18:07 593,556 ----a-w C:\Program Files\regscrubxpsetup_3.2.exe
2007-12-27 18:02 32 --sha-w C:\WINDOWS\{0C12DB23-1BE2-4364-BFAA-6F5D9129BA61}.dat
2007-12-27 18:05 32 --sha-w C:\WINDOWS\{1B77EDC5-1688-4797-BA2D-7B17CF56CB30}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\{22BE5C96-6912-4844-B877-5B823AD9B260}.dat
2007-12-27 18:04 32 --sha-w C:\WINDOWS\{2E5205F4-C65A-4D26-8D21-D6A2DAA83314}.dat
2007-12-27 18:01 32 --sha-w C:\WINDOWS\{3BD78CE5-4886-4A8D-879E-D3604BF3CBE3}.dat
2007-12-27 18:04 32 --sha-w C:\WINDOWS\{A0337C34-3D4E-449C-8E79-A26151D03235}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\{C354F08C-4F05-4AFA-82AE-342DA03BB497}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\system32\{130E8F94-C662-49ED-AE40-05594E9EFB43}.dat
2007-12-27 18:04 32 --sha-w C:\WINDOWS\system32\{1E4A546D-C55E-4052-A7F5-AE0C5B7534F6}.dat
2007-12-27 18:04 32 --sha-w C:\WINDOWS\system32\{770AD5A9-EAE7-46E2-88C7-7BD6908E39CC}.dat
2007-12-27 18:05 32 --sha-w C:\WINDOWS\system32\{ACB29618-EEF3-4AD4-B2B2-5DBB667C35A1}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\system32\{C71E13F1-33A7-4A76-956F-D297C2A27665}.dat
2007-12-27 18:01 32 --sha-w C:\WINDOWS\system32\{CD413577-1356-422D-AA2E-64C023005796}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\system32\{D4CF1B07-7D22-43F2-A0AF-E389C73077DA}.dat
.
((((((((((((((((((((((((((((( snapshot@2008-03-31_10.24.20.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-31 19:22:29 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6e4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-21 19:26 68856]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-27 12:01 145920]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 12:50]
S2 UMAXPCLS;Print Port Scanner Driver;C:\WINDOWS\system32\DRIVERS\umaxpcls.sys [2001-08-17 15:58]
S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-03-19 18:31]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 WUSB54GPV4SRV;Linksys Home Wireless-G USB Adaptor Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2005-10-17 21:50]
S3 ZD1211BU(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2006-06-27 16:32]
S4 WUSB54Gv42SVC;WUSB54Gv42SVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-31 13:22:40
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\tcpsvcs.exe
.
**************************************************************************
.
Completion time: 2008-03-31 13:26:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-31 19:26:50
ComboFix2.txt 2008-03-31 16:24:55
ComboFix3.txt 2008-03-30 03:46:08
ComboFix4.txt 2008-03-28 22:53:19
ComboFix5.txt 2008-03-27 20:53:45
Pre-Run: 4,136,407,040 bytes free
Post-Run: 4,130,152,448 bytes free
.
2008-03-22 07:44:35 --- E O F ---
There were no programs in the control panel add/remove programs that were on the list. I unplug the cable from the computer so no one can go on line
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:58:16 PM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Sara\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
--
End of file - 4198 bytes
Your latest HJT and ComboFix Logs look good. :)
I want you to run Kaspersky one more time and post the results from the scan, so can we see if anything else is hiding on your computer and get rid of it. And also let me know how your computer is doing now.
Step # 1: Run Kaspersky Online Scan
Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/kos/english/kavwebscan.html)
You must be using Internet Explorer, Kaspersky does not work with Firefox
Click Accept
You will be promted to install an ActiveX component from Kaspersky,
Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
Scan Options:
Scan Archives Scan Mail Bases
Click OK
Now under select a target to scan:
Select My Computer
The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Once finished, save the log to your Desktop as filename KAV.txt
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
comuter is better since the last combofix. The link hasnt come back to my desktop and the other programs havent downloaded themselves anymore thank you
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, March 31, 2008 9:27:18 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 31/03/2008
Kaspersky Anti-Virus database records: 675122
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
Scan Statistics:
Total number of scanned objects: 201720
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 02:32:14
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Sara\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\History\History.IE5\MSHist012008033120080401\index.dat Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\Temp\~DF7542.tmp Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\Temp\~DF754D.tmp Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Sara\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Sara\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Grisoft\AVG7\avg7log.log Object is locked skipped
C:\Program Files\Grisoft\AVG7\avg7log.log.lck Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{CC3F1C1E-C032-4245-B818-E8D2A45D6868}\RP12\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{10AD9FA4-2A21-4945-A21A-C9D84DEB75A0}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_6e4.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\WINDOWS\SYSTEM\EGDHTML_1020.dll Object is locked skipped
D:\System Volume Information\_restore{CC3F1C1E-C032-4245-B818-E8D2A45D6868}\RP12\change.log Object is locked skipped
Scan process completed.
The Kaspersky Log came back clean and you mention that your computer is running fine, it looks like you are good to go. :)
You can delete the following files off your Desktop (if found):
Kav.txt
daft.exe
NoLop.exe
Fix-Protocol-zones-ranges.reg
To remove ComboFix, do the following:
Go to Start > Run - type in ComboFix /u & click OK
Empty your Recyle Bin.
A Firewall is an essential part of computer security and you do not appear to have one running on your system. There are several firewalls that provide better protection than the Windows SP2 firewall.Do not attempt to run two software firewalls since like running two antivirus programs, they will possibly cause problems and conflict with each other.
There are a few firewalls available for free that appear to be good and easy to use:
Comodo (http://www.personalfirewall.comodo.com/)
Jetico Personal Firewall (http://www.jetico.com/jpf2.htm)
Soft perfect (http://www.softperfect.com/products/firewall/)
Sunbelt Kerio Firewall (http://www.sunbelt-software.com/Kerio-Download.cfm)
Please download and install only one!
Once the firewall is installed, check to see that the Windows Firewall is disabled. To do so follow these steps:
1. Click Start, click Run, type Firewall.cpl, and then click OK.
2. On the General tab, check to see if Off (not recommended) is checkmarked/ticked, if it is not, then checkmark/tick the box and click OK
Please take the time to read my All Clean Post.
Please follow these simple steps in order to keep your computer clean and secure:
This is a good time to clear your existing system restore points and establish a new clean restore point: Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Select the More options tab
Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created..
Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.
Make your Internet Explorer more secure This can be done by following these simple instructions: From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub frames across different domains to Prompt When all these settings have been made, click on the OK button.
If it asks you if you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Set correct settings for files that should be hidden in Windows XP
Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
If unchecked please checkHide protected operating system files (Recommended)
If necessary check "Display content of system folders"
If necessary Uncheck Hide file extensions for known file types.
Click OK
Use An Antivirus Software and Keep It Updated - It is very important that your computer has an antivirus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
Visit Microsoft's Windows Update Site Frequently It is important that you visit Microsoft Windows Update (http://www.windowsupdate.com) regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install SpywareBlaster SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
Computer Safety on line Anti Malware (http://forum.malwareremoval.com/viewtopic.php?p=54#54)
Use an alternative instant messenger program.Trillian (http://www.trillian.cc/) and Miranda IM (http://www.miranda-im.com/) These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
Please read Tony Klein's excellent article: How I got Infected in the First Place (http://forums.subratam.org/index.php?showtopic=5931)
Please read Understanding Spyware, Browser Hijackers, and Dialers (http://www.bleepingcomputer.com/forums/tutorial41.html)
Please read Simple and easy ways to keep your computer safe and secure on the Internet (http://www.bleepingcomputer.com/tutorials/tutorial82.html)
If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox (http://www.mozilla.org/products/firefox) or
Opera (http://www.opera.com/download/).
If you decide to use either FireFox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.
Update all these programs regularly Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back (http://spyware-free.us/2006/01/time-to-fight-back.html). Follow these steps and your potential for being infected again will reduce dramatically.
Here's a good website to read about Malware prevention:
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
Good luck!
Please reply one last time so that I know you have read my post and this thread can be closed.
I have done all that is posted for me to do just have to read thru the posts that are there. All is good now thank you so much for your help.
You're welcome. Glad I was able to help. :)