View Full Version : all messed up
i have no my computer or controll panal virus remover two thousand eight won't go away and there are several other problem but my scans say that the system is clean can you please help:aim tog21121- thanks in advance
heres the hjt log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:54: VIRUS ALERT!, on 7/19/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\USB Disk Win98 Driver\Res.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\VirusRemover2008\VRM2008.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\CBTWlanSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ubpr01.exe
c:\program files\linksys\wpc54gv3\wpc54gv3.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Joe\LOCALS~1\Temp\PCPC_Setup_Free.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: {2b4e4f7f-4472-61fb-aef4-302a67bb1291} - {1921bb76-a203-4fea-bf16-2744f7f4e4b2} - C:\WINDOWS\System32\xvfykl.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {D46BEAA4-A304-40B3-A9DA-EC7F7F501F25} - C:\Program Files\Web Technologies\iebt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Internet Service - {65742936-8079-408B-9F3C-874B78030A72} - C:\Program Files\Web Technologies\iebr.dll (file missing)
O3 - Toolbar: (no name) - {3FCAEB7D-F8AE-4A67-AE6C-57EE1416BB6D} - (no file)
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USB Disk Win98 Driver\Res.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lphceosj0e16g] C:\WINDOWS\System32\lphceosj0e16g.exe
O4 - HKLM\..\Run: [2050b7d9] rundll32.exe "C:\WINDOWS\System32\sgmllfjm.dll",b
O4 - HKLM\..\Run: [VirusRemover2008] C:\Program Files\VirusRemover2008\VRM2008.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [wblogon] C:\WINDOWS\System32\ubpr01.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CBT Wlan Service (CBTWlanSrv) - Unknown owner - C:\WINDOWS\CBTWlanSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
--
End of file - 6851 bytes
Baabiouz
2008-07-25, 10:39
Hello kira666
I'll be handling your log to help you get cleaned up. :)
Step #1
Please disable Teatimer as it may interfere with the fix.
First:
Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
Choose Exit Spybot S&D Resident
Second:
Open Spybot S&D
Click Mode, check Advanced Mode
Go To Left Panel, Click Tools, then also in left panel, click Resident
If your firewall raises a question, say OK
Uncheck the box labeled Resident Tea-Timer and OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.
Once your log is clean you can re-enable those settings in TeaTimer.
Step #2
Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
**Note: It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
--------------------------------------------------------------------
Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
Step #3
Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.exe)
Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm (http://www.beyondlogic.org/consulting/processutil/processutil.htm)
Step #4
Please post Combofix log, Smitfraudfix log and a fresh HijackThis log back here :)
ok im having all sorts of problems i followed your directions but to start of I xcan't find how to turn of the tea timer ans im guessing that that is what won't let the combo fix so can you help me find another way to turn of the teatimer cause its not there the way you told me to
Baabiouz
2008-07-25, 18:24
Where did you get stuck?
Can you do this:
* Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
* Choose Exit Spybot S&D Resident
? That will be enough for combofix. :)
yeah that is where I got stuck I could't right click and go to exit resident plus what is the system tray adzactly is it the start menu
Baabiouz
2008-07-25, 19:20
Hello
Ok. Please try this:
# Navigate to C:\Program Files\Spybot - Search & Destroy and run Spybot.
# Click Mode, check Advanced Mode
# Go To Left Panel, Click Tools, then also in left panel, click Resident
# If your firewall raises a question, say OK
# Uncheck the box labeled Resident Tea-Timer and OK any prompts.
# Use File, Exit to terminate Spybot
# Reboot your machine for the changes to take effect.
did it work?
the other problem is the resident teatimer isn't there to turn off that is another spot that I got stuck
i don't know if it helps but just to let you know I have the free version not the other
Baabiouz
2008-07-25, 19:42
Ok.
Please go to Start > Control Panel > Add/Remove Programs (http://www.bleepingcomputer.com/forums/topic42133.html) and uninstall Spybot Search & Destroy. Reboot computer and do the steps 2,3 and 4 :)
as i stated in the original post I don't have the option of going to control panal
but I can start menu spybot unistall right
nvm about deleting it I found how to turn it off
the tea timer is off but the combo fix still won't run it says Date:error check settings
Baabiouz
2008-07-25, 20:46
# Click on Start > Settings > Control Panel.
# Under Programs, click on Uninstall a program.
____________
For Combofix: Remove old Combofix and download new
i did it but combo fix still won't run if its possible can you walk me through this on aim it would make it easier for the both of us
can you walk me through this on aim it would make it easier for the both of us
Emphatically NO.
ok but can you help me still look control panal dosn't work niether does my computer and the teatimer is off but the program won't work so can you find away around it cause i really need this laptop i am going to use it for school next year and we do alot of online stuff at my school but we have few computers.
ok but can you help me still look control panal dosn't work niether does my computer and the teatimer is off but the program won't work so can you find away around it cause i really need this laptop i am going to use it for school next year and we do alot of online stuff at my school but we have few computers.
Please wait for your helper to respond, the only other suggestion is that you take the machine to a shop.
Regards.
http://forums.spybot.info/showthread.php?t=31576
http://forums.spybot.info/showthread.php?t=31537
Baabiouz
2008-07-26, 00:20
Hello Kira666.
Please be patient. I can't be here all the time.
Please remove your Combofix.exe. Let's run Dss:
Deckard's System Scanner (DSS)
Download Deckard's System Scanner here (http://www.techsupportforum.com/sectools/Deckard/dss.exe) & save to your Desktop. Note: You must be logged onto an account with administrator privileges.
Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post in your next reply.
Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.exe)
Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm (http://www.beyondlogic.org/consulting/processutil/processutil.htm)
Please post Smitfraudfix log and Dss logs (main.txt and extra.txt) back here :)
main text
Deckard's System Scanner v20071014.68
Run by Joe on 2008-07-20 06:09:30
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
25: 2008-07-20 13:09:54 UTC - RP282 - Deckard's System Scanner Restore Point
24: 2008-07-19 19:52:17 UTC - RP281 - Removed SUPERAntiSpyware Free Edition
23: 2008-07-19 19:50:37 UTC - RP280 - Removed Ad-Aware
22: 2008-07-19 16:33:05 UTC - RP279 - System Checkpoint
21: 2008-07-18 15:33:41 UTC - RP278 - System Checkpoint
-- First Restore Point --
1: 2008-07-15 17:19:43 UTC - RP258 - Installed LAN-Express ASIL IEEE 802.11 Wireless LAN
Backed up registry hives.
Performed disk cleanup.
-- HijackThis (run as Joe.exe) -------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:11: VIRUS ALERT!, on 7/20/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\USB Disk Win98 Driver\Res.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ubpr01.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\WINDOWS\CBTWlanSrv.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\linksys\wpc54gv3\wpc54gv3.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\Joe\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Joe.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: {2b4e4f7f-4472-61fb-aef4-302a67bb1291} - {1921bb76-a203-4fea-bf16-2744f7f4e4b2} - C:\WINDOWS\System32\xvfykl.dll
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {D46BEAA4-A304-40B3-A9DA-EC7F7F501F25} - C:\Program Files\Web Technologies\iebt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {65742936-8079-408B-9F3C-874B78030A72} - (no file)
O3 - Toolbar: (no name) - {3FCAEB7D-F8AE-4A67-AE6C-57EE1416BB6D} - (no file)
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USB Disk Win98 Driver\Res.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lphceosj0e16g] C:\WINDOWS\System32\lphceosj0e16g.exe
O4 - HKLM\..\Run: [2050b7d9] rundll32.exe "C:\WINDOWS\System32\sgmllfjm.dll",b
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [wblogon] C:\WINDOWS\System32\ubpr01.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CBT Wlan Service (CBTWlanSrv) - Unknown owner - C:\WINDOWS\CBTWlanSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
--
End of file - 5951 bytes
-- File Associations -----------------------------------------------------------
.bat - batfile - DefaultIcon - C:\Program Files\AlienGUIse\Themes\Darkstar Icons\Darkstar.icl,41
.inf - inffile - DefaultIcon - C:\WINDOWS\System32\shell32.dll,69
.ini - inifile - DefaultIcon - C:\Program Files\AlienGUIse\Themes\Darkstar Icons\Darkstar.icl,33
.txt - txtfile - DefaultIcon - C:\Program Files\AlienGUIse\Themes\Darkstar Icons\Darkstar.icl,35
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
S3 CBPMp50 (CBPMp50 NDIS Protocol Driver) - c:\windows\system32\drivers\cbpmp50.sys (file missing)
S3 ENDETECT - c:\progra~1\fronti~1\fronti~1\app\endetect.sys (file missing)
S3 JL2005C (Dual Mode Camera) - c:\windows\system32\drivers\jl2005c.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
S3 L2XPSR - c:\progra~1\fronti~1\fronti~1\app\l2xpsr.sys (file missing)
S3 LOGNT - c:\progra~1\fronti~1\fronti~1\app\lognt.sys (file missing)
S3 NTSTPL1 - c:\progra~1\fronti~1\fronti~1\app\ntstpl1.sys (file missing)
S3 NTSTPL2 - c:\program files\frontiernet\frontiernet dsl attendant\app\ntstpl2.sys <Not Verified; Network TeleSystems, Inc.; TCP Pro>
S3 TAPBIND - c:\progra~1\fronti~1\fronti~1\app\tapbind1.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 CBTWlanSrv (CBT Wlan Service) - c:\windows\cbtwlansrv.exe <Not Verified; ; CBT Wlan Servic Application>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>
-- Device Manager: Disabled ----------------------------------------------------
No disabled devices found.
-- Scheduled Tasks -------------------------------------------------------------
2008-07-19 23:29:48 266 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
2008-07-19 23:29:46 388 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job
2008-07-18 17:15:02 386 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job
-- Files created between 2008-06-20 and 2008-07-20 -----------------------------
2008-07-19 23:36:39 0 d-------- C:\Program Files\1 Click PC Fix
2008-07-19 23:30:00 0 d-------- C:\Documents and Settings\Joe\Application Data\Uniblue
2008-07-19 13:51:34 0 d-------- C:\Program Files\Trend Micro
2008-07-19 12:34:18 0 d-------- C:\Program Files\WallpaperScreensavers.net
2008-07-18 03:16:45 36864 --a------ C:\WINDOWS\System32\wbsys.dll <Not Verified; Stardock.Net, Inc; WindowBlinds 4.x for x86 machines>
2008-07-18 03:16:43 0 d-------- C:\Program Files\Common Files\Stardock
2008-07-18 03:16:42 0 d-------- C:\Program Files\AlienGUIse
2008-07-17 08:12:56 0 d-------- C:\Program Files\VirusRemover2008
2008-07-17 07:23:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-17 05:38:54 0 d-------- C:\Documents and Settings\Joe\Application Data\acccore
2008-07-17 05:37:55 0 d-------- C:\Program Files\AIMTunes
2008-07-17 05:37:24 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-07-17 05:36:29 0 d-------- C:\Program Files\AIM Search
2008-07-17 05:36:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-07-17 05:36:03 0 d-------- C:\Program Files\Viewpoint
2008-07-17 05:36:00 0 d-------- C:\Documents and Settings\All Users\Application Data\acccore
2008-07-17 05:34:31 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-07-17 05:34:31 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-07-17 05:33:14 0 d-------- C:\Program Files\Common Files\AOL
2008-07-17 05:32:58 0 d-------- C:\Program Files\AIM6
2008-07-17 04:32:26 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-17 04:31:57 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-17 04:31:56 0 d-------- C:\Documents and Settings\Joe\Application Data\SUPERAntiSpyware.com
2008-07-17 04:24:16 0 d-------- C:\Program Files\PCPrivacyCleaner
2008-07-17 00:06:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-17 00:03:02 94848 --a------ C:\WINDOWS\System32\sgmllfjm.dll
2008-07-17 00:02:13 116352 --a------ C:\WINDOWS\System32\xvfykl.dll
2008-07-17 00:02:12 116352 --a------ C:\WINDOWS\System32\oltgymag.dll
2008-07-15 10:31:21 113 --a------ C:\tmp2.reg
2008-07-15 10:24:02 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-15 10:22:08 116352 --a------ C:\WINDOWS\System32\pckudo.dll
2008-07-15 10:22:06 116352 --a------ C:\WINDOWS\System32\oidtaude.dll
2008-07-15 10:19:31 417220 --ahs---- C:\WINDOWS\System32\fLlTBJlm.ini2
2008-07-15 10:13:53 163840 --a------ C:\WINDOWS\edel.exe
2008-07-15 10:13:47 0 d-------- C:\Documents and Settings\Joe\Application Data\TmpRecentIcons
2008-07-15 10:13:02 163840 --a------ C:\WINDOWS\erms.exe
2008-07-15 10:13:01 155648 --a------ C:\WINDOWS\agpqlrfm.exe
2008-07-15 10:12:54 60928 --a------ C:\WINDOWS\System32\blphceosj0e16g.scr <Not Verified; Sysinternals; Sysinternals Blue Screen>
2008-07-15 09:56:10 0 d-------- C:\WINDOWS\System32\bits
2008-07-15 09:55:25 0 d-------- C:\WINDOWS\System32\PreInstall
2008-07-15 09:55:15 0 d--h----- C:\WINDOWS\$hf_mig$
2008-07-15 09:54:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-07-15 05:23:36 0 d-------- C:\Program Files\Common Files\xing shared
2008-07-15 04:18:23 0 d-------- C:\Documents and Settings\Joe\Application Data\Real
2008-07-14 21:28:46 0 d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-07-14 21:26:50 335 --a------ C:\WINDOWS\mozregistry.dat
2008-07-14 18:51:48 0 d-------- C:\WINDOWS\System32\SoftwareDistribution
2008-07-14 18:50:18 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-07-14 12:58:41 0 d-------- C:\Program Files\Common Files\Blizzard Entertainment.98e64dfa.temp
2008-07-14 10:20:53 0 d-------- C:\Program Files\Common Files\Blizzard Entertainment.757cb0e5.temp
2008-07-14 09:26:22 0 d-------- C:\WINDOWS\System32\219725
2008-07-14 09:26:21 26624 --a------ C:\WINDOWS\System32\ubpr01.exe
2008-07-14 09:25:37 0 d-------- C:\Program Files\Web Technologies
2008-07-14 09:16:43 0 d-------- C:\Program Files\Common Files\Blizzard Entertainment.2fe54713.temp
2008-07-14 06:57:41 0 d-------- C:\Program Files\Common Files\Blizzard Entertainment.temp
2008-07-13 20:32:05 1160 --a------ C:\WINDOWS\mozver.dat
2008-07-13 17:32:11 0 dr-h----- C:\Documents and Settings\LocalService\Recent
2008-07-13 17:11:37 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-13 17:11:23 0 d-------- C:\Documents and Settings\Joe\Application Data\Mozilla
2008-07-13 17:02:14 33664 --a------ C:\WINDOWS\System32\drivers\BCMWLNPF.SYS <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>
2008-07-13 17:02:10 86016 --a------ C:\WINDOWS\System32\preflib.dll
2008-07-13 17:02:07 69632 --a------ C:\WINDOWS\System32\bcmwlpkt.dll <Not Verified; CACE Technologies; WinPcap low level packet library>
2008-07-13 17:02:05 20480 --a------ C:\WINDOWS\System32\WLTRYSVC.EXE
2008-07-13 17:02:04 2129920 --a------ C:\WINDOWS\System32\WLBCGCBPRO731.DLL <Not Verified; BCGSoft Ltd; BCGControlBar Professional Dynamic Link Library>
2008-07-13 17:02:03 757760 --a------ C:\WINDOWS\System32\bcm1xsup.dll
2008-07-13 12:30:10 106496 --a------ C:\WINDOWS\CBTWlanSrv.exe <Not Verified; ; CBT Wlan Servic Application>
2008-07-13 12:30:02 0 d-------- C:\WINDOWS\System32\ReinstallBackups
2008-07-13 12:29:02 0 d-------- C:\Program Files\Linksys
2008-07-13 12:28:24 0 d-------- C:\Documents and Settings\Joe\Application Data\InstallShield
2008-07-13 12:27:40 94208 -----n--- C:\WINDOWS\UITabCtrl.dll <Not Verified; CyberTAN; UITab Contorl DLL>
2008-07-13 12:27:40 126976 -----n--- C:\WINDOWS\UIListCtrl.dll <Not Verified; CyberTAN; UIList Contorl DLL>
2008-07-13 12:27:40 139264 -----n--- C:\WINDOWS\UIButton.dll <Not Verified; CyberTAN; UIButton Control DLL>
2008-07-13 00:28:37 18944 --a------ C:\WINDOWS\System32\ZDCndis5.sys <Not Verified; ZDC., Inc. (ZDC); ZDC Rawether for Windows>
2008-07-13 00:28:37 102400 --a------ C:\WINDOWS\System32\ZDCN50.dll <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-07-13 00:28:31 0 d-------- C:\Program Files\LanExpress
-- Find3M Report ---------------------------------------------------------------
2008-06-18 05:38:08 0 d-------- C:\Documents and Settings\Joe\Application Data\Macromedia
2008-06-18 05:17:18 0 d-------- C:\Program Files\Kids Cam Sticker Factory
2008-06-18 05:09:14 0 d-------- C:\Program Files\MyDSC2
2008-06-18 05:09:14 0 d-------- C:\Program Files\Mars
2008-06-18 05:09:12 0 d-------- C:\Program Files\JL2005C
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1921bb76-a203-4fea-bf16-2744f7f4e4b2}]
07/17/2008 00:02: VIRUS ALERT! 116352 --a------ C:\WINDOWS\System32\xvfykl.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22}]
05/29/2008 14:33: VIRUS ALERT! 111968 --a------ C:\Program Files\AIM Search\AOLSearch.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25}]
C:\Program Files\Web Technologies\iebt.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USB Storage Toolbox"="C:\Program Files\USB Disk Win98 Driver\Res.EXE" [09/14/2005 20:44: VIRUS ALERT!]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [07/15/2008 05:22: VIRUS ALERT!]
"lphceosj0e16g"="C:\WINDOWS\System32\lphceosj0e16g.exe" []
"2050b7d9"="C:\WINDOWS\System32\sgmllfjm.dll" [07/17/2008 00:03: VIRUS ALERT!]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [08/20/2002 15:08: VIRUS ALERT!]
"wblogon"="C:\WINDOWS\System32\ubpr01.exe" [07/14/2008 09:26: VIRUS ALERT!]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [05/29/2008 14:26: VIRUS ALERT!]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"=1 (0x1)
"StartMenuLogoff"=1 (0x1)
"NoStartMenuMorePrograms"=0 (0x0)
"NoSetFolders"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\AlienGUIse\fastload.dll 12/20/2001 23:34: VIRUS ALERT! 24576 C:\Program Files\AlienGUIse\fastload.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\mlJBTlLf
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
-- Hosts -----------------------------------------------------------------------
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
8910 more entries in hosts file.
-- End of Deckard's System Scanner: finished at 2008-07-20 06:13:16 ------------
extra txt
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------
-- System Information ----------------------------------------------------------
Microsoft Windows XP Home Edition (build 2600) SP 1.0
Architecture: X86; Language: English
CPU 0: Intel Pentium III processor
Percentage of Memory in Use: 43%
Physical Memory (total/avail): 543.48 MiB / 308.23 MiB
Pagefile Memory (total/avail): 1326.98 MiB / 1116.77 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1942.05 MiB
A: is Removable (No Media)
C: is Fixed (FAT32) - 5.58 GiB total, 1.48 GiB free.
D: is CDROM (No Media)
\\.\PHYSICALDRIVE0 - TOSHIBA MK6015MAP - 5.59 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 5.59 GiB - C:
-- Security Center -------------------------------------------------------------
AUOptions is set to notify before install.
-- Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Joe\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MUSCLEMACHINE
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Joe
LOGONSERVER=\\MUSCLEMACHINE
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Mozilla Firefox
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0803
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Joe\LOCALS~1\Temp
TMP=C:\DOCUME~1\Joe\LOCALS~1\Temp
USERDOMAIN=MUSCLEMACHINE
USERNAME=Joe
USERPROFILE=C:\Documents and Settings\Joe
windir=C:\WINDOWS
-- User Profiles ---------------------------------------------------------------
Joe (admin)
-- Add/Remove Programs ---------------------------------------------------------
--> "C:\Program Files\Linksys\WPC54Gv3\bcmwlu00.exe" verbose /rootkey="Software\WPC54Gv3\802.11\UninstallInfo" /rootdir="C:\Program Files\Linksys\WPC54Gv3"
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
AIM 6 --> C:\Program Files\AIM6\uninst.exe
AIM Search --> C:\Program Files\AIM Search\uninstaller.exe AIM Search
AIM Toolbar 5.0 --> "C:\Program Files\AOL\AIM Toolbar 5.0\uninstall.exe"
AIMTunes --> C:\Program Files\AIMTunes\Uninstall.exe
AlienGUIse Theme Manager --> C:\PROGRA~1\ALIENG~1\thememgr.exe /uninstallwise
avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
Bleach Anime 7 --> "C:\Program Files\WallpaperScreensavers.net\uninstall Bleach_A.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Mozilla Firefox (2.0) --> C:\Program Files\Mozilla Firefox\uninstall\uninst.exe
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Sansa Media Converter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D2A0F8F4-CE50-4857-A21C-3061682B2E87}\Setup.exe" -l0x9
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Uninstall Dual Mode Camera --> "C:\Program Files\JL2005C\unins000.exe"
USB Disk Win98 Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4E79A62F-7A2D-4058-BCE0-94E6B9E2F162}\Setup.exe"
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
WPC54Gv3 - WPC54Gv3 --> C:\Program Files\InstallShield Installation Information\{2A2EDF5F-F3C6-4919-AE34-C08A71AD034A}\setup.exe -runfromtemp -l0x0009 -removeonly
-- Application Event Log -------------------------------------------------------
Event Record #/Type660 / Error
Event Submitted/Written: 07/18/2008 09:10:53 AM
Event ID/Source: 0 / pctsSvc.exe
Event Description:
The service process could not connect to the service controller
Event Record #/Type629 / Error
Event Submitted/Written: 07/18/2008 01:01:03 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application SpybotSD.exe, version 1.6.0.30, hang module SpybotSD.exe, version 1.6.0.30, hang address 0x00005994.
Event Record #/Type628 / Error
Event Submitted/Written: 07/18/2008 01:01:02 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application SpybotSD.exe, version 1.6.0.30, hang module SpybotSD.exe, version 1.6.0.30, hang address 0x00005994.
Event Record #/Type566 / Error
Event Submitted/Written: 07/17/2008 01:45:01 AM
Event ID/Source: 1001 / Application Hang
Event Description:
Fault bucket 21955421.
Event Record #/Type565 / Error
Event Submitted/Written: 07/17/2008 01:44:56 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2800.1106, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
-- Security Event Log ----------------------------------------------------------
No Errors/Warnings found.
-- System Event Log ------------------------------------------------------------
Event Record #/Type21161 / Error
Event Submitted/Written: 07/20/2008 00:52:04 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}
Event Record #/Type21134 / Error
Event Submitted/Written: 07/19/2008 10:25:30 PM
Event ID/Source: 7011 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.
Event Record #/Type21133 / Error
Event Submitted/Written: 07/19/2008 10:24:42 PM
Event ID/Source: 7011 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.
Event Record #/Type21130 / Error
Event Submitted/Written: 07/19/2008 10:21:50 PM
Event ID/Source: 4321 / NetBT
Event Description:
The name "MSHOME :1d" could not be registered on the Interface with IP address 192.168.0.3.
The machine with the IP address 192.168.0.2 did not allow the name to be claimed by
this machine.
Event Record #/Type21059 / Warning
Event Submitted/Written: 07/19/2008 02:13:46 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.
-- End of Deckard's System Scanner: finished at 2008-07-20 06:13:16 ------------
rapport report
SmitFraudFix v2.331
Scan done at 6:22:10.90, Sun 07/20/2008
Run from C:\Documents and Settings\Joe\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\USB Disk Win98 Driver\Res.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ubpr01.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\WINDOWS\CBTWlanSrv.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\linksys\wpc54gv3\wpc54gv3.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
hosts file corrupted !
127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\ubpr01.exe FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Joe
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Joe\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
C:\DOCUME~1\ALLUSE~1\STARTM~1\Antivirus Scan.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Spyware Test.url FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\JOE\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
C:\Program Files\Web Technologies\ FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///C:\\WINDOWS\\privacy_danger\\index.htm"
"SubscribedURL"=""
"FriendlyName"="Privacy Protection"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!
IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!
404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="wbsys.dll"
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Linksys Wireless-G Notebook Adapter WPC54G Ver.3 #2 - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1
DNS Server Search Order: 216.165.129.157
HKLM\SYSTEM\CCS\Services\Tcpip\..\{7EF93257-F238-4804-94E7-25B0361247BB}: DhcpNameServer=192.168.0.1 216.165.129.157
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7EF93257-F238-4804-94E7-25B0361247BB}: DhcpNameServer=192.168.0.1 216.165.129.157
HKLM\SYSTEM\CS2\Services\Tcpip\..\{7EF93257-F238-4804-94E7-25B0361247BB}: DhcpNameServer=192.168.0.1 216.165.129.157
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 216.165.129.157
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 216.165.129.157
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 216.165.129.157
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
thnx
Baabiouz
2008-07-26, 10:31
Hello
Step #1
Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
O2 - BHO: {2b4e4f7f-4472-61fb-aef4-302a67bb1291} - {1921bb76-a203-4fea-bf16-2744f7f4e4b2} - C:\WINDOWS\System32\xvfykl.dll
O2 - BHO: (no name) - {D46BEAA4-A304-40B3-A9DA-EC7F7F501F25} - C:\Program Files\Web Technologies\iebt.dll (file missing)
O3 - Toolbar: (no name) - {65742936-8079-408B-9F3C-874B78030A72} - (no file)
O3 - Toolbar: (no name) - {3FCAEB7D-F8AE-4A67-AE6C-57EE1416BB6D} - (no file)
O4 - HKLM\..\Run: [lphceosj0e16g] C:\WINDOWS\System32\lphceosj0e16g.exe
O4 - HKLM\..\Run: [2050b7d9] rundll32.exe "C:\WINDOWS\System32\sgmllfjm.dll",b
O4 - HKCU\..\Run: [wblogon] C:\WINDOWS\System32\ubpr01.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
Step #2
I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.
To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.
Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". This may change, read Viewpoint to Plunge Into Adware (http://www.clickz.com/showPage.html?page=3561546).
I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):
1. Click Start, point to Settings, and then click Control Panel.
2. In Control Panel, under Programs, click on Uninstall a program.
3. Double-click Viewpoint Media Player to start the uninstalling.
Step #3
Backup Your Registry with ERUNT
Please use the following link and scroll down to ERUNT
http://aumha.org/freeware/freeware.php
Click ERUNT ver. 1.1j to download the Erunt.zip
Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.
Note: to restore your registry, go to the folder and start ERDNT.exe
Please run Notepad and paste the following text into a new file:
REGEDIT4
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.
Step #4
Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).
Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
C:\Program Files\VirusRemover2008
C:\WINDOWS\System32\sgmllfjm.dll
C:\WINDOWS\System32\oltgymag.dll
C:\WINDOWS\System32\pckudo.dll
C:\WINDOWS\System32\oidtaude.dll
C:\WINDOWS\System32\fLlTBJlm.ini2
C:\WINDOWS\edel.exe
C:\WINDOWS\erms.exe
C:\WINDOWS\agpqlrfm.exe
C:\WINDOWS\System32\219725
C:\WINDOWS\System32\ubpr01.exe
C:\WINDOWS\System32\mlJBTlLf
C:\WINDOWS\System32\lphceosj0e16g.exe
C:\WINDOWS\System32\xvfykl.dll
Return to OTMoveIt2, right click in the "Paste List Of Files/Folders to Move" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Step #5
You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.
Please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning : running option #2 on a non infected computer will remove your Desktop background.
Step #6
Malwarebytes' Anti-Malware
Download Malwarebytes' Anti-Malware here (http://www.besttechie.net/tools/mbam-setup.exe) and save to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please copy and paste the log back into your next reply
Note:
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Or via the Logs tab when Malwarebytes' Anti-Malware is started.
Step #7
Please post Smitfraudfix log, OtMoveIt log, Mbam log and a fresh HijackThis log back here :)
the repport.txt is way to large to post here what do you want me to do
Malwarebytes' Anti-Malware 1.23
Database version: 995
Windows 5.1.2600 Service Pack 1
3:42:59 AM 7/21/2008
mbam-log-7-21-2008 (03-42-59).txt
Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 64344
Time elapsed: 21 minute(s), 14 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 15
Registry Values Infected: 7
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 24
Memory Processes Infected:
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe (Adware.Hotbar) -> Unloaded process successfully.
Memory Modules Infected:
C:\Program Files\The Weather Channel FW\Framework\wxfw.dll (Adware.Hotbar) -> Delete on reboot.
Registry Keys Infected:
HKEY_CLASSES_ROOT\f406.f406mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\f406.f406mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b1e22eb8-2ae8-4e8e-96ae-74f2a1764533} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{bdbebf18-7615-4971-9ac3-bd6ffb7ad6c1} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dlp.dlpobj (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dlp.dlpobj.1 (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\qndsfmao.bawr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dw4 (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{65742936-8079-408b-9f3c-874b78030a72} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\ (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files\PCPrivacyCleaner (Rogue.PCPrivacyCleaner) -> Quarantined and deleted successfully.
Files Infected:
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\W9OJKNYV\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\HUTV5R32\kb767887[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\WiseInstallUtility.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\TheWeatherChannelUpdate.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\TheWeatherChannelSlnchr.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\TheWeatherChannelqx.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\TheWeatherChannelQC.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\TheWeatherChannelNE.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\07212008_020425\WINDOWS\edel.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\07212008_020425\WINDOWS\erms.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\07212008_020425\WINDOWS\System32\sgmllfjm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\07212008_020425\WINDOWS\System32\pckudo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\07212008_020425\WINDOWS\System32\oidtaude.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\07212008_020425\WINDOWS\System32\219725\219725.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Joe\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus-2008pro.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phceosj0e16g.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blphceosj0e16g.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Joe\Application Data\TmpRecentIcons\antivirus-2008pro.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Joe\My Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Joe\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Joe\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Joe\My Documents\My Documents.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\VirusRemover2008 moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\sgmllfjm.dll
C:\WINDOWS\System32\sgmllfjm.dll NOT unregistered.
C:\WINDOWS\System32\sgmllfjm.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\oltgymag.dll
C:\WINDOWS\System32\oltgymag.dll NOT unregistered.
C:\WINDOWS\System32\oltgymag.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\pckudo.dll
C:\WINDOWS\System32\pckudo.dll NOT unregistered.
C:\WINDOWS\System32\pckudo.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\oidtaude.dll
C:\WINDOWS\System32\oidtaude.dll NOT unregistered.
C:\WINDOWS\System32\oidtaude.dll moved successfully.
C:\WINDOWS\System32\fLlTBJlm.ini2 moved successfully.
C:\WINDOWS\edel.exe moved successfully.
C:\WINDOWS\erms.exe moved successfully.
C:\WINDOWS\agpqlrfm.exe moved successfully.
C:\WINDOWS\System32\219725 moved successfully.
C:\WINDOWS\System32\ubpr01.exe moved successfully.
File/Folder C:\WINDOWS\System32\mlJBTlLf not found.
File/Folder C:\WINDOWS\System32\lphceosj0e16g.exe not found.
File/Folder C:\WINDOWS\System32\xvfykl.dll not found.
OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07212008_020425
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:46:59, on 7/21/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\WINDOWS\CBTWlanSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\Explorer.EXE
c:\program files\linksys\wpc54gv3\wpc54gv3.exe
C:\Program Files\USB Disk Win98 Driver\Res.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\GWHotKey.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USB Disk Win98 Driver\Res.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CBT Wlan Service (CBTWlanSrv) - Unknown owner - C:\WINDOWS\CBTWlanSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 4052 bytes
Baabiouz
2008-07-27, 08:55
Hello
Please upload repport.txt here:
http://rapidshare.com/ And post the link to file here :)
http://rapidshare.com/files/132768594/rapport.txt.html
here
Baabiouz
2008-07-27, 11:10
Hi
Step #1
Please download ATF-cleaner (http://www.atribune.org/ccount/click.php?id=1) and save it to your desktop.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Step #2
Please do a scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html)
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
Click on the Accept button and install any components it needs.
The program will install and then begin downloading the latest definition files.
After the files have been downloaded on the left side of the page in the Scan section select My Computer
This will start the program and scan your system.
The scan will take a while, so be patient and let it run.
Once the scan is complete, click on View scan report
Now, click on the Save Report as button.
Save the file to your desktop.
Copy and paste that information in your next post.
Step #3
Looking over your log, it seems you don't have any evidence of a third party firewall.
As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:
1) ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za)
(At installing Zonealarm, please uncheck this option "include a ZoneAlarm Spy Blocker...". The Toolbar is not recommended... You can read more about it here (http://sunbeltblog.blogspot.com/2007/12/another-security-company-succumbs-to.html).)
2) Agnitum (http://www.agnitum.com/products/outpostfree/download.php)
3) Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
4) Comodo (http://www.personalfirewall.comodo.com/)
(at installing Comodo, please uncheck these options: "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage")
If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
Step #4
Please post Kaspersky's results and a fresh HijackThis log back here.
the Kaspersky Online Scanner won't work it says to enzble my java program but it is enabled
Baabiouz
2008-07-30, 11:29
Hello
You need to download Java Runtime Enviroment to run Kaspersky webscan. Let's use another scanner:
Panda ActiveScan
(http://www.pandasoftware.com/activescan/com/activescan_principal.htm)
- Once you are on the Panda site, click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Do NOT lose it!
Please, send the Panda activescan report.
srry vaction canh we use another scanner this one is giving me problems
Baabiouz
2008-08-09, 11:21
Hello
Please update Malwarebytes' Anti-Malware and then scan.
Remember download a firewall.
Then please post Mbam report and a fresh HijackThis log back here :)
Malwarebytes' Anti-Malware 1.24
Database version: 1035
Windows 5.1.2600 Service Pack 1
12:39:10 PM 8/9/2008
mbam-log-8-9-2008 (12-39-09).txt
Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 53452
Time elapsed: 29 minute(s), 31 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 13
Registry Data Items Infected: 9
Folders Infected: 1
Files Infected: 11
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d46beaa4-a304-40b3-a9da-ec7f7f501f25} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gamevance (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{1d22e9e4-f771-4b8d-aa68-ba04e8980e07} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a851c98a-6136-4b02-9ec7-22aaf33e7b97} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{da4b6a86-82e7-4a9e-abb9-3b225bc214a4} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7370f91f-6994-4595-9949-601fa2261c8d} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7370f91f-6994-4595-9949-601fa2261c8d} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\DLP.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{65742936-8079-408b-9f3c-874b78030a72} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{65742936-8079-408b-9f3c-874b78030a72} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphceosj0e16g (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search\searchassistant (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\searchassistant (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\default_search_url (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\search page (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\searchurl (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\default_search_url (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\search page (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\search bar (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\searchurl (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wblogon (Trojan.Zlob) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar (Hijack.Search) -> Bad: (http://internetsearchservice.com/ie6.html) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
Folders Infected:
C:\Program Files\Gamevance (Adware.Gamevance) -> Quarantined and deleted successfully.
Files Infected:
C:\Program Files\Gamevance\gvcfglib.dll (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\gamevancelib32.dll (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\gamevance32.exe (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\gvpop.dll (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\gvwslib.dll (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\gvutil.dll (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\gvhlp.dll (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\gvun.exe (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\ars.cfg (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\icon.ico (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\gvtl.dll (Adware.Gamevance) -> Quarantined and deleted successfully.
hjt
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:42:08 PM, on 8/9/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\USB Disk Win98 Driver\Res.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\GWHotKey.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\WINDOWS\CBTWlanSrv.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
c:\program files\linksys\wpc54gv3\wpc54gv3.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: (no name) - {1921bb76-a203-4fea-bf16-2744f7f4e4b2} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: (no name) - {3FCAEB7D-F8AE-4A67-AE6C-57EE1416BB6D} - (no file)
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USB Disk Win98 Driver\Res.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [2050b7d9] rundll32.exe "C:\WINDOWS\System32\sgmllfjm.dll",b
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Alienware Dock.lnk = C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CBT Wlan Service (CBTWlanSrv) - Unknown owner - C:\WINDOWS\CBTWlanSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 5980 bytes
Baabiouz
2008-08-09, 21:10
Hello
Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
**Note: It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
--------------------------------------------------------------------
Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
ComboFix 08-08-08.08 - Joe 2008-08-09 14:28:18.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.298 [GMT -4:00]
Running from: C:\Documents and Settings\Joe\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Joe\Application Data\macromedia\Flash Player\#SharedObjects\F9BLS7FY\interclick.com
C:\Documents and Settings\Joe\Application Data\macromedia\Flash Player\#SharedObjects\F9BLS7FY\interclick.com\ud.sol
C:\Documents and Settings\Joe\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Joe\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\system32\fLlTBJlm.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mjfllmgs.ini
C:\WINDOWS\system32\ykvwcfff.ini
C:\WINDOWS\system32\yuirdoby.ini
.
((((((((((((((((((((((((( Files Created from 2008-07-09 to 2008-08-09 )))))))))))))))))))))))))))))))
.
2008-08-09 13:03 . 2008-08-09 13:03 <DIR> d--hs---- C:\FOUND.001
2008-08-09 01:23 . 2008-08-09 01:23 <DIR> d-------- C:\Program Files\Napster
2008-08-09 01:23 . 2008-08-09 01:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Napster
2008-08-09 00:36 . 2008-08-09 00:36 <DIR> d--hs---- C:\FOUND.000
2008-08-01 18:57 . 2007-07-09 13:26 106,496 --a------ C:\WINDOWS\CBTWlanSrv.exe
2008-08-01 18:56 . 2006-11-30 16:54 2,129,920 --a------ C:\WINDOWS\system32\WLBCGCBPRO731.DLL
2008-08-01 18:56 . 2007-06-26 14:11 1,142,784 --a------ C:\WINDOWS\system32\BCMWLTRY.EXE
2008-08-01 18:56 . 2006-11-30 16:53 757,760 --a------ C:\WINDOWS\system32\bcm1xsup.dll
2008-08-01 18:56 . 2007-06-26 14:11 184,320 --a------ C:\WINDOWS\system32\bcmwlu00.exe
2008-08-01 18:56 . 2006-11-30 16:53 86,016 --a------ C:\WINDOWS\system32\preflib.dll
2008-08-01 18:56 . 2006-11-30 16:53 69,632 --a------ C:\WINDOWS\system32\bcmwlpkt.dll
2008-08-01 18:56 . 2006-11-30 16:54 44,032 --a------ C:\WINDOWS\system32\wltrynt.dll
2008-08-01 18:56 . 2006-11-30 16:53 33,664 --a------ C:\WINDOWS\system32\drivers\BCMWLNPF.SYS
2008-08-01 18:56 . 2007-06-26 14:11 20,480 --a------ C:\WINDOWS\system32\WLTRYSVC.EXE
2008-08-01 18:43 . 2008-08-01 18:43 <DIR> d-------- C:\Program Files\Linksys
2008-08-01 18:32 . 2006-11-30 16:54 610,816 --a------ C:\WINDOWS\system32\drivers\WPC54Gv3.SYS
2008-07-30 14:01 . 2008-07-30 14:01 <DIR> d-------- C:\WINDOWS\Sun
2008-07-30 13:44 . 2008-07-30 13:44 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-07-30 13:44 . 2008-06-21 04:54 269,736 -ra------ C:\WINDOWS\system32\drivers\SbFw.sys
2008-07-30 13:44 . 2008-06-21 04:54 65,576 --a------ C:\WINDOWS\system32\drivers\SbFwIm.sys
2008-07-30 13:40 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-30 13:36 . 2008-07-30 13:36 <DIR> d-------- C:\Program Files\Java
2008-07-30 13:35 . 2008-07-30 13:35 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-30 07:45 . 2008-07-30 07:45 <DIR> d-------- C:\Program Files\Panda Security
2008-07-21 14:29 . 2006-08-18 13:45 68,673 --a------ C:\WINDOWS\AW_XenoMorph1280.jpg
2008-07-21 14:20 . 2005-07-05 17:38 292,197 --a------ C:\WINDOWS\InvaderDark1280.jpg
2008-07-21 09:12 . 2008-07-21 09:12 <DIR> d-------- C:\Program Files\AskSBar
2008-07-21 03:51 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-07-21 03:51 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\dllcache\mouhid.sys
2008-07-21 02:49 . 2008-07-21 02:49 <DIR> d-------- C:\Documents and Settings\Joe\Application Data\Malwarebytes
2008-07-21 02:48 . 2008-07-21 02:48 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-21 02:48 . 2008-07-21 02:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-21 02:48 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-21 02:48 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-21 02:04 . 2008-07-21 02:04 <DIR> d-------- C:\_OTMoveIt
2008-07-20 08:57 . 2008-07-20 08:57 <DIR> d-------- C:\Program Files\The Weather Channel FW
2008-07-20 08:11 . 2008-07-20 08:11 <DIR> d-------- C:\Program Files\Tales of Pirates Online
2008-07-20 08:09 . 2008-07-20 11:12 18 --a------ C:\WINDOWS\gwhotkey.ini
2008-07-20 07:59 . 2001-08-28 12:27 135,168 --a------ C:\WINDOWS\system32\gwhotkey.cpl
2008-07-20 07:59 . 2001-08-28 11:13 98,361 --a------ C:\WINDOWS\GWHotKey.exe
2008-07-20 07:59 . 1998-07-31 15:00 47,104 --a------ C:\WINDOWS\_ISREG32.DLL
2008-07-20 07:59 . 2008-07-20 08:00 147 --a------ C:\WINDOWS\_DEISREG.ISR
2008-07-20 07:58 . 2008-07-20 07:58 <DIR> d-------- C:\Documents and Settings\Joe\WINDOWS
2008-07-20 07:58 . 1998-02-06 22:37 299,520 --a------ C:\WINDOWS\uninst.exe
2008-07-20 07:20 . 2008-07-20 08:10 377,211,403 --a------ C:\top_setup_1.37.exe
2008-07-20 06:22 . 2008-07-21 02:27 632 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-20 06:08 . 2008-07-20 06:08 <DIR> d-------- C:\Deckard
2008-07-19 23:36 . 2008-07-19 23:36 <DIR> d-------- C:\Program Files\1 Click PC Fix
2008-07-19 23:30 . 2008-07-19 23:30 <DIR> d-------- C:\Documents and Settings\Joe\Application Data\Uniblue
2008-07-19 13:51 . 2008-07-19 13:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-19 12:34 . 2008-07-19 12:34 <DIR> d-------- C:\Program Files\WallpaperScreensavers.net
2008-07-18 03:26 . 2008-07-18 03:26 5,760,054 --a------ C:\WINDOWS\ALX_1600x1200.bmp
2008-07-18 03:24 . 2008-07-18 03:24 3,932,214 --a------ C:\WINDOWS\AW_XenoMorph1280.bmp
2008-07-18 03:21 . 2005-02-01 14:20 5,760,056 --a------ C:\WINDOWS\Darkstar.bmp
2008-07-18 03:16 . 2008-07-18 03:16 <DIR> d-------- C:\Program Files\Common Files\Stardock
2008-07-18 03:16 . 2008-07-18 03:16 <DIR> d-------- C:\Program Files\AlienGUIse
2008-07-18 03:16 . 2003-02-26 22:27 36,864 --a------ C:\WINDOWS\system32\wbsys.dll
2008-07-18 03:16 . 2008-07-18 03:16 56 --a------ C:\WINDOWS\wb.ini
2008-07-17 08:10 . 2008-07-17 08:11 539 --a------ C:\WINDOWS\wininit.ini
2008-07-17 07:23 . 2008-07-17 07:23 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-17 07:23 . 2008-07-17 07:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-17 05:38 . 2008-07-17 05:38 <DIR> d-------- C:\Documents and Settings\Joe\Application Data\acccore
2008-07-17 05:37 . 2008-07-17 05:37 <DIR> d-------- C:\Program Files\AIMTunes
2008-07-17 05:37 . 2008-07-17 05:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-07-17 05:37 . 2008-07-17 05:37 21 --a------ C:\WINDOWS\atid.ini
2008-07-17 05:36 . 2008-07-17 05:36 <DIR> d-------- C:\Program Files\AIM Search
2008-07-17 05:36 . 2008-07-17 05:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-07-17 05:36 . 2008-07-17 05:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\acccore
2008-07-17 05:34 . 2008-07-17 05:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-07-17 05:34 . 2008-07-17 05:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-07-17 05:33 . 2008-07-17 05:33 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-07-17 05:32 . 2008-07-17 05:33 <DIR> d-------- C:\Program Files\AIM6
2008-07-17 04:32 . 2008-07-17 04:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-17 04:31 . 2008-07-17 04:31 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-17 04:31 . 2008-07-17 04:31 <DIR> d-------- C:\Documents and Settings\Joe\Application Data\SUPERAntiSpyware.com
2008-07-17 00:06 . 2008-07-17 00:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-15 10:31 . 2008-07-15 10:33 113 --a------ C:\tmp2.reg
2008-07-15 10:24 . 2008-07-15 10:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-15 09:56 . 2008-07-15 09:56 <DIR> d-------- C:\WINDOWS\system32\bits
2008-07-15 09:55 . 2008-07-15 09:55 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-07-15 09:55 . 2005-02-24 20:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-07-15 09:23 . 2008-07-30 10:27 73 --a------ C:\WINDOWS\cdplayer.ini
2008-07-15 05:23 . 2008-07-15 05:23 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-07-15 03:00 . 2004-07-01 15:08 361,984 --a------ C:\WINDOWS\system32\dllcache\qmgr.dll
2008-07-15 03:00 . 2004-07-01 15:08 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2008-07-15 03:00 . 2004-07-01 15:08 331,776 --a------ C:\WINDOWS\system32\dllcache\winhttp.dll
2008-07-15 03:00 . 2004-06-30 16:59 158,720 --------- C:\WINDOWS\system32\xpob2res.dll
2008-07-15 03:00 . 2004-07-01 15:08 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-07-15 03:00 . 2004-07-01 15:08 17,408 --a------ C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2008-07-15 03:00 . 2004-07-01 15:08 7,680 --------- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2008-07-15 03:00 . 2004-07-01 15:08 7,680 --------- C:\WINDOWS\system32\bitsprx2.dll
2008-07-15 03:00 . 2004-07-01 15:08 7,168 --------- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2008-07-15 03:00 . 2004-07-01 15:08 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2008-07-14 21:28 . 2008-07-14 21:28 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-07-14 21:26 . 2008-07-14 21:26 335 --a------ C:\WINDOWS\mozregistry.dat
2008-07-14 18:49 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2008-07-14 18:49 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2008-07-14 18:49 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-07-14 18:49 . 2007-07-30 19:19 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
2008-07-14 18:49 . 2004-08-03 14:03 186,136 --a------ C:\WINDOWS\system32\wuaueng1.dll
2008-07-14 18:49 . 2004-08-03 14:01 167,704 --a------ C:\WINDOWS\system32\wuauclt1.exe
2008-07-14 18:49 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
2008-07-14 12:58 . 2008-07-14 12:58 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment.98e64dfa.temp
2008-07-14 10:20 . 2008-07-14 10:20 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment.757cb0e5.temp
2008-07-14 09:16 . 2008-07-14 09:16 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment.2fe54713.temp
2008-07-14 06:57 . 2008-07-14 06:57 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment.temp
2008-07-13 20:32 . 2008-07-13 20:32 1,160 --a------ C:\WINDOWS\mozver.dat
2008-07-13 17:11 . 2008-07-13 17:11 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-13 17:02 . 2006-11-30 16:53 700,416 --a------ C:\WINDOWS\system32\BCMLogon.dll
2008-07-13 17:02 . 2006-11-30 16:54 89,088 --a------ C:\WINDOWS\system32\ATL71.DLL
2008-07-13 12:29 . 2006-11-28 21:46 27,072 --------- C:\WINDOWS\system32\drivers\CBPSp50.sys
2008-07-13 12:29 . 2004-12-17 13:52 17,992 --------- C:\WINDOWS\system32\drivers\bcm42rly.sys
2008-07-13 12:28 . 2008-07-13 12:28 <DIR> d-------- C:\Documents and Settings\Joe\Application Data\InstallShield
2008-07-13 12:27 . 2001-09-06 05:00 1,700,352 -ra------ C:\WINDOWS\GdiPlus.dll
2008-07-13 12:27 . 2007-05-23 14:39 139,264 --------- C:\WINDOWS\UIButton.dll
2008-07-13 12:27 . 2007-05-23 14:39 126,976 --------- C:\WINDOWS\UIListCtrl.dll
2008-07-13 12:27 . 2007-05-23 14:39 94,208 --------- C:\WINDOWS\UITabCtrl.dll
2008-07-13 02:25 . 2006-11-12 22:41 437,760 -ra------ C:\WINDOWS\system32\drivers\WlanUZXP.sys
2008-07-13 00:28 . 2008-07-13 00:28 <DIR> d-------- C:\Program Files\LanExpress
2008-07-13 00:28 . 2006-11-09 14:12 535,168 --a------ C:\WINDOWS\system32\drivers\WlanUZ64.SYS
2008-07-13 00:28 . 2006-11-09 14:12 102,400 --a------ C:\WINDOWS\system32\ZDCN50.dll
2008-07-13 00:28 . 2006-11-09 14:12 18,944 --a------ C:\WINDOWS\system32\ZDCndis5.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-14 14:14 65,536 ----a-w C:\WINDOWS\DUMPa239.tmp
2008-06-21 08:54 66,600 ----a-r C:\WINDOWS\system32\drivers\sbhips.sys
2008-06-18 09:17 --------- d-----w C:\Program Files\Kids Cam Sticker Factory
2008-06-18 09:09 --------- d-----w C:\Program Files\MyDSC2
2008-06-18 09:09 --------- d-----w C:\Program Files\Mars
2008-06-18 09:09 --------- d-----w C:\Program Files\JL2005C
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-07-21 09:12 66912 --a------ C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08 1511453]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-05-29 14:26 50528]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USB Storage Toolbox"="C:\Program Files\USB Disk Win98 Driver\Res.EXE" [2005-09-14 20:44 65536]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-07-15 05:22 185632]
"Multi-function Keyboard"="GWHotKey.exe" [2001-08-28 11:13 98361 C:\WINDOWS\GWHotKey.exe]
C:\Documents and Settings\Joe\Start Menu\Programs\Startup\
Alienware Dock.lnk - C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe [2008-07-18 03:16:56 2074360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 23:34 24576 C:\Program Files\AlienGUIse\fastload.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.JDCT"= jl_jdct.drv
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R1 SbFw;SbFw;C:\WINDOWS\System32\drivers\SbFw.sys [2008-06-21 04:54]
R1 sbhips;Sunbelt HIPS Driver;C:\WINDOWS\System32\drivers\sbhips.sys [2008-06-21 04:54]
R2 CBTWlanSrv;CBT Wlan Service;C:\WINDOWS\CBTWlanSrv.exe [2007-07-09 13:26]
R2 SbPF.Launcher;SbPF.Launcher;C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe [2008-07-01 10:51]
R2 SPF4;Sunbelt Personal Firewall 4;C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe [2008-07-01 10:51]
R3 CBPSp50;CBPSp50 NDIS Protocol Driver;C:\WINDOWS\System32\Drivers\CBPSp50.sys [2006-11-28 21:46]
R3 Maestro;ESS Maestro2E Audio Driver (WDM);C:\WINDOWS\System32\drivers\essm2e.sys [2002-08-28 23:00]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;C:\WINDOWS\System32\DRIVERS\sbfwim.sys [2008-06-21 04:54]
R3 WPC54Gv3;Linksys Wireless Notebook Adapter WPC54Gv3 Driver;C:\WINDOWS\System32\DRIVERS\WPC54Gv3.SYS [2006-11-30 16:54]
S3 CBPMp50;CBPMp50 NDIS Protocol Driver;C:\WINDOWS\System32\Drivers\CBPMp50.sys []
S3 ENDETECT;ENDETECT;C:\PROGRA~1\FRONTI~1\FRONTI~1\app\ENDETECT.SYS []
S3 JL2005C;Dual Mode Camera;C:\WINDOWS\System32\Drivers\jl2005c.sys [2007-01-26 21:09]
S3 L2XPSR;L2XPSR;C:\PROGRA~1\FRONTI~1\FRONTI~1\app\L2XPSR.SYS []
S3 LOGNT;LOGNT;C:\PROGRA~1\FRONTI~1\FRONTI~1\app\lognt.sys []
S3 NB762_XP;NB 802.11g XG762 1211B Driver;C:\WINDOWS\System32\DRIVERS\WlanUZXP.sys [2006-11-12 22:41]
S3 NTSTPL1;NTSTPL1;C:\PROGRA~1\FRONTI~1\FRONTI~1\app\NTSTPL1.SYS []
S3 NTSTPL2;NTSTPL2;C:\PROGRA~1\FRONTI~1\FRONTI~1\app\NTSTPL2.SYS [2003-08-05 13:56]
S3 TAPBIND;TAPBIND;C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TAPBIND1.SYS []
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
2008-08-08 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe []
.
- - - - ORPHANS REMOVED - - - -
URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)
BHO-{1921bb76-a203-4fea-bf16-2744f7f4e4b2} - (no file)
HKCU-Run-SUPERAntiSpyware - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
HKLM-Run-2050b7d9 - C:\WINDOWS\System32\sgmllfjm.dll
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Joe\Application Data\Mozilla\Firefox\Profiles\mbxf21tn.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPAskSBr.dll
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-09 14:37:12
Windows 5.1.2600 Service Pack 1 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\tsd32.dll
.
Completion time: 2008-08-09 14:40:48
ComboFix-quarantined-files.txt 2008-08-09 18:40:38
Pre-Run: 122,126,336 bytes free
Post-Run: 723,808,256 bytes free
237 --- E O F --- 2008-07-15 16:56:50
hjt
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:55:16 PM, on 8/9/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\USB Disk Win98 Driver\Res.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\GWHotKey.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\WINDOWS\CBTWlanSrv.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\WINDOWS\explorer.exe
c:\program files\linksys\wpc54gv3\wpc54gv3.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USB Disk Win98 Driver\Res.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Alienware Dock.lnk = C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CBT Wlan Service (CBTWlanSrv) - Unknown owner - C:\WINDOWS\CBTWlanSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 5308 bytes
Baabiouz
2008-08-09, 22:15
Hello
Please click on Start > Control Panel > Add/Remove Programs (http://www.bleepingcomputer.com/forums/topic42133.html) and uninstall the following programs(if present):
Ask Toolbar
Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
Then please remove this folder:
C:\Program Files\AskSBar
_______________
Please download Java and then run Kaspersky online scanner:
: Download the latest version of Java Runtime Environment (JRE) (http://java.sun.com/javase/downloads/index.jsp) and save it to your desktop.
Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7...allows end-users to run Java applications".
Click the "Download" button to the right.
Select your Platform: "Windows".
Select your Language: "Multi-language".
Read the License Agreement, and then check the box that says: "Accept License Agreement".
Click Continue and the page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.
Please do a scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html)
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
Click on the Accept button and install any components it needs.
The program will install and then begin downloading the latest definition files.
After the files have been downloaded on the left side of the page in the Scan section select My Computer
This will start the program and scan your system.
The scan will take a while, so be patient and let it run.
Once the scan is complete, click on View scan report
Now, click on the Save Report as button.
Save the file to your desktop.
Copy and paste that information in your next post.
Please post Kaspersky results and a fresh HijackThis log back here :)
when i try to down load the java i keep getting an error screen
Baabiouz
2008-08-11, 17:07
What kind of error?
it goes to an error this paage can not be found screen
Baabiouz
2008-08-13, 06:56
Can you download the file here:
jre-6u7-windows-i586-p.exe (http://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_Developer-Site/en_US/-/USD/VerifyItem-Start/jre-6u7-windows-i586-p.exe?BundledLineItemUUID=EQZIBe.lYzUAAAEbJLIvg7o0&OrderID=x6dIBe.l8xIAAAEbGrIvg7o0&ProductID=BUtIBe.pr_UAAAEaTTMke7Zb&FileName=/jre-6u7-windows-i586-p.exe)
when I go to download it it says that an error occured and I should contact my service provider
Baabiouz
2008-08-14, 20:21
Ok.
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.
This is only a short scan.
Once the short scan has finished, Click Options > Change settings
Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
Back at the main window, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' i at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found:
http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
http://users.telenet.be/bluepatchy/miekiemoes/images/move.gifat the right, and the scan will start.
his will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply
kira666, This topic has been archived due to inactivity.
As it has been five days or more since your last post, and your helper posted a response to which you did not reply, this topic has been archived and will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread.
Applies only to the original poster, anyone else with similar problems please start a new topic.
Thank you Baabiouz. :)