Can't remove Fraud.XPAntivirus



Willy_J
2008-09-09, 01:56
Here is the HJT log for a problem posted under Software/Spybot "Spybot can't remove Fraud.XPAntivirus"

http://forums.spybot.info/showthread.php?t=33891

(Sorry - unsure how to create a link to the other post)

Cheers,
-Will.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:37:41 PM, on 8/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\BrmfBAgS.exe
C:\Program Files\Axaware\SpamBully 4 for Outlook Express\sb4service.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\jqnsvwxq\dyjkjmhk.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\zunypsrw.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theage.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.searching-4u.com/search_page.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.1852\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SysHlpApl] C:\WINDOWS\system32\tedatkng.exe
O4 - HKCU\..\Run: [ChkSmart] C:\WINDOWS\system32\zunypsrw.exe
O4 - HKCU\..\Run: [dscwin] C:\WINDOWS\system32\rebczgfq.exe
O4 - HKLM\..\Policies\Explorer\Run: [t5F7z2C0Tv] C:\Documents and Settings\All Users\Application Data\jqnsvwxq\dyjkjmhk.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\billmind.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm395XXAU
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\docume~1\davidd~1\locals~1\temp\ntdll64.dll
O10 - Unknown file in Winsock LSP: c:\docume~1\davidd~1\locals~1\temp\ntdll64.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Brother BidiAgent Service for Resource manager (brmfbags) - Brother Industries, Ltd. - C:\WINDOWS\system32\BrmfBAgS.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe (file missing)
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe (file missing)
O23 - Service: ServiceSB4 - Axaware - C:\Program Files\Axaware\SpamBully 4 for Outlook Express\sb4service.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Unknown owner - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe (file missing)
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe (file missing)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe (file missing)
O24 - Desktop Component 0: (no name) - http://www.perpetual.com.au/images/topimage.gif
O24 - Desktop Component 1: (no name) - https://my.bigpond.com/res/images/v7/overview/bg_content.gif

--
End of file - 9929 bytes
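As an added example (not from this thread, HijackThis, or any tool mentioned here), a small Python triage script that parses HijackThis O4 and O10 lines like the ones in the log above and scores the indicators a helper checks first: random-looking file or directory names outside Program Files, binaries loading from a temp directory, the Policies\Explorer\Run autorun key, and Winsock LSPs HijackThis could not identify. The scoring weights and the "random name" heuristic are assumptions made for illustration, not a HijackThis feature.

```python
import re
from dataclasses import dataclass, field

# Sample lines copied from the HijackThis log in the first post (the O4 autorun and
# O10 LSP entries a helper looks at first), with a few benign entries for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SysHlpApl] C:\WINDOWS\system32\tedatkng.exe
O4 - HKCU\..\Run: [ChkSmart] C:\WINDOWS\system32\zunypsrw.exe
O4 - HKCU\..\Run: [dscwin] C:\WINDOWS\system32\rebczgfq.exe
O4 - HKLM\..\Policies\Explorer\Run: [t5F7z2C0Tv] C:\Documents and Settings\All Users\Application Data\jqnsvwxq\dyjkjmhk.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O10 - Unknown file in Winsock LSP: c:\docume~1\davidd~1\locals~1\temp\ntdll64.dll
"""

O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")
# First quoted or unquoted token that ends in an executable/library extension.
PATH_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|com|scr|cpl|sys))"?(?:\s|$)', re.I)
# Assumed heuristic: a run of four or more consonants (y counted as a consonant).
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]{4,}")


@dataclass
class Finding:
    line: str
    path: str
    score: int = 0
    reasons: list = field(default_factory=list)


def looks_random(stem: str) -> bool:
    """Heuristic for machine-generated names like 'tedatkng': 8+ ASCII lowercase
    letters containing a run of four or more consonants."""
    return (len(stem) >= 8 and stem.isascii() and stem.isalpha() and stem.islower()
            and CONSONANT_RUN.search(stem) is not None)


def triage_line(line: str):
    """Score one HijackThis O4/O10 line; returns None for lines we do not parse
    (other section types, Global Startup .lnk entries, entries without a path)."""
    if m := O4_RE.match(line):
        kind, key, rest = "O4", m.group("key"), m.group("cmd")
        pm = PATH_RE.match(rest)
        if not pm:                      # no recognisable executable path
            return None
        path = pm.group("path")
    elif m := O10_RE.match(line):
        kind, key, path = "O10", "", m.group("path").strip()
    else:
        return None

    f = Finding(line=line, path=path)
    parts = path.lower().replace("/", "\\").split("\\")
    stem = parts[-1].rsplit(".", 1)[0]
    in_program_files = any(p in ("program files", "progra~1") for p in parts)

    if "temp" in parts:
        f.score += 2
        f.reasons.append("loads from a temp directory")
    if not in_program_files:
        if looks_random(stem):
            f.score += 2
            f.reasons.append(f"random-looking file name '{stem}'")
        if any(looks_random(d) for d in parts[:-1]):
            f.score += 1
            f.reasons.append("random-looking directory name")
    if kind == "O4" and "policies\\explorer\\run" in key.lower():
        f.score += 3
        f.reasons.append("autorun via Policies\\Explorer\\Run, rarely used by legitimate software")
    if kind == "O10":
        f.score += 2
        f.reasons.append("Winsock LSP whose owner HijackThis could not identify")
    return f


def triage_log(text: str, threshold: int = 2):
    """Return findings at or above `threshold`, most suspicious first."""
    findings = [f for f in map(triage_line, text.splitlines()) if f and f.score >= threshold]
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.score}] {f.path}\n      " + "; ".join(f.reasons))
```

The score only ranks what a human should look at first; a flagged entry still needs the file checked (vendor, signature, scan result) before anything is removed.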

peku006
2008-09-12, 08:33
Hello and Welcome to the forums!

My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

Please observe these rules while we work:


If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Please continue to respond until I give you the "All Clear"

If you follow these instructions, everything should go smoothly.

1 - Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to:

Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware

Then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


2 - Download and Run RSIT

Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (will be maximized) and info.txt (will be minimized).

3 - Status Check
Please reply with

1. the logs from RSIT (log.txt, info.txt)
2. the Malwarebytes' Anti-Malware log
3. a description of any problems you are having with your PC

Thanks peku006

peku006
2008-09-14, 10:27
Hello!

Do you still need help?

It has been three days since my last post.

Do you still need help with this?
Do you need more time?
Are you having problems following my instructions?

Note: If after 48hrs you have not replied to this thread then it will have to be CLOSED!

Willy_J
2008-09-15, 01:03
peku006,
big thanks for sending through a reply - yes I still need the help but was away over the weekend.
I will look through your reply and get back to you asap.
All the best,
-Will.

peku006
2008-09-15, 08:42
Ok no problem. Just follow my instructions in my previous post.

Willy_J
2008-09-16, 02:18
Peku,
I've had mixed success.
I ran the Malwarebytes' Anti-Malware (call it MBAM for short?) program and it did pick up an infection on the full scan that it had not seen on a quick scan. Log is following.
I ran the RSIT program and saved both logs. However this was before I realised I needed to do a full scan for MBAM. Subsequently when I run RSIT I only get one log - that being log.txt (following) and no info.txt. Even after a reboot.
Go figure?
Let me know if you want to see the info.txt that was generated before the last full scan of MBAM.
Thanks in advance,
-Will.


Malwarebytes' Anti-Malware 1.26
Database version: 1116
Windows 5.1.2600 Service Pack 3

15/09/2008 2:51:51 PM
mbam-log-2008-09-15 (14-51-51).txt

Scan type: Full Scan (C:\|)
Objects scanned: 89839
Time elapsed: 40 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\David Dumbrell\Local Settings\TempGenProc\pivcruru.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

----------------------

Logfile of random's system information tool 1.01 (written by random/random)
Run by David Dumbrell at 2008-09-16 10:05:56
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 19 GB (49%) free of 39 GB
Total RAM: 223 MB (40% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:06:20 AM, on 16/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\BrmfBAgS.exe
C:\Program Files\Axaware\SpamBully 4 for Outlook Express\sb4service.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\jqnsvwxq\dyjkjmhk.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\David Dumbrell\Desktop\RSIT.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\David Dumbrell.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theage.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.searching-4u.com/search_page.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.1852\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SysHlpApl] C:\WINDOWS\system32\tedatkng.exe
O4 - HKCU\..\Run: [ChkSmart] C:\WINDOWS\system32\zunypsrw.exe
O4 - HKCU\..\Run: [dscwin] C:\WINDOWS\system32\rebczgfq.exe
O4 - HKLM\..\Policies\Explorer\Run: [t5F7z2C0Tv] C:\Documents and Settings\All Users\Application Data\jqnsvwxq\dyjkjmhk.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\billmind.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm395XXAU
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\docume~1\davidd~1\locals~1\temp\ntdll64.dll
O10 - Unknown file in Winsock LSP: c:\docume~1\davidd~1\locals~1\temp\ntdll64.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Brother BidiAgent Service for Resource manager (brmfbags) - Brother Industries, Ltd. - C:\WINDOWS\system32\BrmfBAgS.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe (file missing)
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe (file missing)
O23 - Service: ServiceSB4 - Axaware - C:\Program Files\Axaware\SpamBully 4 for Outlook Express\sb4service.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Unknown owner - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe (file missing)
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe (file missing)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe (file missing)
O24 - Desktop Component 0: (no name) - http://www.perpetual.com.au/images/topimage.gif
O24 - Desktop Component 1: (no name) - https://my.bigpond.com/res/images/v7/overview/bg_content.gif

--
End of file - 9903 bytes

Scheduled tasks folder

C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job

Registry dump

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 440384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-07-07 1562448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar3.dll [2007-01-19 2403392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.1852\swg.dll [2008-09-07 651248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar3.dll [2007-01-19 2403392]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 440384]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"=C:\WINDOWS\SiSUSBrg.exe [2002-04-26 102400]
"SSBkgdUpdate"=C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [2003-10-14 155648]
"PaperPort PTD"=C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe [2004-04-14 57393]
"IndexSearch"=C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe [2004-04-14 40960]
"Adobe Photo Downloader"=C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe [2007-03-09 63712]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2002-12-10 77824]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2008-07-20 78008]
"SetDefPrt"=C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe [2004-11-11 49152]
"ControlCenter2.0"=C:\Program Files\Brother\ControlCenter2\brctrcen.exe [2005-01-07 864256]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"t5F7z2C0Tv"=C:\Documents and Settings\All Users\Application Data\jqnsvwxq\dyjkjmhk.exe [2008-08-30 65536]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-07-22 68856]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2008-09-05 1576176]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"SysHlpApl"=C:\WINDOWS\system32\tedatkng.exe []
"ChkSmart"=C:\WINDOWS\system32\zunypsrw.exe []
"dscwin"=C:\WINDOWS\system32\rebczgfq.exe []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Billminder.lnk - C:\Program Files\QUICKENW\billmind.exe
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="sockspy.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [2008-08-27 352256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-06-04 77824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\svcWRSSSDK]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Windows Media Player\wmplayer.exe"="C:\Program Files\Windows Media Player\wmplayer.exe:*:Enabled:Windows Media Player"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\system32\usmt\migwiz.exe"="C:\WINDOWS\system32\usmt\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
shell\AutoRun\command - E:\Launch.exe /run


File associations

.ini - open - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1
.reg - open - regedit.exe "%1" %*
.scr - open - "%1" %*
.txt - open - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1

List of files/folders created in the last three months

2008-09-15 13:00:51 ----D---- C:\rsit
2008-09-08 15:37:22 ----D---- C:\Program Files\Trend Micro
2008-09-07 11:42:41 ----SHD---- C:\RECYCLER
2008-09-07 11:02:04 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-06 20:08:11 ----A---- C:\ComboFix.txt
2008-09-06 17:14:32 ----A---- C:\WINDOWS\ntbtlog.txt
2008-09-05 20:11:17 ----A---- C:\WINDOWS\system32\locate.com
2008-09-05 20:10:04 ----D---- C:\MGtools
2008-09-05 19:59:54 ----A---- C:\Boot.bak
2008-09-05 19:59:48 ----D---- C:\cmdcons
2008-09-05 19:58:30 ----D---- C:\WINDOWS\erdnt
2008-09-05 19:57:27 ----D---- C:\QooBox
2008-09-05 19:57:24 ----A---- C:\WINDOWS\zip.exe
2008-09-05 19:57:24 ----A---- C:\WINDOWS\VFind.exe
2008-09-05 19:57:24 ----A---- C:\WINDOWS\swsc.exe
2008-09-05 19:57:24 ----A---- C:\WINDOWS\swreg.exe
2008-09-05 19:57:24 ----A---- C:\WINDOWS\sed.exe
2008-09-05 19:57:24 ----A---- C:\WINDOWS\Nircmd.exe
2008-09-05 19:57:24 ----A---- C:\WINDOWS\grep.exe
2008-09-05 19:57:24 ----A---- C:\WINDOWS\fdsv.exe
2008-09-04 22:04:00 ----A---- C:\MGtools.exe
2008-09-04 21:23:32 ----D---- C:\WINDOWS\Sun
2008-09-04 21:23:31 ----D---- C:\Documents and Settings\David Dumbrell\Application Data\Sun
2008-09-04 21:16:53 ----D---- C:\Program Files\Three Rings Design
2008-09-04 21:16:01 ----A---- C:\WINDOWS\system32\javaws.exe
2008-09-04 21:16:01 ----A---- C:\WINDOWS\system32\javaw.exe
2008-09-04 21:16:01 ----A---- C:\WINDOWS\system32\java.exe
2008-09-04 21:12:03 ----D---- C:\Program Files\Java
2008-09-04 21:11:24 ----D---- C:\Program Files\Common Files\Java
2008-09-04 21:00:41 ----D---- C:\WINDOWS\BDOSCAN8
2008-09-04 20:59:25 ----D---- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-09-04 20:53:50 ----D---- C:\Program Files\CCleaner
2008-09-03 19:02:31 ----A---- C:\WINDOWS\system32\zwdidcjy.exe.dont trust
2008-09-02 19:18:37 ----A---- C:\WINDOWS\system32\bermvgrs.exe.dont trust
2008-08-30 14:50:25 ----D---- C:\Documents and Settings\All Users\Application Data\jqnsvwxq
2008-08-30 14:49:22 ----D---- C:\Program Files\SAV
2008-08-28 14:14:15 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2008-08-27 15:45:49 ----D---- C:\WINDOWS\Prefetch
2008-08-27 14:53:51 ----D---- C:\WINDOWS\system32\scripting
2008-08-27 14:53:48 ----D---- C:\WINDOWS\l2schemas
2008-08-27 14:53:47 ----D---- C:\WINDOWS\system32\en
2008-08-26 16:20:57 ----N---- C:\WINDOWS\system32\wmphoto.dll
2008-08-26 16:20:54 ----N---- C:\WINDOWS\system32\wlanapi.dll
2008-08-26 16:20:51 ----N---- C:\WINDOWS\system32\windowscodecsext.dll
2008-08-26 16:20:51 ----N---- C:\WINDOWS\system32\windowscodecs.dll
2008-08-26 16:20:39 ----N---- C:\WINDOWS\system32\tspkg.dll
2008-08-26 16:20:39 ----N---- C:\WINDOWS\system32\tsgqec.dll
2008-08-26 16:20:09 ----N---- C:\WINDOWS\system32\setupn.exe
2008-08-26 16:20:00 ----N---- C:\WINDOWS\system32\rhttpaa.dll
2008-08-26 16:19:56 ----N---- C:\WINDOWS\system32\rasqec.dll
2008-08-26 16:19:53 ----N---- C:\WINDOWS\system32\qutil.dll
2008-08-26 16:19:48 ----N---- C:\WINDOWS\system32\qcliprov.dll
2008-08-26 16:19:48 ----N---- C:\WINDOWS\system32\qagentrt.dll
2008-08-26 16:19:48 ----N---- C:\WINDOWS\system32\qagent.dll
2008-08-26 16:19:42 ----N---- C:\WINDOWS\system32\photometadatahandler.dll
2008-08-26 16:19:34 ----N---- C:\WINDOWS\system32\onex.dll
2008-08-26 16:19:00 ----N---- C:\WINDOWS\system32\napstat.exe
2008-08-26 16:19:00 ----N---- C:\WINDOWS\system32\napmontr.dll
2008-08-26 16:19:00 ----N---- C:\WINDOWS\system32\napipsec.dll
2008-08-26 16:18:58 ----N---- C:\WINDOWS\system32\msxml6r.dll
2008-08-26 16:18:58 ----N---- C:\WINDOWS\system32\msxml6.dll
2008-08-26 16:18:54 ----N---- C:\WINDOWS\system32\msshavmsg.dll
2008-08-26 16:18:54 ----N---- C:\WINDOWS\system32\mssha.dll
2008-08-26 16:18:37 ----N---- C:\WINDOWS\system32\mmcperf.exe
2008-08-26 16:18:36 ----N---- C:\WINDOWS\system32\mmcfxcommon.dll
2008-08-26 16:18:36 ----N---- C:\WINDOWS\system32\mmcex.dll
2008-08-26 16:18:36 ----N---- C:\WINDOWS\system32\microsoft.managementconsole.dll
2008-08-26 16:18:20 ----N---- C:\WINDOWS\system32\l2gpstore.dll
2008-08-26 16:18:19 ----N---- C:\WINDOWS\system32\kmsvc.dll
2008-08-26 16:18:17 ----N---- C:\WINDOWS\system32\kbdpash.dll
2008-08-26 16:18:17 ----N---- C:\WINDOWS\system32\kbdnepr.dll
2008-08-26 16:18:17 ----N---- C:\WINDOWS\system32\kbdiultn.dll
2008-08-26 16:18:16 ----N---- C:\WINDOWS\system32\kbdbhc.dll
2008-08-26 16:17:46 ----A---- C:\WINDOWS\005642_.tmp
2008-08-26 16:17:42 ----N---- C:\WINDOWS\system32\eapsvc.dll
2008-08-26 16:17:42 ----N---- C:\WINDOWS\system32\eapqec.dll
2008-08-26 16:17:42 ----N---- C:\WINDOWS\system32\eappprxy.dll
2008-08-26 16:17:42 ----N---- C:\WINDOWS\system32\eapphost.dll
2008-08-26 16:17:42 ----N---- C:\WINDOWS\system32\eappgnui.dll
2008-08-26 16:17:42 ----N---- C:\WINDOWS\system32\eappcfg.dll
2008-08-26 16:17:42 ----N---- C:\WINDOWS\system32\eapp3hst.dll
2008-08-26 16:17:42 ----N---- C:\WINDOWS\system32\eapolqec.dll
2008-08-26 16:17:35 ----N---- C:\WINDOWS\system32\dot3ui.dll
2008-08-26 16:17:35 ----N---- C:\WINDOWS\system32\dot3svc.dll
2008-08-26 16:17:35 ----N---- C:\WINDOWS\system32\dot3msm.dll
2008-08-26 16:17:35 ----N---- C:\WINDOWS\system32\dot3gpclnt.dll
2008-08-26 16:17:35 ----N---- C:\WINDOWS\system32\dot3dlg.dll
2008-08-26 16:17:35 ----N---- C:\WINDOWS\system32\dot3cfg.dll
2008-08-26 16:17:35 ----N---- C:\WINDOWS\system32\dot3api.dll
2008-08-26 16:17:30 ----N---- C:\WINDOWS\system32\dimsroam.dll
2008-08-26 16:17:30 ----N---- C:\WINDOWS\system32\dimsntfy.dll
2008-08-26 16:17:29 ----N---- C:\WINDOWS\system32\dhcpqec.dll
2008-08-26 16:17:21 ----N---- C:\WINDOWS\system32\credssp.dll
2008-08-26 16:17:09 ----N---- C:\WINDOWS\system32\bitsprx4.dll
2008-08-26 16:17:09 ----N---- C:\WINDOWS\system32\azroles.dll
2008-08-26 16:16:50 ----N---- C:\WINDOWS\system32\aaclient.dll
2008-08-26 15:39:57 ----D---- C:\WINDOWS\system32\CatRoot_bak
2008-08-24 17:05:56 ----D---- C:\WINDOWS\MSREMOTE.SFS
2008-08-15 03:07:58 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2008-08-15 03:07:32 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2008-08-15 03:07:15 ----HDC---- C:\WINDOWS\$NtUninstallKB953839$
2008-08-15 03:07:00 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2008-08-15 03:04:56 ----HDC---- C:\WINDOWS\$NtUninstallKB951072-v2$
2008-08-15 03:04:31 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2008-08-15 03:02:49 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2008-07-09 08:56:50 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2008-07-04 12:03:14 ----D---- C:\Program Files\Common Files\supportsoft
2008-07-04 12:01:57 ----A---- C:\WINDOWS\system32\acXMLParser.dll
2008-07-04 12:01:52 ----A---- C:\WINDOWS\system32\cdintf300.dll
2008-07-04 11:54:57 ----D---- C:\Program Files\Common Files\Intuit
2008-07-04 11:54:57 ----D---- C:\Documents and Settings\All Users\Application Data\Intuit
2008-07-04 11:52:35 ----D---- C:\Documents and Settings\All Users\Application Data\COMMON FILES
2008-07-04 11:42:57 ----RSD---- C:\WINDOWS\assembly
2008-07-04 11:41:30 ----D---- C:\WINDOWS\Microsoft.NET
2008-07-04 11:23:45 ----D---- C:\Documents and Settings\David Dumbrell\Application Data\Download Manager
2008-07-04 11:23:39 ----D---- C:\Program Files\Akamai
2008-06-22 17:07:05 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$

List of drivers

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2008-07-20 26944]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-20 78416]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2008-07-20 42912]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 SiSkp;SiSkp; C:\WINDOWS\system32\drivers\srvkp.sys [2002-04-03 5760]
R1 tmtdi;Trend Micro TDI Driver; C:\WINDOWS\System32\Drivers\tmtdi.sys [2005-01-18 35456]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2002-08-29 12032]
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-20 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2008-07-20 94416]
R2 SVKP;SVKP; \??\C:\WINDOWS\System32\SVKP.sys []
R2 tm_cfw;Common Firewall Driver; C:\WINDOWS\System32\Drivers\tm_cfw.sys [2005-01-18 838870]
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R2 Tmpreflt;Tmpreflt; C:\WINDOWS\system32\drivers\Tmpreflt.sys [2005-02-18 25088]
R3 ALCXWDM;Service for Avance AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2002-06-12 654604]
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2008-07-20 23152]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-18 2944]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-10-07 9856]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 SiS315;SiS315; C:\WINDOWS\System32\DRIVERS\sisgrp.sys [2002-04-29 192640]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2008-04-14 17152]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S2 BDRSDRV;BDRSDRV; \??\C:\Program Files\Softwin\BitDefender10\bdrsdrv.sys []
S2 Tmfilter;Tmfilter; C:\WINDOWS\system32\drivers\TmXPFlt.sys [2005-02-18 183808]
S3 alcan5ln;Alcatel SpeedTouch(tm) USB ADSL RFC1483 Networking Driver (NDIS); C:\WINDOWS\System32\DRIVERS\alcan5ln.sys [2002-05-03 36960]
S3 alcan5wn;Alcatel SpeedTouch(tm) USB ADSL PPPoA Networking Driver (NDIS); C:\WINDOWS\System32\DRIVERS\alcan5wn.sys [2000-12-14 42880]
S3 alcaudsl;Alcatel Speed Touch ADSL Modem ATM Transport; C:\WINDOWS\System32\DRIVERS\alcaudsl.sys [2002-05-03 735568]
S3 bdfdll;bdfdll; \??\C:\Program Files\Softwin\BitDefender10\bdfdll.sys []
S3 BDFSDRV;BDFSDRV; \??\C:\Program Files\Softwin\BitDefender10\bdfsdrv.sys []
S3 brfilt;Brother MFC Filter Driver; C:\WINDOWS\System32\Drivers\Brfilt.sys [2001-08-17 2944]
S3 brparimg;Brother Multi Function Parallel Image driver; C:\WINDOWS\System32\DRIVERS\BrParImg.sys [2001-08-17 3168]
S3 BrParWdm;Brother WDM Parallel Driver; C:\WINDOWS\System32\Drivers\BrParwdm.sys [2001-08-17 39552]
S3 BrSerWDM;Brother WDM Serial driver; C:\WINDOWS\System32\Drivers\BrSerWdm.sys [2004-11-23 61440]
S3 GMSIPCI;GMSIPCI; \??\D:\INSTALL\GMSIPCI.SYS []
S3 mf;mf; C:\WINDOWS\System32\DRIVERS\mf.sys [2008-04-14 63744]
S3 NTSPPPOE;Efficient Networks Enternet P.P.P.o.E LAN Miniport Driver; C:\WINDOWS\System32\DRIVERS\ntspppoe.sys [2002-03-06 161640]
S3 RAWESR;RAWESR; \??\C:\PROGRA~1\EFFICI~1\ENTERN~1\app\RAWESR.SYS []
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\System32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 TAPBIND;TAPBIND; \??\C:\PROGRA~1\EFFICI~1\ENTERN~1\app\TAPBIND1.SYS []
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

List of services

R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2008-07-20 16056]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2008-07-20 147640]
R2 brmfbags;Brother BidiAgent Service for Resource manager; C:\WINDOWS\system32\BrmfBAgS.exe [2004-09-10 53248]
R2 ServiceSB4;ServiceSB4; C:\Program Files\Axaware\SpamBully 4 for Outlook Express\sb4service.exe [2007-05-30 562584]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2008-07-20 250040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2008-07-24 348344]
S2 PcCtlCom;Trend Micro Central Control Component; C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe []
S2 PPPoEService;PPPoE Service; C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe []
S2 Tmntsrv;Trend NT Realtime Service; C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe []
S2 TmPfw;Trend Micro Personal Firewall; C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe []
S2 tmproxy;Trend Micro Proxy Service; C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-04-13 33632]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-04-13 68952]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-07 137200]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2005-11-23 89792]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

-----------------EOF-----------------

peku006
2008-09-16, 09:04
Hi Willy_J
Don't worry, you've done a good job so far.
Please send the log from the ComboFix scan located at C:\ComboFix.txt

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.


1 - Download and Run LSPFix


Please download LSPFix from here (http://www.cexx.org/LSPFix.exe).
Run the LSPFix.exe that you have just finished downloading.
Check the "I know what I'm doing" box.
In the Keep box you should see one or more instances of ntdll64.dll.
Select every instance of ntdll64.dll and move each one to the Remove box by clicking the ">>" button.
When you are done click "Finish>>".


2 - Remove bad HijackThis entries

Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):


O4 - HKCU\..\Run: [SysHlpApl] C:\WINDOWS\system32\tedatkng.exe
O4 - HKCU\..\Run: [ChkSmart] C:\WINDOWS\system32\zunypsrw.exe
O4 - HKCU\..\Run: [dscwin] C:\WINDOWS\system32\rebczgfq.exe
O4 - HKLM\..\Policies\Explorer\Run: [t5F7z2C0Tv] C:\Documents and Settings\All Users\Application Data\jqnsvwxq\dyjkjmhk.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZRxdm395XXAU


Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.

Reboot your computer to complete the process.

3 - OTMoveIt2
Please download OTMoveIt2.exe (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe) by OldTimer and save it to your desktop.

Double click on OTMoveIt2.exe to run it.
Click the Run...button at the security warning prompt, if given.

Copy / paste all the entries in the Code box below, to the OTMoveIt..."Paste List of Files/Folders to Move" window.
Note: Use the Copy/Paste function...do not manually type the entries...to avoid any typos.

kill explorer
C:\Documents and Settings\All Users\Application Data\jqnsvwxq
C:\WINDOWS\system32\tedatkng.exe
C:\WINDOWS\system32\zunypsrw.exe
C:\WINDOWS\system32\rebczgfq.exe
C:\WINDOWS\ntbtlog.txt
C:\WINDOWS\system32\locate.com
C:\WINDOWS\system32\zwdidcjy.exe
C:\WINDOWS\system32\bermvgrs.exe
C:\WINDOWS\005642_.tmp
start explorer
Click on the MoveIt!...button.
The Results window (under the green bar) will contain the results of the operation.
Click the Exit...button, when done.

Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Please choose Yes.
The "results" log will be automatically saved to... C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log
where mmddyyyy_hhmmss = date and time, when the log was created.

Please copy/paste this log file contents into your next reply.

4 - Download and Run DAFT

Download DAFT by Deckard (http://www.techsupportforum.com/sectools/Deckard/daft.exe) to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)
Right-click daft.exe and select Run as administrator to start the program then press OK when the disclaimer appears.
Press the Scan button, place a checkmark in any boxes that appear, then press Fix
Press scan again, you should receive the notice "All associations okay!" - if so, press OK and close the program
If you do not receive the notice, press Save Log and save the report as daft.txt to your Desktop and post a copy with your next response.

5 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

6 - Status Check
Please reply with

1. the C:\ComboFix.txt
2. the OTMoveIt2 log
3. the daft.txt
4. a fresh HijackThis log
5. a description of any problems you are having with your PC

Thanks peku006
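
The fix list above was built by reading the O4 lines in the HijackThis log and the "Reg Loading Points" section of the ComboFix log by hand. The following is an added example (not part of this thread, and not code from HijackThis, ComboFix, RSIT or OTMoveIt) that does the same triage in Python: it parses both log formats, pulls out every autostart entry, and flags the pattern this particular infection used: an executable named with eight random lowercase letters sitting in system32 or inside a similarly named folder under Application Data, and a launch from the HKLM Policies\Explorer\Run key, which legitimate installers almost never use. The flag names, the `RANDOM_STEM` rule and the "Run-" interpretation are the example's own assumptions, and the sample lines are copied (one lightly adapted) from the logs posted in this thread. It is a heuristic for deciding what to look at first, not a verdict; confirm any hit by hash or signature before moving files.

```python
"""Triage of autostart entries from HijackThis O4 lines and ComboFix/RSIT
'Reg Loading Points' sections. Parses both formats and flags the pattern seen
in this thread: eight random lowercase letters in system32 or in a random
folder under Application Data, and launches from Policies\\Explorer\\Run.
Heuristic only (example code, not the tools' own); confirm hits by hash/signature."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# HijackThis O4 line: "O4 - HKCU\..\Run: [name] command". Startup-folder lines
# such as "O4 - Global Startup:" have a space in the key and are skipped here.
HJT_O4 = re.compile(r"^O4 - (?P<key>\S+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# ComboFix/RSIT REGEDIT4-style dump: "[HKEY_...\Run]" then "name"=command [date size]
CF_KEY = re.compile(r"^\[(?P<key>hk[^\]]+)\]$", re.I)
CF_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<cmd>.+?)(?:\s+\[\d{4}-\d\d-\d\d \d+\])?\s*$')
AUTORUN_KEY = re.compile(r"\\run-?$", re.I)         # ...\Run, ...\Run-, ...\Policies\Explorer\Run
POLICY_RUN = re.compile(r"policies\\explorer\\run$", re.I)
DISABLED_RUN = re.compile(r"\\run-$", re.I)         # "Run-": copies a cleanup tool already disabled (assumption)
EXE_IN_CMD = re.compile(r'"?(?P<exe>[A-Za-z]:\\[^"]*?\.(?:exe|com|scr|dll))"?', re.I)
RANDOM_STEM = re.compile(r"^[a-z]{8}$")             # zunypsrw, dyjkjmhk, jqnsvwxq, ...


@dataclass
class Entry:
    key: str
    name: str
    exe: str
    flags: list[str] = field(default_factory=list)


def executable(cmd: str) -> str:
    """Return the program a Run value launches, dropping quotes and arguments."""
    m = EXE_IN_CMD.search(cmd)
    if m:
        return m["exe"]
    tokens = cmd.strip('"').split()      # bare values like SOUNDMAN.EXE or "dumprep 0 -k"
    return tokens[0] if tokens else ""


def parse_autostarts(text: str) -> list[Entry]:
    """Collect Run-key entries from a mixed HJT / ComboFix text, in log order."""
    entries: list[Entry] = []
    current_key = None                   # set only while inside a Run/Run- key of a CF dump
    for raw in text.splitlines():
        line = raw.strip()
        if m := HJT_O4.match(line):
            entries.append(Entry(m["key"], m["name"], executable(m["cmd"])))
        elif m := CF_KEY.match(line):
            current_key = m["key"] if AUTORUN_KEY.search(m["key"]) else None
        elif current_key and (m := CF_VALUE.match(line)):
            entries.append(Entry(current_key, m["name"], executable(m["cmd"])))
    return entries


def assess(entry: Entry) -> Entry:
    """Attach heuristic flags; an entry with no flags is left for manual review."""
    parts = entry.exe.split("\\")
    stem = parts[-1].rsplit(".", 1)[0]
    parent = parts[-2] if len(parts) > 1 else ""
    lowered = [p.lower() for p in parts[:-1]]
    if POLICY_RUN.search(entry.key):
        entry.flags.append("policy_run")        # legitimate software almost never uses this key
    if DISABLED_RUN.search(entry.key):
        entry.flags.append("disabled_copy")     # not running now, but records what was there
    if RANDOM_STEM.match(stem) and (parent.lower() == "system32" or RANDOM_STEM.match(parent)):
        entry.flags.append("random_name")
    if "application data" in lowered and any(RANDOM_STEM.match(p) for p in parts[:-1]):
        entry.flags.append("random_appdata_dir")
    return entry


def triage(text: str) -> list[Entry]:
    """Parsed entries that raised at least one flag, in log order."""
    return [e for e in map(assess, parse_autostarts(text)) if e.flags]


# Sample input: lines copied (one lightly adapted) from the logs posted in this thread.
SAMPLE = r"""
O4 - HKCU\..\Run: [SysHlpApl] C:\WINDOWS\system32\tedatkng.exe
O4 - HKCU\..\Run: [ChkSmart] C:\WINDOWS\system32\zunypsrw.exe
O4 - HKLM\..\Policies\Explorer\Run: [t5F7z2C0Tv] C:\Documents and Settings\All Users\Application Data\jqnsvwxq\dyjkjmhk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"AplAct"="C:\WINDOWS\system32\ylahgzqp.exe" [2008-09-06 90112]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k
"lphc980j0en73"=C:\WINDOWS\system32\lphc980j0en73.exe
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1129:UDP"= 1129:UDP:Windows Media Format SDK (iexplore.exe)
"""

if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(f"{', '.join(e.flags):40} {e.key}  [{e.name}]  {e.exe}")
```

Run it against a whole log pasted into `SAMPLE` (or read from a file) and work through the flagged list first; the firewall and ShellExecuteHooks sections are deliberately ignored because their values are not launch commands. Entries under a `Run-` key are only reported as `disabled_copy`, since they show what a tool already neutralised rather than what is running now.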

Willy_J
2008-09-16, 09:42
Peku006,
I have to say that judging by the tools we are using this is one ugly thing that got onto the computer.

I have completed the tasks you have given me.

There was 1 example of the ntdll64.dll that was removed by lspfix.

HJT successfully removed the items you listed, and I rebooted afterwards.

OtMoveIt2 had a few errors come up - I assume nothing major - the log file is below anyway. It did not ask for a reboot.

Daft found four items to fix, and on the second scan all was ok. Following your instructions therefore I have not saved a log.

In relation to the combofix log, it is old. I ran it when looking through other help pages on a general fix-it web site and then got firmly smacked around the back of the head from another forum! I have not received any instructions to run it in this thread.

Anyway - thanks for your help - the logs are below. I will wait to hear from you again before I connect back up to the internet.

Cheers,
-Will.


ComboFix 08-09-04.08 - David Dumbrell 2008-09-06 20:00:51.3 - NTFSx86
Running from: C:\Documents and Settings\David Dumbrell\Desktop\ComboFix.exe
.
The following files were disabled during the run:
C:\Program Files\Axaware\SpamBully 4 for Outlook Express\hookoecreation.dll


((((((((((((((((((((((((( Files Created from 2008-08-06 to 2008-09-06 )))))))))))))))))))))))))))))))
.

2008-09-06 19:57 . 2008-09-06 19:57 90,112 --a------ C:\WINDOWS\system32\nihwfity.exe
2008-09-06 19:23 . 2008-09-06 19:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-09-06 19:15 . 2008-09-06 19:15 90,112 --a------ C:\WINDOWS\system32\ylahgzqp.exe
2008-09-05 20:11 . 2005-01-14 12:41 11,254 --a------ C:\WINDOWS\system32\locate.com
2008-09-05 20:10 . 2008-09-05 20:12 <DIR> d-------- C:\MGtools
2008-09-05 20:10 . 2008-09-05 20:12 45,724 --a------ C:\MGlogs.zip
2008-09-04 22:04 . 2008-09-04 22:04 1,266,683 --a------ C:\MGtools.exe
2008-09-04 21:26 . 2008-09-04 21:24 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-09-04 21:24 . 2008-09-04 21:27 <DIR> d-------- C:\Documents and Settings\David Dumbrell\.housecall6.6
2008-09-04 21:23 . 2008-09-04 21:23 <DIR> d-------- C:\WINDOWS\Sun
2008-09-04 21:16 . 2008-09-04 21:16 <DIR> d-------- C:\Program Files\Three Rings Design
2008-09-04 21:16 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-04 21:12 . 2008-09-04 21:15 <DIR> d-------- C:\Program Files\Java
2008-09-04 21:11 . 2008-09-04 21:11 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-04 21:00 . 2008-09-04 21:08 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-09-04 20:59 . 2008-09-04 20:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-09-04 20:53 . 2008-09-04 20:55 <DIR> d-------- C:\Program Files\CCleaner
2008-09-03 19:02 . 2008-09-03 19:02 86,016 --a------ C:\WINDOWS\system32\zwdidcjy.exe.dont trust
2008-09-02 19:18 . 2008-09-02 19:18 86,016 --a------ C:\WINDOWS\system32\bermvgrs.exe.dont trust
2008-09-01 21:28 . 2008-09-01 21:28 <DIR> d-------- C:\Documents and Settings\Noelene\Application Data\SUPERAntiSpyware.com
2008-09-01 21:21 . 2008-09-01 21:21 <DIR> d-------- C:\Documents and Settings\Noelene\Application Data\Malwarebytes
2008-08-30 16:41 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-30 14:50 . 2008-08-30 14:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\jqnsvwxq
2008-08-30 14:49 . 2008-08-30 19:40 <DIR> d-------- C:\Program Files\SAV
2008-08-27 18:51 . 2008-06-13 21:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-08-27 18:49 . 2008-04-12 05:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-27 18:49 . 2008-05-09 00:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-08-27 14:53 . 2008-08-27 14:53 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-27 14:53 . 2008-08-27 14:53 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-27 14:53 . 2008-08-27 14:53 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-26 16:20 . 2008-04-14 10:12 712,704 --------- C:\WINDOWS\system32\windowscodecs.dll
2008-08-26 16:20 . 2008-04-14 10:12 346,112 --------- C:\WINDOWS\system32\windowscodecsext.dll
2008-08-26 16:20 . 2008-04-14 10:12 290,304 --------- C:\WINDOWS\system32\rhttpaa.dll
2008-08-26 16:20 . 2008-04-14 10:12 276,992 --------- C:\WINDOWS\system32\wmphoto.dll
2008-08-26 16:20 . 2008-04-14 10:12 69,120 --------- C:\WINDOWS\system32\wlanapi.dll
2008-08-26 16:20 . 2008-04-14 10:12 53,248 --------- C:\WINDOWS\system32\tsgqec.dll
2008-08-26 16:20 . 2008-04-14 10:12 50,688 --------- C:\WINDOWS\system32\tspkg.dll
2008-08-26 16:20 . 2008-04-14 10:12 32,768 --------- C:\WINDOWS\system32\setupn.exe
2008-08-26 16:20 . 2008-04-14 04:40 10,240 --------- C:\WINDOWS\system32\drivers\sffp_mmc.sys
2008-08-26 16:19 . 2008-04-14 10:12 412,160 --------- C:\WINDOWS\system32\photometadatahandler.dll
2008-08-26 16:19 . 2008-04-14 10:12 291,328 --------- C:\WINDOWS\system32\qagentrt.dll
2008-08-26 16:19 . 2008-04-14 10:12 193,024 --------- C:\WINDOWS\system32\napmontr.dll
2008-08-26 16:19 . 2008-04-14 10:12 176,640 --------- C:\WINDOWS\system32\napstat.exe
2008-08-26 16:19 . 2008-04-14 10:12 150,528 --------- C:\WINDOWS\system32\qagent.dll
2008-08-26 16:19 . 2008-04-14 10:12 144,384 --------- C:\WINDOWS\system32\onex.dll
2008-08-26 16:19 . 2008-04-14 10:12 76,800 --------- C:\WINDOWS\system32\qutil.dll
2008-08-26 16:19 . 2008-04-14 10:12 62,464 --------- C:\WINDOWS\system32\qcliprov.dll
2008-08-26 16:19 . 2008-04-14 10:12 61,952 --------- C:\WINDOWS\system32\rasqec.dll
2008-08-26 16:19 . 2008-04-14 10:12 30,208 --------- C:\WINDOWS\system32\napipsec.dll
2008-08-26 16:17 . 2008-04-14 10:11 650,752 --------- C:\WINDOWS\system32\dot3ui.dll
2008-08-26 16:16 . 2008-04-14 10:11 136,192 --------- C:\WINDOWS\system32\aaclient.dll
2008-08-26 15:39 . 2008-08-27 15:40 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-24 18:09 . 2008-08-24 18:09 35,262 --a------ C:\WINDOWS\Noelene.acl
2008-08-24 17:46 . 2008-08-24 17:46 <DIR> d-------- C:\New Folder
2008-08-24 17:23 . 2008-08-24 17:23 12,843 --a------ C:\ddaddress book.csv
2008-08-24 17:05 . 2008-08-24 17:05 <DIR> d-------- C:\WINDOWS\MSREMOTE.SFS
2008-08-22 10:27 . 2008-08-22 10:27 <DIR> dr------- C:\Documents and Settings\Noelene\Application Data\Brother
2008-08-21 18:48 . 2008-09-02 19:08 <DIR> d-------- C:\Documents and Settings\Noelene
2008-08-14 05:45 . 2008-05-02 00:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-06 00:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-05 09:40 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-09-05 05:51 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-05 05:48 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-09-04 10:55 --------- d-----w C:\Program Files\Yahoo!
2008-09-01 14:16 17,200 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-08-30 07:26 --------- d-----w C:\Documents and Settings\David Dumbrell\Application Data\MSN6
2001-02-05 05:00 30,848 ----a-w C:\Documents and Settings\David Dumbrell\cnmss3d.exe
.

((((((((((((((((((((((((((((( snapshot@2008-09-05_20.06.05.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-06 09:55:21 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_47c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-22 68856]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-05 1576176]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"AplAct"="C:\WINDOWS\system32\ylahgzqp.exe" [2008-09-06 90112]
"shwinact"="C:\WINDOWS\system32\nihwfity.exe" [2008-09-06 90112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-04-26 102400]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2002-12-10 77824]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-20 78008]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"t5F7z2C0Tv"="C:\Documents and Settings\All Users\Application Data\jqnsvwxq\dyjkjmhk.exe" [2008-08-30 65536]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-07-27 113664]
Billminder.lnk - C:\Program Files\QUICKENW\billmind.exe [2005-08-05 25600]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2004-03-27 106560]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-06-04 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-08-27 09:35 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"mnthlpdb"=C:\WINDOWS\system32\vyrihovk.exe
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"setchk"=C:\WINDOWS\system32\xejkxuxm.exe
"DscWin"=C:\WINDOWS\system32\ibszgdqd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"SoundMan"=SOUNDMAN.EXE
"NeroCheck"=C:\WINDOWS\System32\NeroCheck.exe
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k
"lphc980j0en73"=C:\WINDOWS\system32\lphc980j0en73.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1129:UDP"= 1129:UDP:Windows Media Format SDK (iexplore.exe)
"1128:UDP"= 1128:UDP:Windows Media Format SDK (iexplore.exe)

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-20 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-20 20560]
R2 ServiceSB4;ServiceSB4;C:\Program Files\Axaware\SpamBully 4 for Outlook Express\sb4service.exe [2007-05-30 562584]
R2 SVKP;SVKP;C:\WINDOWS\System32\SVKP.sys [2004-04-18 2368]
R3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys [2001-08-17 2944]
R3 brparimg;Brother Multi Function Parallel Image driver;C:\WINDOWS\system32\DRIVERS\BrParImg.sys [2001-08-17 3168]
R3 BrParWdm;Brother WDM Parallel Driver;C:\WINDOWS\system32\Drivers\BrParwdm.sys [2001-08-17 39552]
R3 BrSerWDM;Brother WDM Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys [2004-11-23 61440]
S2 PPPoEService;PPPoE Service;C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe [ ]
S3 alcan5ln;Alcatel SpeedTouch(tm) USB ADSL RFC1483 Networking Driver (NDIS);C:\WINDOWS\system32\DRIVERS\alcan5ln.sys [2002-05-03 36960]
S3 NTSPPPOE;Efficient Networks Enternet P.P.P.o.E LAN Miniport Driver;C:\WINDOWS\system32\DRIVERS\ntspppoe.sys [2002-03-06 161640]
S3 RAWESR;RAWESR;C:\PROGRA~1\EFFICI~1\ENTERN~1\app\RAWESR.SYS [ ]
S3 TAPBIND;TAPBIND;C:\PROGRA~1\EFFICI~1\ENTERN~1\app\TAPBIND1.SYS [ ]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\David Dumbrell\Application Data\Mozilla\Firefox\Profiles\55ndyv1s.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.theage.com.au/
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-06 20:04:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Axaware\SpamBully 4 for Outlook Express\hookoecreation.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Axaware\SpamBully 4 for Outlook Express\hookoecreation.dll

PROCESS: C:\WINDOWS\system32\csrss.exe
-> C:\Program Files\Axaware\SpamBully 4 for Outlook Express\hookoecreation.dll
.
Completion time: 2008-09-06 20:08:08
ComboFix-quarantined-files.txt 2008-09-06 10:07:57
ComboFix2.txt 2008-09-06 04:01:26
ComboFix3.txt 2008-09-05 10:06:49

Pre-Run: 21,605,363,712 bytes free
Post-Run: 21,596,024,832 bytes free

193 --- E O F --- 2008-08-28 04:15:25

----------------

File/Folder kill explorer not found.
C:\Documents and Settings\All Users\Application Data\jqnsvwxq moved successfully.
File/Folder C:\WINDOWS\system32\tedatkng.exe not found.
File/Folder C:\WINDOWS\system32\zunypsrw.exe not found.
File/Folder C:\WINDOWS\system32\rebczgfq.exe not found.
C:\WINDOWS\ntbtlog.txt moved successfully.
C:\WINDOWS\system32\locate.com moved successfully.
File/Folder C:\WINDOWS\system32\zwdidcjy.exe not found.
File/Folder C:\WINDOWS\system32\bermvgrs.exe not found.
C:\WINDOWS\005642_.tmp moved successfully.
File/Folder start explorer not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09162008_172815

-------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:32:41 PM, on 16/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\BrmfBAgS.exe
C:\Program Files\Axaware\SpamBully 4 for Outlook Express\sb4service.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theage.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.searching-4u.com/search_page.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.1852\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\billmind.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Brother BidiAgent Service for Resource manager (brmfbags) - Brother Industries, Ltd. - C:\WINDOWS\system32\BrmfBAgS.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe (file missing)
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe (file missing)
O23 - Service: ServiceSB4 - Axaware - C:\Program Files\Axaware\SpamBully 4 for Outlook Express\sb4service.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Unknown owner - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe (file missing)
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe (file missing)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe (file missing)
O24 - Desktop Component 0: (no name) - http://www.perpetual.com.au/images/topimage.gif
O24 - Desktop Component 1: (no name) - https://my.bigpond.com/res/images/v7/overview/bg_content.gif

--
End of file - 9185 bytes

peku006
2008-09-16, 10:18
Hi Willy_J
You’ve done a good job so far, it looks much better. Is the problem gone?

1 - Clean temp files

Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop. Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.


Click Exit on the Main menu to close the program


2 - Kaspersky Online Scan

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.

4 - Status Check
Please reply with


1. the Kaspersky online scanner report
2. a fresh HijackThis log

Thanks peku006

Willy_J
2008-09-17, 00:42
Peku006,
it will take me a couple of days to get back to you on this.
I've had the pc in at work but will take it home to re-connect to the internet. (Boss is a little concerned about having a sick computer on the office network).
Will post before the end of the week.
Cheers,
-Will.

peku006
2008-09-24, 08:01
Hello!

Do you still need help?

It has been five days since my last post.

Do you still need help with this?
Do you need more time?
Are you having problems following my instructions?

Note: If after 48hrs you have not replied to this thread then it will have to be CLOSED!

Willy_J
2008-09-24, 08:06
Peku006,
disasters are often never lonely... having moved the pc from work to home, it appears I have fritzed the power supply. It's currently in the shop and I hope to get it back shortly. Old pc I guess.
It might be best we close the thread and when I finally get to re-connect the thing back on the internet I'll see if it is still bamboozled by this trojan or whatever it was.
Thanks for your help by the way - it's great to receive such friendly and helpful advice.
Cheers,
-Will.