Smitfraud C



clotsyone
2008-10-13, 12:40
Hi, not sure how this happened but I have this on my system and SpyBot finds it but can't remove it for some reason. I have attached the error file below and hope that someone can give me the way to delete this virus.

Thanks in advance - Kelvin


--- Search result list ---
Hint of the Day: Click the bar at the right of this to see more information! ()


Smitfraud-C.: [SBI $C30A3B68] Type library (Registry key, fixing failed)
HKEY_CLASSES_ROOT\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}

Smitfraud-C.: [SBI $C30A3B68] Type library (Registry key, fixing failed)
HKEY_CLASSES_ROOT\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}


--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---

2008-07-07 blindman.exe (1.0.0.8)
2008-07-07 SDFiles.exe (1.6.0.4)
2008-07-07 SDMain.exe (1.0.0.6)
2008-07-07 SDShred.exe (1.0.2.3)
2008-07-07 SDUpdate.exe (1.6.0.8)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-07 SpybotSD.exe (1.6.0.30)
2008-09-16 TeaTimer.exe (1.6.3.25)
2008-10-12 unins000.exe (51.49.0.0)
2008-07-07 Update.exe (1.6.0.7)
2008-07-07 advcheck.dll (1.6.1.12)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2008-07-07 Tools.dll (2.1.5.7)
2008-09-02 Includes\Adware.sbi (*)
2008-10-07 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-09-02 Includes\Dialer.sbi (*)
2008-09-09 Includes\DialerC.sbi (*)
2008-07-23 Includes\HeavyDuty.sbi (*)
2008-09-02 Includes\Hijackers.sbi (*)
2008-10-07 Includes\HijackersC.sbi (*)
2008-09-09 Includes\Keyloggers.sbi (*)
2008-09-30 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-10-08 Includes\Malware.sbi (*)
2008-10-08 Includes\MalwareC.sbi (*)
2008-09-02 Includes\PUPS.sbi (*)
2008-10-07 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-18 Includes\Security.sbi (*)
2008-09-30 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-09-09 Includes\Spyware.sbi (*)
2008-09-23 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2008-09-30 Includes\Trojans.sbi (*)
2008-10-07 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll



--- System information ---
Windows 2003/XPx64 (Build: 3790) Service Pack 2 (5.2.3790)
/ MSXML4SP2: Security update for MSXML4 SP2 (KB936181)


--- Startup entries list ---
Located: HK_LM:Run, Adobe Reader Speed Launcher
command: "E:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
file: E:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe
size: 34672
MD5: 69B16C7B7746BA5C642FC05B3561FC73

Located: HK_LM:Run, avast!
command: E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
file: E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
size: 78008
MD5: 66893067C2FB0505F151D3FCB8EA92B5

Located: HK_LM:Run, JMB36X Configure
command: E:\WINDOWS\SysWOW64\JMRaidSetup.exe boot
file: E:\WINDOWS\SysWOW64\JMRaidSetup.exe
size: 1953792
MD5: C46705CA914F3C8DC27916BA1AFE1866

Located: HK_LM:Run, JMB36X IDE Setup
command: E:\WINDOWS\JM\JMInsIDE.exe
file: E:\WINDOWS\JM\JMInsIDE.exe
size: 36864
MD5: 47BBA427E91CBB98E41A17B38644987C

Located: HK_LM:RunOnce, SpybotSnD
command: "E:\Program Files (x86)\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
file: E:\Program Files (x86)\Spybot - Search & Destroy\SpybotSD.exe
size: 4891472
MD5: 3B1B5D09D3C9C4CD39D4DB06ED7A0855

Located: HK_CU:RunOnce, tscuninstall
where: .DEFAULT...
command: %systemroot%\system32\tscupgrd.exe
file: E:\WINDOWS\system32\tscupgrd.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, tscuninstall
where: S-1-5-19...
command: %systemroot%\system32\tscupgrd.exe
file: E:\WINDOWS\system32\tscupgrd.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, tscuninstall
where: S-1-5-20...
command: %systemroot%\system32\tscupgrd.exe
file: E:\WINDOWS\system32\tscupgrd.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-1851065067-3386739981-814519529-500...
command: E:\WINDOWS\system32\ctfmon.exe
file: E:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 07C627121E84C7EBF7E38E3A1DBCDEC3

Located: HK_CU:Run, IncrediMail
where: S-1-5-21-1851065067-3386739981-814519529-500...
command: E:\Program Files (x86)\IncrediMail\bin\IncMail.exe /c
file: E:\Program Files (x86)\IncrediMail\bin\IncMail.exe
size: 243072
MD5: 7AD7DAAA39AD39931E5947543084DDF3

Located: HK_CU:Run, MSFox
where: S-1-5-21-1851065067-3386739981-814519529-500...
command: E:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\video255.cfg.exe
file: E:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\video255.cfg.exe
size: 78852
MD5: 6F06F07F733754C8FB86E823F2B3E4D6

Located: HK_CU:Run, SpybotSD TeaTimer
where: S-1-5-21-1851065067-3386739981-814519529-500...
command: E:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
file: E:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
size: 1833296
MD5: 63B3FF83B87AFCEBA89CED54695DA0F6

Located: HK_CU:Run, swg
where: S-1-5-21-1851065067-3386739981-814519529-500...
command: E:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
file: E:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
size: 68856
MD5: E616A6A6E91B0A86F2F6217CDE835FFE

Located: HK_CU:Run, UtilSrv
where: S-1-5-21-1851065067-3386739981-814519529-500...
command: E:\WINDOWS\system32\twbsdwnu.exe
file: E:\WINDOWS\system32\twbsdwnu.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, tscuninstall
where: S-1-5-18...
command: %systemroot%\system32\tscupgrd.exe
file: E:\WINDOWS\system32\tscupgrd.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: Startup (common), Logitech SetPoint.lnk
where: E:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: E:\Program Files\Logitech\SetPoint\SetPoint.exe
file: E:\Program Files\Logitech\SetPoint\SetPoint.exe
size: 1196048
MD5: 834E71F5767213C87976680AACF4ACEE

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, dimsntfy
command: dimsntfy.dll
file: dimsntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, EFS
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!



--- Browser helper object list ---
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} (AcroIEHelperStub)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: AcroIEHelperStub
CLSID name: Adobe PDF Link Helper
Path: E:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\
Long name: AcroIEHelperShim.dll
Short name: ACROIE~2.DLL
Date (created): 11/06/2008 22:33:16
Date (last access): 13/10/2008 10:08:02
Date (last write): 11/06/2008 22:33:16
Filesize: 75128
Attributes: archive
MD5: E96C752BBA0E22330A43258FC800200E
CRC32: E5D72083
Version: 9.0.0.332

{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: E:\PROGRA~2\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 12/10/2008 14:57:50
Date (last access): 13/10/2008 10:18:12
Date (last write): 15/09/2008 14:25:44
Filesize: 1562960
Attributes: readonly hidden sysfile archive
MD5: 35F73F1936BDE91F1B6995510A61E7A8
CRC32: BE6A5D15
Version: 1.6.2.14

{AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Google Toolbar Helper
description: Google toolbar
classification: Open for discussion
known filename: googletoolbar.dll; googletoolbar*.dll (* = number); googletoolbar_en_*.**-big.dll; Googletoolbar_en_*.*.**-deleon.dll
info link: http://toolbar.google.com/
info source: TonyKlein
Path: e:\program files (x86)\google\
Long name: GoogleToolbar1.dll
Short name: GOOGLE~1.DLL
Date (created): 01/10/2008 17:16:24
Date (last access): 13/10/2008 09:21:54
Date (last write): 01/10/2008 17:16:24
Filesize: 2403392
Attributes: readonly archive
MD5: 52DEC141D5FF9A4DD7843C7D4414E4A6
CRC32: 34C22780
Version: 4.0.1601.4978

{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Google Toolbar Notifier BHO
Path: E:\Program Files (x86)\Google\GoogleToolbarNotifier\3.1.807.1746\
Long name: swg.dll
Short name:
Date (created): 09/10/2008 10:16:10
Date (last access): 13/10/2008 10:13:08
Date (last write): 09/10/2008 10:16:10
Filesize: 737776
Attributes: archive
MD5: AB32387A8F8C696A0739768B6B913714
CRC32: F4E76414
Version: 3.1.807.1746



--- ActiveX list ---
{166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control)
DPF name:
CLSID name: Shockwave ActiveX Control
Installer: E:\WINDOWS\Downloaded Program Files\swdir.inf
Codebase: http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
description: Macromedia ShockWave Flash Player 7
classification: Legitimate
known filename: SWDIR.DLL
info link:
info source: Patrick M. Kolla
Path: E:\WINDOWS\SysWow64\Adobe\Director\
Long name: swdir.dll
Short name:
Date (created): 01/10/2008 17:13:08
Date (last access): 12/10/2008 14:17:42
Date (last write): 06/08/2008 16:30:48
Filesize: 202168
Attributes: archive
MD5: B8153BAD2E56C50B147867FA9DAEB095
CRC32: D52113FA
Version: 11.0.0.465

{6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
DPF name:
CLSID name: WUWebControl Class
Installer: E:\WINDOWS\Downloaded Program Files\wuweb.inf
Codebase: http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217235202437
description:
classification: Legitimate
known filename: wuweb.dll
info link:
info source: Safer Networking Ltd.
Path: E:\WINDOWS\SysWow64\
Long name: wuweb.dll
Short name:
Date (created): 28/07/2008 09:11:00
Date (last access): 13/10/2008 10:09:50
Date (last write): 18/07/2008 22:09:44
Filesize: 205000
Attributes: archive
MD5: 4889720E56E85E1FE4659039BB5F6E3F
CRC32: EE278BD5
Version: 7.2.6001.784

{7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist))
DPF name:
CLSID name: Microsoft RDP Client Control (redist)
Installer: E:\WINDOWS\Downloaded Program Files\msrdp.inf
Codebase: https://81.86.26.166/Remote/msrdp.cab
description:
classification: Legitimate
known filename: msrdp.ocx
info link:
info source: Safer Networking Ltd.
Path: E:\WINDOWS\Downloaded Program Files\
Long name: msrdp.ocx
Short name:
Date (created): 24/03/2005 16:27:26
Date (last access): 24/09/2008 12:42:20
Date (last write): 24/03/2005 16:27:26
Filesize: 754176
Attributes: archive
MD5: 9622600F464AE6AE99B44BD0CF58A52F
CRC32: 836C96CA
Version: 5.2.3790.1830

{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} ()
DPF name:
CLSID name:
Installer: E:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
description:
classification: Open for discussion
known filename:
info link:
info source: Safer Networking Ltd.

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: E:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: E:\WINDOWS\SysWow64\Macromed\Flash\
Long name: Flash9f.ocx
Short name:
Date (created): 25/03/2008 03:32:42
Date (last access): 13/10/2008 08:51:46
Date (last write): 25/03/2008 03:32:42
Filesize: 2991488
Attributes: readonly archive
MD5: 48FDF435B8595604E54125B321924510
CRC32: 12335E29
Version: 9.0.124.0



--- Process list ---
PID: 0 ( 0) [System]
PID: 1280 ( 424) E:\Program Files (x86)\Bonjour\mDNSResponder.exe
size: 229376
MD5: 73686FE0B2E0469F89FD2075BE724704
PID: 1532 ( 424) e:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
size: 29178224
MD5: D07C9575726797B0E9069E1108A1C483
PID: 1644 ( 424) e:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
size: 242544
MD5: D2B096CD2F56FAC6EEEED9A77DDF6DC8
PID: 2368 (2236) E:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
size: 68856
MD5: E616A6A6E91B0A86F2F6217CDE835FFE
PID: 1600 (2236) E:\Program Files (x86)\Spybot - Search & Destroy\SpybotSD.exe
size: 4891472
MD5: 3B1B5D09D3C9C4CD39D4DB06ED7A0855
PID: 936 (3064) E:\Program Files\Alwil Software\Avast4\ashSimpl.exe
size: 155832
MD5: EF2CB30A6C64A0CEAF60839C531A2207
PID: 2052 ( 424) E:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
size: 322120
MD5: 11F714F85530A2BD134074DC30E99FCA
PID: 2556 ( 936) E:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 07C627121E84C7EBF7E38E3A1DBCDEC3
PID: 4 ( 0) System
PID: 304 ( 4) E:\WINDOWS\system32\smss.exe
size: 53760
MD5: 97E9B4A202E645E7826BE7597B335C47
PID: 352 ( 304) E:\WINDOWS\system32\csrss.exe
PID: 376 ( 304) E:\WINDOWS\system32\winlogon.exe
PID: 424 ( 376) E:\WINDOWS\system32\services.exe
PID: 436 ( 376) E:\WINDOWS\system32\lsass.exe
PID: 608 ( 424) E:\WINDOWS\system32\svchost.exe
size: 14848
MD5: C09CCFE81DEC9B162533D7184D705682
PID: 680 ( 424) E:\WINDOWS\system32\svchost.exe
size: 14848
MD5: C09CCFE81DEC9B162533D7184D705682
PID: 724 ( 424) E:\WINDOWS\system32\svchost.exe
size: 14848
MD5: C09CCFE81DEC9B162533D7184D705682
PID: 772 ( 424) E:\WINDOWS\system32\svchost.exe
size: 14848
MD5: C09CCFE81DEC9B162533D7184D705682
PID: 808 ( 424) E:\WINDOWS\system32\svchost.exe
size: 14848
MD5: C09CCFE81DEC9B162533D7184D705682
PID: 1192 ( 424) E:\WINDOWS\system32\spoolsv.exe
size: 110080
MD5: 5918677301E62A935A837EC22BA7088C
PID: 1328 ( 424) E:\WINDOWS\system32\svchost.exe
size: 14848
MD5: C09CCFE81DEC9B162533D7184D705682
PID: 1432 ( 424) E:\WINDOWS\system32\inetsrv\inetinfo.exe
PID: 1604 ( 424) E:\WINDOWS\system32\nvsvc64.exe
PID: 1668 ( 424) E:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
size: 156016
MD5: 582F8B13E1042C49A4A5A7BB52F518E4
PID: 1724 ( 424) E:\WINDOWS\system32\svchost.exe
size: 14848
MD5: C09CCFE81DEC9B162533D7184D705682
PID: 1960 ( 424) E:\WINDOWS\system32\svchost.exe
size: 14848
MD5: C09CCFE81DEC9B162533D7184D705682
PID: 2236 (2188) E:\WINDOWS\explorer.exe
size: 1364480
MD5: AE7A08C05F72A9242734C03230A5CD7F
PID: 2244 ( 608) E:\WINDOWS\system32\wbem\wmiprvse.exe
size: 207872
MD5: CE7B5D3CB3682435725CAB1C4D9FB145
PID: 2668 ( 424) E:\WINDOWS\system32\alg.exe
size: 45056
MD5: FD79AFA46B60D32557CB62F6050C2B69
PID: 2176 (2236) E:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 07C627121E84C7EBF7E38E3A1DBCDEC3
PID: 2160 (2236) E:\Program Files\Logitech\SetPoint\SetPoint.exe
size: 1196048
MD5: 834E71F5767213C87976680AACF4ACEE
PID: 2472 ( 376) E:\WINDOWS\system32\taskmgr.exe
size: 168960
MD5: 96BB332BF16E25EF3081491B55FA0F9F
PID: 288 ( 724) E:\WINDOWS\system32\wuauclt.exe


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 13/10/2008 10:18:46

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
E:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.akroservices.co.uk/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

Namespace Provider 3: mdnsNSP
GUID: {B600E6E9-553B-4A19-8696-335E5C896153}
Filename: E:\Program Files (x86)\Bonjour\mdnsNSP.dll
Description: Apple Rendezvous protocol
DB filename: %ProgramFiles%\Rendezvous\bin\mdnsNSP.dll
DB protocol: mdnsNSP

Blade81
2008-10-13, 17:28
BEFORE you POST (READ this Procedure BEFORE Requesting Assistance): http://forums.spybot.info/showthread.php?t=288

Download and install TrendMicro HijackThis (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe)
* Once installed, open HijackThis by clicking Start > Programs > HijackThis and click the button labeled "Do a system scan only".
* Click the scan button in the lower left hand corner of the interface and HijackThis will quickly scan your system.
* Once the scan is complete the scan button will now read "save log". Click this button to save the log file to your PC. Once you select where you would like to save the file it will open in your system's default text editor. Typically this application is Notepad. Post the log here. :)

clotsyone
2008-10-13, 17:39
Hi Blade81, thanks for your assistance.
Below is the file requested. Let's hope it makes more sense to you?
***********************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:36:28, on 13/10/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
E:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.akroservices.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=userinit
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - E:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files (x86)\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - E:\Program Files (x86)\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files (x86)\google\googletoolbar1.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] E:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [JMB36X Configure] E:\WINDOWS\SysWOW64\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] E:\Program Files (x86)\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [swg] E:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSFox] E:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\video255.cfg.exe
O4 - HKCU\..\Run: [UtilSrv] E:\WINDOWS\system32\twbsdwnu.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217235202437
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://81.86.26.166/Remote/msrdp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - E:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - E:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - E:\WINDOWS\system32\services.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - E:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - E:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: IIS Admin Service (IISADMIN) - Unknown owner - E:\WINDOWS\system32\inetsrv\inetinfo.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - E:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - E:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - E:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - E:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - E:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - E:\WINDOWS\system32\nvsvc64.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - E:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - E:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - E:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - E:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - E:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - E:\Program Files (x86)\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Virtual Disk Service (vds) - Unknown owner - E:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - E:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - E:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 7386 bytes

clotsyone
2008-10-13, 17:41
Just so you know, I have disabled some programs causing the problems so that I could get on with some work. These tend to reactivate on start up.

Blade81
2008-10-13, 17:49
Hi again,

Let's see another log too.

Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized; if not, you'll find it in the c:\rsit folder).

clotsyone
2008-10-13, 17:56
I seem to get an error running this program.
Line -1:
Error: Error parsing function call.

Tried a few times. I am running XP 64 bit - not sure if this is the issue?

Thanks

Blade81
2008-10-14, 07:29
Hi

Yes, that could be the reason.

Disable Spybot's TeaTimer
Run Spybot-S&D in Advanced Mode. If it is not already set to do this, go to the Mode menu and select Advanced Mode.

On the left hand side, click on Tools.
Then click on the Resident icon in the list.
Uncheck Resident TeaTimer and OK any prompts.
Restart your computer.


Navigate into E:\Program Files (x86)\Trend Micro\HijackThis folder and rename HijackThis.exe file -> whatever.exe.

After that start hjt, do a system scan, check:
O4 - HKCU\..\Run: [MSFox] E:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\video255.cfg.exe
O4 - HKCU\..\Run: E:\WINDOWS\system32\twbsdwnu.exe

Close browsers and fix checked.


Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Delete following files if found:
E:\Documents and settings\ADMINI~1\Local settings\Temp\video255.cfg.exe (ADMINI~1 is a folder which name begins as Admini)
E:\WINDOWS\system32\twbsdwnu.exe


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).

Post back its report & a fresh hjt log.
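
The two O4 lines Blade81 singles out above share traits that recur in Smitfraud-family infections: an executable launched from the user's Temp folder, and a Run value with no name pointing at a random-looking filename under system32 (on this x64 box the Kaspersky scan later also finds a twin copy under SysWOW64). The script below is an added example, not part of the thread or of HijackThis/Spybot, that parses HJT O4 lines and flags those traits; the sample lines are copied from the logs in this thread, while the heuristics and their thresholds (consonant-run length, letter/digit switches) are this example's own assumptions and would need tuning before use on other logs.

```python
"""Triage HijackThis O4 (autorun) lines for the indicators seen in this thread.

Added example, not part of the original forum post or of HijackThis/Spybot.
Sample lines are copied from the logs quoted in the thread; the heuristics
and thresholds are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two entries Blade81 asked the poster to fix plus
# a few entries copied from the later HJT logs in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [JMB36X Configure] E:\WINDOWS\SysWOW64\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files (x86)\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [MSFox] E:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\video255.cfg.exe
O4 - HKCU\..\Run: E:\WINDOWS\system32\twbsdwnu.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
"""

# "O4 - <hive>\..\<Run key>: [<value name>] <command>"; the [..] part is
# absent when the registry value has an empty name.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+(?:\\[^\\]+)?)\\\.\.\\(?P<key>Run\w*):\s*"
    r"(?:\[(?P<name>[^\]]*)\]\s*)?(?P<cmd>.*)$"
)
# Executable part of the command: a quoted path, or everything up to the
# first ".exe" (drops trailing arguments such as "boot" or "/c").
EXE_RE = re.compile(r'^"([^"]+)"|^(.*?\.exe)\b', re.IGNORECASE)
SYSTEM_DIRS = ("\\system32\\", "\\syswow64\\")


@dataclass
class Autorun:
    hive: str
    key: str
    name: Optional[str]   # None when HJT printed no [..] value name
    exe: str              # executable path without arguments
    reasons: List[str]    # empty list means nothing tripped


def _looks_random(stem: str) -> bool:
    """Crude made-up-filename test (assumption, tuned only on this thread):
    five or more consecutive consonants (twbsdwnu) or three or more
    letter<->digit switches (Boo8e8m4)."""
    s = stem.lower()
    if re.search(r"[bcdfghjklmnpqrstvwxz]{5,}", s):
        return True
    switches = len(re.findall(r"[a-z](?=\d)|\d(?=[a-z])", s))
    return switches >= 3


def parse_o4(line: str) -> Optional[Autorun]:
    """Split one HJT O4 line into hive, key, value name and executable."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    e = EXE_RE.match(cmd)
    exe = (e.group(1) or e.group(2)) if e else cmd
    return Autorun(m.group("hive"), m.group("key"), m.group("name"), exe, [])


def triage(line: str) -> Optional[Autorun]:
    """Attach one reason per indicator the entry trips."""
    a = parse_o4(line)
    if a is None:
        return None
    low = a.exe.lower()
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if "\\temp\\" in low or "\\locals~1\\temp" in low:
        a.reasons.append("runs from a Temp directory")
    if a.name is None:
        a.reasons.append("Run value has no name")
    if any(d in low for d in SYSTEM_DIRS) and _looks_random(stem):
        a.reasons.append("random-looking filename in system32/SysWOW64")
    return a


def suspicious(log: str) -> List[Autorun]:
    """Return only the O4 entries that tripped at least one indicator."""
    hits = []
    for line in log.splitlines():
        a = triage(line)
        if a and a.reasons:
            hits.append(a)
    return hits


if __name__ == "__main__":
    for a in suspicious(SAMPLE_LOG):
        print(f"{a.hive}\\..\\{a.key} [{a.name or ''}] {a.exe}: " + "; ".join(a.reasons))
```

On the sample above only the two entries the helper named are reported; the legitimate ctfmon.exe, JMRaidSetup.exe and tscupgrd.exe entries pass because their names have no long consonant runs or digit interleaving. The output is a shortlist for a human, not a verdict: on a 64-bit system, check both system32 and SysWOW64 for any flagged filename before deleting, as the Kaspersky report in this thread shows the same dropper in both.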

clotsyone
2008-10-14, 12:53
Thanks for the instructions, I think I carried them out correctly.

First Log..
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, October 14, 2008
Operating System: Microsoft Windows XP Professional x64 Edition Service Pack 2 (build 3790)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, October 14, 2008 05:08:48
Records in database: 1310215
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 114428
Threat name: 1
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 01:06:58


File name / Threat name / Threats count
E:\System Volume Information\_restore{B914C604-5D45-4CA4-AEEE-7E78BCD33CF0}\RP78\A0018076.exe Infected: Trojan.Win32.Agent.agmu 1
E:\WINDOWS\system32\Boo8e8m4.exe Infected: Trojan.Win32.Agent.agmu 1
E:\WINDOWS\SysWOW64\Boo8e8m4.exe Infected: Trojan.Win32.Agent.agmu 1

The selected area was scanned.

Second Log..
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:53:16, on 14/10/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
E:\WINDOWS\RTHDCPL.EXE
E:\WINDOWS\SysWOW64\ctfmon.exe
E:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files (x86)\IncrediMail\bin\IMApp.exe
E:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Program Files (x86)\Bonjour\mDNSResponder.exe
E:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
E:\Program Files (x86)\Adobe\Adobe Fireworks CS3\Fireworks.exe
E:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
E:\Program Files (x86)\IncrediMail\bin\IncMail.exe
E:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
E:\Program Files (x86)\Trend Micro\HijackThis\waterver.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.akroservices.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=userinit
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - E:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files (x86)\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - E:\Program Files (x86)\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files (x86)\google\googletoolbar1.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] E:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [JMB36X Configure] E:\WINDOWS\SysWOW64\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files (x86)\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] E:\Program Files (x86)\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217235202437
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://81.86.26.166/Remote/msrdp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - E:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - E:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - E:\WINDOWS\system32\services.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - E:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - E:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: IIS Admin Service (IISADMIN) - Unknown owner - E:\WINDOWS\system32\inetsrv\inetinfo.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - E:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - E:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - E:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - E:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - E:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - E:\WINDOWS\system32\nvsvc64.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - E:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - E:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - E:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - E:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - E:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - E:\Program Files (x86)\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Virtual Disk Service (vds) - Unknown owner - E:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - E:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - E:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 8390 bytes

Blade81
2008-10-14, 17:29
Hi

Delete these files if found:
E:\WINDOWS\system32\Boo8e8m4.exe
E:\WINDOWS\SysWOW64\Boo8e8m4.exe

Reboot and run Kaspersky online scanner again. Post back its report & a fresh hjt log. How's the system running now?

clotsyone
2008-10-14, 18:52
Here they are:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, October 14, 2008
Operating System: Microsoft Windows XP Professional x64 Edition Service Pack 2 (build 3790)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, October 14, 2008 10:36:49
Records in database: 1310847
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 118127
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 01:11:01


File name / Threat name / Threats count
E:\System Volume Information\_restore{B914C604-5D45-4CA4-AEEE-7E78BCD33CF0}\RP78\A0018076.exe Infected: Trojan.Win32.Agent.agmu 1
E:\System Volume Information\_restore{B914C604-5D45-4CA4-AEEE-7E78BCD33CF0}\RP84\A0018549.exe Infected: Trojan.Win32.Agent.agmu 1

The selected area was scanned.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:52:26, on 14/10/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
E:\WINDOWS\RTHDCPL.EXE
E:\WINDOWS\SysWOW64\ctfmon.exe
E:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files (x86)\IncrediMail\bin\IMApp.exe
E:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Program Files (x86)\Bonjour\mDNSResponder.exe
E:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
E:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
E:\Program Files (x86)\Internet Explorer\iexplore.exe
E:\Program Files (x86)\IncrediMail\bin\IncMail.exe
E:\Program Files (x86)\Trend Micro\HijackThis\waterver.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.akroservices.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=userinit
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - E:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files (x86)\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - E:\Program Files (x86)\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files (x86)\google\googletoolbar1.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] E:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [JMB36X Configure] E:\WINDOWS\SysWOW64\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files (x86)\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] E:\Program Files (x86)\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217235202437
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://81.86.26.166/Remote/msrdp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - E:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - E:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - E:\WINDOWS\system32\services.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - E:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - E:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: IIS Admin Service (IISADMIN) - Unknown owner - E:\WINDOWS\system32\inetsrv\inetinfo.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - E:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - E:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - E:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - E:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - E:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - E:\WINDOWS\system32\nvsvc64.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - E:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - E:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - E:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - E:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - E:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - E:\Program Files (x86)\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Virtual Disk Service (vds) - Unknown owner - E:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - E:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - E:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 8283 bytes

Blade81
2008-10-14, 19:27
Hi

Before cleaning those two items in system restore I need to know how the system runs. Are there still signs of infection found?

clotsyone
2008-10-14, 19:58
The system seems to run OK; the only things I have noticed are that the shield has gone from the toolbar at the bottom and that in our accounts system I get black screens. This runs from SQL Express. Everything else seems OK? No signs of infection with popups or mysterious things happening.

Blade81
2008-10-14, 21:21
Ok. In that case it's time to reset system restore.

Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis.

That should get rid of those detected items in system restore :)

clotsyone
2008-10-15, 20:12
Hi Blade, Thanks for everything.

It all seemed fine, with the scans not revealing anything, but I just ran a Spybot scan that showed there are 2 entries (Smitfraud). Is there any way to get rid of these?

Thanks

Kelvin

clotsyone
2008-10-15, 20:14
Just in case ..

--- Search result list ---
Hint of the Day: Click the bar at the right of this to see more information! ()


Smitfraud-C.: [SBI $C30A3B68] Type library (Registry key, fixing failed)
HKEY_CLASSES_ROOT\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}

Smitfraud-C.: [SBI $C30A3B68] Type library (Registry key, fixing failed)
HKEY_CLASSES_ROOT\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}


--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---

2008-07-07 blindman.exe (1.0.0.8)
2008-07-07 SDFiles.exe (1.6.0.4)
2008-07-07 SDMain.exe (1.0.0.6)
2008-07-07 SDShred.exe (1.0.2.3)
2008-07-07 SDUpdate.exe (1.6.0.8)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-07 SpybotSD.exe (1.6.0.30)
2008-09-16 TeaTimer.exe (1.6.3.25)
2008-10-12 unins000.exe (51.49.0.0)
2008-07-07 Update.exe (1.6.0.7)
2008-07-07 advcheck.dll (1.6.1.12)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2008-07-07 Tools.dll (2.1.5.7)
2008-09-02 Includes\Adware.sbi (*)
2008-10-14 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-09-02 Includes\Dialer.sbi (*)
2008-09-09 Includes\DialerC.sbi (*)
2008-07-23 Includes\HeavyDuty.sbi (*)
2008-09-02 Includes\Hijackers.sbi (*)
2008-10-07 Includes\HijackersC.sbi (*)
2008-09-09 Includes\Keyloggers.sbi (*)
2008-10-14 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-10-08 Includes\Malware.sbi (*)
2008-10-14 Includes\MalwareC.sbi (*)
2008-09-02 Includes\PUPS.sbi (*)
2008-10-14 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-18 Includes\Security.sbi (*)
2008-09-30 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-09-09 Includes\Spyware.sbi (*)
2008-10-14 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2008-10-15 Includes\Trojans.sbi (*)
2008-10-14 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll



--- System information ---
Windows 2003/XPx64 (Build: 3790) Service Pack 2 (5.2.3790)
/ MSXML4SP2: Security update for MSXML4 SP2 (KB936181)


--- Startup entries list ---
Located: HK_LM:Run, Adobe Reader Speed Launcher
command: "E:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
file: E:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe
size: 34672
MD5: 69B16C7B7746BA5C642FC05B3561FC73

Located: HK_LM:Run, avast!
command: E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
file: E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
size: 78008
MD5: 66893067C2FB0505F151D3FCB8EA92B5

Located: HK_LM:Run, JMB36X Configure
command: E:\WINDOWS\SysWOW64\JMRaidSetup.exe boot
file: E:\WINDOWS\SysWOW64\JMRaidSetup.exe
size: 1953792
MD5: C46705CA914F3C8DC27916BA1AFE1866

Located: HK_LM:Run, JMB36X IDE Setup
command: E:\WINDOWS\JM\JMInsIDE.exe
file: E:\WINDOWS\JM\JMInsIDE.exe
size: 36864
MD5: 47BBA427E91CBB98E41A17B38644987C

Located: HK_LM:Run, SunJavaUpdateSched
command: "E:\Program Files (x86)\Java\jre1.6.0_07\bin\jusched.exe"
file: E:\Program Files (x86)\Java\jre1.6.0_07\bin\jusched.exe
size: 144784
MD5: 6AB4C021FBD36DC6764924C312428D97

Located: HK_LM:RunOnce, SpybotSnD
command: "E:\Program Files (x86)\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
file: E:\Program Files (x86)\Spybot - Search & Destroy\SpybotSD.exe
size: 4891472
MD5: 3B1B5D09D3C9C4CD39D4DB06ED7A0855

Located: HK_CU:RunOnce, tscuninstall
where: .DEFAULT...
command: %systemroot%\system32\tscupgrd.exe
file: E:\WINDOWS\system32\tscupgrd.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, tscuninstall
where: S-1-5-19...
command: %systemroot%\system32\tscupgrd.exe
file: E:\WINDOWS\system32\tscupgrd.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, tscuninstall
where: S-1-5-20...
command: %systemroot%\system32\tscupgrd.exe
file: E:\WINDOWS\system32\tscupgrd.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-1851065067-3386739981-814519529-500...
command: E:\WINDOWS\system32\ctfmon.exe
file: E:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 07C627121E84C7EBF7E38E3A1DBCDEC3

Located: HK_CU:Run, IncrediMail
where: S-1-5-21-1851065067-3386739981-814519529-500...
command: E:\Program Files (x86)\IncrediMail\bin\IncMail.exe /c
file: E:\Program Files (x86)\IncrediMail\bin\IncMail.exe
size: 243072
MD5: 7AD7DAAA39AD39931E5947543084DDF3

Located: HK_CU:Run, SpybotSD TeaTimer
where: S-1-5-21-1851065067-3386739981-814519529-500...
command: E:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
file: E:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
size: 1833296
MD5: 63B3FF83B87AFCEBA89CED54695DA0F6

Located: HK_CU:RunOnce, tscuninstall
where: S-1-5-18...
command: %systemroot%\system32\tscupgrd.exe
file: E:\WINDOWS\system32\tscupgrd.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: Startup (common), Logitech SetPoint.lnk
where: E:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: E:\Program Files\Logitech\SetPoint\SetPoint.exe
file: E:\Program Files\Logitech\SetPoint\SetPoint.exe
size: 1196048
MD5: 834E71F5767213C87976680AACF4ACEE

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, dimsntfy
command: dimsntfy.dll
file: dimsntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, EFS
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!



--- Browser helper object list ---
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} (AcroIEHelperStub)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: AcroIEHelperStub
CLSID name: Adobe PDF Link Helper
Path: E:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\
Long name: AcroIEHelperShim.dll
Short name: ACROIE~2.DLL
Date (created): 11/06/2008 22:33:16
Date (last access): 15/10/2008 17:51:06
Date (last write): 11/06/2008 22:33:16
Filesize: 75128
Attributes: archive
MD5: E96C752BBA0E22330A43258FC800200E
CRC32: E5D72083
Version: 9.0.0.332

{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
Blade81
2008-10-15, 20:20
Hi

Download ERUNT (http://www.softpedia.com/get/Tweak/Registry-Tweak/Erunt-g.shtml)
Save it to your desktop. Run and install this program.

In the box that opens ONLY choose
System registry.

Then click OK.

Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.

Save the text below as fix.reg in Notepad (save as type: All Files (*.*)) on the Desktop.


REGEDIT4

[-HKEY_CLASSES_ROOT\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}]


It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif

Double-click fix.reg, press Yes and OK.

(In case you are unsure how to create a reg file, take a look here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Reg_File_) with screenshots.)

Reboot and run Spybot again.
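
A way to see exactly what a fix.reg like the one above will do before double-clicking it: this is an added Python example, not code from the thread or from Spybot, that parses REGEDIT4 syntax into the key and value operations applying the file performs and flags deletions broad enough to remove a whole hive or all of HKCR\TypeLib. The HKEY_CURRENT_USER\Software\ExampleApp key in the sample is an assumed placeholder used only to exercise the value syntax.

```python
import re
from dataclasses import dataclass

# Constructed sample in REGEDIT4 syntax: the TypeLib deletion from the post
# above, plus a hypothetical HKCU key (assumed, not from the thread) that
# exercises the value-level syntax (set, delete with "-", and "@" default).
SAMPLE_REG = """REGEDIT4

[-HKEY_CLASSES_ROOT\\TypeLib\\{9233C3C0-1472-4091-A505-5580A23BB4AC}]
[HKEY_CURRENT_USER\\Software\\ExampleApp]
"Setting"="value"
"Stale"=-
@="default"
"""

KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")                     # [key] or [-key]
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')   # "name"=data / @=data

@dataclass
class RegAction:
    kind: str          # delete_key | create_key | set_value | delete_value
    key: str
    name: str = ""
    data: str = ""

def parse_reg(text: str) -> list:
    """Translate a .reg file into the registry actions applying it performs."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        raise ValueError("not a .reg file: missing REGEDIT4 header")
    actions, key = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):       # blank line or comment
            continue
        if m := KEY_RE.match(line):
            key = m.group(2)                        # '-' prefix deletes the whole key tree
            actions.append(RegAction("delete_key" if m.group(1) else "create_key", key))
        elif (m := VALUE_RE.match(line)) and key is not None:
            name = "(Default)" if m.group(2) else m.group(1)
            if m.group(3) == "-":                   # "name"=- removes the value
                actions.append(RegAction("delete_value", key, name))
            else:
                actions.append(RegAction("set_value", key, name, m.group(3)))
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return actions

def deleted_keys(actions: list) -> list:
    """Keys the file removes outright, subkeys included."""
    return [a.key for a in actions if a.kind == "delete_key"]

def risky_deletions(actions: list, min_depth: int = 3) -> list:
    """Deletions shallower than min_depth components: a hive root or all of HKCR\\TypeLib."""
    return [k for k in deleted_keys(actions) if len(k.split("\\")) < min_depth]
```

Running parse_reg over the fix should list exactly one delete_key action and an empty risky_deletions result; anything broader deserves a second look before applying it.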

clotsyone
2008-10-15, 20:57
That did it.

Thanks, the message received is:

--- Search result list ---
Hint of the Day: Click the bar at the right of this to see more information! ()


Congratulations!: No immediate threats were found. ()



--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---

I am doing a scan on my partner's computer, which I wish I hadn't started - showing 21 Trojans, 16 Spyware and 162 PUPS so far, about halfway done.

Seems to be running OK though?

Blade81
2008-10-15, 21:05
Hi

If the system is running OK and you don't have any questions left, let me know and I'll archive the topic :)


I am doing a scan on my partner's computer, which I wish I hadn't started - showing 21 Trojans, 16 Spyware and 162 PUPS so far, about halfway done.
I assume that's a different system, right? You're welcome to post its log to be analyzed, but please create a new thread for it (if needed). :)

clotsyone
2008-10-15, 21:06
Thank you - please close this one down.

Great! :)

Blade81
2008-10-15, 21:40
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.