Command Service problems



fenrif
2006-07-17, 04:49
Hi, any help with this would be greatly appreciated. I've run Spybot Search & Destroy and Ad-Aware SE several times, but I keep getting reinfected. Spybot can't get rid of Command Service, and it seems to keep getting Surf Sidekick and TSUpdater (I think it's called that).

Also, I've tried running some of those online virus scans and they don't seem to load up; the Panda one takes me to a page saying to click Yes for the ActiveX control thing, but it never loads. Anyway, here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:44:14 AM, on 7/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Promise\FastTrak\FtrakSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\dfndrad_5.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\Opera\Opera.exe
c:\ac3_0010.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Network Monitor\netmon.exe
C:\applicationas\security\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 213.105.224.12
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.105.224.12:8080
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrad_5.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdad_5.exe
O4 - HKLM\..\Run: [esubf39b] RUNDLL32.EXE w04b9c81.dll,n 001bf39a0000000a04b9c81
O4 - HKLM\..\Run: [newname] c:\\nwnmad_5.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FastCheck Monitoring Utility.lnk = C:\Program Files\Promise\FastTrak\RAIDeUtility.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/pages/scanner/ErrorSafeFreeInstall.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\nltui2.dll
O23 - Service: Promise FastTrak Log Service (FastTrakSvc) - Promise Technology Inc. - C:\Program Files\Promise\FastTrak\FtrakSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

Again, any help would be greatly appreciated.
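Added example (editorial, not code from any poster in this thread and not part of HijackThis): a small Python triage pass over lines of the HijackThis log above. The sample lines are copied from that log; the allow-lists of Winlogon Notify DLLs and ActiveX download hosts are illustrative assumptions, not HijackThis's own safelist, and the "random-looking name" test is a crude heuristic.

```python
"""Triage heuristics for HijackThis 1.99.x log lines (added example).

Flags the kinds of entries a helper looks for first: proxy settings pointing at
a bare IP, Run entries launching files from the drive root or loading a DLL by
bare name through rundll32, ActiveX downloads from unknown hosts, non-standard
Winlogon Notify packages, and services with no vendor information.
"""
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 213.105.224.12
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.105.224.12:8080
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [defender] C:\\dfndrad_5.exe
O4 - HKLM\..\Run: [esubf39b] RUNDLL32.EXE w04b9c81.dll,n 001bf39a0000000a04b9c81
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/pages/scanner/ErrorSafeFreeInstall.cab
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\nltui2.dll
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

IPV4_ENDPOINT = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d{1,5})?$")
WIN_PATH = re.compile(r'[A-Za-z]:\\+[^",]*?\.(?:exe|dll|scr|com)\b', re.I)
BARE_RUNDLL = re.compile(r"^rundll32(?:\.exe)?\s+([^\\\s,]+\.dll)", re.I)
ROOT_FILE = re.compile(r"^[A-Za-z]:\\+[^\\]+$")

# Assumed allow-lists for illustration; build real ones from a known-clean XP SP2 image.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}
TRUSTED_DPF_HOSTS = {"download.microsoft.com", "www.update.microsoft.com", "java.sun.com"}


def looks_random(filename):
    """Crude name heuristic: long stem, several digits, almost no vowels (e.g. w04b9c81.dll)."""
    stem = filename.rsplit(".", 1)[0].lower()
    digits = sum(ch.isdigit() for ch in stem)
    vowels = sum(ch in "aeiou" for ch in stem)
    return len(stem) >= 6 and digits >= 2 and vowels <= len(stem) // 4


def check_line(line):
    """Return the reasons one HijackThis line deserves attention (empty list if none)."""
    m = re.match(r"^([RFO]\d+) - (.*)$", line.strip())
    if not m:
        return []
    kind, body = m.groups()
    reasons = []
    if kind in ("R0", "R1"):
        key, _, value = body.partition(" = ")
        if key.endswith("ProxyServer") and IPV4_ENDPOINT.match(value.strip()):
            reasons.append("browser proxy points at a bare IP address")
        if key.endswith("AutoConfigURL"):
            reasons.append("proxy auto-config URL is set")
    elif kind == "O4":
        m4 = re.match(r".*?: \[[^\]]*\] (.*)$", body)
        cmd = m4.group(1).strip() if m4 else body
        bare = BARE_RUNDLL.match(cmd)
        if bare:  # DLL named without a directory: resolved through the search path
            reasons.append("rundll32 loads a DLL by bare name")
            if looks_random(bare.group(1)):
                reasons.append("random-looking DLL name")
        p = WIN_PATH.search(cmd)
        if p:
            path = p.group(0)
            if ROOT_FILE.match(path):
                reasons.append("executable sits directly in the drive root")
            if looks_random(path.rsplit("\\", 1)[-1]):
                reasons.append("random-looking file name")
    elif kind == "O16":
        host = urlparse(body.rsplit(" - ", 1)[-1].strip()).hostname or ""
        if host not in TRUSTED_DPF_HOSTS:
            reasons.append(f"ActiveX download from untrusted host {host}")
    elif kind == "O20":
        dll = body.rsplit("\\", 1)[-1].strip().lower()
        if dll not in KNOWN_NOTIFY_DLLS:
            reasons.append("non-standard Winlogon Notify package (loaded into winlogon.exe)")
    elif kind == "O23":
        parts = body.split(" - ")
        if len(parts) >= 3 and parts[1].strip().lower() == "unknown owner":
            reasons.append("service binary carries no vendor information")
    return reasons


def triage(log_text):
    """Map each flagged line to its reasons, preserving log order."""
    return [{"line": ln.strip(), "reasons": check_line(ln)}
            for ln in log_text.splitlines() if check_line(ln)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["line"][:70], "->", "; ".join(f["reasons"]))
```

Run against the sample it flags seven of the ten lines and leaves the Java updater, the NVIDIA tray entry and the NVIDIA service alone. The O20 rule is the one worth keeping even on a modern log: a Winlogon Notify DLL runs inside winlogon.exe, which is why ordinary user-mode cleaners keep losing to it.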

Rawe
2006-07-17, 13:59
Welcome aboard. :)

First, you'll definitely need an anti-virus.

---

Please get the free version of AVG (http://www.grisoft.com/us/us_dwnl_free.php).

Download & install it, configure it how you wish, update it. Next, run a scan with it (set it to scan everything it can). Remove/quarantine everything found. Reboot.

---

Download Combofix (http://download.bleepingcomputer.com/sUBs/combofix.exe) to your desktop:
Double-click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply. :bigthumb:

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

fenrif
2006-07-17, 15:45
OK, downloaded and ran that virus program. Here's the ComboFix log (part 1) :)

Start Time= Mon 07/17/2006 14:38:09.25
Running from: C:\Documents and Settings\fenrif\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-17 13:29:42 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\AVG7"
2006-07-17 13:28:24 ( .D... ) "C:\Program Files\Grisoft"
2006-07-17 12:26:22 235488 ( ..S.R ) "C:\WINDOWS\system32\e4020edoeh0c0.dll"
2006-07-17 04:35:38 235284 ( A.... ) "C:\WINDOWS\system32\l4p20e7oeh.dll"
2006-07-17 03:43:40 578560 ( A.... ) "C:\Installer2.exe"
2006-07-17 03:43:40 1063 ( A.... ) "C:\WINDOWS\system32\aaa00000.sys"
2006-07-17 03:43:40 1063 ( A.... ) "C:\WINDOWS\system32\aaa00000.sys"
2006-07-16 19:36:18 578560 ( A.... ) "C:\warebundlenewer.exe"
2006-07-15 16:03:58 61440 ( A.... ) "C:\WINDOWS\system32\aaa00000.dll"
2006-07-15 15:09:20 40960 ( A.... ) "C:\WINDOWS\system32\aqcebdip.dll"
2006-07-15 01:12:44 1063 ( A.... ) "C:\WINDOWS\system32\esubf39b.sys"
2006-07-15 01:12:44 1063 ( A.... ) "C:\WINDOWS\system32\esubf39b.sys"
2006-07-15 01:06:08 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Lavasoft"
2006-07-15 00:46:20 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-07-15 00:13:38 ( .D... ) "C:\Program Files\Common Files\irof"
2006-07-14 23:50:16 ( .D... ) "C:\Program Files\Spyware Doctor"
2006-07-14 23:48:22 ( .D... ) "C:\Program Files\Registry Mechanic"
2006-07-14 11:57:46 ( .D... ) "C:\Program Files\a-squared"
2006-07-14 05:31:32 393914 ( A.... ) "C:\warebundlenew.exe"
2006-07-14 05:31:32 61440 ( A.... ) "C:\WINDOWS\system32\esubf39b.dll"
2006-07-14 05:31:32 34754 ( A.... ) "C:\warebundle2.exe"
2006-07-14 05:30:50 81920 ( A.... ) "C:\dfndrad_5.exe"
2006-07-14 04:51:06 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\PC Tools"
2006-07-13 23:57:28 17331 ( A.... ) "C:\WINDOWS\Pplugin10xa.exe"
2006-07-13 00:42:06 126976 ( A.... ) "C:\WINDOWS\War3Unin.exe"
2006-07-13 00:38:54 ( .D... ) "C:\Program Files\Warcraft III"
2006-07-11 19:04:40 502272 ( A.... ) "C:\WINDOWS\system32\winlogon.exe"
2006-07-11 03:45:12 930 ( A.... ) "C:\Documents and Settings\fenrif\Application Data\enigmarc.lua2"
2006-07-11 03:40:46 ( .D... ) "C:\Program Files\Enigma"
2006-07-08 15:48:56 15973576 ( A.... ) "C:\vtmb_1_2.exe"
2006-07-08 15:30:56 ( .D... ) "C:\Program Files\Activision"
2006-07-06 13:18:38 ( .D... ) "C:\Program Files\palmOne"
2006-07-03 02:28:48 ( .D... ) "C:\Program Files\Turbine"
2006-07-02 03:16:22 ( .D... ) "C:\Program Files\Atari"
2006-06-30 03:36:54 5806971 ( A.... ) "C:\ET_Patch_2_60.exe"
2006-06-29 21:46:22 ( .D... ) "C:\Program Files\Wolfenstein - Enemy Territory"
2006-06-29 21:02:04 270305943 ( A.... ) "C:\WolfET.exe"
2006-06-24 15:46:16 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\dvdcss"
2006-06-22 17:27:56 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Ahead"
2006-06-22 17:09:38 ( .D... ) "C:\Program Files\UltraISO"
2006-06-22 17:09:38 ( .D... ) "C:\Program Files\Common Files\EZB Systems"
2006-06-21 20:00:12 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Azureus"
2006-06-20 15:56:02 ( .D... ) "C:\Program Files\D-Fend"
2006-06-20 15:55:46 ( .D... ) "C:\Program Files\DOSBox-0.65"
2006-06-20 15:12:00 ( .D... ) "C:\Program Files\IA"
2006-06-17 03:55:16 31248128 ( A.... ) "C:\back_up.reg"
2006-06-16 02:19:30 ( .D... ) "C:\Program Files\BIOS Utility"
2006-06-16 02:17:40 ( .D... ) "C:\Program Files\Promise"
2006-06-16 01:52:14 ( .D.H. ) "C:\Program Files\Uninstall Information"
2006-06-15 17:34:06 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Symantec"
2006-06-15 15:24:34 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\AdobeUM"
2006-06-15 15:23:36 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Adobe"
2006-06-14 17:18:32 ( .D... ) "C:\Program Files\CDex_170b1"
2006-06-14 03:29:24 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Motive"
2006-06-14 02:52:06 ( .D... ) "C:\Program Files\Common Files\Motive"
2006-06-14 02:51:18 ( .D... ) "C:\Program Files\ntl"
2006-06-12 17:32:12 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Ableton"
2006-06-12 15:42:10 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Help"
2006-06-12 12:57:18 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Macromedia"
2006-06-12 12:40:50 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Opera"
2006-06-12 12:30:52 ( .D... ) "C:\Program Files\Common Files\Nero"
2006-06-12 05:50:54 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\vlc"
2006-06-12 05:48:18 62 ( A.SH. ) "C:\Documents and Settings\fenrif\Application Data\desktop.ini"
2006-06-12 05:28:20 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Identities"
2006-06-12 05:28:06 ( .DS.. ) "C:\Documents and Settings\fenrif\Application Data\Microsoft"
2006-06-08 17:38:30 ( .D... ) "C:\Program Files\Ableton"
2006-06-01 19:09:24 208896 ( A.... ) "C:\WINDOWS\system32\NVUNINST.EXE"
2006-06-01 17:22:00 5246976 ( A.... ) "C:\WINDOWS\system32\nvdispsr.dll"
2006-06-01 17:22:00 2977792 ( A.... ) "C:\WINDOWS\system32\nvvitvsr.dll"
2006-06-01 17:22:00 2916352 ( A.... ) "C:\WINDOWS\system32\nvgamesr.dll"
2006-06-01 17:22:00 2859008 ( A.... ) "C:\WINDOWS\system32\nvmoblsr.dll"
2006-06-01 17:22:00 1740800 ( A.... ) "C:\WINDOWS\system32\nvwssr.dll"
2006-06-01 17:22:00 1257472 ( A.... ) "C:\WINDOWS\system32\nvwss.dll"
2006-06-01 17:22:00 462848 ( A.... ) "C:\WINDOWS\system32\nvmccssr.dll"
2006-06-01 17:22:00 208896 ( A.... ) "C:\WINDOWS\system32\nvudisp.exe"
2006-05-28 20:04:56 ( .D... ) "C:\Program Files\igowin"
2006-05-28 19:47:38 ( .D... ) "C:\Program Files\glGo"
2006-05-18 18:27:32 ( .D... ) "C:\Program Files\Darwinia"
2006-05-03 02:56:58 127078 ( A.... ) "C:\WINDOWS\system32\javaws.exe"
2006-05-03 01:19:40 53346 ( A.... ) "C:\WINDOWS\system32\javaw.exe"
2006-05-03 01:19:30 49248 ( A.... ) "C:\WINDOWS\system32\java.exe"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-17 12:26 235,488 C:\WINDOWS\system32\e4020edoeh0c0.dll
2006-07-17 04:35 235,284 C:\WINDOWS\system32\l4p20e7oeh.dll
2006-07-17 03:43 578,560 C:\Installer2.exe
2006-07-17 03:18 670,617,600 C:\hiberfil.sys
2006-07-16 19:36 578,560 C:\warebundlenewer.exe
2006-07-15 16:03 61,440 C:\WINDOWS\system32\aaa00000.dll
2006-07-15 16:03 1,063 C:\WINDOWS\system32\aaa00000.sys
2006-07-15 15:09 40,960 C:\WINDOWS\system32\aqcebdip.dll
2006-07-14 23:48 24,576 C:\WINDOWS\system32\STKIT432.DLL
2006-07-14 05:31 61,440 C:\WINDOWS\system32\esubf39b.dll
2006-07-14 05:31 393,914 C:\warebundlenew.exe
2006-07-14 05:31 34,754 C:\warebundle2.exe
2006-07-14 05:31 1,063 C:\WINDOWS\system32\esubf39b.sys
2006-07-14 05:30 81,920 C:\dfndrad_5.exe
2006-07-13 23:57 17,331 C:\WINDOWS\Pplugin10xa.exe
2006-07-13 00:42 126,976 C:\WINDOWS\War3Unin.exe
2006-07-08 15:46 15,973,576 C:\vtmb_1_2.exe
2006-07-03 02:46 61,136 C:\WINDOWS\system32\xinput9_1_0.dll
2006-07-03 02:46 2,337,488 C:\WINDOWS\system32\d3dx9_25.dll
2006-07-03 02:46 2,323,664 C:\WINDOWS\system32\d3dx9_28.dll
2006-07-03 02:46 2,319,568 C:\WINDOWS\system32\d3dx9_27.dll
2006-07-03 02:46 2,297,552 C:\WINDOWS\system32\d3dx9_26.dll
2006-07-03 02:46 2,222,800 C:\WINDOWS\system32\d3dx9_24.dll
2006-06-30 04:00 208,896 C:\WINDOWS\system32\NVUNINST.EXE
2006-06-30 04:00 208,896 C:\WINDOWS\system32\nvudisp.exe
2006-06-30 03:36 5,806,971 C:\ET_Patch_2_60.exe
2006-06-29 17:44 270,305,943 C:\WolfET.exe
2006-06-22 15:41 45,056 C:\WINDOWS\system32\WNASPI32.DLL
2006-06-21 19:58 53,346 C:\WINDOWS\system32\javaw.exe
2006-06-21 19:58 49,248 C:\WINDOWS\system32\java.exe
2006-06-21 19:58 127,078 C:\WINDOWS\system32\javaws.exe
2006-06-21 15:59 569,344 C:\WINDOWS\system32\imagr5.dll
2006-06-21 15:59 544,768 C:\WINDOWS\system32\imagx5.dll
2006-06-21 15:59 38,912 C:\WINDOWS\system32\picn20.dll
2006-06-21 15:59 283,920 C:\WINDOWS\system32\ImagXpr5.dll
2006-06-21 15:59 155,648 C:\WINDOWS\system32\NeroCheck.exe
2006-06-18 16:35 151,552 C:\WINDOWS\system32\pxwma.dll
2006-06-18 16:35 109,568 C:\WINDOWS\system32\pxinsi64.exe
2006-06-18 16:35 108,544 C:\WINDOWS\system32\pxcpyi64.exe
2006-06-15 02:13 929,792 C:\WINDOWS\system32\PRISME5.dll
2006-06-14 02:51 46,352 C:\WINDOWS\setdebug.exe
2006-06-14 02:51 313,856 C:\WINDOWS\system32\dx3j.dll
2006-06-14 02:51 170,768 C:\WINDOWS\system32\jit.dll
2006-06-14 02:51 139,536 C:\WINDOWS\system32\javaee.dll
2006-06-14 02:50 933,648 C:\WINDOWS\system32\msjava.dll
2006-06-14 02:50 49,424 C:\WINDOWS\system32\clspack.exe
2006-06-14 02:50 401,168 C:\WINDOWS\system32\javart.dll
2006-06-14 02:50 34,576 C:\WINDOWS\system32\javaprxy.dll
2006-06-14 02:50 277,776 C:\WINDOWS\system32\vmhelper.dll
2006-06-14 02:50 21,264 C:\WINDOWS\system32\msjdbc10.dll
2006-06-14 02:50 192,784 C:\WINDOWS\system32\javacypt.dll
2006-06-14 02:50 169,232 C:\WINDOWS\system32\jview.exe
2006-06-14 02:50 162,576 C:\WINDOWS\system32\wjview.exe
2006-06-14 02:50 154,384 C:\WINDOWS\system32\msawt.dll
2006-06-14 02:50 15,120 C:\WINDOWS\system32\jdbgmgr.exe
2006-06-14 02:50 113 C:\WINDOWS\system32\zonedon.reg
2006-06-14 02:50 113 C:\WINDOWS\system32\zonedoff.reg
2006-06-12 17:32 499,712 C:\WINDOWS\system32\msvcp71.dll
2006-06-12 17:32 348,160 C:\WINDOWS\system32\msvcr71.dll
2006-06-12 17:32 225,280 C:\WINDOWS\system32\ReWire.dll
2006-06-12 17:32 1,060,864 C:\WINDOWS\system32\MFC71.dll
2006-06-12 16:16 304,128 C:\WINDOWS\IsUninst.exe
2006-06-12 13:11 1,056,768 C:\WINDOWS\system32\RoboEx32.dll
2006-06-12 12:29 24,064 C:\WINDOWS\system32\msxml3a.dll
2006-06-12 06:01 4,096 C:\WINDOWS\system32\ksuser.dll
2006-06-12 05:53 3,921,024 C:\WINDOWS\system32\nv4_disp.dll
2006-06-12 05:52 74,240 C:\WINDOWS\system32\usbui.dll
2006-06-12 05:48 85,020 C:\WINDOWS\system32\dgsetup.dll
2006-06-12 05:48 8,704 C:\WINDOWS\system32\batt.dll
2006-06-12 05:48 8,192 C:\WINDOWS\system32\kbdhept.dll
2006-06-12 05:48 74,752 C:\WINDOWS\system32\storprop.dll
2006-06-12 05:48 7,168 C:\WINDOWS\system32\kbdcz.dll
2006-06-12 05:48 69,120 C:\WINDOWS\NOTEPAD.EXE
2006-06-12 05:48 6,656 C:\WINDOWS\system32\kbdycl.dll
2006-06-12 05:48 6,656 C:\WINDOWS\system32\kbdsl1.dll
2006-06-12 05:48 6,656 C:\WINDOWS\system32\kbdsl.dll
2006-06-12 05:48 6,656 C:\WINDOWS\system32\kbdpl.dll
2006-06-12 05:48 6,656 C:\WINDOWS\system32\kbdhu.dll
2006-06-12 05:48 6,656 C:\WINDOWS\system32\kbdhela3.dll
2006-06-12 05:48 6,656 C:\WINDOWS\system32\kbdcz2.dll
2006-06-12 05:48 6,656 C:\WINDOWS\system32\kbdcz1.dll
2006-06-12 05:48 6,656 C:\WINDOWS\system32\kbdcr.dll
2006-06-12 05:48 6,656 C:\WINDOWS\system32\KBDAL.DLL
2006-06-12 05:48 6,144 C:\WINDOWS\system32\kbdtuq.dll
2006-06-12 05:48 6,144 C:\WINDOWS\system32\kbdtuf.dll
2006-06-12 05:48 6,144 C:\WINDOWS\system32\kbdlv1.dll
2006-06-12 05:48 6,144 C:\WINDOWS\system32\kbdlv.dll
2006-06-12 05:48 6,144 C:\WINDOWS\system32\kbdhela2.dll
2006-06-12 05:48 6,144 C:\WINDOWS\system32\kbdgkl.dll
2006-06-12 05:48 6,144 C:\WINDOWS\system32\kbdest.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdycc.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbduzb.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdur.dll

fenrif
2006-07-17, 15:46
Part 2 of the ComboFix log:

2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdtat.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdru1.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdru.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdro.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdpl1.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdmon.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdlt1.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdlt.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdkyr.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdkaz.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdhu1.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdhe319.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdhe220.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdhe.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdbu.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdblr.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdazel.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdaze.dll
2006-06-12 05:48 24,661 C:\WINDOWS\system32\spxcoins.dll
2006-06-12 05:48 176,157 C:\WINDOWS\system32\dgrpsetu.dll
2006-06-12 05:48 15,360 C:\WINDOWS\TASKMAN.EXE
2006-06-12 05:48 13,312 C:\WINDOWS\system32\irclass.dll
2006-06-12 05:48 103,424 C:\WINDOWS\system32\EqnClass.Dll
2006-06-12 05:38 1,006,632,960 C:\pagefile.sys
2006-06-12 05:08 112,128 C:\WINDOWS\system32\mapi32.dll
2006-06-12 05:05 8,192 C:\WINDOWS\system32\bitsprx2.dll
2006-06-12 05:05 7,168 C:\WINDOWS\system32\bitsprx3.dll
2006-06-12 05:05 67,584 C:\WINDOWS\system32\srclient.dll
2006-06-12 05:05 64,512 C:\WINDOWS\system32\acctres.dll
2006-06-12 05:05 6,656 C:\WINDOWS\system32\wuauserv.dll
2006-06-12 05:05 45,568 C:\WINDOWS\system32\safrslv.dll
2006-06-12 05:05 430,592 C:\WINDOWS\system32\wuapi.dll
2006-06-12 05:05 43,520 C:\WINDOWS\system32\safrcdlg.dll
2006-06-12 05:05 43,520 C:\WINDOWS\system32\racpldlg.dll
2006-06-12 05:05 382,464 C:\WINDOWS\system32\qmgr.dll
2006-06-12 05:05 36,864 C:\WINDOWS\system32\wups.dll
2006-06-12 05:05 29,696 C:\WINDOWS\system32\safrdm.dll
2006-06-12 05:05 239,104 C:\WINDOWS\system32\srrstr.dll
2006-06-12 05:05 22,528 C:\WINDOWS\system32\fltMc.exe
2006-06-12 05:05 183,296 C:\WINDOWS\system32\wuaueng1.dll
2006-06-12 05:05 18,944 C:\WINDOWS\system32\qmgrprxy.dll
2006-06-12 05:05 170,496 C:\WINDOWS\system32\srsvc.dll
2006-06-12 05:05 165,888 C:\WINDOWS\system32\wuauclt1.exe
2006-06-12 05:05 16,896 C:\WINDOWS\system32\fltlib.dll
2006-06-12 05:05 16,384 C:\WINDOWS\system32\icfgnt5.dll
2006-06-12 05:05 120,320 C:\WINDOWS\system32\wuweb.dll
2006-06-12 05:05 12,288 C:\WINDOWS\system32\nmevtmsg.dll
2006-06-12 05:05 112,640 C:\WINDOWS\system32\wucltui.dll
2006-06-12 05:05 111,104 C:\WINDOWS\system32\wuauclt.exe
2006-06-12 05:05 11,264 C:\WINDOWS\system32\atrace.dll
2006-06-12 05:05 1,134,592 C:\WINDOWS\system32\wuaueng.dll
2006-06-12 05:04 81,920 C:\WINDOWS\system32\isign32.dll
2006-06-12 05:04 81,920 C:\WINDOWS\system32\ils.dll
2006-06-12 05:04 73,728 C:\WINDOWS\system32\icwdial.dll
2006-06-12 05:04 69,632 C:\WINDOWS\system32\msconf.dll
2006-06-12 05:04 678,400 C:\WINDOWS\system32\inetcomm.dll
2006-06-12 05:04 65,536 C:\WINDOWS\system32\icwphbk.dll
2006-06-12 05:04 48,128 C:\WINDOWS\system32\inetres.dll
2006-06-12 05:04 34,560 C:\WINDOWS\system32\mnmdd.dll
2006-06-12 05:04 32,768 C:\WINDOWS\system32\mnmsrvc.exe
2006-06-12 05:04 32,768 C:\WINDOWS\system32\isrdbg32.dll
2006-06-12 05:04 28,672 C:\WINDOWS\system32\nmmkcert.dll
2006-06-12 05:04 274,944 C:\WINDOWS\system32\mstask.dll
2006-06-12 05:04 274,432 C:\WINDOWS\system32\inetcfg.dll
2006-06-12 05:04 252,928 C:\WINDOWS\system32\msoeacct.dll
2006-06-12 05:04 190,976 C:\WINDOWS\system32\schedsvc.dll
2006-06-12 05:04 12,288 C:\WINDOWS\system32\mstinit.exe
2006-06-12 05:04 105,984 C:\WINDOWS\system32\msoert2.dll
2006-06-12 05:03 5,632 C:\WINDOWS\system32\write.exe
2006-06-12 05:02 949,248 C:\WINDOWS\system32\msdtctm.dll
2006-06-12 05:02 93,696 C:\WINDOWS\system32\tscfgwmi.dll
2006-06-12 05:02 90,112 C:\WINDOWS\system32\mtxoci.dll
2006-06-12 05:02 9,728 C:\WINDOWS\system32\reset.exe
2006-06-12 05:02 87,176 C:\WINDOWS\system32\rdpwsx.dll
2006-06-12 05:02 85,504 C:\WINDOWS\system32\catsrvps.dll
2006-06-12 05:02 82,432 C:\WINDOWS\system32\comrepl.dll
2006-06-12 05:02 80,384 C:\WINDOWS\system32\charmap.exe
2006-06-12 05:02 73,216 C:\WINDOWS\system32\avwav.dll
2006-06-12 05:02 67,072 C:\WINDOWS\system32\rdshost.exe
2006-06-12 05:02 655,360 C:\WINDOWS\system32\mstscax.dll
2006-06-12 05:02 628,224 C:\WINDOWS\system32\catsrvut.dll
2006-06-12 05:02 62,464 C:\WINDOWS\system32\rdpclip.exe
2006-06-12 05:02 62,464 C:\WINDOWS\system32\colbact.dll
2006-06-12 05:02 605,696 C:\WINDOWS\system32\getuname.dll
2006-06-12 05:02 60,416 C:\WINDOWS\system32\remotepg.dll
2006-06-12 05:02 6,144 C:\WINDOWS\system32\msdtc.exe
2006-06-12 05:02 58,880 C:\WINDOWS\system32\msdtclog.dll
2006-06-12 05:02 58,880 C:\WINDOWS\system32\licwmi.dll
2006-06-12 05:02 56,832 C:\WINDOWS\system32\sol.exe
2006-06-12 05:02 56,320 C:\WINDOWS\system32\servdeps.dll
2006-06-12 05:02 55,296 C:\WINDOWS\system32\freecell.exe
2006-06-12 05:02 540,160 C:\WINDOWS\system32\comuid.dll
2006-06-12 05:02 54,272 C:\WINDOWS\system32\stclient.dll
2006-06-12 05:02 538,624 C:\WINDOWS\system32\spider.exe
2006-06-12 05:02 501,248 C:\WINDOWS\system32\clbcatq.dll
2006-06-12 05:02 5,120 C:\WINDOWS\system32\dcomcnfg.exe
2006-06-12 05:02 44,544 C:\WINDOWS\system32\tscupgrd.exe
2006-06-12 05:02 44,544 C:\WINDOWS\system32\hticons.dll
2006-06-12 05:02 425,472 C:\WINDOWS\system32\msdtcprx.dll
2006-06-12 05:02 407,552 C:\WINDOWS\system32\mstsc.exe
2006-06-12 05:02 4,096 C:\WINDOWS\system32\rdpcfgex.dll
2006-06-12 05:02 4,096 C:\WINDOWS\system32\mtxex.dll
2006-06-12 05:02 38,912 C:\WINDOWS\system32\cfgbkend.dll
2006-06-12 05:02 35,328 C:\WINDOWS\system32\winchat.exe
2006-06-12 05:02 345,088 C:\WINDOWS\system32\hypertrm.dll
2006-06-12 05:02 343,040 C:\WINDOWS\system32\mspaint.exe
2006-06-12 05:02 33,792 C:\WINDOWS\system32\regini.exe
2006-06-12 05:02 295,424 C:\WINDOWS\system32\termsrv.dll
2006-06-12 05:02 25,600 C:\WINDOWS\system32\comaddin.dll
2006-06-12 05:02 25,088 C:\WINDOWS\system32\mtxlegih.dll
2006-06-12 05:02 229,888 C:\WINDOWS\system32\catsrv.dll
2006-06-12 05:02 227,840 C:\WINDOWS\system32\avtapi.dll
2006-06-12 05:02 22,016 C:\WINDOWS\system32\qwinsta.exe
2006-06-12 05:02 20,992 C:\WINDOWS\system32\msg.exe
2006-06-12 05:02 20,480 C:\WINDOWS\system32\qprocess.exe
2006-06-12 05:02 20,480 C:\WINDOWS\system32\mtxdm.dll
2006-06-12 05:02 19,968 C:\WINDOWS\system32\rdpsnd.dll
2006-06-12 05:02 185,344 C:\WINDOWS\system32\cmprops.dll
2006-06-12 05:02 183,808 C:\WINDOWS\system32\accwiz.exe
2006-06-12 05:02 17,408 C:\WINDOWS\system32\mmfutil.dll
2006-06-12 05:02 161,280 C:\WINDOWS\system32\msdtcuiu.dll
2006-06-12 05:02 16,896 C:\WINDOWS\system32\tsshutdn.exe
2006-06-12 05:02 16,896 C:\WINDOWS\system32\qappsrv.exe
2006-06-12 05:02 16,384 C:\WINDOWS\system32\tskill.exe
2006-06-12 05:02 16,384 C:\WINDOWS\system32\avmeter.dll
2006-06-12 05:02 15,872 C:\WINDOWS\system32\rwinsta.exe
2006-06-12 05:02 15,872 C:\WINDOWS\system32\cdmodem.dll
2006-06-12 05:02 15,360 C:\WINDOWS\system32\logoff.exe
2006-06-12 05:02 147,968 C:\WINDOWS\system32\rdchost.dll
2006-06-12 05:02 147,456 C:\WINDOWS\system32\comsnap.dll
2006-06-12 05:02 140,800 C:\WINDOWS\system32\sessmgr.exe
2006-06-12 05:02 14,848 C:\WINDOWS\system32\tsdiscon.exe
2006-06-12 05:02 14,848 C:\WINDOWS\system32\tscon.exe
2006-06-12 05:02 14,848 C:\WINDOWS\system32\shadow.exe
2006-06-12 05:02 138,752 C:\WINDOWS\system32\sndvol32.exe
2006-06-12 05:02 131,584 C:\WINDOWS\system32\sndrec32.exe
2006-06-12 05:02 13,824 C:\WINDOWS\system32\rdsaddin.exe
2006-06-12 05:02 126,976 C:\WINDOWS\system32\mshearts.exe
2006-06-12 05:02 123,392 C:\WINDOWS\system32\mplay32.exe
2006-06-12 05:02 119,808 C:\WINDOWS\system32\winmine.exe
2006-06-12 05:02 114,688 C:\WINDOWS\system32\calc.exe
2006-06-12 05:02 110,080 C:\WINDOWS\system32\clbcatex.dll
2006-06-12 05:02 11,776 C:\WINDOWS\system32\xolehlp.dll
2006-06-12 05:02 11,264 C:\WINDOWS\system32\icaapi.dll
2006-06-12 05:02 102,912 C:\WINDOWS\system32\clipbrd.exe
2006-06-12 05:02 1,251,840 C:\WINDOWS\system32\comsvcs.dll
2006-06-12 05:02 1,161 C:\WINDOWS\system32\usrlogon.cmd
2006-06-04 22:40 31,248,128 C:\back_up.reg


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"PRISMSVR.EXE"="\"C:\\WINDOWS\\system32\\PRISMSVR.EXE\" /APPLY"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"defender"="C:\\\\dfndrad_5.exe"
"esubf39b"="RUNDLL32.EXE w04b9c81.dll,n 001bf39a0000000a04b9c81"
"RegistryMechanic"=""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"AAW"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\MSN Gaming Zone\\kyzetety.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\MSN\\howy.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""



Contents of the 'Scheduled Tasks' folder

Completion time: Mon 07/17/2006 14:38:33.06
ComboFix ver 06.07.15 - This logfile is located at C:\ComboFix.txt
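Added example (editorial, not ComboFix code and not from any poster here): a Python timeline pass over the file listings in the ComboFix log above. It parses both line shapes the log uses (the Find3M lines with seconds and an attribute block, and the "Files Created" lines with comma-grouped sizes), then applies drop-pattern heuristics: executables in the drive root, a .dll and a .sys with the same stem written in the same minute, implausibly small .sys files, system/hidden attributes on a fresh binary, and identical byte sizes under different names on different timestamps. The sample lines are copied from the log; the thresholds are assumptions for illustration.

```python
r"""Timeline triage for ComboFix file listings (added example).

Line shapes handled:
  Find3M:        2006-07-17 12:26:22 235488 ( ..S.R ) "C:\WINDOWS\system32\e4020edoeh0c0.dll"
  Files Created: 2006-07-17 12:26 235,488 C:\WINDOWS\system32\e4020edoeh0c0.dll
Directory lines (no size field) are skipped.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the ComboFix log posted above.
SAMPLE = r"""
2006-07-17 12:26:22 235488 ( ..S.R ) "C:\WINDOWS\system32\e4020edoeh0c0.dll"
2006-07-17 04:35:38 235284 ( A.... ) "C:\WINDOWS\system32\l4p20e7oeh.dll"
2006-07-17 03:43 578,560 C:\Installer2.exe
2006-07-16 19:36 578,560 C:\warebundlenewer.exe
2006-07-15 16:03 61,440 C:\WINDOWS\system32\aaa00000.dll
2006-07-15 16:03 1,063 C:\WINDOWS\system32\aaa00000.sys
2006-07-14 05:31 61,440 C:\WINDOWS\system32\esubf39b.dll
2006-07-14 05:31 393,914 C:\warebundlenew.exe
2006-07-14 05:31 1,063 C:\WINDOWS\system32\esubf39b.sys
2006-07-14 05:30 81,920 C:\dfndrad_5.exe
2006-07-03 02:46 2,337,488 C:\WINDOWS\system32\d3dx9_25.dll
2006-06-30 04:00 208,896 C:\WINDOWS\system32\NVUNINST.EXE
2006-06-30 04:00 208,896 C:\WINDOWS\system32\nvudisp.exe
2006-06-12 05:48 6,656 C:\WINDOWS\system32\kbdpl.dll
2006-06-12 05:48 6,656 C:\WINDOWS\system32\kbdhu.dll
"""

LINE = re.compile(
    r'^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})(?::\d{2})?\s+([\d,]+)\s+(?:\( ([.A-Z]+) \)\s+)?"?(.+?)"?$'
)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
MIN_DRIVER_BYTES = 4096  # assumption: a real kernel driver is larger than a 1 KB stub


def parse(text):
    """Parse both ComboFix line shapes into dicts keyed by creation minute, size, attrs, path."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        date, minute, size, attrs, path = m.groups()
        records.append({
            "when": f"{date} {minute}",
            "size": int(size.replace(",", "")),
            "attrs": attrs or "",
            "path": path,
            "name": path.rsplit("\\", 1)[-1].lower(),
        })
    return records


def triage(records):
    """Return {path: [reasons]} for records matching the drop-pattern heuristics."""
    reasons = defaultdict(list)
    by_stem = defaultdict(dict)   # (when, stem) -> {ext: record}
    by_size = defaultdict(list)   # size -> records
    for r in (x for x in records if x["name"].endswith(EXEC_EXT)):
        stem, ext = r["name"].rsplit(".", 1)
        by_stem[(r["when"], stem)][ext] = r
        by_size[r["size"]].append(r)
        if re.match(r"^[a-z]:\\+[^\\]+$", r["path"], re.I):
            reasons[r["path"]].append("executable dropped in the drive root")
        if ext == "sys" and r["size"] < MIN_DRIVER_BYTES:
            reasons[r["path"]].append(f"{r['size']}-byte .sys is too small to be a real driver")
        if any(flag in r["attrs"] for flag in "SH"):
            reasons[r["path"]].append(f"hidden/system attributes ({r['attrs']}) on a fresh binary")
    # A DLL and a .sys sharing a stem, written in the same minute: user-mode part plus driver
    for (when, stem), parts in by_stem.items():
        if "dll" in parts and "sys" in parts:
            for r in parts.values():
                reasons[r["path"]].append(f"dll/sys pair '{stem}' written together at {when}")
    # Same byte size under different names at different times: the same dropper fetched again
    for size, group in by_size.items():
        names = {r["name"] for r in group}
        if len(names) > 1 and len({r["when"] for r in group}) > 1:
            for r in group:
                reasons[r["path"]].append(f"{size} bytes shared with {sorted(names - {r['name']})}")
    return dict(reasons)


def timeline(records, flagged):
    """Group flagged files by creation minute so the install sequence of a bundle is visible."""
    buckets = defaultdict(list)
    for r in records:
        if r["path"] in flagged:
            buckets[r["when"]].append(r["name"])
    return {k: sorted(v) for k, v in sorted(buckets.items())}


if __name__ == "__main__":
    recs = parse(SAMPLE)
    flagged = triage(recs)
    for when, names in timeline(recs, flagged).items():
        print(when, ", ".join(names))
    for path, why in flagged.items():
        print(path, "->", "; ".join(why))
```

On the sample the timeline groups dfndrad_5.exe, warebundlenew.exe and the esubf39b.dll/.sys pair into the 05:30 to 05:31 window on 2006-07-14, and ties the 578,560-byte C:\Installer2.exe to C:\warebundlenewer.exe fetched the evening before. The two NVIDIA installer copies and the kbd*.dll keyboard layouts share sizes but also share a timestamp, so the size-twin rule leaves them alone. l4p20e7oeh.dll is not caught by these rules; a file-name entropy check would be needed for that one.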

Rawe
2006-07-17, 16:13
Weird... Go ahead and delete ComboFix.

Please download Look2Me-Destroyer (http://www.atribune.org/ccount/click.php?id=7) to your desktop.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK.
When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt and a fresh HiJackThis log. :)
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

fenrif
2006-07-17, 16:55
OK, here's the Look2Me-Destroyer log:
Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 7/17/2006 3:42:27 PM

Infected! C:\System Volume Information\_restore{6B30774D-5F6E-4FBA-B33C-15A96DD121D0}\RP3\A0001413.dll
Infected! C:\System Volume Information\_restore{6B30774D-5F6E-4FBA-B33C-15A96DD121D0}\RP3\A0001425.dll

Attempting to delete infected files...

Attempting to delete: C:\System Volume Information\_restore{6B30774D-5F6E-4FBA-B33C-15A96DD121D0}\RP3\A0001413.dll
C:\System Volume Information\_restore{6B30774D-5F6E-4FBA-B33C-15A96DD121D0}\RP3\A0001413.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{6B30774D-5F6E-4FBA-B33C-15A96DD121D0}\RP3\A0001425.dll
C:\System Volume Information\_restore{6B30774D-5F6E-4FBA-B33C-15A96DD121D0}\RP3\A0001425.dll Deleted successfully!

Making registry repairs.


Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{4602756C-B150-4C00-ADDC-9EADAD2A85A2}"
HKCR\Clsid\{4602756C-B150-4C00-ADDC-9EADAD2A85A2}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{02C8407C-C4C8-4AD0-A7A8-BE064C347394}"
HKCR\Clsid\{02C8407C-C4C8-4AD0-A7A8-BE064C347394}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{CFC68A1C-644A-4769-81B6-5EAC6741A233}"
HKCR\Clsid\{CFC68A1C-644A-4769-81B6-5EAC6741A233}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{353C76F2-A64A-4FFF-A958-49707FC77DED}"
HKCR\Clsid\{353C76F2-A64A-4FFF-A958-49707FC77DED}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

And here's a fresh HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 3:55:30 PM, on 7/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Winamp\winampa.exe
C:\dfndrad_5.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Promise\FastTrak\FtrakSvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Opera\Opera.exe
C:\applicationas\security\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 213.105.224.12
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.105.224.12:8080
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrad_5.exe
O4 - HKLM\..\Run: [esubf39b] RUNDLL32.EXE w04b9c81.dll,n 001bf39a0000000a04b9c81
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FastCheck Monitoring Utility.lnk = C:\Program Files\Promise\FastTrak\RAIDeUtility.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/pages/scanner/ErrorSafeFreeInstall.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Promise FastTrak Log Service (FastTrakSvc) - Promise Technology Inc. - C:\Program Files\Promise\FastTrak\FtrakSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

Rawe
2006-07-17, 18:18
Okay, go ahead and delete Look2Me-Destroyer :)

Let's continue...

Please print these instructions out, or write them down, as you can't read them during the fix.

1. Please download Ewido Anti-spyware (http://www.ewido.net/en/download/) and save that file to your desktop.
This is a 30-day trial of the program.
Once you have downloaded Ewido Anti-spyware, locate the icon on the desktop and double-click it to launch the setup program.
Once the setup is complete you will need to run Ewido and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
If you aren't able to finish the update within Ewido for one reason or another, you can install the manual updates here (http://www.ewido.net/en/download/updates/).

Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Automatically generate report after every scan"
Un-select "Only if threats were found"

Close Ewido Anti-spyware. DO NOT run a scan just yet; we will shortly.

==

2. Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to your desktop.
Right-click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk ( C: )" or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE (http://metallica.geekstogo.com/alcanshorty.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

==

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

==

4. IMPORTANT: Do not open any other windows or programs while Ewido is scanning; it may interfere with the scanning process:
Launch Ewido Anti-spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
Ewido will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will be prompted; then select "Apply all actions".
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left-hand corner of the screen and save it to a text file on your system (make sure to remember where you saved that file; this is important).
Close Ewido.


==

5. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by double-clicking BFU.exe
Behind the scriptline to execute field click the folder icon http://metallica.geekstogo.com/foldericon.png and select alcanshorty.bfu
Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
Wait for the Complete script execution box to pop up and hit OK.
Press Exit to terminate the BFU program.
Reboot into normal Windows and post the contents of Ewido log that you saved along with a fresh HiJackThis log. :bigthumb:

fenrif
2006-07-18, 01:07
OK, here's the Ewido log:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:14:18 PM 7/17/2006

+ Scan result:



C:\WINDOWS\ZmVucmlm\asappsrv.dll -> Adware.CommAd : Cleaned with backup (quarantined).
C:\WINDOWS\ZmVucmlm\command.exe -> Adware.CommAd : Cleaned with backup (quarantined).
C:\Documents and Settings\fenrif\Local Settings\Temporary Internet Files\Content.IE5\6RMZH8TN\ac3[1].txt -> Adware.IEHelper : Cleaned with backup (quarantined).
C:\WINDOWS\system32\aaa00000.dll -> Adware.IEHelper : Cleaned with backup (quarantined).
C:\WINDOWS\system32\esubf39b.dll -> Adware.IEHelper : Cleaned with backup (quarantined).
C:\Documents and Settings\fenrif\Local Settings\Temporary Internet Files\Content.IE5\0JDVVDPA\Installer[2].exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Installer2.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\e4020edoeh0c0.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\l4p20e7oeh.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\warebundlenewer.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Application Data\PSGuard.com -> Adware.PSGuard : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Application Data\PSGuard.com\P.S.Guard -> Adware.PSGuard : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Application Data\PSGuard.com\P.S.Guard\Autorun -> Adware.PSGuard : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Application Data\PSGuard.com\P.S.Guard\Autorun\HKCURun -> Adware.PSGuard : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Application Data\PSGuard.com\P.S.Guard\Autorun\HKCURun\RunOnce -> Adware.PSGuard : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Application Data\PSGuard.com\P.S.Guard\Autorun\HKCURun\RunOnceEx -> Adware.PSGuard : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Application Data\PSGuard.com\P.S.Guard\Autorun\HKLMRun -> Adware.PSGuard : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Application Data\PSGuard.com\P.S.Guard\Autorun\HKLMRun\RunOnce -> Adware.PSGuard : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Application Data\PSGuard.com\P.S.Guard\Autorun\HKLMRun\RunOnceEx -> Adware.PSGuard : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Application Data\PSGuard.com\P.S.Guard\Autorun\StartMenuAllUsers -> Adware.PSGuard : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Application Data\PSGuard.com\P.S.Guard\Autorun\StartMenuCurrentUser -> Adware.PSGuard : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Application Data\PSGuard.com\P.S.Guard\BrowserObjects -> Adware.PSGuard : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Start Menu\Programs\WhenU -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Start Menu\Programs\WhenU\Learn More About WhenU Save.url -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Start Menu\Programs\WhenU\Learn More About WhenU SaveNow.url -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Start Menu\Programs\WhenU\Uninstall.lnk -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Start Menu\Programs\WhenU\WhenU.com Website.url -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\WINDOWS\Pplugin10xa.exe -> Backdoor.Dumaru.E : Cleaned with backup (quarantined).
C:\games\World.Of.Warcraft.CDKEY.AND.60DAY.CARD.GEN.WORKiNG.Reloaded.rar/World.Of.Warcraft.CDKEY.AND.60DAY.CARD.GEN.WORKiNG.Reloaded.exe -> Backdoor.Prorat.19.i : Cleaned with backup (quarantined).
C:\Documents and Settings\fenrif\Local Settings\Temporary Internet Files\Content.IE5\GL28H58T\nwnmad_5[1].exe -> Downloader.Adload.ca : Cleaned with backup (quarantined).
C:\Documents and Settings\fenrif\Local Settings\Temporary Internet Files\Content.IE5\0JDVVDPA\ac3_0010[1].exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\fenrif\Local Settings\Temporary Internet Files\Content.IE5\GL28H58T\al3[1].txt -> Downloader.Small : Cleaned with backup (quarantined).
C:\dfndrad_5.exe -> Hijacker.VB.nh : Cleaned with backup (quarantined).
C:\Documents and Settings\fenrif\Cookies\fenrif@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Cookies\matthew@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
C:\Documents and Settings\fenrif\Cookies\fenrif@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
C:\Documents and Settings\fenrif\Cookies\fenrif@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Cookies\matthew@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
C:\Documents and Settings\fenrif\Cookies\fenrif@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup (quarantined).
C:\Documents and Settings\fenrif\Cookies\fenrif@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Cookies\matthew@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\fenrif\Cookies\fenrif@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\fenrif\Cookies\fenrif@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
C:\games\Palm Stuff\FullScreen1.04[wh].zip/FullScreen1.04/Setup.exe -> Worm.Bagle.fk : Cleaned with backup (quarantined).
C:\games\Palm Stuff\FullScreen1.04[wh].zip/FullScreen1.04[wh]/Setup.exe -> Worm.Bagle.fk : Cleaned with backup (quarantined).


::Report end

And here's a fresh HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:07:13 AM, on 7/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\palmOne\HOTSYNC.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Promise\FastTrak\FtrakSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Opera\Opera.exe
C:\applicationas\security\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 213.105.224.12
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.105.224.12:8080
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [esubf39b] RUNDLL32.EXE w04b9c81.dll,n 001bf39a0000000a04b9c81
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FastCheck Monitoring Utility.lnk = C:\Program Files\Promise\FastTrak\RAIDeUtility.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/pages/scanner/ErrorSafeFreeInstall.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Promise FastTrak Log Service (FastTrakSvc) - Promise Technology Inc. - C:\Program Files\Promise\FastTrak\FtrakSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

A lot of the popups seem to have stopped now :bigthumb:

Rawe
2006-07-18, 10:07
Please run a scan with HijackThis and check the following objects for removal:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [esubf39b] RUNDLL32.EXE w04b9c81.dll,n 001bf39a0000000a04b9c81
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/si...reeInstall.cab

Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.

---

Please rescan with Combofix and post back with its report along with a fresh HijackThis log. It will show some useful info :)
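The five entries listed for removal above all match patterns a helper learns to recognise in a HijackThis log: browser start/search pages left empty or at about:blank once a hijacker is gone, an O4 Run entry where rundll32 loads a DLL by bare filename with no vendor path (so it is found via the search path rather than a known install directory), and an O16 ActiveX download from a host nobody asked for. The script below is an added example written for this page; it is not a tool from this thread, from HijackThis or from Spybot. It encodes those rules and runs them over a few lines copied from the log posted above plus some benign ones; the trusted-host allowlist and the "fix"/"review" labels are my own assumptions. It only reports and changes nothing on the machine. It deliberately marks the ProxyServer line as "review" rather than "fix", since a proxy at a bare IP can also be a legitimate ISP setting and only the machine's owner can confirm that.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample input: entries copied from the HijackThis log posted in
# this thread, plus benign lines, so the checks can be run offline.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.105.224.12:8080
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [esubf39b] RUNDLL32.EXE w04b9c81.dll,n 001bf39a0000000a04b9c81
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/pages/scanner/ErrorSafeFreeInstall.cab
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""


@dataclass
class Finding:
    section: str
    severity: str  # "fix": tick it in HijackThis and Fix Checked; "review": confirm with the owner first
    reason: str
    line: str


ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
R_RE = re.compile(r"^(?P<key>.+?)\s*=\s*(?P<value>.*)$")
O4_RE = re.compile(r"^(?P<where>.*?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \([^)]*\))? - (?P<url>\S+)")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d{1,5})?$")

BROWSER_PAGE_KEYS = ("Start Page", "Search Page", "SearchAssistant", "Default_Page_URL")
PROXY_KEYS = ("ProxyServer", "AutoConfigURL")
# Assumed allowlist of ActiveX (O16) download hosts; extend it for your own environment.
TRUSTED_DPF_HOSTS = {"update.microsoft.com", "java.sun.com", "download.macromedia.com"}


def check_r(sec: str, body: str, line: str) -> Optional[Finding]:
    """R0/R1: blanked browser pages are hijack leftovers; bare-IP proxies need confirming."""
    m = R_RE.match(body)
    if not m:
        return None
    key, value = m.group("key"), m.group("value").strip()
    if key.endswith(BROWSER_PAGE_KEYS) and value in ("", "about:blank"):
        return Finding(sec, "fix", "browser default page left empty/about:blank after a hijack; reset it", line)
    if key.endswith(PROXY_KEYS) and IPV4_RE.match(value):
        return Finding(sec, "review", "proxy/autoconfig points at a bare IP; confirm it is the ISP's setting", line)
    return None


def check_o4(sec: str, body: str, line: str) -> Optional[Finding]:
    """O4: rundll32 given a DLL without a directory loads it via the search path."""
    m = O4_RE.match(body)
    if not m:
        return None
    tokens = m.group("cmd").split()
    if len(tokens) < 2 or not tokens[0].lower().startswith("rundll32"):
        return None
    dll = tokens[1].split(",")[0]
    if "\\" not in dll and ":" not in dll:
        return Finding(sec, "fix", f"rundll32 loads {dll} by bare name, no vendor path; typical adware loader", line)
    return None


def check_o16(sec: str, body: str, line: str) -> Optional[Finding]:
    """O16: an ActiveX package downloaded from a host outside the allowlist."""
    m = O16_RE.match(body)
    if not m:
        return None
    host = (urlparse(m.group("url")).hostname or "").lower()
    if host not in TRUSTED_DPF_HOSTS:
        return Finding(sec, "fix", f"ActiveX download from untrusted host {host}; remove unless installed on purpose", line)
    return None


CHECKS: Dict[str, Callable[[str, str, str], Optional[Finding]]] = {
    "R0": check_r, "R1": check_r, "O4": check_o4, "O16": check_o16,
}


def audit_hjt_log(text: str) -> List[Finding]:
    """Run every section-specific check over a HijackThis log; findings come back in log order."""
    findings: List[Finding] = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list or blank line
        check = CHECKS.get(m.group("sec"))
        if check:
            finding = check(m.group("sec"), m.group("body"), line)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_hjt_log(SAMPLE_HJT_LOG):
        print(f"[{f.severity}] {f.section}: {f.reason}\n    {f.line}")
```

Run against the constructed sample it reports the same five lines the helper ticked for removal, flags the proxy line for review, and stays quiet on the NVIDIA and AVG entries because those name a full vendor path. To use it on a real log, pass the whole file's text to audit_hjt_log; the process list and header lines are skipped because they do not match the "Xn - " entry shape.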

fenrif
2006-07-18, 13:17
OK, here's the first part of the ComboFix log:

Start Time= Tue 07/18/2006 12:15:15.63
Running from: C:\Documents and Settings\fenrif\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-17 17:36:48 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-07-17 13:29:42 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\AVG7"
2006-07-17 13:28:24 ( .D... ) "C:\Program Files\Grisoft"
2006-07-17 03:43:40 1063 ( A.... ) "C:\WINDOWS\system32\aaa00000.sys"
2006-07-17 03:43:40 1063 ( A.... ) "C:\WINDOWS\system32\aaa00000.sys"
2006-07-15 15:09:20 40960 ( A.... ) "C:\WINDOWS\system32\aqcebdip.dll"
2006-07-15 01:12:44 1063 ( A.... ) "C:\WINDOWS\system32\esubf39b.sys"
2006-07-15 01:12:44 1063 ( A.... ) "C:\WINDOWS\system32\esubf39b.sys"
2006-07-15 01:06:08 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Lavasoft"
2006-07-15 00:46:20 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-07-15 00:13:38 ( .D... ) "C:\Program Files\Common Files\irof"
2006-07-14 23:50:16 ( .D... ) "C:\Program Files\Spyware Doctor"
2006-07-14 23:48:22 ( .D... ) "C:\Program Files\Registry Mechanic"
2006-07-14 11:57:46 ( .D... ) "C:\Program Files\a-squared"
2006-07-14 05:31:32 393914 ( A.... ) "C:\warebundlenew.exe"
2006-07-14 05:31:32 34754 ( A.... ) "C:\warebundle2.exe"
2006-07-14 04:51:06 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\PC Tools"
2006-07-13 00:42:06 126976 ( A.... ) "C:\WINDOWS\War3Unin.exe"
2006-07-13 00:38:54 ( .D... ) "C:\Program Files\Warcraft III"
2006-07-11 19:04:40 502272 ( A.... ) "C:\WINDOWS\system32\winlogon.exe"
2006-07-11 03:45:12 930 ( A.... ) "C:\Documents and Settings\fenrif\Application Data\enigmarc.lua2"
2006-07-11 03:40:46 ( .D... ) "C:\Program Files\Enigma"
2006-07-08 15:48:56 15973576 ( A.... ) "C:\vtmb_1_2.exe"
2006-07-08 15:30:56 ( .D... ) "C:\Program Files\Activision"
2006-07-06 13:18:38 ( .D... ) "C:\Program Files\palmOne"
2006-07-03 02:28:48 ( .D... ) "C:\Program Files\Turbine"
2006-07-02 03:16:22 ( .D... ) "C:\Program Files\Atari"
2006-06-30 03:36:54 5806971 ( A.... ) "C:\ET_Patch_2_60.exe"
2006-06-29 21:46:22 ( .D... ) "C:\Program Files\Wolfenstein - Enemy Territory"
2006-06-29 21:02:04 270305943 ( A.... ) "C:\WolfET.exe"
2006-06-24 15:46:16 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\dvdcss"
2006-06-22 17:27:56 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Ahead"
2006-06-22 17:09:38 ( .D... ) "C:\Program Files\UltraISO"
2006-06-22 17:09:38 ( .D... ) "C:\Program Files\Common Files\EZB Systems"
2006-06-21 20:00:12 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Azureus"
2006-06-20 15:56:02 ( .D... ) "C:\Program Files\D-Fend"
2006-06-20 15:55:46 ( .D... ) "C:\Program Files\DOSBox-0.65"
2006-06-20 15:12:00 ( .D... ) "C:\Program Files\IA"
2006-06-17 03:55:16 31248128 ( A.... ) "C:\back_up.reg"
2006-06-16 02:19:30 ( .D... ) "C:\Program Files\BIOS Utility"
2006-06-16 02:17:40 ( .D... ) "C:\Program Files\Promise"
2006-06-16 01:52:14 ( .D.H. ) "C:\Program Files\Uninstall Information"
2006-06-15 17:34:06 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Symantec"
2006-06-15 15:24:34 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\AdobeUM"
2006-06-15 15:23:36 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Adobe"
2006-06-14 17:18:32 ( .D... ) "C:\Program Files\CDex_170b1"
2006-06-14 03:29:24 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Motive"
2006-06-14 02:52:06 ( .D... ) "C:\Program Files\Common Files\Motive"
2006-06-14 02:51:18 ( .D... ) "C:\Program Files\ntl"
2006-06-12 17:32:12 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Ableton"
2006-06-12 15:42:10 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Help"
2006-06-12 12:57:18 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Macromedia"
2006-06-12 12:40:50 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Opera"
2006-06-12 12:30:52 ( .D... ) "C:\Program Files\Common Files\Nero"
2006-06-12 05:50:54 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\vlc"
2006-06-12 05:48:18 62 ( A.SH. ) "C:\Documents and Settings\fenrif\Application Data\desktop.ini"
2006-06-12 05:28:20 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Identities"
2006-06-12 05:28:06 ( .DS.. ) "C:\Documents and Settings\fenrif\Application Data\Microsoft"
2006-06-08 17:38:30 ( .D... ) "C:\Program Files\Ableton"
2006-06-01 19:09:24 208896 ( A.... ) "C:\WINDOWS\system32\NVUNINST.EXE"
2006-06-01 17:22:00 5246976 ( A.... ) "C:\WINDOWS\system32\nvdispsr.dll"
2006-06-01 17:22:00 2977792 ( A.... ) "C:\WINDOWS\system32\nvvitvsr.dll"
2006-06-01 17:22:00 2916352 ( A.... ) "C:\WINDOWS\system32\nvgamesr.dll"
2006-06-01 17:22:00 2859008 ( A.... ) "C:\WINDOWS\system32\nvmoblsr.dll"
2006-06-01 17:22:00 1740800 ( A.... ) "C:\WINDOWS\system32\nvwssr.dll"
2006-06-01 17:22:00 1257472 ( A.... ) "C:\WINDOWS\system32\nvwss.dll"
2006-06-01 17:22:00 462848 ( A.... ) "C:\WINDOWS\system32\nvmccssr.dll"
2006-06-01 17:22:00 208896 ( A.... ) "C:\WINDOWS\system32\nvudisp.exe"
2006-05-28 20:04:56 ( .D... ) "C:\Program Files\igowin"
2006-05-28 19:47:38 ( .D... ) "C:\Program Files\glGo"
2006-05-18 18:27:32 ( .D... ) "C:\Program Files\Darwinia"
2006-05-03 02:56:58 127078 ( A.... ) "C:\WINDOWS\system32\javaws.exe"
2006-05-03 01:19:40 53346 ( A.... ) "C:\WINDOWS\system32\javaw.exe"
2006-05-03 01:19:30 49248 ( A.... ) "C:\WINDOWS\system32\java.exe"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-17 23:55 670,617,600 C:\hiberfil.sys
2006-07-15 16:03 1,063 C:\WINDOWS\system32\aaa00000.sys
2006-07-15 15:09 40,960 C:\WINDOWS\system32\aqcebdip.dll
2006-07-14 23:48 24,576 C:\WINDOWS\system32\STKIT432.DLL
2006-07-14 05:31 393,914 C:\warebundlenew.exe
2006-07-14 05:31 34,754 C:\warebundle2.exe
2006-07-14 05:31 1,063 C:\WINDOWS\system32\esubf39b.sys
2006-07-13 00:42 126,976 C:\WINDOWS\War3Unin.exe
2006-07-08 15:46 15,973,576 C:\vtmb_1_2.exe
2006-07-03 02:46 61,136 C:\WINDOWS\system32\xinput9_1_0.dll
2006-07-03 02:46 2,337,488 C:\WINDOWS\system32\d3dx9_25.dll
2006-07-03 02:46 2,323,664 C:\WINDOWS\system32\d3dx9_28.dll
2006-07-03 02:46 2,319,568 C:\WINDOWS\system32\d3dx9_27.dll
2006-07-03 02:46 2,297,552 C:\WINDOWS\system32\d3dx9_26.dll
2006-07-03 02:46 2,222,800 C:\WINDOWS\system32\d3dx9_24.dll
2006-06-30 04:00 208,896 C:\WINDOWS\system32\NVUNINST.EXE
2006-06-30 04:00 208,896 C:\WINDOWS\system32\nvudisp.exe
2006-06-30 03:36 5,806,971 C:\ET_Patch_2_60.exe
2006-06-29 17:44 270,305,943 C:\WolfET.exe
2006-06-22 15:41 45,056 C:\WINDOWS\system32\WNASPI32.DLL
2006-06-21 19:58 53,346 C:\WINDOWS\system32\javaw.exe
2006-06-21 19:58 49,248 C:\WINDOWS\system32\java.exe
2006-06-21 19:58 127,078 C:\WINDOWS\system32\javaws.exe
2006-06-21 15:59 569,344 C:\WINDOWS\system32\imagr5.dll
2006-06-21 15:59 544,768 C:\WINDOWS\system32\imagx5.dll
2006-06-21 15:59 38,912 C:\WINDOWS\system32\picn20.dll
2006-06-21 15:59 283,920 C:\WINDOWS\system32\ImagXpr5.dll
2006-06-21 15:59 155,648 C:\WINDOWS\system32\NeroCheck.exe
2006-06-18 16:35 151,552 C:\WINDOWS\system32\pxwma.dll
2006-06-18 16:35 109,568 C:\WINDOWS\system32\pxinsi64.exe
2006-06-18 16:35 108,544 C:\WINDOWS\system32\pxcpyi64.exe
2006-06-15 02:13 929,792 C:\WINDOWS\system32\PRISME5.dll
2006-06-14 02:51 46,352 C:\WINDOWS\setdebug.exe
2006-06-14 02:51 313,856 C:\WINDOWS\system32\dx3j.dll
2006-06-14 02:51 170,768 C:\WINDOWS\system32\jit.dll
2006-06-14 02:51 139,536 C:\WINDOWS\system32\javaee.dll
2006-06-14 02:50 933,648 C:\WINDOWS\system32\msjava.dll
2006-06-14 02:50 49,424 C:\WINDOWS\system32\clspack.exe
2006-06-14 02:50 401,168 C:\WINDOWS\system32\javart.dll
2006-06-14 02:50 34,576 C:\WINDOWS\system32\javaprxy.dll
2006-06-14 02:50 277,776 C:\WINDOWS\system32\vmhelper.dll
2006-06-14 02:50 21,264 C:\WINDOWS\system32\msjdbc10.dll
2006-06-14 02:50 192,784 C:\WINDOWS\system32\javacypt.dll
2006-06-14 02:50 169,232 C:\WINDOWS\system32\jview.exe
2006-06-14 02:50 162,576 C:\WINDOWS\system32\wjview.exe
2006-06-14 02:50 154,384 C:\WINDOWS\system32\msawt.dll
2006-06-14 02:50 15,120 C:\WINDOWS\system32\jdbgmgr.exe
2006-06-14 02:50 113 C:\WINDOWS\system32\zonedon.reg
2006-06-14 02:50 113 C:\WINDOWS\system32\zonedoff.reg
2006-06-12 17:32 499,712 C:\WINDOWS\system32\msvcp71.dll
2006-06-12 17:32 348,160 C:\WINDOWS\system32\msvcr71.dll
2006-06-12 17:32 225,280 C:\WINDOWS\system32\ReWire.dll
2006-06-12 17:32 1,060,864 C:\WINDOWS\system32\MFC71.dll
2006-06-12 16:16 304,128 C:\WINDOWS\IsUninst.exe
2006-06-12 13:11 1,056,768 C:\WINDOWS\system32\RoboEx32.dll
2006-06-12 12:29 24,064 C:\WINDOWS\system32\msxml3a.dll
2006-06-12 06:01 4,096 C:\WINDOWS\system32\ksuser.dll
2006-06-12 05:53 3,921,024 C:\WINDOWS\system32\nv4_disp.dll
2006-06-12 05:52 74,240 C:\WINDOWS\system32\usbui.dll
2006-06-12 05:48 85,020 C:\WINDOWS\system32\dgsetup.dll
2006-06-12 05:48 8,704 C:\WINDOWS\system32\batt.dll
2006-06-12 05:48 8,192 C:\WINDOWS\system32\kbdhept.dll
2006-06-12 05:48 74,752 C:\WINDOWS\system32\storprop.dll
2006-06-12 05:48 7,168 C:\WINDOWS\system32\kbdcz.dll
2006-06-12 05:48 69,120 C:\WINDOWS\NOTEPAD.EXE
2006-06-12 05:48 6,656 C:\WINDOWS\system32\kbdycl.dll
2006-06-12 05:48 6,656 C:\WINDOWS\system32\kbdsl1.dll
2006-06-12 05:48 6,656 C:\WINDOWS\system32\kbdsl.dll
2006-06-12 05:48 6,656 C:\WINDOWS\system32\kbdpl.dll
2006-06-12 05:48 6,656 C:\WINDOWS\system32\kbdhu.dll
2006-06-12 05:48 6,656 C:\WINDOWS\system32\kbdhela3.dll
2006-06-12 05:48 6,656 C:\WINDOWS\system32\kbdcz2.dll
2006-06-12 05:48 6,656 C:\WINDOWS\system32\kbdcz1.dll
2006-06-12 05:48 6,656 C:\WINDOWS\system32\kbdcr.dll
2006-06-12 05:48 6,656 C:\WINDOWS\system32\KBDAL.DLL
2006-06-12 05:48 6,144 C:\WINDOWS\system32\kbdtuq.dll
2006-06-12 05:48 6,144 C:\WINDOWS\system32\kbdtuf.dll
2006-06-12 05:48 6,144 C:\WINDOWS\system32\kbdlv1.dll
2006-06-12 05:48 6,144 C:\WINDOWS\system32\kbdlv.dll
2006-06-12 05:48 6,144 C:\WINDOWS\system32\kbdhela2.dll
2006-06-12 05:48 6,144 C:\WINDOWS\system32\kbdgkl.dll
2006-06-12 05:48 6,144 C:\WINDOWS\system32\kbdest.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdycc.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbduzb.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdur.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdtat.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdru1.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdru.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdro.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdpl1.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdmon.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdlt1.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdlt.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdkyr.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdkaz.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdhu1.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdhe319.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdhe220.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdhe.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdbu.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdblr.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdazel.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdaze.dll
2006-06-12 05:48 24,661 C:\WINDOWS\system32\spxcoins.dll
2006-06-12 05:48 176,157 C:\WINDOWS\system32\dgrpsetu.dll
2006-06-12 05:48 15,360 C:\WINDOWS\TASKMAN.EXE
2006-06-12 05:48 13,312 C:\WINDOWS\system32\irclass.dll
2006-06-12 05:48 103,424 C:\WINDOWS\system32\EqnClass.Dll
2006-06-12 05:38 1,006,632,960 C:\pagefile.sys
2006-06-12 05:08 112,128 C:\WINDOWS\system32\mapi32.dll
2006-06-12 05:05 8,192 C:\WINDOWS\system32\bitsprx2.dll
2006-06-12 05:05 7,168 C:\WINDOWS\system32\bitsprx3.dll
2006-06-12 05:05 67,584 C:\WINDOWS\system32\srclient.dll
2006-06-12 05:05 64,512 C:\WINDOWS\system32\acctres.dll
2006-06-12 05:05 6,656 C:\WINDOWS\system32\wuauserv.dll
2006-06-12 05:05 45,568 C:\WINDOWS\system32\safrslv.dll
2006-06-12 05:05 430,592 C:\WINDOWS\system32\wuapi.dll
2006-06-12 05:05 43,520 C:\WINDOWS\system32\safrcdlg.dll
2006-06-12 05:05 43,520 C:\WINDOWS\system32\racpldlg.dll
2006-06-12 05:05 382,464 C:\WINDOWS\system32\qmgr.dll
2006-06-12 05:05 36,864 C:\WINDOWS\system32\wups.dll
2006-06-12 05:05 29,696 C:\WINDOWS\system32\safrdm.dll
2006-06-12 05:05 239,104 C:\WINDOWS\system32\srrstr.dll
2006-06-12 05:05 22,528 C:\WINDOWS\system32\fltMc.exe
2006-06-12 05:05 183,296 C:\WINDOWS\system32\wuaueng1.dll
2006-06-12 05:05 18,944 C:\WINDOWS\system32\qmgrprxy.dll
2006-06-12 05:05 170,496 C:\WINDOWS\system32\srsvc.dll
2006-06-12 05:05 165,888 C:\WINDOWS\system32\wuauclt1.exe
2006-06-12 05:05 16,896 C:\WINDOWS\system32\fltlib.dll
2006-06-12 05:05 16,384 C:\WINDOWS\system32\icfgnt5.dll
2006-06-12 05:05 120,320 C:\WINDOWS\system32\wuweb.dll
2006-06-12 05:05 12,288 C:\WINDOWS\system32\nmevtmsg.dll
2006-06-12 05:05 112,640 C:\WINDOWS\system32\wucltui.dll
2006-06-12 05:05 111,104 C:\WINDOWS\system32\wuauclt.exe
2006-06-12 05:05 11,264 C:\WINDOWS\system32\atrace.dll
2006-06-12 05:05 1,134,592 C:\WINDOWS\system32\wuaueng.dll
2006-06-12 05:04 81,920 C:\WINDOWS\system32\isign32.dll
2006-06-12 05:04 81,920 C:\WINDOWS\system32\ils.dll
2006-06-12 05:04 73,728 C:\WINDOWS\system32\icwdial.dll
2006-06-12 05:04 69,632 C:\WINDOWS\system32\msconf.dll
2006-06-12 05:04 678,400 C:\WINDOWS\system32\inetcomm.dll
2006-06-12 05:04 65,536 C:\WINDOWS\system32\icwphbk.dll
2006-06-12 05:04 48,128 C:\WINDOWS\system32\inetres.dll
2006-06-12 05:04 34,560 C:\WINDOWS\system32\mnmdd.dll
2006-06-12 05:04 32,768 C:\WINDOWS\system32\mnmsrvc.exe
2006-06-12 05:04 32,768 C:\WINDOWS\system32\isrdbg32.dll
2006-06-12 05:04 28,672 C:\WINDOWS\system32\nmmkcert.dll
2006-06-12 05:04 274,944 C:\WINDOWS\system32\mstask.dll
2006-06-12 05:04 274,432 C:\WINDOWS\system32\inetcfg.dll
2006-06-12 05:04 252,928 C:\WINDOWS\system32\msoeacct.dll
2006-06-12 05:04 190,976 C:\WINDOWS\system32\schedsvc.dll
2006-06-12 05:04 12,288 C:\WINDOWS\system32\mstinit.exe
2006-06-12 05:04 105,984 C:\WINDOWS\system32\msoert2.dll
2006-06-12 05:03 5,632 C:\WINDOWS\system32\write.exe
2006-06-12 05:02 949,248 C:\WINDOWS\system32\msdtctm.dll
2006-06-12 05:02 93,696 C:\WINDOWS\system32\tscfgwmi.dll
2006-06-12 05:02 90,112 C:\WINDOWS\system32\mtxoci.dll
2006-06-12 05:02 9,728 C:\WINDOWS\system32\reset.exe
2006-06-12 05:02 87,176 C:\WINDOWS\system32\rdpwsx.dll
2006-06-12 05:02 85,504 C:\WINDOWS\system32\catsrvps.dll
2006-06-12 05:02 82,432 C:\WINDOWS\system32\comrepl.dll
2006-06-12 05:02 80,384 C:\WINDOWS\system32\charmap.exe
2006-06-12 05:02 73,216 C:\WINDOWS\system32\avwav.dll
2006-06-12 05:02 67,072 C:\WINDOWS\system32\rdshost.exe
2006-06-12 05:02 655,360 C:\WINDOWS\system32\mstscax.dll
2006-06-12 05:02 628,224 C:\WINDOWS\system32\catsrvut.dll
2006-06-12 05:02 62,464 C:\WINDOWS\system32\rdpclip.exe
2006-06-12 05:02 62,464 C:\WINDOWS\system32\colbact.dll
2006-06-12 05:02 605,696 C:\WINDOWS\system32\getuname.dll
2006-06-12 05:02 60,416 C:\WINDOWS\system32\remotepg.dll
2006-06-12 05:02 6,144 C:\WINDOWS\system32\msdtc.exe
2006-06-12 05:02 58,880 C:\WINDOWS\system32\msdtclog.dll
2006-06-12 05:02 58,880 C:\WINDOWS\system32\licwmi.dll
2006-06-12 05:02 56,832 C:\WINDOWS\system32\sol.exe
2006-06-12 05:02 56,320 C:\WINDOWS\system32\servdeps.dll
2006-06-12 05:02 55,296 C:\WINDOWS\system32\freecell.exe
2006-06-12 05:02 540,160 C:\WINDOWS\system32\comuid.dll
2006-06-12 05:02 54,272 C:\WINDOWS\system32\stclient.dll
2006-06-12 05:02 538,624 C:\WINDOWS\system32\spider.exe
2006-06-12 05:02 501,248 C:\WINDOWS\system32\clbcatq.dll
2006-06-12 05:02 5,120 C:\WINDOWS\system32\dcomcnfg.exe
2006-06-12 05:02 44,544 C:\WINDOWS\system32\tscupgrd.exe
2006-06-12 05:02 44,544 C:\WINDOWS\system32\hticons.dll
2006-06-12 05:02 425,472 C:\WINDOWS\system32\msdtcprx.dll
2006-06-12 05:02 407,552 C:\WINDOWS\system32\mstsc.exe
2006-06-12 05:02 4,096 C:\WINDOWS\system32\rdpcfgex.dll
2006-06-12 05:02 4,096 C:\WINDOWS\system32\mtxex.dll
2006-06-12 05:02 38,912 C:\WINDOWS\system32\cfgbkend.dll
2006-06-12 05:02 35,328 C:\WINDOWS\system32\winchat.exe
2006-06-12 05:02 345,088 C:\WINDOWS\system32\hypertrm.dll
2006-06-12 05:02 343,040 C:\WINDOWS\system32\mspaint.exe
2006-06-12 05:02 33,792 C:\WINDOWS\system32\regini.exe
2006-06-12 05:02 295,424 C:\WINDOWS\system32\termsrv.dll
2006-06-12 05:02 25,600 C:\WINDOWS\system32\comaddin.dll
2006-06-12 05:02 25,088 C:\WINDOWS\system32\mtxlegih.dll
2006-06-12 05:02 229,888 C:\WINDOWS\system32\catsrv.dll
2006-06-12 05:02 227,840 C:\WINDOWS\system32\avtapi.dll
2006-06-12 05:02 22,016 C:\WINDOWS\system32\qwinsta.exe
2006-06-12 05:02 20,992 C:\WINDOWS\system32\msg.exe
2006-06-12 05:02 20,480 C:\WINDOWS\system32\qprocess.exe
2006-06-12 05:02 20,480 C:\WINDOWS\system32\mtxdm.dll
2006-06-12 05:02 19,968 C:\WINDOWS\system32\rdpsnd.dll
2006-06-12 05:02 185,344 C:\WINDOWS\system32\cmprops.dll
2006-06-12 05:02 183,808 C:\WINDOWS\system32\accwiz.exe
2006-06-12 05:02 17,408 C:\WINDOWS\system32\mmfutil.dll
2006-06-12 05:02 161,280 C:\WINDOWS\system32\msdtcuiu.dll
2006-06-12 05:02 16,896 C:\WINDOWS\system32\tsshutdn.exe
2006-06-12 05:02 16,896 C:\WINDOWS\system32\qappsrv.exe
2006-06-12 05:02 16,384 C:\WINDOWS\system32\tskill.exe
2006-06-12 05:02 16,384 C:\WINDOWS\system32\avmeter.dll
2006-06-12 05:02 15,872 C:\WINDOWS\system32\rwinsta.exe
2006-06-12 05:02 15,872 C:\WINDOWS\system32\cdmodem.dll
2006-06-12 05:02 15,360 C:\WINDOWS\system32\logoff.exe
2006-06-12 05:02 147,968 C:\WINDOWS\system32\rdchost.dll
2006-06-12 05:02 147,456 C:\WINDOWS\system32\comsnap.dll

fenrif
2006-07-18, 13:18
Here's part 2:

2006-06-12 05:02 140,800 C:\WINDOWS\system32\sessmgr.exe
2006-06-12 05:02 14,848 C:\WINDOWS\system32\tsdiscon.exe
2006-06-12 05:02 14,848 C:\WINDOWS\system32\tscon.exe
2006-06-12 05:02 14,848 C:\WINDOWS\system32\shadow.exe
2006-06-12 05:02 138,752 C:\WINDOWS\system32\sndvol32.exe
2006-06-12 05:02 131,584 C:\WINDOWS\system32\sndrec32.exe
2006-06-12 05:02 13,824 C:\WINDOWS\system32\rdsaddin.exe
2006-06-12 05:02 126,976 C:\WINDOWS\system32\mshearts.exe
2006-06-12 05:02 123,392 C:\WINDOWS\system32\mplay32.exe
2006-06-12 05:02 119,808 C:\WINDOWS\system32\winmine.exe
2006-06-12 05:02 114,688 C:\WINDOWS\system32\calc.exe
2006-06-12 05:02 110,080 C:\WINDOWS\system32\clbcatex.dll
2006-06-12 05:02 11,776 C:\WINDOWS\system32\xolehlp.dll
2006-06-12 05:02 11,264 C:\WINDOWS\system32\icaapi.dll
2006-06-12 05:02 102,912 C:\WINDOWS\system32\clipbrd.exe
2006-06-12 05:02 1,251,840 C:\WINDOWS\system32\comsvcs.dll
2006-06-12 05:02 1,161 C:\WINDOWS\system32\usrlogon.cmd
2006-06-04 22:40 31,248,128 C:\back_up.reg


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"PRISMSVR.EXE"="\"C:\\WINDOWS\\system32\\PRISMSVR.EXE\" /APPLY"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"RegistryMechanic"=""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SpybotSnD"="\"C:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe\" /autocheck"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\MSN Gaming Zone\\kyzetety.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\MSN\\howy.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\At1.job

Completion time: Tue 07/18/2006 12:15:37.64
ComboFix ver 06.07.15 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-07-18.121515.txt

fenrif
2006-07-18, 13:19
And here's a fresh HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:19:04 PM, on 7/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\palmOne\HOTSYNC.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Promise\FastTrak\FtrakSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Opera\Opera.exe
C:\applicationas\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 213.105.224.12
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.105.224.12:8080
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FastCheck Monitoring Utility.lnk = C:\Program Files\Promise\FastTrak\RAIDeUtility.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Promise FastTrak Log Service (FastTrakSvc) - Promise Technology Inc. - C:\Program Files\Promise\FastTrak\FtrakSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

Rawe
2006-07-18, 16:12
Alrighty then.. :)

---

Please run the F-Secure Online Scanner (http://support.f-secure.com/enu/home/ols3.shtml#)

Note: This scanner is for Internet Explorer only!
Follow the instructions here (http://support.f-secure.com/enu/home/ols3.shtml) for installation.
Accept the License Agreement.
Once the ActiveX installs, click Full System Scan
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and copy & paste the entire report in your next reply.


---

Download GMER (http://www.gmer.net/gmer.zip):
Unzip it and double-click GMER.exe
Click the rootkit-tab and click scan.
Once done, click Copy.
This will copy the results to clipboard.
Paste the results in your next reply along with the F-Secure report.

fenrif
2006-07-18, 21:06
Hey, just a quick question: that F-Secure online scanner, I've run it twice now, and each time when I get back to the computer the scan has apparently finished but the window isn't open anymore, and there's no logfile or completion notification. Is that right or is something going wrong there?

fenrif
2006-07-18, 21:21
Oh, and here's the GMER log; I'll post the F-Secure log after I get back from work if it's finished normally. Thanks again for all this help, it's very much appreciated! :D

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-07-18 20:19:23
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.10 ----

SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwTerminateProcess

---- Devices - GMER 1.0.10 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F914C85A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F914C85A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F914C85A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F914C85A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN [F914C85A] avgtdi.sys
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE B61FD400

---- Files - GMER 1.0.10 ----

File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log
File C:\System Volume Information\_restore{6B30774D-5F6E-4FBA-B33C-15A96DD121D0}

---- EOF - GMER 1.0.10 ----

fenrif
2006-07-19, 04:55
OK, here's the F-Secure scan log:

Scanning Report
Tuesday, July 18, 2006 20:25:24 - 03:47:35

Computer name: MATT
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\
Result: 1 malware found
W32/Backdoor (virus)
C:\APPLICATIONAS\COMIC_BOOK_MANAGER_V1.07.EXE
Statistics
Scanned:
Files: 20865
System: 4307
Not scanned: 4
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 1
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\DOCUMENTS AND SETTINGS\FENRIF\LOCAL SETTINGS\TEMP\HSPERFDATA_FENRIF\4024
Options
Scanning engines:
F-Secure AVP: 6.0.171, 2006-07-18
F-Secure Libra: 2.4.1, 2006-07-12
F-Secure Orion: 1.2.37, 2006-07-18
F-Secure Blacklight: 1.0.31, 0000-00-00
F-Secure Pegasus: 1.19.0, 2006-06-05
F-Secure Draco: 1.0.35, 2006-07-10
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
Use Advanced heuristics

Rawe
2006-07-19, 11:53
Alright.. :)

---

Please download the Killbox by Option^Explicit (http://www.downloads.subratam.org/KillBox.zip).

Note: In the event you already have Killbox, this is a new version that I need you to download.

Save it to your desktop.
Please double-click Killbox.exe to run it.
Select: Delete on Reboot then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\APPLICATIONAS\COMIC_BOOK_MANAGER_V1.07.EXE
C:\WINDOWS\system32\shadow.exe
C:\warebundlenew.exe
C:\warebundle2.exe
C:\WINDOWS\system32\aaa00000.sys
C:\WINDOWS\system32\aqcebdip.dll
C:\WINDOWS\system32\esubf39b.sys


Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here (http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe) to download and run missingfilesetup.exe. Then try Killbox again.

---

Please download SmitfraudFix by S!Ri (http://siri.urz.free.fr/Fix/SmitfraudFix.zip)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

fenrif
2006-07-19, 13:57
OK, here's the SmitfraudFix logfile. Also, I did not receive the PendingFileRenameOperations prompt when running Killbox:

SmitFraudFix v2.74

Scan done at 12:55:31.80, Wed 07/19/2006
Run from C:\Documents and Settings\fenrif\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\fenrif\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\fenrif\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\MSN Gaming Zone\\kyzetety.html"
"SubscribedURL"=""
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\MSN\\howy.html"
"SubscribedURL"=""
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Rawe
2006-07-19, 18:23
Delete the following files:

C:\Program Files\MSN Gaming Zone\kyzetety.html
C:\Program Files\MSN\howy.html

Empty recycle bin.

---

Please go HERE (http://www.pandasoftware.com/products/activescan.htm) to run Panda's ActiveScan
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report. :)

fenrif
2006-07-19, 21:55
Incident Status Location

Potentially unwanted tool:Application/Processor Not disinfected C:\applicationas\smitRem.exe[smitRem/Process.exe]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\fenrif\Cookies\fenrif@atdmt[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\fenrif\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\fenrif\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Matthew\Cookies\matthew@888[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Matthew\Cookies\matthew@cassava[1].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Matthew\Cookies\matthew@winfixer[2].txt

Rawe
2006-07-19, 23:04
Clean out temporary files:
Click Start -> Run and type in: cleanmgr
Click "Ok".
Let it scan your system.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only ones checked.
Click "OK" to remove them.
Click "Yes" to confirm the deletion.


Hows the system running? :)

fenrif
2006-07-20, 05:30
Well, all the pop-ups and ads have stopped, and everything seems to be running a lot smoother and faster; only now it's started restarting itself for no reason. :confused:

For example, I tried to run that cleanmgr, and every time I try and run it the computer restarts before it finishes scanning. Also, I have some large zip files (800 meg) that restart the system every time I try to unzip them. I've scanned them and there doesn't seem to be any virus inside. One other instance of restarting is when I'm using DVD Shrink to back up a DVD. Any idea what might be causing this?

md usa spybot fan
2006-07-21, 23:45
fenrif:

It appears to me that at least some of the things that you reported doing when the system restarts may involve the use of substantial amounts of temporary disk storage or paging disk storage (which is a function of the physical memory you have and the memory required by the programs you are running).

How much free disk space do you have, and what percentage of the total disk capacity is that? Using Windows Explorer, right-click on "Local Disk C:" and select "Properties". You will see figures for:
Used space:
Free space:
Capacity:
I would also like you to check the values under "System Properties" > "Startup and Recovery" to see if the "System failure" options are set up to record "System Events" and cause a "Blue screen" event rather than just a restart if the problem is serious enough.

Using Windows Explorer, right-click on "My Computer" and select "Properties". Under the "System failure" options you should see the following (where "■" represents checked options and "□" represents unchecked options):
■ Write an event to the system log
■ Send an administrative alert
□ Automatically restart
If the options are set up as depicted above the Event Viewer may hold a clue to what is happening. Review the "System" events in the "Event Viewer" and see if anything points to the problem that you are experiencing.
Click Start and Control Panel.
If the Control Panel is in category view, click Performance and Maintenance.
Click on Administrative Tools.
Double-click on the Event Viewer.
Click on "System" in the left-hand column (pane).
Are there any events recorded for the Date and Time of the restarts?
If so, double-clicking on the Event will open the Event Properties.
Information in the Description box can be copied by highlighting it and pressing Ctrl+C, which will copy the text to the clipboard.
If there is any information from the Event Viewer that you think is pertinent to the cause of the restart problem, feel free to post it.
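As an added example (not part of the thread and not the helper's own procedure), a Windows PowerShell script that gathers the three things asked about above in one run: free space on the system drive, the "System failure" checkboxes (which are stored as DWORD values under the CrashControl registry key), and the System log events that record unexpected restarts. It assumes Windows PowerShell (Get-EventLog is not available in PowerShell 7) and read access to HKLM; the 10% free-space threshold is an arbitrary choice.

```powershell
# Added example: collect the restart-diagnosis data a helper would ask for.
# Assumes Windows PowerShell 2.0 or later (Get-WmiObject / Get-EventLog).

$systemDrive = $env:SystemDrive            # normally "C:"

# --- 1. Free space on the system drive (temp files and the page file live here) ---
$disk    = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$systemDrive'"
$freeGB  = [math]::Round($disk.FreeSpace / 1GB, 2)
$sizeGB  = [math]::Round($disk.Size / 1GB, 2)
$freePct = [math]::Round(100 * $disk.FreeSpace / $disk.Size, 1)
Write-Host ("{0} capacity {1} GB, free {2} GB ({3}%)" -f $systemDrive, $sizeGB, $freeGB, $freePct)
if ($freePct -lt 10) {                     # threshold is an assumption, not from the thread
    Write-Warning "Less than 10% free: temp files and the page file may be running out of room."
}

# --- 2. Startup and Recovery > System failure options ---
# The three checkboxes map to DWORD values under CrashControl:
#   LogEvent   = "Write an event to the system log"
#   SendAlert  = "Send an administrative alert"
#   AutoReboot = "Automatically restart"
$cc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$checkbox = @{ 1 = '[x]'; 0 = '[ ]' }      # a missing value reads as 0 (unchecked)
Write-Host ("{0} Write an event to the system log" -f $checkbox[[int]$cc.LogEvent])
Write-Host ("{0} Send an administrative alert"     -f $checkbox[[int]$cc.SendAlert])
Write-Host ("{0} Automatically restart"            -f $checkbox[[int]$cc.AutoReboot])
if ($cc.AutoReboot -eq 1) {
    Write-Warning "AutoReboot is on: a bugcheck restarts the box silently instead of showing the blue screen."
}

# --- 3. System log entries that mark crashes and unexpected shutdowns ---
#   6008 = "The previous system shutdown ... was unexpected" (source: EventLog)
#   1001 = bugcheck record written by Save Dump (XP) / WER-SystemErrorReporting (Vista+)
#   41   = Kernel-Power: the system rebooted without cleanly shutting down (Vista+)
$since = (Get-Date).AddDays(-7)
Get-EventLog -LogName System -After $since |
    Where-Object { 6008, 1001, 41 -contains $_.EventID } |
    Sort-Object TimeGenerated |
    Select-Object TimeGenerated, EventID, Source,
                  @{ n = 'Message'; e = { $_.Message -replace "`r?`n", ' ' } } |
    Format-Table -AutoSize -Wrap
```

Compare the timestamps of any 6008/1001/41 entries against the moments the restarts happened; an entry with no preceding bugcheck record usually means AutoReboot was on or the crash was never logged.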

tashi
2006-07-25, 16:05
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a pm and provide a link to the thread. Applies only to the original topic starter.

Thank you Rawe and md usa spybot fan.