Help

ALEXSF415

New member
Hi

I can't access my control panel even though I'm using the admin account; it will say "Restriction - This operation has been cancelled due to restrictions in effect on this computer. Please contact admin."

I also get a pop up saying

Windows Security Alert
Your computer is making unauthorized copies of your system and Internet files. Run scan now to prevent any unauthorised access to your files! Click here to download spyware remover

When I click yes it sends me to h**p://avsystemcare.com
data/?mtrt=avds22&gai=swfeed&gli=6018&gff=pp_1447265044&3&ax=1&ed=1&ex=1&mtrt=null&45080703

I ran Search & Destroy and it can't get rid of some stuff, like hkey_users\1-5-21....\software\microsoft\windows\currentversion\policies\explorer\nocontrolpanel!=w=0, hkey_local_machine\.....\disableregistrytools!=dword:0,
hkey_local_machine\.........|disabletaskmgr!=dword;0

Thanks in advance for any help.
 
Hi

Please read this link :-

"BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance)

http://forums.spybot.info/showthread.php?t=288

THEN ...

Please download Combofix: http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
and save to the desktop.

1. Double-click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new HijackThis log (which you'll find in the link above).

Notes:
* Do not mouse-click ComboFix's window while it is running. That may cause your system to stall/hang.
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

steam
 
Hi, and thanks for your help

here are the reports you asked for.

One other thing: when I went to C:\combofix.txt, it would not let me open it; it said "C:\combofix.txt is not a valid Win32 application".

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:03:41 PM, on 9/29/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\00THotkey.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\System32\s3hotkey.exe
C:\WINDOWS\System32\S3Tray2.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\kmw_run.exe
C:\WINDOWS\System32\KMW_SHOW.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\OdHost.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.sexofactory.com/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.toshiba.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Linksys Wireless-N Notebook Adapter] C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Investigador - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1100911663445
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\cmcache.dat
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WPC300N - Unknown owner - C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Smart Card Helper SCardDrvImapiService (SCardDrvImapiService) - Unknown owner - C:\WINDOWS\System32\acctresh.exe
O23 - Service: WMI Performance Adapter WmiApSrvwinmgmt (WmiApSrvwinmgmt) - Unknown owner - C:\WINDOWS\System32\actxprxyv.exe

--
End of file - 9285 bytes


ComboFix 07-09-30.5 - ALEX 2007-09-29 19:47:31.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.0.1252.1.1033.18.64 [GMT -7:00]
Running from: C:\Documents and Settings\ALEX\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\ALEX\Start Menu\Programs\Startup\system.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\WinAvXX.exe

.
((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-30 )))))))))))))))))))))))))))))))
.

2007-09-29 19:39 59,904 --a------ C:\WINDOWS\boot4384.exe
2007-09-29 17:57 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-28 22:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-28 16:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\NetWorkSwitch.temp
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Drag'n Drop CD
2007-09-27 18:47 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-09-26 21:23 46,913 -r-hs---- C:\WINDOWS\system32\acctresh.exe
2007-09-26 16:21 9,728 --a------ C:\WINDOWS\exploeee.exe
2007-09-26 16:21 8,192 --a------ C:\WINDOWS\system32\stdole32.dat
2007-09-26 16:21 53 --ahs---- C:\WINDOWS\system32\4039909485.dat
2007-09-26 16:21 28,672 -r-hs---- C:\WINDOWS\system32\actxprxyv.exe
2007-09-26 15:49 <DIR> d-------- C:\Program Files\Funk Software
2007-09-26 15:49 <DIR> d-------- C:\Program Files\Common Files\Funk Software
2007-09-26 15:48 94,208 --a------ C:\WINDOWS\system32\W32N50CT.DLL
2007-09-26 15:48 543,104 --a------ C:\WINDOWS\system32\drivers\BCMWL5.SYS
2007-09-26 15:48 25,600 --a------ C:\WINDOWS\system32\borlndmm.dll
2007-09-26 15:48 17,142 --a------ C:\WINDOWS\system32\CBTNDIS5.SYS
2007-09-26 15:48 1,706,800 --a------ C:\WINDOWS\system32\GdiPlus.dll
2007-09-26 15:48 1,497,088 --a------ C:\WINDOWS\system32\cc3260mt.dll
2007-09-26 15:48 1,496,064 --a------ C:\WINDOWS\system32\cc3250mt.dll
2007-09-26 15:48 <DIR> d-------- C:\Program Files\Linksys
2007-09-16 18:25 6,144 --a------ C:\WINDOWS\reppor.exe
2007-09-16 18:25 39,424 --a------ C:\WINDOWS\system32\vtr.dll
2007-09-15 21:47 6,144 --a------ C:\WINDOWS\system32\cmcache.dat
2007-09-09 20:34 <DIR> d-------- C:\Program Files\Microsoft Streets and Trips

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-29 00:01 --------- d-------- C:\Program Files\Ivde
2007-09-26 15:48 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-25 09:28 --------- d-------- C:\Program Files\MySpace
2007-08-23 21:57 --------- d-------- C:\Documents and Settings\ALEX\Application Data\MySpace
2007-08-16 19:12 --------- d-------- C:\Program Files\Opera
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2002-09-08 11:11 56832 --ahsc--- C:\Program Files\Thumbs.db
2001-08-18 12:00:00 94,784 -csh--w C:\WINDOWS\twain.dll
2001-08-18 12:00:00 46,592 -csh--w C:\WINDOWS\twain_32.dll
2001-08-18 12:00:00 995,383 --sh--w C:\WINDOWS\system32\mfc42.dll
2001-08-18 12:00:00 50,688 -csh--w C:\WINDOWS\system32\msvcirt.dll
2001-08-18 12:00:00 401,462 --sh--w C:\WINDOWS\system32\msvcp60.dll
2001-08-18 12:00:00 322,560 --sh--w C:\WINDOWS\system32\msvcrt.dll
2001-08-18 12:00:00 569,344 --sh--w C:\WINDOWS\system32\oleaut32.dll
2001-08-18 12:00:00 106,496 --sh--w C:\WINDOWS\system32\olepro32.dll
2001-08-18 12:00:00 9,728 -csh--w C:\WINDOWS\system32\regsvr32.exe
.

-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2002-04-15 18:35]
"000StTHK"="000StTHK.exe" [2001-06-23 20:28 C:\WINDOWS\system32\000StTHK.exe]
"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2002-02-27 12:27]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2001-11-14 03:37]
"S3Hotkey"="s3hotkey.exe" [2001-09-12 21:27 C:\WINDOWS\system32\s3hotkey.exe]
"S3TRAY2"="S3Tray2.exe" [2002-02-20 16:38 C:\WINDOWS\system32\S3Tray2.exe]
"TFNF5"="TFNF5.exe" [2001-08-03 18:08 C:\WINDOWS\system32\TFNF5.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-03-29 14:40]
"TFncKy"="TFncKy.exe" []
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2002-04-12 11:13]
"Tpwrtray"="TPWRTRAY.EXE" [2002-03-19 20:38 C:\WINDOWS\system32\TPWRTRAY.EXE]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 07:11]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2002-04-09 17:51]
"windows auto update"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 18:28]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38]
"kmw_run.exe"="kmw_run.exe" [2003-05-27 14:48 C:\WINDOWS\system32\kmw_run.exe]
"MSWheel"="" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 04:03]
"Linksys Wireless-N Notebook Adapter"="C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe" [2006-04-28 05:55]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-28 23:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-01 21:31]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 06:19:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
SpySubtract.lnk - C:\Program Files\interMute\SpySubtract\SpySub.exe [2005-02-01 19:49:19]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 06:19:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
SpySubtract.lnk - C:\Program Files\interMute\SpySubtract\SpySub.exe [2005-02-01 19:49:19]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= c:\Program Files\interMute\SpySubtract\sshook.dll [2005-02-01 19:49 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\System32\cmcache.dat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

R0 TVALG;Toshiba Value Added Logical and General Purpose Device Driver;C:\WINDOWS\System32\DRIVERS\TVALG.SYS
R2 NICSer_WPC300N;NICSer_WPC300N;C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\System32\CBTNDIS5.SYS
R3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\System32\DRIVERS\KMW_KBD.sys
R3 KMW_SYS;Kensington MouseWorks Mouse filter driver;C:\WINDOWS\System32\DRIVERS\KMW_SYS.sys
R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\System32\DRIVERS\odysseyIM4.sys
R3 TOSHIBASoftModem;TOSHIBA Software Modem;C:\WINDOWS\System32\DRIVERS\LTSM.sys
R3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\System32\DRIVERS\tsdhd.sys
R3 WDM_YAMAHAAC97;YAMAHA AC-XG Audio Device;C:\WINDOWS\System32\drivers\yacxgc.sys
S2 SCardDrvImapiService;Smart Card Helper SCardDrvImapiService;C:\WINDOWS\System32\acctresh.exe srv
S2 WmiApSrvwinmgmt;WMI Performance Adapter WmiApSrvwinmgmt;C:\WINDOWS\System32\actxprxyv.exe srv
S3 KMW_USB;Kensington MouseWorks USB filter driver;C:\WINDOWS\System32\DRIVERS\KMW_USB.sys
S3 pciSd;pciSd;C:\WINDOWS\System32\DRIVERS\tossdpci.sys
S3 wlluc48;Wireless LAN PC Card Driver;C:\WINDOWS\System32\DRIVERS\wlluc48.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-19 01:05:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-09-30 02:20:51 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-09-29 03:09:47 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exe
"2007-09-30 02:56:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-29 19:55:09
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-29 19:58:49
C:\ComboFix-quarantined-files.txt ... 2007-09-29 19:58
C:\ComboFix2.txt ... 2007-09-29 19:29
.
--- E O F ---


Thanks again
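The HijackThis log above carries several of the persistence mechanisms the helper will be working through: an AppInit_DLLs entry pointing at a .dat file (cmcache.dat), an ActiveX object registered from file://c:\counter.cab, an IE SearchAssistant pointing at a third-party site, and two "Unknown owner" services in System32 whose display names are legitimate XP service names with the malware's own service name appended. The following Python script is an added example, not part of this thread or of HijackThis, that applies those checks to log lines of the R1, O16, O20 and O23 kinds. The rule names, the assumed set of legitimate SearchAssistant domains (microsoft.com, msn.com) and the "unknown owner in System32" heuristic are assumptions for the example; the sample lines are copied from the log above, benign ones included so the rules can be seen not firing.

```python
import re
from urllib.parse import urlparse

# Line patterns for the HijackThis sections checked here (R1, O16, O20, O23).
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<path>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+)$"
)
O16_RE = re.compile(r"^O16 - DPF: \{[^}]+\}(?: \([^)]*\))? - (?P<url>\S+)$")
R1_SEARCH_RE = re.compile(r"^R1 - HKLM\\.*SearchAssistant = (?P<url>\S+)$")

# Assumption for this example: IE's SearchAssistant should only point at a
# Microsoft-owned host.
IE_SEARCH_DOMAINS = ("microsoft.com", "msn.com")


def _under(host, domain):
    return host == domain or host.endswith("." + domain)


def triage_line(line):
    """Return [(rule, detail), ...] for one HijackThis line; [] if it looks clean."""
    line = line.strip()
    findings = []

    m = O20_RE.match(line)
    if m:
        path = m.group("path")
        # AppInit_DLLs is loaded into every process that maps user32.dll. A
        # legitimate entry is a .dll; a renamed .dat (cmcache.dat) is hiding.
        if not path.lower().endswith(".dll"):
            findings.append(("appinit_non_dll", path))

    m = O23_RE.match(line)
    if m:
        display, name, owner, path = m.group("display", "name", "owner", "path")
        low = path.lower()
        # Heuristic (assumed): Microsoft's own System32 services carry a company
        # name, so an unattributed .exe there, outside \drivers\, deserves a look.
        if (owner == "Unknown owner" and "\\system32\\" in low
                and "\\drivers\\" not in low and low.endswith(".exe")):
            findings.append(("unknown_owner_service_in_system32", path))
        # "Smart Card Helper SCardDrvImapiService": a real display name with the
        # malware's service name glued on the end so it sits next to the
        # legitimate entry in services.msc.
        if name and display != name and display.endswith(" " + name):
            findings.append(("display_name_piggybacks_legit_service", display))

    m = O16_RE.match(line)
    if m and m.group("url").lower().startswith("file://"):
        # An ActiveX control "downloaded" from the local disk was dropped there
        # by something else; nothing legitimate installs this way.
        findings.append(("activex_from_local_file", m.group("url")))

    m = R1_SEARCH_RE.match(line)
    if m:
        host = (urlparse(m.group("url")).hostname or "").lower()
        if not any(_under(host, d) for d in IE_SEARCH_DOMAINS):
            findings.append(("search_assistant_hijack", host))

    return findings


def triage(log_text):
    """Apply triage_line to every line of a log, in log order."""
    results = []
    for line in log_text.splitlines():
        results.extend(triage_line(line))
    return results


# Sample lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.sexofactory.com/ie
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\cmcache.dat
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC300N - Unknown owner - C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Smart Card Helper SCardDrvImapiService (SCardDrvImapiService) - Unknown owner - C:\WINDOWS\System32\acctresh.exe
O23 - Service: WMI Performance Adapter WmiApSrvwinmgmt (WmiApSrvwinmgmt) - Unknown owner - C:\WINDOWS\System32\actxprxyv.exe
"""

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:40} {detail}")
```

Run as-is it prints seven findings: the search hijack, the local-file ActiveX entry, the .dat AppInit_DLLs entry, and two findings each for acctresh.exe and actxprxyv.exe. The Linksys service also has "Unknown owner" but lives under Program Files, so the System32 heuristic leaves it alone; that is the intended trade-off, since unattributed third-party services outside System32 are common and the point is to surface binaries dropped where Microsoft's own live.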
 
Hi

One other thing: when I went to C:\combofix.txt, it would not let me open it; it said "C:\combofix.txt is not a valid Win32 application".

Did you try to "run" the file?

If you double-click on it, or right-click & select "open", it should open and show the same text that you posted.

I see you ran ComboFix twice ... you posted the log from the last time you ran it, but you actually ran it half an hour earlier as well ... the log will be different when you run it for the first time ...

Please post the log from the first run ... C:\ComboFix2.txt ... note the #2

THEN ...

Download: SmitfraudFix.zip from :-

http://siri.urz.free.fr/Fix/SmitfraudFix.zip (the file contains both English and French versions)

1. Download it to your desktop.
2. Unzip the zip file to your desktop (the files will be extracted to a folder called SmitfraudFix).
3. Double-click smitfraudfix.cmd.
4. Select 1 and hit Enter to create a report of the infected files.
5. Find the C:\rapport.txt file and post its contents in your next post here.

THEN ...

Download Superantispyware.

http://www.superantispyware.com/

Once downloaded and installed update the definitions
and then run a full system scan quarantine what it finds!

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)

http://www.superantispyware.com/definitions.html

* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.

So please remember to post :-

1. C:\ComboFix2.txt
2. C:\rapport.txt
3. SUPERAntiSpyware Scan Log

steam
 
Hi

The reason I ran ComboFix twice is that I couldn't open the log, even if I double-click on it or right-click and select open. It won't let me open combofix or rapport. So what I have been doing is copying the log over to Word and saving it, so I can access it later.

The popup says "C:\combofix2.txt is not a valid Win32 application."

I keep getting a pop-up that says "Windows cannot find C:\windows\system32\printer.exe. Make sure you have typed the name correctly, and try again" when it restarts.

I have AVG anti-virus that I recently downloaded, and I found several items in the virus vault; one of them is C:\windows\system32\printer.exe. I don't know if I should move it back or leave it in the vault. There are about 25 items in there; I'll post what's in the vault. Sorry if it wasn't necessary for me to post this.

Please let me know if I should disable AVG or not. Also, if I don't disable it, should I scan my computer with AVG, or will it interfere with your reports?

Please advise me if I should start making copies of the stuff on my computer so I won't lose them.

Thanks for all your help.

Trojan horse SHeur.PXY C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe 9/30/2007 13:23 autorun.exe 7.5 KB
Trojan horse SHeur.PXY C:\WINDOWS\System32\winavxx.exe 9/30/2007 14:21 winavxx.exe 7.5 KB
Trojan horse SHeur.PXY C:\Documents and Settings\ALEX\Start Menu\Programs\Startup\system.exe 9/30/2007 14:21 system.exe 7.5 KB
Trojan horse SHeur.PXY C:\qoobox\Quarantine\C\Documents and Settings\ALEX\Start Menu\Programs\Startup\system.exe.vir 9/30/2007 14:21 system.exe.vir 7.5 KB
Trojan horse SHeur.PXY C:\qoobox\Quarantine\C\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe.vir 9/30/2007 14:21 autorun.exe.vir 7.5 KB
Trojan horse Downloader.Small.AJY C:\qoobox\Quarantine\C\WINDOWS\explore.exe.vir 9/30/2007 14:21 explore.exe.vir 9.5 KB
Trojan horse SHeur.PXY C:\qoobox\Quarantine\C\WINDOWS\system32\printer.exe.vir 9/30/2007 14:21 printer.exe.vir 7.5 KB
Trojan horse SHeur.PXY C:\qoobox\Quarantine\C\WINDOWS\system32\winavxx.exe.vir 9/30/2007 14:21 winavxx.exe.vir 7.5 KB
Trojan horse Downloader.Small.AJY C:\WINDOWS\exploeee.exe 9/30/2007 14:21 exploeee.exe 9.5 KB
Trojan horse Dropper.Agent.2.R C:\WINDOWS\wupdsnff.exe 9/30/2007 14:21 wupdsnff.exe 160 KB
Trojan horse Dropper.Small.5.D C:\WINDOWS\LastGood\notepad.exe 9/30/2007 14:21 notepad.exe 23.84 KB
Virus found Win32/PolyCrypt C:\WINDOWS\system32\acctresh.exe 9/30/2007 14:21 acctresh.exe 45.81 KB
Trojan horse Generic4.LVM C:\WINDOWS\system32\cmcache.dat 9/30/2007 14:21 cmcache.dat 6 KB
Trojan horse SHeur.PXY C:\WINDOWS\system32\printer.exe 9/30/2007 14:21 printer.exe 7.5 KB
Trojan horse Generic7.JGV C:\WINDOWS\system32\systems.txt 9/30/2007 14:21 systems.txt 8 KB
Trojan horse Generic8.CQT C:\WINDOWS\system32\vtr.dll 9/30/2007 14:21 vtr.dll 38.5 KB
Trojan horse SHeur.LFS C:\WINDOWS\system32\printer.exe 9/28/2007 23:40 printer.exe 7.5 KB
Trojan horse Small.P C:\Program Files\Ivde\Mcdutc.exe 9/29/2007 0:01 Mcdutc.exe 36.63 KB
Trojan horse Downloader.Agent.5.E C:\WINDOWS\System32\neth.exe 9/29/2007 0:01 neth.exe 53.28 KB
Trojan horse Dropper.Agent.2.AM C:\counter.cab 9/29/2007 0:01 counter.cab 30.79 KB
Trojan horse SHeur.LFS C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\system.exe 9/29/2007 0:01 system.exe 7.5 KB
Trojan horse Downloader.Small.AJY C:\Documents and Settings\ALEX\Start Menu\Programs\Startup\info.exe 9/29/2007 0:01 info.exe 9.5 KB
Trojan horse SHeur.LFS C:\Documents and Settings\ALEX\Start Menu\Programs\Startup\system.exe 9/29/2007 0:01 system.exe 7.5 KB
Trojan horse SHeur.LFS C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe 9/29/2007 0:01 autorun.exe 7.5 KB
Trojan horse Downloader.Small.AJY C:\Documents and Settings\All Users\Start Menu\Programs\Startup\info.exe 9/29/2007 0:01 info.exe 9.5 KB





While I was running SmitfraudFix a pop-up came up that said "Registry editing has been disabled by your administrator". I clicked OK. It popped up about 8 times.

SmitFraudFix v2.234

Scan done at 17:53:55.61, Sun 09/30/2007
Run from C:\Documents and Settings\ALEX\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\00THotkey.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\System32\s3hotkey.exe
C:\WINDOWS\System32\S3Tray2.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\kmw_run.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\System32\KMW_SHOW.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\OdHost.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

192.168.200.3 download.microsoft.com
192.168.200.3 downloads.microsoft.com
192.168.200.3 go.microsoft.com
192.168.200.3 microsoft.com
192.168.200.3 msdn.microsoft.com
192.168.200.3 office.microsoft.com
192.168.200.3 support.microsoft.com
192.168.200.3 windowsupdate.microsoft.com
192.168.200.3 www.microsoft.com
192.168.200.3 pandasoftware.com
192.168.200.3 www.pandasoftware.com

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\stdole32.dat FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\ALEX


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\ALEX\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ALEX\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\System32\\cmcache.dat"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Linksys Wireless-N Notebook Adapter WPC300N - Packet Scheduler Miniport
DNS Server Search Order: 68.2.16.30
DNS Server Search Order: 68.2.16.25
DNS Server Search Order: 68.6.16.30

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7ED71048-472C-42CE-85A9-7FB9DD764F9B}: DhcpNameServer=68.2.16.30 68.2.16.25 68.6.16.30
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7ED71048-472C-42CE-85A9-7FB9DD764F9B}: DhcpNameServer=68.2.16.30 68.2.16.25 68.6.16.30
HKLM\SYSTEM\CS3\Services\Tcpip\..\{7ED71048-472C-42CE-85A9-7FB9DD764F9B}: DhcpNameServer=68.2.16.30 68.2.16.25 68.6.16.30
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.2.16.30 68.2.16.25 68.6.16.30
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.2.16.30 68.2.16.25 68.6.16.30
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.2.16.30 68.2.16.25 68.6.16.30


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/30/2007 at 08:52 PM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1317

Scan type : Complete Scan
Total Scan Time : 02:15:32

Memory items scanned : 504
Memory threats detected : 0
Registry items scanned : 5428
Registry threats detected : 0
File items scanned : 74835
File threats detected : 22

Adware.Tracking Cookie
C:\Documents and Settings\ALEX\Cookies\alex@anad.tacoda[1].txt
C:\Documents and Settings\ALEX\Cookies\alex@ads.monster[1].txt
C:\Documents and Settings\ALEX\Cookies\alex@ad[1].txt
C:\Documents and Settings\ALEX\Cookies\alex@cgi-bin[2].txt
C:\Documents and Settings\ALEX\Cookies\alex@web4.realtracker[2].txt
C:\Documents and Settings\ALEX\Cookies\alex@atdmt[2].txt
C:\Documents and Settings\ALEX\Cookies\alex@perf.overture[1].txt
C:\Documents and Settings\ALEX\Cookies\alex@windowsmedia[1].txt
C:\Documents and Settings\ALEX\Cookies\alex@questionmarket[2].txt
C:\Documents and Settings\ALEX\Cookies\alex@overture[1].txt
C:\Documents and Settings\ALEX\Cookies\alex@heavycom.122.2o7[1].txt
C:\Documents and Settings\ALEX\Cookies\alex@msnportal.112.2o7[1].txt
C:\Documents and Settings\ALEX\Cookies\alex@partner2profit[1].txt
C:\Documents and Settings\ALEX\Cookies\alex@ads.pointroll[2].txt
C:\Documents and Settings\ALEX\Cookies\alex@adopt.euroclick[1].txt
C:\Documents and Settings\ALEX\Cookies\alex@starware[1].txt
C:\Documents and Settings\ALEX\Cookies\alex@ads.addynamix[1].txt
C:\Documents and Settings\ALEX\Cookies\alex@adinterax[1].txt

Adware.Starware
C:\DOCUMENTS AND SETTINGS\ALEX\DESKTOP\EXCESS\NEW FOLDER\MAPS-1.EXE
C:\DOCUMENTS AND SETTINGS\ALEX\DESKTOP\EXCESS\NEW FOLDER\MAPS.EXE

MBKWBar Toolbar
C:\PROGRAM FILES\MBKWBAR\IETOOLBAR.DLL

Adware.eXactAdvertising-Installer
C:\WINDOWS\SYSTB.EXE
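The "hosts file corrupted" section of the scan log above is the part worth reading twice: every Microsoft download/update name and the Panda site are pointed at 192.168.200.3, which is why Windows Update and vendor pages stop working while everything else still loads. A loopback sinkhole (127.0.0.1 or 0.0.0.0) for ad and tracker names is normal adblock practice; the same mechanism aimed at update and AV vendor names, or at any non-loopback address, is the hijack. The triage below is an added example, not part of the thread or of any tool mentioned in it. The sample hosts content is constructed from the entries in the log, and PROTECTED_SUFFIXES is an assumed, non-exhaustive vendor list.

```python
"""Triage a Windows hosts file for update/AV-vendor hijacks.

Added example, not part of the original thread or of any of the tools
it mentions. SAMPLE_HOSTS is constructed from the entries shown in the
log above; PROTECTED_SUFFIXES is an assumed, non-exhaustive vendor list.
"""
import ipaddress

# Targets a hosts entry may legitimately point a name at when the intent
# is to *sinkhole* it (adblock-style hosts lists do exactly this).
BLOCKING_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

# Names whose redirection, to any address, keeps the machine away from
# patches or security tools. Assumed list for this example.
PROTECTED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "pandasoftware.com",
    "avp.com", "avp.ru", "avp.ch", "kaspersky.com", "symantec.com",
    "mcafee.com", "trendmicro.com", "grisoft.com",
)

# Constructed sample mirroring the log above: one non-loopback sinkhole
# address collects both vendor names and ad domains.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1 localhost
192.168.200.3 windowsupdate.microsoft.com
192.168.200.3 www.microsoft.com
192.168.200.3 www.pandasoftware.com
192.168.200.3 ad.doubleclick.net
127.0.0.1 ads.fastclick.net   # loopback sinkhole: adblock-style, benign
"""


def parse_hosts(text):
    """Return a list of (ip, hostname) pairs; comments and non-address lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an address, so not a hosts entry
        for host in parts[1:]:
            entries.append((str(ip), host.lower()))
    return entries


def is_protected(host):
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def classify(ip, host):
    """Return a reason string if the entry looks hostile, else None."""
    if is_protected(host):
        return "update/AV vendor name redirected"
    if ip not in BLOCKING_TARGETS:
        return "redirected to a non-loopback address"
    return None  # sinkholed to loopback: normal ad/tracker blocking


def triage(text):
    """Return [(ip, host, reason)] for every suspicious entry in a hosts file."""
    return [(ip, host, reason) for ip, host in parse_hosts(text)
            if (reason := classify(ip, host))]


def redirect_targets(findings):
    """Distinct addresses the suspicious names are pointed at."""
    return {ip for ip, _, _ in findings}


if __name__ == "__main__":
    found = triage(SAMPLE_HOSTS)
    for ip, host, reason in found:
        print(f"{host:32} -> {ip:15} {reason}")
    print("sinkhole address(es):", redirect_targets(found))
```

On a live machine the input would be the contents of C:\WINDOWS\system32\drivers\etc\hosts; the single address that all flagged names share is the one to look for in any other persistence the scan turns up.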
 
HI

The reason I ran combofix twice, is that I couldn't open the log. even if I doubleclick on it, or right click and select open. It won't let me open combofix or rapport. so what I have been doing is copy the log over to Word and save it, so I can access later.

the popup says C:\combofix2.txt is not a valid win32 application.

I keep getting a pop up that says windows cannot find C:\windows\system32\printer.exe make sure you have typed the name correctly, and try again when it restarts.

I have AVG anti virus that I recently downloaded and I found several items in the virus vault, one of them is C:\windows\system32\printer.exe I don't know if I should move it back or leave it in the vault, there are about 25 items in there, I'll post what's in the vault, sorry if it wasn't necessary for me to post this.

please let me know if I should disable AVG or not, also if I don't disable it, should I scan my computer with AVG or will it interfere with your reports.

Please advise me if I should start making copies of the stuff on my computer so I won't lose them.

Thanks for all your help.

1. It looks like your file association for text files is messed up ... we'll need to fix that first, so that you can post the logs...

2. DO NOT replace C:\windows\system32\printer.exe ... it's part of the malware causing this problem...

3. no need to turn off AVG, but don't run any more scans with it yet...

Are these entries in the AVG vault then ... ?

Trojan horse SHeur.PXY C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe 9/30/2007 13:23 autorun.exe 7.5 KB
Trojan horse SHeur.PXY C:\WINDOWS\System32\winavxx.exe 9/30/2007 14:21 winavxx.exe 7.5 KB
Trojan horse SHeur.PXY C:\Documents and Settings\ALEX\Start Menu\Programs\Startup\system.exe 9/30/2007 14:21 system.exe 7.5 KB
Trojan horse SHeur.PXY C:\qoobox\Quarantine\C\Documents and Settings\ALEX\Start Menu\Programs\Startup\system.exe.vir 9/30/2007 14:21 system.exe.vir 7.5 KB
Trojan horse SHeur.PXY C:\qoobox\Quarantine\C\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe.vir 9/30/2007 14:21 autorun.exe.vir 7.5 KB
Trojan horse Downloader.Small.AJY C:\qoobox\Quarantine\C\WINDOWS\explore.exe.vir 9/30/2007 14:21 explore.exe.vir 9.5 KB
Trojan horse SHeur.PXY C:\qoobox\Quarantine\C\WINDOWS\system32\printer.exe.vir 9/30/2007 14:21 printer.exe.vir 7.5 KB
Trojan horse SHeur.PXY C:\qoobox\Quarantine\C\WINDOWS\system32\winavxx.exe.vir 9/30/2007 14:21 winavxx.exe.vir 7.5 KB
etc, etc,

If so ... Don't move any back ..... they are all malware ...

4. It's always a good idea to make copies of your personal files, however there is no urgent need to make copies of your personal files yet ... usually this is quite easily dealt with, however yours is the most stubborn I've seen up to now ...

OK .... let's get your file associations sorted ...

1. Download DAFT and save it to your Desktop.
2. Double-click the daft.exe icon. Read the disclaimer and click okay.
3. Click on the Scan button.

   At this point it may say "all associations Okay" (doubtful) ... in which case click OK & close the program with the X.

   IF txt is shown as needing repairing, place a checkmark in the box next to the entry ...

4. Click the Fix button.
5. Re-scan and save a logfile. By default, it will save as daft.txt.

Post the contents of that file with your next post.

You will find daft.txt in the same place as the daft.exe file

steam
 
Hi

I ran DAFT, and it said that all associations okay. When AVG scans on its own when I open a file, should I click ignore or heal? Please advise me on what to do

Thank you
 
HI

"all associations okay" ... well that's a surprise ...

When AVG scans on its own when I open a file, should I click ignore or heal? Please advise me on what to do

What files are we talking about ?

If the file will heal ... then it's safe to do that ... if not, then send to quarantine ... if the file is malware, it can do no harm once quarantined, then you can empty your quarantine folder at a later date, thus deleting the file.

I've another program I want you to run, which will also produce a text file ... seeing as we are having problems opening text files... I want you to attach the text files from now on ... I will be able to open them & post them for you.

Download Deckard's System Scanner (formerly Comboscan) to your Desktop.

1. Close all applications and windows.
2. Double-click on comboscan.exe to run it, and follow the prompts.
3. When the scan is complete, a text file will open - ComboScan.txt
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt in your next reply.
5. A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt.
6. Please copy and paste the contents of Supplementary.txt to your post.


Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

steam
 
Hi

I couldn't attach the main.txt because it's over the size limit.

Deckard's System Scanner v20070905.67
Run by ALEX on 2007-10-02 16:07:10
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
18: 2007-10-02 23:07:28 UTC - RP541 - Deckard's System Scanner Restore Point
17: 2007-10-01 01:29:00 UTC - RP540 - Installed SUPERAntiSpyware Free Edition
16: 2007-09-30 05:58:49 UTC - RP539 - Removed Norton AntiVirus 2002
15: 2007-09-30 01:01:04 UTC - RP538 - ComboFix created restore point
14: 2007-09-29 06:27:43 UTC - RP537 - Installed AVG 7.5


-- First Restore Point --
1: 2007-09-27 02:45:09 UTC - RP524 - Unsigned driver install


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as ALEX.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:09:40 PM, on 10/2/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\printer.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\s3hotkey.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\S3Tray2.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\kmw_run.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\System32\KMW_SHOW.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avginet.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\OdHost.exe
C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Documents and Settings\ALEX\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ALEX.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.sexofactory.com/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.toshiba.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\printer.exe
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Linksys Wireless-N Notebook Adapter] C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: info.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Investigador - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1100911663445
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\cmcache.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC300N - Unknown owner - C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Smart Card Helper SCardDrvImapiService (SCardDrvImapiService) - Unknown owner - C:\WINDOWS\System32\acctresh.exe
O23 - Service: WMI Performance Adapter WmiApSrvwinmgmt (WmiApSrvwinmgmt) - Unknown owner - C:\WINDOWS\System32\actxprxyv.exe

--
End of file - 9603 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 TVALD (Toshiba ACPI-Based Value Added Logical Device Driver) - c:\windows\system32\drivers\tvald.sys <Not Verified; Toshiba Corporation; Toshiba ACPI-Compliant Value Added Logical Device>
R0 TVALG (Toshiba Value Added Logical and General Purpose Device Driver) - c:\windows\system32\drivers\tvalg.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Value Added Logical and General Purpose Device Driver>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R2 PMEM - c:\windows\system32\drivers\pmemnt.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
R3 CBTNDIS5 (CBTNDIS5 NDIS Protocol Driver) - c:\windows\system32\cbtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
R3 S3SSavage - c:\windows\system32\drivers\s3ssavm.sys <Not Verified; S3 Graphics, Inc.; S3 Graphics SuperSavage Miniport>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
R3 SMCIRDA (SMC IrCC Miniport Device Driver) - c:\windows\system32\drivers\smcirda.sys <Not Verified; SMC; Fast Infrared Miniport Driver>
R3 TOSHIBASoftModem (TOSHIBA Software Modem) - c:\windows\system32\drivers\ltsm.sys <Not Verified; LT; TOSHIBA SoftModem Driver>
R3 tsdhd (TOSHIBA SD Card Host Controller Driver) - c:\windows\system32\drivers\tsdhd.sys <Not Verified; TOSHIBA Corporation; SD Card Driver Set>
R3 WDM_YAMAHAAC97 (YAMAHA AC-XG Audio Device) - c:\windows\system32\drivers\yacxgc.sys <Not Verified; YAMAHA Corporation; YAMAHA AC-XG WDM>

S3 ApfiltrService (Alps Pointing-device Filter Driver) - c:\windows\system32\drivers\apfiltr.sys <Not Verified; Alps Electric Co., Ltd.; Alps Touch Pad Driver for Windows 2000/XP>
S3 BCM43XX (Linksys Wireless-N Notebook Adapter WPC300N Driver) - c:\windows\system32\drivers\bcmwl5.sys <Not Verified; Linksys, A Division of Cisco Systems, Inc.; Linksys Wireless-N Notebook Adapter WPC300N Driver>
S3 catchme - c:\docume~1\alex\locals~1\temp\catchme.sys (file missing)
S3 pciSd - c:\windows\system32\drivers\tossdpci.sys <Not Verified; TOSHIBA; Toshiba SD Memory Driver>
S3 TBiosDrv - c:\windows\system32\drivers\tbiosdrv.sys
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)
S3 wlluc48 (Wireless LAN PC Card Driver) - c:\windows\system32\drivers\wlluc48.sys <Not Verified; Lucent Technologies; ORiNOCO Driver for Windows.>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 NICSer_WPC300N - c:\program files\linksys\wireless-n network monitor\nicserv.exe

S2 SCardDrvImapiService (Smart Card Helper SCardDrvImapiService) - c:\windows\system32\acctresh.exe srv
S2 WmiApSrvwinmgmt (WMI Performance Adapter WmiApSrvwinmgmt) - c:\windows\system32\actxprxyv.exe srv
 
Here is the rest of it


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-10-02 16:06:00 412 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2007-10-02 15:20:51 252 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
2007-09-18 18:05:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-09-02 and 2007-10-02 -----------------------------

2007-10-02 15:03:16 59904 --a------ C:\WINDOWS\boot4384.exe
2007-10-01 16:57:09 8364 --a------ C:\WINDOWS\System32\sulimo.dat
2007-10-01 16:56:57 12288 --a------ C:\WINDOWS\svhjdsah.exe
2007-09-30 18:29:32 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-30 18:29:03 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-09-30 18:29:03 0 d-------- C:\Documents and Settings\ALEX\Application Data\SUPERAntiSpyware.com
2007-09-30 18:19:10 54563 --a------ C:\WINDOWS\System32\neth.exe
2007-09-30 18:19:04 39424 --a------ C:\WINDOWS\System32\vtr.dll <Not Verified; ; IEHelper Module>
2007-09-30 18:19:04 7680 --a------ C:\WINDOWS\System32\printer.exe
2007-09-30 18:18:54 46913 --a------ C:\WINDOWS\System32\acctresh.exe
2007-09-30 18:18:53 163840 --a------ C:\WINDOWS\wupdsnff.exe
2007-09-30 18:18:53 7680 --a------ C:\WINDOWS\System32\winavxx.exe
2007-09-30 18:18:53 9728 --a------ C:\WINDOWS\exploeee.exe
2007-09-30 17:54:26 3470 --a------ C:\WINDOWS\System32\tmp.reg
2007-09-28 23:40:06 0 dr-h----- C:\$VAULT$.AVG
2007-09-28 23:34:16 0 d-------- C:\Documents and Settings\ALEX\Application Data\AVG7
2007-09-28 23:29:32 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-09-28 23:27:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-09-28 23:27:48 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-09-28 22:25:59 0 d-------- C:\Program Files\Trend Micro
2007-09-28 16:31:21 0 d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-09-28 15:39:42 0 d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-09-28 15:39:42 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-09-28 15:39:42 0 d-------- C:\Documents and Settings\Administrator\Application Data\Drag'n Drop CD
2007-09-28 15:39:42 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2007-09-28 15:39:41 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-09-28 15:39:41 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-09-28 15:39:41 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-09-28 15:39:41 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-09-28 15:39:41 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-09-28 15:39:41 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-09-28 15:39:40 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-09-28 15:39:40 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-09-28 15:39:40 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-09-28 15:39:40 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-09-28 15:39:40 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-09-28 15:39:40 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-09-28 15:39:40 0 d-------- C:\Documents and Settings\Administrator\NetWorkSwitch.temp
2007-09-28 15:39:40 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-09-28 15:39:40 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-09-28 15:39:40 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-09-28 15:39:37 2027520 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
2007-09-27 18:47:34 0 d-------- C:\Program Files\MSXML 4.0
2007-09-26 16:21:12 53 --ahs---- C:\WINDOWS\System32\4039909485.dat
2007-09-26 16:21:06 28672 -r-hs---- C:\WINDOWS\System32\actxprxyv.exe
2007-09-26 16:21:02 8192 --a------ C:\WINDOWS\System32\stdole32.dat
2007-09-26 15:49:38 0 d-------- C:\Program Files\Funk Software
2007-09-26 15:49:38 0 d-------- C:\Program Files\Common Files\Funk Software
2007-09-26 15:48:19 94208 --a------ C:\WINDOWS\System32\W32N50CT.DLL <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2007-09-26 15:48:19 1497088 --a------ C:\WINDOWS\System32\cc3260mt.dll <Not Verified; Borland Corporation; Borland C++ Builder 6.0>
2007-09-26 15:48:19 17142 --a------ C:\WINDOWS\System32\CBTNDIS5.SYS <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2007-09-26 15:48:18 1496064 --a------ C:\WINDOWS\System32\cc3250mt.dll <Not Verified; Inprise Corporation; Borland C++ Builder 5.0>
2007-09-26 15:48:18 25600 --a------ C:\WINDOWS\System32\borlndmm.dll <Not Verified; Inprise Corporation; Borland Memory Manager>
2007-09-26 15:48:17 543104 --a------ C:\WINDOWS\System32\drivers\BCMWL5.SYS <Not Verified; Linksys, A Division of Cisco Systems, Inc.; Linksys Wireless-N Notebook Adapter WPC300N Driver>
2007-09-26 15:48:04 0 d-------- C:\Program Files\Linksys
2007-09-16 18:25:26 6144 --a------ C:\WINDOWS\reppor.exe
2007-09-15 21:47:19 6144 --a------ C:\WINDOWS\System32\cmcache.dat
2007-09-09 20:34:45 0 d-------- C:\Program Files\Microsoft Streets and Trips


-- Find3M Report ---------------------------------------------------------------

2007-09-30 20:55:45 0 d-------- C:\Program Files\MBKWBar
2007-09-30 18:26:35 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-30 18:19:10 0 d-------- C:\Program Files\Ivde
2007-09-29 23:00:29 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-29 22:59:11 0 d-------- C:\Program Files\Symantec
2007-09-29 22:56:35 0 d-------- C:\Documents and Settings\ALEX\Application Data\Lavasoft
2007-09-26 15:49:38 0 d-------- C:\Program Files\Common Files
2007-09-26 15:48:01 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-08-25 09:28:48 0 d-------- C:\Program Files\MySpace
2007-08-23 21:57:17 0 d-------- C:\Documents and Settings\ALEX\Application Data\MySpace
2007-08-16 19:12:04 0 d-------- C:\Program Files\Opera
2007-08-07 18:30:18 0 d-------- C:\Program Files\ZipForm Desktop


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [04/15/2002 06:35 PM]
"000StTHK"="000StTHK.exe" [06/23/2001 08:28 PM C:\WINDOWS\system32\000StTHK.exe]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [11/14/2001 03:37 AM]
"S3Hotkey"="s3hotkey.exe" [09/12/2001 09:27 PM C:\WINDOWS\system32\s3hotkey.exe]
"S3TRAY2"="S3Tray2.exe" [02/20/2002 04:38 PM C:\WINDOWS\system32\S3Tray2.exe]
"TFNF5"="TFNF5.exe" [08/03/2001 06:08 PM C:\WINDOWS\system32\TFNF5.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [03/29/2002 02:40 PM]
"TFncKy"="TFncKy.exe" []
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [04/12/2002 11:13 AM]
"Tpwrtray"="TPWRTRAY.EXE" [03/19/2002 08:38 PM C:\WINDOWS\system32\TPWRTRAY.EXE]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [07/03/2001 07:11 AM]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [04/09/2002 05:51 PM]
"windows auto update"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/25/2006 07:58 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [08/04/2003 06:28 PM]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [12/22/2003 09:38 AM]
"kmw_run.exe"="kmw_run.exe" [05/27/2003 02:48 PM C:\WINDOWS\system32\kmw_run.exe]
"MSWheel"="" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [10/30/2006 10:36 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [07/26/2006 04:03 AM]
"Linksys Wireless-N Notebook Adapter"="C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe" [04/28/2006 05:55 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [09/28/2007 11:28 PM]
"WinAVX"="C:\WINDOWS\System32\WinAvXX.exe" [10/02/2007 03:04 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [08/01/2007 09:31 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/2007 02:06 PM]
"WinAVX"="C:\WINDOWS\System32\WinAvXX.exe" [10/02/2007 03:04 PM]

C:\Documents and Settings\ALEX\Start Menu\Programs\Startup\
system.exe [10/1/2007 4:57:09 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
autorun.exe [10/1/2007 4:57:09 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [9/16/2003 6:19:24 AM]
info.exe [9/30/2007 6:19:48 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 2:01:04 AM]
SpySubtract.lnk - C:\Program Files\interMute\SpySubtract\SpySub.exe [2/1/2005 7:49:19 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= c:\Program Files\interMute\SpySubtract\sshook.dll [02/01/2005 07:49 PM 77824]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe C:\WINDOWS\System32\printer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\System32\cmcache.dat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll




-- Hosts -----------------------------------------------------------------------

192.168.200.3 ad.doubleclick.net
192.168.200.3 ad.fastclick.net
192.168.200.3 ads.fastclick.net
192.168.200.3 ar.atwola.com
192.168.200.3 atdmt.com
192.168.200.3 avp.ch
192.168.200.3 avp.com
192.168.200.3 avp.ru
192.168.200.3 awaps.net
192.168.200.3 banner.fastclick.net

92 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2007-10-02 16:14:09 ------------

Thank you

Alex
 
Hi

Why do you have NO service packs?

Without the service packs you have no hope of keeping clean, as they plug countless security vulnerabilities in both XP & IE.

First, you need to install Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time. DO NOT UPGRADE TO SP2 AT THIS TIME.

Go here to download SP1a

http://www.download.com/Windows-XP-Service-Pack-1a-SP1a-/3000-2098_4-10147920.html?tag=lst-0-19

The malware you have has blocked Windows update, but you should be able to install from the above link ...

-
We can forget everything you've run so far ... Combofix, AVG anti-virus & Superantispyware (if you ran it) have all removed the bulk of this infection ... but DSS shows everything is back ....

-
Once you have SP1a installed, we'll start again ...

steam
 
Hi

I don't know a lot about computers. I didn't know what service packs were. Sorry for both of us wasting our time. But I greatly appreciate the time you have invested in me to help me resolve this problem. I was unable to get the update from download.com, and when it redirected me to a third party, which was microsoft.com, it would not let me open the page. I tried opening microsoft.com with IE and Opera, and they couldn't open it. What should I do?

Alex
 
Hi

I'm attaching a zip file; this zip file contains a registry file ... it will delete several keys from your registry ... it will remove the entries blocking Windows Update & your Control Panel + some others ...

Download the zip file to your desktop, unzip it to your desktop to reveal the reg file ... double click on the reg file and allow it to merge with the registry ...

Then try to download SP1 again ...

steam
 
Hi

I downloaded the zip file, but it won't let me open it. It will say "Registry editing has been disabled by your admin."

Alex
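As an added illustration (not the .reg file steam attached), the four policy values that the DSS and ComboFix logs in this thread show set to 1 can be cleared with reg.exe from a command prompt. That sidesteps the error Alex reports: merging a .reg file is done by regedit.exe, which is exactly what the DisableRegistryTools policy blocks, while reg.exe is not governed by that policy. The key and value names are the ones printed in the logs; nothing else is assumed.

```batch
@echo off
REM Added example, not the .reg file attached in the thread.
REM Clears the policy values that the DSS/ComboFix logs show set to 1:
REM   DisableRegistryTools, DisableTaskMgr  (Policies\System)
REM   NoControlPanel, NoWindowsUpdate       (Policies\Explorer)
REM in both HKLM and HKCU. reg.exe is used instead of a .reg merge because
REM the DisableRegistryTools policy stops regedit.exe (which performs the
REM merge) but does not apply to reg.exe. Run from an Administrator account.

setlocal
set "SYSPOL=Software\Microsoft\Windows\CurrentVersion\Policies\System"
set "EXPPOL=Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

for %%H in (HKLM HKCU) do (
    REM /f suppresses the confirmation prompt. An already-absent value
    REM only yields a not-found message, which is harmless here.
    reg delete "%%H\%SYSPOL%" /v DisableRegistryTools /f
    reg delete "%%H\%SYSPOL%" /v DisableTaskMgr /f
    reg delete "%%H\%EXPPOL%" /v NoControlPanel /f
    reg delete "%%H\%EXPPOL%" /v NoWindowsUpdate /f
)

REM Verification: every query below should now report that the value
REM could not be found. If one still shows 0x1, whatever re-applies the
REM policy is still running and the deletion will not hold.
for %%H in (HKLM HKCU) do (
    reg query "%%H\%SYSPOL%" /v DisableRegistryTools
    reg query "%%H\%SYSPOL%" /v DisableTaskMgr
    reg query "%%H\%EXPPOL%" /v NoControlPanel
    reg query "%%H\%EXPPOL%" /v NoWindowsUpdate
)
endlocal
```

Alex later reports that the Control Panel came back after the scans and was lost again as soon as the machine went online, so clearing these values is only lasting once the loading points shown in the logs (the Winlogon Shell entry, AppInit_DLLs, the Startup-folder executables) have been removed.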
 
HI

OK ... I want you to run SUPERAntiSpyware ... then post or attach the log ...

Immediately followed by Combofix ... post or attach the log ...

If you need to, you can ...

look back to post #6 for instructions on how to run SUPERAntiSpyware ...

& then post #2 for Combofix ...

steam
 
Hi

ComboFix 07-09-30.5 - ALEX 2007-10-05 20:53:26.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.0.1252.1.1033.18.66 [GMT -7:00]
Running from: C:\Documents and Settings\ALEX\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-06 to 2007-10-06 )))))))))))))))))))))))))))))))
.

2007-10-03 20:49 12,288 --a------ C:\WINDOWS\mraerea.exe
2007-10-02 16:06 <DIR> d-------- C:\Deckard
2007-10-01 16:57 8,364 --a------ C:\WINDOWS\system32\sulimo.dat
2007-09-30 18:29 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-30 18:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-30 18:29 <DIR> d-------- C:\Documents and Settings\ALEX\Application Data\SUPERAntiSpyware.com
2007-09-30 17:54 3,470 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-29 17:57 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-28 22:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-28 16:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\NetWorkSwitch.temp
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Drag'n Drop CD
2007-09-27 18:47 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-09-26 16:21 8,192 --a------ C:\WINDOWS\system32\stdole32.dat
2007-09-26 16:21 53 --ahs---- C:\WINDOWS\system32\4039909485.dat
2007-09-26 16:21 28,672 -r-hs---- C:\WINDOWS\system32\actxprxyv.exe
2007-09-26 15:49 <DIR> d-------- C:\Program Files\Funk Software
2007-09-26 15:49 <DIR> d-------- C:\Program Files\Common Files\Funk Software
2007-09-26 15:48 94,208 --a------ C:\WINDOWS\system32\W32N50CT.DLL
2007-09-26 15:48 543,104 --a------ C:\WINDOWS\system32\drivers\BCMWL5.SYS
2007-09-26 15:48 25,600 --a------ C:\WINDOWS\system32\borlndmm.dll
2007-09-26 15:48 17,142 --a------ C:\WINDOWS\system32\CBTNDIS5.SYS
2007-09-26 15:48 1,706,800 --a------ C:\WINDOWS\system32\GdiPlus.dll
2007-09-26 15:48 1,497,088 --a------ C:\WINDOWS\system32\cc3260mt.dll
2007-09-26 15:48 1,496,064 --a------ C:\WINDOWS\system32\cc3250mt.dll
2007-09-26 15:48 <DIR> d-------- C:\Program Files\Linksys
2007-09-16 18:25 6,144 --a------ C:\WINDOWS\reppor.exe
2007-09-15 21:47 6,144 --a------ C:\WINDOWS\system32\cmcache.dat
2007-09-09 20:34 <DIR> d-------- C:\Program Files\Microsoft Streets and Trips

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-03 14:41 --------- d-------- C:\Program Files\Ivde
2007-09-30 20:55 --------- d-------- C:\Program Files\MBKWBar
2007-09-30 18:26 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-29 23:00 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-29 23:00 --------- d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-29 22:59 --------- d-------- C:\Program Files\Symantec
2007-09-29 22:56 --------- d-------- C:\Documents and Settings\ALEX\Application Data\Lavasoft
2007-09-26 15:48 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-25 09:28 --------- d-------- C:\Program Files\MySpace
2007-08-23 21:57 --------- d-------- C:\Documents and Settings\ALEX\Application Data\MySpace
2007-08-16 19:12 --------- d-------- C:\Program Files\Opera
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2002-09-08 11:11 56832 --ahsc--- C:\Program Files\Thumbs.db
2001-08-18 12:00:00 94,784 -csh--w C:\WINDOWS\twain.dll
2001-08-18 12:00:00 46,592 -csh--w C:\WINDOWS\twain_32.dll
2001-08-18 12:00:00 995,383 --sh--w C:\WINDOWS\system32\mfc42.dll
2001-08-18 12:00:00 50,688 -csh--w C:\WINDOWS\system32\msvcirt.dll
2001-08-18 12:00:00 401,462 --sh--w C:\WINDOWS\system32\msvcp60.dll
2001-08-18 12:00:00 322,560 --sh--w C:\WINDOWS\system32\msvcrt.dll
2001-08-18 12:00:00 569,344 --sh--w C:\WINDOWS\system32\oleaut32.dll
2001-08-18 12:00:00 106,496 --sh--w C:\WINDOWS\system32\olepro32.dll
2001-08-18 12:00:00 9,728 -csh--w C:\WINDOWS\system32\regsvr32.exe
.

-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2002-04-15 18:35]
"000StTHK"="000StTHK.exe" [2001-06-23 20:28 C:\WINDOWS\system32\000StTHK.exe]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2001-11-14 03:37]
"S3Hotkey"="s3hotkey.exe" [2001-09-12 21:27 C:\WINDOWS\system32\s3hotkey.exe]
"S3TRAY2"="S3Tray2.exe" [2002-02-20 16:38 C:\WINDOWS\system32\S3Tray2.exe]
"TFNF5"="TFNF5.exe" [2001-08-03 18:08 C:\WINDOWS\system32\TFNF5.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-03-29 14:40]
"TFncKy"="TFncKy.exe" []
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2002-04-12 11:13]
"Tpwrtray"="TPWRTRAY.EXE" [2002-03-19 20:38 C:\WINDOWS\system32\TPWRTRAY.EXE]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 07:11]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2002-04-09 17:51]
"windows auto update"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 18:28]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38]
"kmw_run.exe"="kmw_run.exe" [2003-05-27 14:48 C:\WINDOWS\system32\kmw_run.exe]
"MSWheel"="" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 04:03]
"Linksys Wireless-N Notebook Adapter"="C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe" [2006-04-28 05:55]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-28 23:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-01 21:31]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 06:19:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
SpySubtract.lnk - C:\Program Files\interMute\SpySubtract\SpySub.exe [2005-02-01 19:49:19]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 06:19:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
SpySubtract.lnk - C:\Program Files\interMute\SpySubtract\SpySub.exe [2005-02-01 19:49:19]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= c:\Program Files\interMute\SpySubtract\sshook.dll [2005-02-01 19:49 77824]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\System32\cmcache.dat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

R0 TVALG;Toshiba Value Added Logical and General Purpose Device Driver;C:\WINDOWS\System32\DRIVERS\TVALG.SYS
R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\System32\CBTNDIS5.SYS
R3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\System32\DRIVERS\KMW_KBD.sys
R3 KMW_SYS;Kensington MouseWorks Mouse filter driver;C:\WINDOWS\System32\DRIVERS\KMW_SYS.sys
R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\System32\DRIVERS\odysseyIM4.sys
R3 TOSHIBASoftModem;TOSHIBA Software Modem;C:\WINDOWS\System32\DRIVERS\LTSM.sys
R3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\System32\DRIVERS\tsdhd.sys
R3 WDM_YAMAHAAC97;YAMAHA AC-XG Audio Device;C:\WINDOWS\System32\drivers\yacxgc.sys
S3 KMW_USB;Kensington MouseWorks USB filter driver;C:\WINDOWS\System32\DRIVERS\KMW_USB.sys
S3 pciSd;pciSd;C:\WINDOWS\System32\DRIVERS\tossdpci.sys
S3 wlluc48;Wireless LAN PC Card Driver;C:\WINDOWS\System32\DRIVERS\wlluc48.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-19 01:05:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-06 03:20:12 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
"2007-10-06 04:11:06 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-05 21:08:21
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\volsnap.sys
C:\WINDOWS\system32\drivers\wanarp.sys
C:\WINDOWS\system32\drivers\wdmaud.sys
C:\WINDOWS\system32\drivers\wlluc48.sys
C:\WINDOWS\system32\drivers\wmilib.sys
C:\WINDOWS\system32\drivers\ws2ifsl.sys
C:\WINDOWS\system32\drivers\yacxgc.sys
C:\WINDOWS\system32\drivers\Ygny51.sys

scan completed successfully
hidden files: 8

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Ygny51]

.
Completion time: 2007-10-05 21:15:36 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-05 21:15
C:\ComboFix2.txt ... 2007-09-29 19:58
C:\ComboFix3.txt ... 2007-09-29 19:29
.
--- E O F ---
 
Hi

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/05/2007 at 08:23 PM

Application Version : 3.9.1008

Core Rules Database Version : 3320
Trace Rules Database Version: 1321

Scan type : Complete Scan
Total Scan Time : 02:26:39

Memory items scanned : 467
Memory threats detected : 1
Registry items scanned : 5434
Registry threats detected : 13
File items scanned : 74698
File threats detected : 29

Trojan.Net-AVP/AVT
C:\WINDOWS\SYSTEM32\PRINTER.EXE
C:\WINDOWS\SYSTEM32\PRINTER.EXE
[WinAVX] C:\WINDOWS\SYSTEM32\WINAVXX.EXE
C:\WINDOWS\SYSTEM32\WINAVXX.EXE
[WinAVX] C:\WINDOWS\SYSTEM32\WINAVXX.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#WinAVX [ C:\WINDOWS\System32\WinAvXX.exe ]
HKU\S-1-5-21-3657561249-101265881-2389969595-1005\Software\Microsoft\Windows\CurrentVersion\Run#WinAVX [ C:\WINDOWS\System32\WinAvXX.exe ]
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\START MENU\PROGRAMS\STARTUP\SYSTEM.EXE
C:\DOCUMENTS AND SETTINGS\ALEX\START MENU\PROGRAMS\STARTUP\SYSTEM.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\STARTUP\AUTORUN.EXE
C:\WINDOWS\Prefetch\AUTORUN.EXE-3088AD1E.pf
C:\WINDOWS\Prefetch\PRINTER.EXE-0E099EB1.pf
C:\WINDOWS\Prefetch\SYSTEM.EXE-234F3E08.pf
C:\WINDOWS\Prefetch\WINAVXX.EXE-050EF48B.pf

Trojan.Net-VTROLL
HKLM\Software\Classes\CLSID\{ABCDECF0-4B15-11D1-ABED-709549C10000}
HKCR\CLSID\{ABCDECF0-4B15-11D1-ABED-709549C10000}
HKCR\CLSID\{ABCDECF0-4B15-11D1-ABED-709549C10000}
HKCR\CLSID\{ABCDECF0-4B15-11D1-ABED-709549C10000}\InprocServer32
HKCR\CLSID\{ABCDECF0-4B15-11D1-ABED-709549C10000}\InprocServer32#ThreadingModel
HKCR\CLSID\{ABCDECF0-4B15-11D1-ABED-709549C10000}\ProgID
HKCR\CLSID\{ABCDECF0-4B15-11D1-ABED-709549C10000}\Programmable
HKCR\CLSID\{ABCDECF0-4B15-11D1-ABED-709549C10000}\VersionIndependentProgID
C:\WINDOWS\SYSTEM32\VTR.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ABCDECF0-4B15-11D1-ABED-709549C10000}

Adware.Tracking Cookie
C:\Documents and Settings\ALEX\Cookies\alex@revsci[2].txt

Trojan.Net-Explore/DND
C:\QOOBOX\QUARANTINE\C\WINDOWS\EXPLORE.EXE.VIR

Trojan.Downloader-Gen/NoMultiTask
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9C4232D3-2AED-420D-8BC5-9EBE4CDA7B51}\RP524\A0147066.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9C4232D3-2AED-420D-8BC5-9EBE4CDA7B51}\RP540\A0151022.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9C4232D3-2AED-420D-8BC5-9EBE4CDA7B51}\RP541\A0151070.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9C4232D3-2AED-420D-8BC5-9EBE4CDA7B51}\RP541\A0151143.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9C4232D3-2AED-420D-8BC5-9EBE4CDA7B51}\RP541\A0151166.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9C4232D3-2AED-420D-8BC5-9EBE4CDA7B51}\RP541\A0151193.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9C4232D3-2AED-420D-8BC5-9EBE4CDA7B51}\RP541\A0151235.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9C4232D3-2AED-420D-8BC5-9EBE4CDA7B51}\RP541\A0151258.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9C4232D3-2AED-420D-8BC5-9EBE4CDA7B51}\RP541\A0151289.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9C4232D3-2AED-420D-8BC5-9EBE4CDA7B51}\RP541\A0151310.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9C4232D3-2AED-420D-8BC5-9EBE4CDA7B51}\RP541\A0151333.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9C4232D3-2AED-420D-8BC5-9EBE4CDA7B51}\RP541\A0151357.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9C4232D3-2AED-420D-8BC5-9EBE4CDA7B51}\RP541\A0151378.DLL

Adware.Starware
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9C4232D3-2AED-420D-8BC5-9EBE4CDA7B51}\RP540\A0150944.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9C4232D3-2AED-420D-8BC5-9EBE4CDA7B51}\RP540\A0150945.EXE

MBKWBar Toolbar
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9C4232D3-2AED-420D-8BC5-9EBE4CDA7B51}\RP540\A0150946.DLL

Adware.eXactAdvertising-Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9C4232D3-2AED-420D-8BC5-9EBE4CDA7B51}\RP540\A0150947.EXE

Alex
 
Hi

I ran Combofix and SuperAntispyware and I had regained access to my Control Panel, but the moment I logged on to the internet to post the logs I lost access to the Control Panel. Do you think I should try to download Windows SP1a from a friend's computer and not connect to the internet with this infected computer until it's up to date? I'm open to any suggestions.

Thanks

Alex
 