Spybot powers off computer at win32.agent..

spybot powers off computer...

OK, got to step 8 and once again Spybot powered off the computer at Win32.Agent. Just before Win32.Agent there was a slew of spyware items. What is this Win32.Agent thing all about?

I did get a new rapport log from SmitFraudFix just in case...

SmitFraudFix v2.132

Scan done at 17:01:03.93, Mon 01/08/2007
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
 
hi zachj,

OK, thanks for the info. Not sure what's going on with Spybot. Let's do this:
One more download to get, update and run:
---------------------------------------------
Download AVG Anti-Spyware and save that file to your desktop.

http://www.ewido.net/en/download/

This is a 30-day trial of the program.
Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the setup program.
Once the setup is complete you will need to run ewido and update the definition files.
On the main screen select the icon "Update", then select the "Update now" link.
Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports":
Select "Automatically generate report after every scan"
Un-select "Only if threats were found"
Close AVG Anti-Spyware. Do not run a scan just yet.

boot your computer into safe mode like you did before

once in safe mode:

Close ALL open windows / programs / folders. Please start AVG Anti-Spyware and run a full scan.
IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process:
Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
ewido will now begin the scanning process; be patient, this may take a little time.
Once the scan is complete do the following:
If you have any infections you will be prompted; then select "Apply all actions".
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close AVG Anti-Spyware and reboot in Normal Mode.

Please post the saved AVG report. Also, since it's been a while, please rescan and post a new HJT log. Once it all looks good we will come back to the Spybot problem.

shelf life

PS: if there are a lot of cookies in the AVG report you can edit them out to keep it shorter. Thanks.
 
spybot powers off computer...

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:56:40 PM 1/9/2007

+ Scan result:



C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP639\A0081150.dll -> Adware.AutoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP639\A0081152.dll -> Adware.Aws : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Application Data\Install.dat -> Adware.Bravesent : Cleaned with backup (quarantined).
C:\Documents and Settings\NetworkService\Application Data\Install.dat -> Adware.Bravesent : Cleaned with backup (quarantined).
HKU\S-1-5-21-373023368-1483638691-2528199300-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{755BBD1A-AA59-456C-AFEB-B4C42C4DCB6F} -> Adware.Generic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP633\A0063612.exe -> Adware.MediaTickets : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP632\A0062577.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP639\A0081151.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\WINDOWS\temp\nsiD3.tmp\DetectionProcessus.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\WINDOWS\temp\nso9FE.tmp\DetectionProcessus.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\WINDOWS\temp\nsp12E.tmp\DetectionProcessus.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\WINDOWS\temp\nsp307.tmp\DetectionProcessus.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\WINDOWS\temp\nsv55.tmp\DetectionProcessus.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\WINDOWS\temp\nsw2E5.tmp\DetectionProcessus.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP639\A0081144.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP639\A0081145.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP639\A0081146.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP639\A0081147.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP639\A0081148.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP637\A0075899.exe -> Backdoor.Small.nk : Cleaned with backup (quarantined).
C:\command.exe -> Downloader.Agent.axh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP647\A0096637.exe -> Downloader.Zlob : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP637\A0075902.EXE -> Trojan.FirePass.e : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP637\A0075903.EXE -> Trojan.FirePass.e : Cleaned with backup (quarantined).


::Report end


HijackThis log in next post...
 
spybot powers off computer...

Logfile of HijackThis v1.99.1
Scan saved at 7:00:57 PM, on 1/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hijackthis\scan.exe.exe

O2 - BHO: Internet Explorer Protector - {1B77D30A-81C9-497A-8647-142F7511B1FB} - C:\Program Files\IE Protector\ieprotector.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IPPDetect] IPP4Detect.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {05842B0C-271B-412F-958F-D1A8F6CAD937} (ClickLoan Control) - https://www.clickloan.com/CAB/GenClickLoan/1,0,0,12/GenClickLoan.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://www.taylorbeanonline.com/scriptx/smsx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://chlwholesaletraining.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
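A helper reads a HijackThis log like the one above by eye for a few telltales: entries marked "(file missing)", O23 services with "Unknown owner", Run entries that name a bare executable with no directory, duplicated service entries, and O16 ActiveX downloads from hosts nobody recognises. As an added example that is not part of this thread and not a tool either participant used, the Python below applies exactly those checks to lines copied from the log. The trusted-host list, the reason strings and the choice of checks are assumptions for the example; a flag means "look this up", not "this is malware".

```python
import re
from typing import Dict, Iterable, List
from urllib.parse import urlparse

# Constructed sample input: lines copied from the HijackThis log posted above.
SAMPLE_HJT_LINES = [
    r"O2 - BHO: Internet Explorer Protector - {1B77D30A-81C9-497A-8647-142F7511B1FB} - C:\Program Files\IE Protector\ieprotector.dll",
    r"O4 - HKLM\..\Run: [IPPDetect] IPP4Detect.exe",
    r'O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"',
    r"O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)",
    r"O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204",
    r"O16 - DPF: {05842B0C-271B-412F-958F-D1A8F6CAD937} (ClickLoan Control) - https://www.clickloan.com/CAB/GenClickLoan/1,0,0,12/GenClickLoan.cab",
    r"O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe (file missing)",
    r"O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe",
    r"O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe",
    r"O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe",
]

# Hosts the analyst has decided to accept for O16 (ActiveX/DPF) downloads.
# This allowlist is an assumption for the example, not something from the thread.
TRUSTED_DPF_HOSTS = {"go.microsoft.com"}

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<item>[^\]]+)\] (?P<cmd>.+)$")
DPF_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\} \((?P<name>.+?)\) - (?P<url>\S+)$")


def triage_hjt(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return {'line', 'reason'} records for log entries worth a closer look."""
    findings: List[Dict[str, str]] = []
    seen_services: Dict[str, str] = {}

    def flag(line: str, reason: str) -> None:
        findings.append({"line": line, "reason": reason})

    for raw in lines:
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group(1), m.group(2)

        # Any section: a registered component whose file is gone is either a
        # leftover from an uninstalled program or a half-cleaned infection.
        if "(file missing)" in body:
            flag(line, "registered file is missing from disk")

        if section == "O23":
            sm = SERVICE_RE.match(body)
            if not sm:
                continue
            if sm.group("owner") == "Unknown owner":
                flag(line, "service has no publisher (Unknown owner)")
            short = sm.group("short")
            if short in seen_services:
                flag(line, f"duplicate service entry for {short}")
            else:
                seen_services[short] = sm.group("path")

        elif section == "O4":
            rm = RUN_RE.match(body)
            if rm:
                cmd = rm.group("cmd").strip('"')
                # A bare file name is resolved by a path search at logon, so the
                # log alone does not tell the analyst which binary actually runs.
                if "\\" not in cmd.split()[0]:
                    flag(line, "Run entry uses a bare filename with no directory")

        elif section == "O16":
            dm = DPF_RE.match(body)
            if dm:
                host = urlparse(dm.group("url")).hostname or ""
                if host not in TRUSTED_DPF_HOSTS:
                    flag(line, f"ActiveX download from untrusted host {host}")

    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LINES):
        print(f"{f['reason']}: {f['line']}")
```

The O2 BHO line is deliberately left unflagged: nothing in the line itself is anomalous, and deciding whether "IE Protector" is wanted is a judgement the triage script cannot make from the log.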
 
hi zachj,

OK, good, thanks for the info. Has your Spybot been updated recently? I see you have TrojanHunter; does it flag anything? AVG found a lot of stuff in your System Restore files, which we can get rid of like this:

You must be logged in as an Administrator to do this. If you are not logged in as an Administrator, the System Restore tab will not be displayed.
Turning off System Restore will clear out all previous restore points.
To turn off Windows XP System Restore:

NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot. (will delete possibly infected restore points)

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

4. Reboot (new clean restore point)

Also, please delete the quarantined files from AVG.

Last: attempt to run Spybot again. Just trying to make sure it's not malware causing the shutdown.

shelf life
 
spybot powers off computer...

OK, I did all that, then I ran Spybot in safe mode and it still shut down at Win32.Agent. I ran it again and did stop the check right before it got to Win32.Agent, and I ran a report (result is below) and let it fix all the items. I noticed an item named Web-Nexus right before Win32.Agent, and before that items such as Virus-Blast, Trojan Shield, True Sword, Trojan Hunter, Spy Sheriff, Spy Doctor, Spy Destroy, Adware-Patrol, Spy Axe, KillSpy, etc.

Here's the spybot results..

Advertising.com: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


CoreMetrics: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


FastClick: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


Avenue A, Inc.: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


HitBox: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


CasaleMedia: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


HitBox: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


DoubleClick: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


TagASaurus: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


CasaleMedia: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


User abort!: Scan was not completed successfully. ()



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2006-11-19 unins000.exe (51.41.0.0)
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-02-06 advcheck.dll (1.0.2.0)
2006-02-20 Tools.dll (2.0.0.2)
2006-10-27 Includes\Keyloggers.sbi (*)
2006-10-20 Includes\PUPS.sbi (*)
2006-10-13 Includes\Spybots.sbi (*)
2006-12-08 Includes\Dialer.sbi (*)
2006-11-24 Includes\Hijackers.sbi (*)
2006-12-15 Includes\Malware.sbi (*)
2006-12-08 Includes\Security.sbi (*)
2006-12-08 Includes\Trojans.sbi (*)
2006-12-15 Includes\Cookies.sbi (*)
2006-12-15 Includes\Revision.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-12-15 Includes\TrojansC.sbi (*)
2006-12-15 Includes\SpybotsC.sbi (*)
2006-12-15 Includes\SecurityC.sbi (*)
2006-12-15 Includes\PUPSC.sbi (*)
2006-12-15 Includes\MalwareC.sbi (*)
2006-12-15 Includes\KeyloggersC.sbi (*)
2006-12-15 Includes\HijackersC.sbi (*)
2006-12-15 Includes\DialerC.sbi (*)
 
hi zachj,

OK, thanks. One more download to run.

Download - rustbfix.exe ...and save it to your desktop:

http://www.uploads.ejvindh.net/rustbfix.exe

Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles along with a new HijackThis log.

shelf life
 
spybot powers off computer...

************************* Rustock.b-fix -- By ejvindh *************************
Thu 01/11/2007 19:04:40.95

No Rustock.b-rootkits found

******************************* End of Logfile ********************************
 
hi zachj,

Good, thanks for the info. Just trying to rule malware out as the reason why Spybot shuts down.

I want to confirm something from the SmitFraudFix log. Please download and run ComboFix.

1. Download this file :

http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
 
spybot powers off computer...

"Owner" - 07-01-12 19:12:18 Service Pack 2
ComboFix 07-01-12 - Running from: "C:\Documents and Settings\Owner\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dlh9jkd1q8.exe
c:\command.com
C:\WINDOWS\s32.txt
C:\WINDOWS\ws386.ini
C:\WINDOWS\Downloaded Program Files\WebEx
C:\Program Files\Common Files\{34401~1
C:\Documents and Settings\All Users\Documents\Settings
C:\Program Files\psdream
C:\WINDOWS\system32\components
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\DOCUME~1
C:\qoobox\purity\DOCUME~1\Owner
C:\qoobox\purity\DOCUME~1\Owner\My Documents
C:\qoobox\purity\DOCUME~1\Owner\My Documents\from.txt
C:\qoobox\purity\DOCUME~1\Owner\My Documents\CROSOF~1.NET


((((((((((((((((((((((((((((((( Files Created from 2006-12-12 to 2007-01-12 ))))))))))))))))))))))))))))))))))


2007-01-11 19:04 <DIR> d-------- C:\Rustbfix
2007-01-10 18:06 <DIR> d--hs---- C:\FOUND.000
2007-01-09 16:37 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-07 18:42 3,176 --a------ C:\WINDOWS\system32\tmp.reg
2007-01-07 18:41 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-01-07 18:41 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-01-07 18:41 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-01-07 18:41 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-01-07 18:41 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-01-07 18:41 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-12-20 18:35 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2006-12-20 18:29 <DIR> d-------- C:\DOCUME~1\Owner\Application Data\Active Disk
2006-12-20 18:25 86,016 --a------ C:\WINDOWS\unvise32.exe
2006-12-20 18:24 <DIR> d-------- C:\Program Files\Iomega
2006-12-20 18:23 <DIR> d-------- C:\DOCUME~1\Owner\Application Data\Leadertech
2006-12-20 17:16 <DIR> d-------- C:\DOCUME~1\Owner\Application Data\TrojanHunter
2006-12-20 17:15 <DIR> d-------- C:\Program Files\TrojanHunter 4.6
2006-12-20 17:01 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2006-12-20 17:00 <DIR> d-------- C:\WINDOWS\Internet Logs
2006-12-19 18:32 <DIR> d-------- C:\VundoFix Backups
2006-12-19 18:26 81,684 --a------ C:\WINDOWS\system32\ofopxbgk.dll
2006-12-18 23:04 <DIR> d-------- C:\Program Files\eFax Messenger 4.2
2006-12-18 23:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\eFax Messenger 4.2 Setup
2006-12-18 19:11 <DIR> d-------- C:\hijackthis
2006-12-18 14:18 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-12-17 22:21 <DIR> d--hs---- C:\FOUND.023
2006-12-17 19:38 <DIR> d--hs---- C:\FOUND.022
2006-12-17 16:03 <DIR> d--hs---- C:\FOUND.021
2006-12-17 15:42 <DIR> d--hs---- C:\FOUND.020
2006-12-16 13:29 <DIR> d--hs---- C:\FOUND.019
2006-12-14 10:26 118,804 --a------ C:\WINDOWS\system32\ysrnkfcd.dll
2006-12-13 10:17 <DIR> d--hs---- C:\FOUND.018


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-08 13:24 69670 --a------ C:\WINDOWS\system32\lzx32.sys
2006-12-10 19:21 -------- d-------- C:\Program Files\address book recovery
2006-12-10 13:24 -------- d-------- C:\DOCUME~1\Owner\Application Data\uniblue
2006-12-10 01:57 -------- d-------- C:\Program Files\copy of outlook express
2006-12-09 17:09 -------- d-------- C:\Program Files\uphclean
2006-12-06 23:40 90164 ---hs---- C:\WINDOWS\system32\ddccd.dll
2006-12-06 15:02 -------- d-------- C:\Program Files\eprintv4
2006-12-06 15:01 -------- d-------- C:\Program Files\agentx
2006-12-06 15:00 -------- d-------- C:\Program Files\agentlink
2006-11-24 08:14 816672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-11-21 13:14 692276 --a------ C:\WINDOWS\system32\gebcc.dll
2006-11-21 12:11 692276 --a------ C:\WINDOWS\system32\mllmn.dll
2006-11-21 00:25 734369 ---hs---- C:\WINDOWS\system32\mpqss.ini2
2006-11-21 00:24 4960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-11-21 00:24 4224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-11-21 00:24 3968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-11-21 00:24 28416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-11-20 23:55 728154 ---hs---- C:\WINDOWS\system32\mpqss.bak2
2006-11-20 00:01 -------- d-------- C:\Program Files\symantec
2006-11-19 23:24 10 --a------ C:\WINDOWS\smdat32m.sys
2006-11-19 16:23 732227 ---hs---- C:\WINDOWS\system32\mpqss.bak1
2006-11-19 15:15 7408 --a------ C:\WINDOWS\system32\start2.exe
2006-11-19 15:13 24 --a------ C:\WINDOWS\koxks.dll
2006-11-15 16:57 0 --a------ C:\WINDOWS\dmffo4kd.exe
2006-11-15 00:14 35328 --a------ C:\ohsrdx.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"IPPDetect"="IPP4Detect.exe"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"eFax 4.2"="\"C:\\Program Files\\eFax Messenger 4.2\\J2GDllCmd.exe\" /R"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""
"ADUserMon"="C:\\Program Files\\Iomega\\AutoDisk\\ADUserMon.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"Deskup"="C:\\Program Files\\Iomega\\DriveIcons\\deskup.exe /IMGSTART"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\America Online 9.0 Tray Icon.lnk"
"backup"="C:\\WINDOWS\\pss\\America Online 9.0 Tray Icon.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\AMERIC~1.0\\aoltray.exe -check"
"item"="America Online 9.0 Tray Icon"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\AOL Companion.lnk"
"backup"="C:\\WINDOWS\\pss\\AOL Companion.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\AOLCOM~1\\COMPAN~1.EXE /s"
"item"="AOL Companion"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax 4.2.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\eFax 4.2.lnk"
"backup"="C:\\WINDOWS\\pss\\eFax 4.2.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\EFAXME~1.2\\J2GTray.exe "
"item"="eFax 4.2"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax DllCmd 3.5.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\eFax DllCmd 3.5.lnk"
"backup"="C:\\WINDOWS\\pss\\eFax DllCmd 3.5.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\EFAXME~1.5\\J2GDLL~1.EXE /R"
"item"="eFax DllCmd 3.5"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax Tray Menu 3.5.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\eFax Tray Menu 3.5.lnk"
"backup"="C:\\WINDOWS\\pss\\eFax Tray Menu 3.5.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\EFAXME~1.5\\J2GTray.exe "
"item"="eFax Tray Menu 3.5"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SmartUI.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\SmartUI.lnk"
"backup"="C:\\WINDOWS\\pss\\SmartUI.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Scansoft\\PAPERP~1\\SmartUI\\SmartUI.exe "
"item"="SmartUI"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\WinZip Quick Pick.lnk"
"backup"="C:\\WINDOWS\\pss\\WinZip Quick Pick.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\WinZip\\WZQKPICK.EXE "
"item"="WinZip Quick Pick"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PaperMaster Live Menu 7.0.lnk]
"path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\PaperMaster Live Menu 7.0.lnk"
"backup"="C:\\WINDOWS\\pss\\PaperMaster Live Menu 7.0.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\PAPERM~1.0\\J2GDLL~1.EXE /R /K \"C:\\Program Files\\PaperMaster Pro 7.0\\J2GPfcW.dll\",JSPFCWSetHooking,1,0,0,0"
"item"="PaperMaster Live Menu 7.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PaperMaster Tray Menu 7.0.lnk]
"path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\PaperMaster Tray Menu 7.0.lnk"
"backup"="C:\\WINDOWS\\pss\\PaperMaster Tray Menu 7.0.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\PAPERM~1.0\\J2GTray.exe "
"item"="PaperMaster Tray Menu 7.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="J2GDllCmd"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\eFax Messenger 4.1\\J2GDllCmd.exe\" /R"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="J2GDllCmd"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\eFax Messenger 4.2\\J2GDllCmd.exe\" /R"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IndexSearch"
"hkey"="HKLM"
"command"="C:\\Program Files\\Scansoft\\PaperPort\\IndexSearch.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort 8.0 SE Registration Reminder]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="navLoad"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Scansoft\\PaperPort\\WebEreg\\NAVBrowser.exe\" -r \"C:\\Program Files\\Scansoft\\PaperPort\\WebEreg\\navLoad.ini\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pptd40nt"
"hkey"="HKLM"
"command"="C:\\Program Files\\Scansoft\\PaperPort\\pptd40nt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PlaxoHelper"
"hkey"="HKCU"
"command"="C:\\Program Files\\Plaxo\\2.11.1.5\\PlaxoHelper.exe -a"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SemanticInsight]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SemanticInsight"
"hkey"="HKLM"
"command"="C:\\Program Files\\RXToolBar\\Semantic Insight\\SemanticInsight.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smart Start UP]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PnPDetect"
"hkey"="HKLM"
"command"="C:\\Program Files\\NewSoft\\Smart Start UP\\PnPDetect.exe /Automation "
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\control panel\load]
"forwas"=hex:15,26,db,fb,69
"cryptpa"=hex:21,df,db,f4,20

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"system"="C:\\WINDOWS\\csrss.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0




~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061220-134953-230
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - (no file)
backup-20061220-134953-284
O2 - BHO: (no name) - {08B0A51B-0C50-4B9A-99B5-89AC1E56E533} - C:\WINDOWS\System32\ddcyw.dll (file missing)
backup-20061220-134953-450
O2 - BHO: (no name) - {380739FB-EB33-8E37-C659-02260E8D29C4} - (no file)
backup-20061219-185747-172
O20 - Winlogon Notify: winxtx32 - winxtx32.dll (file missing)
backup-20061219-185746-141
O20 - Winlogon Notify: ssqpm - C:\WINDOWS\System32\ssqpm.dll (file missing)
backup-20061219-185644-800
O4 - HKLM\..\Run: [mxwpic.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\mxwpic.dll,wealicb
backup-20061219-185644-334
O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - (no file)
backup-20061219-185644-462
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\ysrnkfcd.dll",setvm
backup-20061219-185644-216
O8 - Extra context menu item: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM
backup-20061219-185644-953
O18 - Filter: text/html - (no CLSID) - (no file)
backup-20061219-185644-228
O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\kxjuwbvm.dll
backup-20061219-185644-601
O2 - BHO: (no name) - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - (no file)
backup-20061219-185644-511
O2 - BHO: (no name) - {45B70304-6774-6631-26BC-0B328E8CE570} - (no file)
backup-20061219-185644-833
O2 - BHO: (no name) - {11F0EE13-5947-2942-F631-09BEB2706006} - (no file)
backup-20061219-185644-468
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
backup-20061219-185644-542
O2 - BHO: (no name) - {0FC1C4CA-3F9D-4548-AF67-50E10FE9685F} - (no file)

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 07-01-12 19:15:37
 
hi zachj,

good, thanks for the info. you hanging in there? please try to run spybot now.

can you tell me anything that doesn't seem right with your computer, other than spybot terminating?
-------------------------------------
please download AVG anti-rootkit beta from here:

http://www.softpedia.com/get/Antivirus/AVG-Anti-Rootkit.shtml

click the downloaded file to install.
after a reboot click the icon to start the scanner. click "perform in-depth search" button
after scanning is done click the "save result to file"
Save In: desktop, or anywhere you can find it.
File Name: avg scan or whatever. add the extension .txt to end (avg scan.txt)
please post saved log in post.
 
spybot powers off computer...

Wow well thanks a lot spybot ran through successfully! I thought the combofix was just running a log, didn't think it actually did anything. Or maybe spybot running through was just a fluke, hope not. Looks like it picked up some win32.agent items.

Anyhow I ran the avg anti-root and nothing was found. As far as anything else wrong with the computer, it just runs a bit slow, especially the internet connection at times. I have highspeed internet but it is an older computer with low memory capacity.

Results from spybot....

Smitfraud-C.Toolbar888: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan

Win32.Agent.baf: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\system=...C:\WINDOWS\csrss.exe...

Win32.Agent.baf: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\csrss.exe

Advertising.com: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


CoreMetrics: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


FastClick: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


Avenue A, Inc.: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


HitBox: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


CasaleMedia: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


HitBox: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


DoubleClick: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


TagASaurus: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


CasaleMedia: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)


Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)


Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)


Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)


Avenue A, Inc.: Tracking cookie (Firefox: default) (Cookie, nothing done)


DoubleClick: Tracking cookie (Firefox: default) (Cookie, nothing done)


FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)


MediaPlex: Tracking cookie (Firefox: default) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2006-11-19 unins000.exe (51.41.0.0)
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-02-06 advcheck.dll (1.0.2.0)
2006-02-20 Tools.dll (2.0.0.2)
2006-10-27 Includes\Keyloggers.sbi (*)
2006-10-20 Includes\PUPS.sbi (*)
2006-10-13 Includes\Spybots.sbi (*)
2006-12-08 Includes\Dialer.sbi (*)
2006-11-24 Includes\Hijackers.sbi (*)
2006-12-08 Includes\Security.sbi (*)
2006-12-08 Includes\Trojans.sbi (*)
2006-12-22 Includes\Malware.sbi (*)
2007-01-05 Includes\Cookies.sbi (*)
2007-01-05 Includes\Revision.sbi (*)
2005-02-17 Includes\Tracks.uti
2007-01-05 Includes\TrojansC.sbi (*)
2007-01-05 Includes\SpybotsC.sbi (*)
2007-01-05 Includes\SecurityC.sbi (*)
2007-01-05 Includes\PUPSC.sbi (*)
2007-01-05 Includes\MalwareC.sbi (*)
2007-01-05 Includes\KeyloggersC.sbi (*)
2007-01-05 Includes\HijackersC.sbi (*)
2007-01-05 Includes\DialerC.sbi (*)
 
hi zachj,

good. those spybot items just look like leftover registry entries,
please post one more hjt log.

shelf life
 
spybot powers off computer...

Hijack log...


Logfile of HijackThis v1.99.1
Scan saved at 4:31:25 PM, on 1/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\eFax Messenger 4.2\J2GTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINPOINT\winpoint.exe
C:\Program Files\internet explorer\iexplore.exe
C:\hijackthis\scan.exe.exe

O2 - BHO: Internet Explorer Protector - {1B77D30A-81C9-497A-8647-142F7511B1FB} - C:\Program Files\IE Protector\ieprotector.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IPPDetect] IPP4Detect.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {05842B0C-271B-412F-958F-D1A8F6CAD937} (ClickLoan Control) - https://www.clickloan.com/CAB/GenClickLoan/1,0,0,12/GenClickLoan.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://www.taylorbeanonline.com/scriptx/smsx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://chlwholesaletraining.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
 
hi zachj,

log looks good. lets check this:
go to start>run and type in--> services.msc,<--in the list of services that comes up, under the name column look for>> Microsoft authenticate service<<

right click on it and select properties. under the general tab:
make sure that the service status is: Stopped
and the Startup type is: disabled
-------------------
next see if you can locate the file in the:
C:\WINDOWS\System32 dir and delete it

shelf life
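What shelf life is doing by eye here is two checks: an O23 service line whose binary is missing and whose vendor is "Unknown owner", and the Spybot hit on a csrss.exe living in C:\WINDOWS instead of System32. The Python script below, added as an example and not part of this thread or any tool it mentions, runs those two checks over log lines copied from the posts above; the CORE_SYSTEM_BINARIES set and the suspect-service rule are my assumptions, not HijackThis or Spybot logic.

```python
import ntpath
import re

# Constructed sample: lines copied from the HijackThis and Spybot output in this thread,
# plus two clean lines (vsmon service, IgfxTray run key, smss.exe) for contrast.
SAMPLE_LINES = [
    r"O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe (file missing)",
    r"O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe",
    r"O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\system=...C:\WINDOWS\csrss.exe...",
    r"C:\WINDOWS\System32\smss.exe",
]

# Assumption: these core process names belong only in %SystemRoot%\system32; a copy
# elsewhere (like the C:\WINDOWS\csrss.exe Spybot flagged) is a name masquerade.
CORE_SYSTEM_BINARIES = {"csrss.exe", "smss.exe", "winlogon.exe",
                        "services.exe", "lsass.exe", "svchost.exe"}

# HijackThis O23 layout: "O23 - Service: <name> (<short>) - <owner> - <path>"; the
# parenthesised short name is optional in the log above.
O23_LINE = re.compile(
    r"^O23 - Service: (?P<name>.+?)(?: \((?P<short>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$")
# Any "X:\...\something.exe" path embedded in a log or registry line.
WIN_PATH = re.compile(r"[A-Za-z]:\\.+?\.exe", re.IGNORECASE)


def parse_o23(line):
    """Split an O23 service line into name, short name, owner and binary path."""
    m = O23_LINE.match(line)
    if not m:
        return None
    svc = m.groupdict()
    svc["file_missing"] = svc["path"].endswith("(file missing)")
    svc["path"] = svc["path"].replace("(file missing)", "").strip()
    return svc


def is_masquerading(path):
    """True when a core system binary name sits outside the system32 directory."""
    directory, base = ntpath.split(path)
    if base.lower() not in CORE_SYSTEM_BINARIES:
        return False
    return not directory.lower().endswith("\\system32")


def triage(lines):
    """Return (kind, name, path) findings for the two checks described above."""
    findings = []
    for line in lines:
        svc = parse_o23(line)
        if svc and (svc["file_missing"] or svc["owner"] == "Unknown owner"):
            findings.append(("suspect-service", svc["short"] or svc["name"], svc["path"]))
        for path in WIN_PATH.findall(line):
            if is_masquerading(path):
                findings.append(("masquerade", ntpath.basename(path), path))
    return findings


if __name__ == "__main__":
    for kind, name, path in triage(SAMPLE_LINES):
        print(f"{kind:16} {name:10} {path}")
```

A suspect-service hit is a reason to look at the service in services.msc and at the path on disk, as the post above does; it is not by itself proof of infection, since uninstallers also leave orphaned service entries behind.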
 
spybot powers off computer..

Wait so I should delete the system32 Folder under Windows? There's a lot of items in there. Are you sure?
 
hi zachj,

Wait so I should delete the system32 Folder under Windows? There's a lot of items in there. Are you sure?

no, my mistake.
i left the file off of the post. we want to look for and delete if present only this file:
msasvc.exe
in the C:\WINDOWS\System32 dir
 
spybot powers off computer...

Wow good thing I didn't delete that folder I guess.

That file msasvc.exe is not present.


Zach
 
hi zachj,

it's a needed windows OS dir. windows wouldn't let you delete it. good, you didn't find that .exe. how's it all looking on your end now?

shelf life
 