Thanks Shaba. Here are the logs as requested.
Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please
Reg Entries that were deleted
...
Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
...
PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»» Searching by size/names...
»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSFUU.EXE 51,724 2006-11-08
C:\WINDOWS\SYSTEM32\DMYVV.EXE 60,432 2001-08-18
Other suspects.
Directory of C:\WINDOWS\system32
»»»»» Misc files.
»»»»» Checking for older varients covered by the Rem3 tool.
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 3:00:10 PM 12/2/2006
+ Scan result:
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP15\A0014072.inf -> Adware.AntiAwarePro : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP32\A0017765.dll -> Adware.Baidu : Cleaned with backup (quarantined).
C:\Program Files\CNNIC\Cdn\cdnforie.dll -> Adware.Cdn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP32\A0017836.dll -> Adware.Cdn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP32\A0030756.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP32\A0030989.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP33\A0031216.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP38\A0031679.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP41\A0034607.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP32\A0017827.exe -> Downloader.Delf.ayf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP32\A0017831.exe -> Downloader.Delf.ayf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP32\A0017841.exe -> Downloader.Delf.ayf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP32\A0017847.exe -> Downloader.Delf.ayf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP32\A0017848.exe -> Downloader.Delf.ayf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP32\A0017829.exe -> Downloader.Delf.bau : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP32\A0017830.exe -> Downloader.Delf.bau : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP32\A0017832.exe -> Downloader.Delf.bau : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP32\A0017833.exe -> Downloader.Delf.bau : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP32\A0017834.exe -> Downloader.Delf.bau : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP32\A0017835.exe -> Downloader.Delf.bau : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP41\A0034744.exe -> Downloader.Delf.bcv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP41\A0034745.exe -> Downloader.Delf.bcv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP41\A0034746.exe -> Downloader.Delf.bcv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP41\A0034747.exe -> Downloader.Delf.bcv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP41\A0034748.exe -> Downloader.Delf.bcv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP41\A0034749.exe -> Downloader.Delf.bcv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP41\A0034750.exe -> Downloader.Delf.bcv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP32\A0017828.sys -> Downloader.Small.npa : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kdsxr.exe -> Downloader.Zlob.aty : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP32\A0030957.exe -> Trojan.Sinowal.bi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP41\A0034797.exe -> Trojan.Sinowal.bi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP32\A0030855.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP32\A0030991.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP32\A0030992.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP33\A0031225.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP38\A0031816.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP38\A0032103.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP41\A0033491.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP41\A0034690.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP32\A0019229.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP32\A0019268.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP32\A0019336.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP32\A0020335.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP32\A0021337.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP32\A0025554.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP32\A0026554.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP32\A0027554.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP32\A0028554.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP32\A0029554.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP32\A0030554.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP32\A0030613.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP32\A0030623.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP32\A0030744.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP32\A0030757.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP32\A0030931.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP32\A0030965.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP33\A0031167.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP33\A0031183.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP33\A0031196.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP34\A0031328.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP41\A0034842.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP41\A0034844.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP41\A0034845.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP41\A0034846.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP41\A0034847.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP41\A0034848.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP41\A0034849.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP41\A0034850.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4052D5C3-EB59-4DEF-A854-663C6869D0DA}\RP41\A0034851.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\WINDOWS\system32\csfuu.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
::Report end
Logfile of HijackThis v1.99.1
Scan saved at 15:10:17, on 02/12/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\VM303_STI.EXE
D:\New Programs\FATALERRORFILE\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
D:\New Programs\FATALERRORFILE\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\New Programs\FATALERRORFILE\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.homecallb...d.com/customer/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\New Programs\ADOBEACROBAT\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [Zone Labs Client] "D:\New Programs\FATALERRORFILE\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\New Programs\FATALERRORFILE\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] D:\New Programs\FATALERRORFILE\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowso...nSSWebAgent.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://ruby-roses.sp...ad/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safe...lscbase8460.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1161268279966
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driverage...driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{711164E7-2FE8-4520-B8A2-3628C221B948}: NameServer = 85.255.113.132 85.255.112.84
O17 - HKLM\System\CS1\Services\Tcpip\..\{711164E7-2FE8-4520-B8A2-3628C221B948}: NameServer = 85.255.113.132 85.255.112.84
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\New Programs\FATALERRORFILE\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe