please help with virus: Win32: TratBHO[trj] [RESOLVED]

Need a geek? Geeks to Go offers free, quality tech support -- in terms anyone can understand. Volunteers are waiting to help, friendly, technology experts who have knowledge to share, and enjoy helping others. Feel free to browse the site as a guest. However, you must log in to reply to existing topics, or to start a new topic. Other benefits of joining include richer forum features, and removal of all advertising. Learn more in our Welcome Guide Infected? Malware and Spyware Cleaning Guide. What are you waiting for? Click here to join for free today!

> Geeks to Go! » Security » Virus, Spyware and Trojan Removal

2 Pages

1 2 >

please help with virus: Win32: TratBHO[trj] [RESOLVED], hep!

Options

cweezy24 View Member Profile	Feb 17 2008, 11:21 PM Post #1
New Member Posts: 8 OS: Windows XP	My computer is infected with the virus Win32: TratBHO[trj]. I use avast anti-virus and I am a novice with computers. Can you please help me, from the start, how to get rid of this awful thing? THANKS SO MUCH!

Rorschach112 View Member Profile	Feb 18 2008, 09:09 AM Post #2
GeekU Teacher Posts: 34,385 From: Dublin OS: XP	Hello Please download Deckard's System Scanner (DSS) and save it to your Desktop. Close all other windows before proceeding. Double-click on dss.exe and follow the prompts. If your anti-virus or firewall complains, please allow this script to run as it is not malicious. When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

cweezy24 View Member Profile	Feb 18 2008, 02:55 PM Post #3
New Member Posts: 8 OS: Windows XP	Sorry for the delay - I did not notice the "You must read this before posting a HiJackThis Log, so I have been going to that page and performing all of those required tests throughout the day. I first installed DSS and tried to run that, but everytime it got to the point where it said "Examining Event Logs", the program would shut itself down and not be able to complete itself. I am pasting a copy of my HiJackThis log, and also the Super AntiSpyware Scan Log below. Thanks so much for the help this virus is causing me so many head aches! Super Anti Spyware Scan Log: SUPERAntiSpyware Scan Log Generated 02/18/2008 at 03:36 PM Application Version : 3.6.1000 Core Rules Database Version : 3190 Trace Rules Database Version: 1200 Scan type : Complete Scan Total Scan Time : 00:35:49 Memory items scanned : 394 Memory threats detected : 1 Registry items scanned : 4378 Registry threats detected : 0 File items scanned : 33944 File threats detected : 10 Adware.Vundo Variant C:\WINDOWS\SYSTEM32\GEEDD.DLL C:\WINDOWS\SYSTEM32\GEEDD.DLL Adware.Tracking Cookie C:\Documents and Settings\asli\Cookies\asli@findwhat[1].txt C:\Documents and Settings\asli\Cookies\asli@ads.gmodules[2].txt C:\Documents and Settings\asli\Cookies\asli@statcounter[1].txt C:\Documents and Settings\asli\Cookies\asli@enhance[2].txt C:\Documents and Settings\asli\Cookies\asli@ad.lookery[2].txt C:\Documents and Settings\asli\Cookies\asli@ads.gmodules[1].txt C:\Documents and Settings\asli\Cookies\asli@apmebf[1].txt C:\Documents and Settings\asli\Cookies\asli@atwola[1].txt C:\Documents and Settings\asli\Cookies\asli@bizadverts[1].txt HiJackThis Log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 3:46:10 PM, on 2/18/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16608) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\SiteAdvisor\6253\SAService.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\Program Files\Apoint2K\Apoint.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\DIGStream\digstream.exe C:\Program Files\ESPNRunTime\DIGServices.exe C:\Program Files\SiteAdvisor\6253\SiteAdv.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\Apoint2K\Apntex.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jmu.edu/jmuweb/students/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll O2 - BHO: (no name) - {69B09293-EC9D-49BF-B7C1-8DAEC190D799} - C:\WINDOWS\system32\geedd.dll (file missing) O2 - BHO: {5c5d57b3-d586-d939-d204-70bda1b996dc} - {cd699b1a-db07-402d-939d-685d3b75d5c5} - C:\WINDOWS\system32\dfbajagy.dll O2 - BHO: (no name) - {E180F496-8A4B-44E2-9FE0-0364E345DB7F} - C:\WINDOWS\system32\mljihge.dll O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24 O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O20 - Winlogon Notify: mljihge - C:\WINDOWS\SYSTEM32\mljihge.dll O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 7855 bytes

Rorschach112 View Member Profile	Feb 18 2008, 03:14 PM Post #4
GeekU Teacher Posts: 34,385 From: Dublin OS: XP	Do this Download ComboFix from one of the locations below, and save it to your Desktop. Link 1 Link 2 Link 3 Double click combofix.exe and follow the prompts. When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply Note: Do not mouseclick combofix's window while its running. That may cause it to stall

cweezy24 View Member Profile	Feb 18 2008, 03:33 PM Post #5
New Member Posts: 8 OS: Windows XP	Thanks so much for the speedy response. Here is the log for combofix: ComboFix 08-02-17.2 - asli 2008-02-18 16:21:41.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.168 [GMT -5:00] Running from: C:\Documents and Settings\asli\Desktop\ComboFix.exe * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\system32\mljihge.dll C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat C:\Temp\isgTi19 C:\WINDOWS\cookies.ini C:\WINDOWS\system32\cqithabs.ini C:\WINDOWS\system32\ddeeg.ini C:\WINDOWS\system32\ddeeg.ini2 C:\WINDOWS\system32\dfbajagy.dll C:\WINDOWS\system32\gayckfyk.dll C:\WINDOWS\system32\gnuxuubf.ini C:\WINDOWS\system32\jkklj.dll C:\WINDOWS\system32\jlkkj.ini C:\WINDOWS\system32\jlkkj.ini2 C:\WINDOWS\system32\lqychlko.ini C:\WINDOWS\system32\mljihge.dll C:\WINDOWS\system32\msssc.dll C:\WINDOWS\system32\nGpxx01 C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe C:\WINDOWS\system32\niwdbels.dll C:\WINDOWS\system32\oklhcyql.dll C:\WINDOWS\system32\pac.txt C:\WINDOWS\system32\pkqsdtql.ini C:\WINDOWS\system32\rhnyxrjw.ini C:\WINDOWS\system32\sccmruee.dll C:\WINDOWS\system32\srolgwqy.dll C:\WINDOWS\system32\wjrxynhr.dll ----- BITS: Possible infected sites ----- hxxp://au.download.windowsupda . ((((((((((((((((((((((((( Files Created from 2008-01-18 to 2008-02-18 ))))))))))))))))))))))))))))))) . 2008-02-18 15:45 . 2008-02-18 15:45 <DIR> d-------- C:\Program Files\Trend Micro 2008-02-18 14:55 . 2008-02-18 14:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com 2008-02-18 14:53 . 2008-02-18 15:44 <DIR> d-------- C:\Program Files\SUPERAntiSpyware 2008-02-18 14:53 . 2008-02-18 14:53 <DIR> d-------- C:\Documents and Settings\asli\Application Data\SUPERAntiSpyware.com 2008-02-18 14:52 . 2008-02-18 14:52 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2008-02-18 11:51 . 2008-02-18 11:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft 2008-02-18 02:49 . 2008-02-18 02:49 <DIR> d-------- C:\Documents and Settings\asli\Application Data\Grisoft 2008-02-18 02:46 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2008-02-18 02:45 . 2008-02-18 02:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft 2008-02-13 03:17 . 2008-02-18 16:22 <DIR> d-------- C:\Temp 2008-01-31 13:27 . 2008-01-31 13:27 <DIR> d-------- C:\Program Files\iPod 2008-01-31 13:27 . 2008-02-18 15:42 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-01-31 13:27 . 2008-01-31 13:27 1,409 --a------ C:\WINDOWS\QTFont.for 2008-01-31 13:26 . 2008-01-31 13:27 <DIR> d-------- C:\Program Files\iTunes 2008-01-31 13:26 . 2008-02-14 01:11 <DIR> d-------- C:\Program Files\Bonjour 2008-01-31 13:25 . 2008-01-31 13:25 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE 2008-01-31 13:25 . 2008-01-31 13:26 <DIR> d-------- C:\Program Files\QuickTime 2008-01-31 13:25 . 2008-01-31 13:25 <DIR> d-------- C:\Program Files\Common Files\Apple 2008-01-31 13:25 . 2008-01-31 13:25 <DIR> d-------- C:\Program Files\Apple Software Update 2008-01-31 13:25 . 2008-01-31 13:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple 2008-01-31 00:44 . 2008-01-31 00:44 <DIR> d-------- C:\Program Files\Common Files\Adobe 2008-01-31 00:44 . 2008-01-31 00:44 <DIR> d-------- C:\Documents and Settings\asli\Application Data\AdobeUM 2008-01-30 22:58 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll 2008-01-30 22:58 . 2008-01-30 22:58 376 --a------ C:\WINDOWS\ODBC.INI 2008-01-30 22:57 . 2008-01-30 22:57 <DIR> d-------- C:\Program Files\Microsoft ActiveSync 2008-01-30 22:56 . 2008-01-30 22:57 <DIR> d-------- C:\WINDOWS\SHELLNEW 2008-01-30 22:51 . 2008-01-30 22:51 <DIR> d-------- C:\Program Files\Microsoft.NET 2008-01-30 22:48 . 2008-01-30 22:48 <DIR> dr-h----- C:\MSOCache 2008-01-29 18:32 . 2004-08-04 08:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll 2008-01-29 14:23 . 2008-01-29 14:23 <DIR> d-------- C:\Program Files\Viewpoint 2008-01-29 14:23 . 2008-01-29 14:23 <DIR> d-------- C:\Documents and Settings\asli\Application Data\Viewpoint 2008-01-29 14:23 . 2008-01-29 14:23 <DIR> d-------- C:\Documents and Settings\asli\Application Data\acccore 2008-01-29 14:23 . 2008-01-29 14:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint 2008-01-29 14:22 . 2008-01-29 14:22 <DIR> d-------- C:\Program Files\Common Files\AOL 2008-01-29 14:22 . 2008-01-29 14:23 <DIR> d-------- C:\Program Files\AIM6 2008-01-29 14:22 . 2008-01-29 14:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP 2008-01-29 14:22 . 2008-01-29 14:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL 2008-01-29 14:22 . 2008-01-29 14:23 1,046 --ah----- C:\IPH.PH 2008-01-29 13:51 . 2008-01-29 13:51 <DIR> d-------- C:\WINDOWS\Sun 2008-01-29 13:51 . 2008-01-29 13:51 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor 2008-01-29 13:50 . 2008-01-29 13:50 <DIR> d-------- C:\Program Files\SiteAdvisor 2008-01-29 13:50 . 2008-01-31 01:53 <DIR> d-------- C:\Documents and Settings\asli\Application Data\SiteAdvisor 2008-01-29 13:50 . 2008-02-17 19:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor 2008-01-29 13:50 . 2008-01-29 13:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee 2008-01-29 13:39 . 2008-01-29 13:39 <DIR> d-------- C:\Documents and Settings\asli\Application Data\ESPN 2008-01-29 13:38 . 2008-01-29 13:38 <DIR> d-------- C:\Program Files\ESPNRunTime 2008-01-29 13:38 . 2008-01-29 13:38 <DIR> d-------- C:\Program Files\ESPNMotion 2008-01-29 13:38 . 2008-01-29 13:38 <DIR> d-------- C:\Program Files\ESPN 2008-01-29 13:38 . 2008-01-29 13:38 <DIR> d-------- C:\Program Files\DIGStream 2008-01-29 13:38 . 2008-01-29 13:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESPN 2008-01-29 13:38 . 2008-02-18 15:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DIGStream 2008-01-29 13:16 . 2007-12-06 21:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll 2008-01-29 13:16 . 2007-06-30 22:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat 2008-01-29 13:16 . 2007-06-30 22:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui 2008-01-29 13:16 . 2007-12-06 21:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll 2008-01-29 13:16 . 2007-12-06 21:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll 2008-01-29 13:16 . 2007-12-06 21:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll 2008-01-29 13:16 . 2007-12-06 21:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll 2008-01-29 13:16 . 2007-12-06 21:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll 2008-01-29 13:16 . 2007-12-06 06:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe 2008-01-29 13:01 . 2008-02-13 04:27 <DIR> d--h----- C:\WINDOWS\$hf_mig$ 2008-01-29 13:01 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe 2008-01-29 12:58 . 2008-01-29 12:58 <DIR> d--hs---- C:\Documents and Settings\asli\UserData 2008-01-29 12:46 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr 2008-01-29 12:46 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys 2008-01-29 12:46 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys 2008-01-29 12:46 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys 2008-01-29 12:46 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys 2008-01-29 12:46 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys 2008-01-29 12:45 . 2008-01-29 12:45 <DIR> d-------- C:\Program Files\Alwil Software 2008-01-29 12:45 . 2003-03-18 15:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll 2008-01-29 12:45 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe 2008-01-29 12:45 . 2003-03-18 14:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll 2008-01-29 12:45 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx 2008-01-29 12:45 . 2003-02-20 22:42 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll 2008-01-29 02:59 . 2008-01-29 02:59 <DIR> d-------- C:\Documents and Settings\asli\Application Data\Leadertech 2008-01-29 00:40 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys 2008-01-29 00:40 . 2001-08-17 13:53 3,328 --a------ C:\WINDOWS\system32\drivers\qv2kux.sys 2008-01-29 00:40 . 2001-08-17 13:53 3,328 --a--c--- C:\WINDOWS\system32\dllcache\qv2kux.sys 2008-01-29 00:33 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll 2008-01-29 00:33 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll 2008-01-29 00:33 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys 2008-01-29 00:33 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys 2008-01-29 00:33 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys 2008-01-29 00:33 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys 2008-01-28 17:03 . 2008-01-28 17:03 <DIR> d-------- C:\Documents and Settings\asli\Application Data\Apple Computer . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-01-31 18:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer 2008-01-28 22:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime 2008-01-16 23:22 --------- d-----w C:\Program Files\Quicken 2008-01-16 23:22 --------- d-----w C:\Program Files\Common Files\Palo Alto Software 2008-01-16 23:21 --------- d-----w C:\Program Files\Zone.com 2008-01-16 23:21 --------- d-----w C:\Program Files\Common Files\Intuit 2008-01-16 23:06 1,731 --sha-r C:\WINDOWS\system32\drivers\HP_Pavilion zv5200 (PF144UA ABA)_YN_Pavi_QCND425_E_4_I08A0_SCompal_V32.22_BF.11_T040430_WXH2_L409_M512_J80_7 AMD_8Athlon 64 3200+_90.8_1104C8026_N_P104CAC54_Z10DE00D9_K_A10DE00DA_U10DE00D7_G10DE0179.MRK 2008-01-16 23:05 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-01-16 23:05 --------- d-----w C:\Program Files\HPQ 2008-01-16 19:45 --------- d-----w C:\Program Files\Java 2008-01-16 19:45 --------- d-----w C:\Program Files\Common Files\Java 2008-01-16 19:44 --------- d-----w C:\Program Files\Sonic 2008-01-16 19:44 --------- d-----w C:\Program Files\RecordNow! 2008-01-16 19:44 --------- d-----w C:\Program Files\Common Files\SureThing Shared 2008-01-16 19:44 --------- d-----w C:\Program Files\Common Files\Sonic 2008-01-16 19:44 --------- d-----w C:\Documents and Settings\asli\Application Data\Sonic 2008-01-16 19:40 --------- d-----w C:\Program Files\InterVideo 2008-01-16 18:56 --------- d-----w C:\Program Files\Common Files\InstallShield 2008-01-16 18:56 --------- d-----w C:\Program Files\AMD 2008-01-16 18:55 --------- d-----w C:\Program Files\Apoint2K 2008-01-16 18:51 --------- d-----w C:\Program Files\Analog Devices 2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69B09293-EC9D-49BF-B7C1-8DAEC190D799}] C:\WINDOWS\system32\geedd.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RecordNow!"="" [] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360] "Aim6"="" [] "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-07 14:40 159744] "AGRSMMSG"="AGRSMMSG.exe" [2004-01-30 03:01 88363 C:\WINDOWS\AGRSMMSG.exe] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-04-07 06:22 4730880] "nwiz"="nwiz.exe" [2004-04-07 06:22 323584 C:\WINDOWS\system32\nwiz.exe] "Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-03-01 13:05 200766] "eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-01-13 09:21 245760] "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592] "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2008-01-16 14:45 32881] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024] "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224] "DIGStream"="C:\Program Files\DIGStream\digstream.exe" [2006-02-10 14:06 278528] "DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [2006-07-14 10:47 106496] "SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-12-04 16:03 36640] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048] "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-07-29 21:49:48 57344] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"= 0 (0x0) [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38] . Contents of the 'Scheduled Tasks' folder "2008-02-09 12:29:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe . ************************************************************************ catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-02-18 16:28:26 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????8?2?0?5??????? ???B???????????????B? ?????? scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\SiteAdvisor\6253\SAService.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Apoint2K\Apntex.exe C:\Program Files\iPod\bin\iPodService.exe . ************************************************************************ . Completion time: 2008-02-18 16:30:59 - machine was rebooted ComboFix-quarantined-files.txt 2008-02-18 21:30:41 . 2008-02-13 18:22:31 --- E O F ---

Rorschach112 View Member Profile	Feb 18 2008, 03:58 PM Post #6
GeekU Teacher Posts: 34,385 From: Dublin OS: XP	Hello 1. Close any open browsers. 2. Open notepad and copy/paste the text in the quotebox below into it: QUOTE File:: C:\WINDOWS\system32\MFC71.dll C:\WINDOWS\system32\geedd.dll Save this as CFScript.txt, in the same location as ComboFix.exe Refering to the picture above, drag CFScript into ComboFix.exe When finished, it shall produce a log for you at "C:\ComboFix.txt" Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall Also post a new HijackThis log

cweezy24 View Member Profile	Feb 18 2008, 05:15 PM Post #7
New Member Posts: 8 OS: Windows XP	HiJackThis Log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 6:13:57 PM, on 2/18/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16608) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Apoint2K\Apoint.exe C:\WINDOWS\AGRSMMSG.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\DIGStream\digstream.exe C:\Program Files\ESPNRunTime\DIGServices.exe C:\Program Files\SiteAdvisor\6253\SiteAdv.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\Apoint2K\Apntex.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\SiteAdvisor\6253\SAService.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jmu.edu/jmuweb/students/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = .local O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll O2 - BHO: (no name) - {69B09293-EC9D-49BF-B7C1-8DAEC190D799} - C:\WINDOWS\system32\geedd.dll (file missing) O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24 O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 7320 bytes ComboFix Log: ComboFix 08-02-17.2 - asli 2008-02-18 18:05:17.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.212 [GMT -5:00] Running from: C:\Documents and Settings\asli\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\asli\Desktop\CFScript.txt Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! FILE :: C:\WINDOWS\system32\geedd.dll C:\WINDOWS\system32\MFC71.dll . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\system32\MFC71.dll . ((((((((((((((((((((((((( Files Created from 2008-01-18 to 2008-02-18 ))))))))))))))))))))))))))))))) . 2008-02-18 16:39 . 2008-02-18 16:39 <DIR> d-------- C:\WINDOWS\LastGood 2008-02-18 15:45 . 2008-02-18 15:45 <DIR> d-------- C:\Program Files\Trend Micro 2008-02-18 14:55 . 2008-02-18 14:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com 2008-02-18 14:53 . 2008-02-18 15:44 <DIR> d-------- C:\Program Files\SUPERAntiSpyware 2008-02-18 14:53 . 2008-02-18 14:53 <DIR> d-------- C:\Documents and Settings\asli\Application Data\SUPERAntiSpyware.com 2008-02-18 14:52 . 2008-02-18 14:52 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2008-02-18 11:51 . 2008-02-18 11:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft 2008-02-18 02:49 . 2008-02-18 02:49 <DIR> d-------- C:\Documents and Settings\asli\Application Data\Grisoft 2008-02-18 02:46 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2008-02-18 02:45 . 2008-02-18 02:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft 2008-02-13 03:17 . 2008-02-18 16:22 <DIR> d-------- C:\Temp 2008-01-31 13:27 . 2008-01-31 13:27 <DIR> d-------- C:\Program Files\iPod 2008-01-31 13:27 . 2008-02-18 16:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-01-31 13:27 . 2008-01-31 13:27 1,409 --a------ C:\WINDOWS\QTFont.for 2008-01-31 13:26 . 2008-01-31 13:27 <DIR> d-------- C:\Program Files\iTunes 2008-01-31 13:26 . 2008-02-14 01:11 <DIR> d-------- C:\Program Files\Bonjour 2008-01-31 13:25 . 2008-01-31 13:25 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE 2008-01-31 13:25 . 2008-01-31 13:26 <DIR> d-------- C:\Program Files\QuickTime 2008-01-31 13:25 . 2008-01-31 13:25 <DIR> d-------- C:\Program Files\Common Files\Apple 2008-01-31 13:25 . 2008-01-31 13:25 <DIR> d-------- C:\Program Files\Apple Software Update 2008-01-31 13:25 . 2008-01-31 13:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple 2008-01-31 00:44 . 2008-01-31 00:44 <DIR> d-------- C:\Program Files\Common Files\Adobe 2008-01-31 00:44 . 2008-01-31 00:44 <DIR> d-------- C:\Documents and Settings\asli\Application Data\AdobeUM 2008-01-30 22:58 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll 2008-01-30 22:58 . 2008-01-30 22:58 376 --a------ C:\WINDOWS\ODBC.INI 2008-01-30 22:57 . 2008-01-30 22:57 <DIR> d-------- C:\Program Files\Microsoft ActiveSync 2008-01-30 22:56 . 2008-01-30 22:57 <DIR> d-------- C:\WINDOWS\SHELLNEW 2008-01-30 22:51 . 2008-01-30 22:51 <DIR> d-------- C:\Program Files\Microsoft.NET 2008-01-30 22:48 . 2008-01-30 22:48 <DIR> dr-h----- C:\MSOCache 2008-01-29 18:32 . 2004-08-04 08:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll 2008-01-29 14:23 . 2008-01-29 14:23 <DIR> d-------- C:\Program Files\Viewpoint 2008-01-29 14:23 . 2008-01-29 14:23 <DIR> d-------- C:\Documents and Settings\asli\Application Data\Viewpoint 2008-01-29 14:23 . 2008-01-29 14:23 <DIR> d-------- C:\Documents and Settings\asli\Application Data\acccore 2008-01-29 14:23 . 2008-01-29 14:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint 2008-01-29 14:22 . 2008-01-29 14:22 <DIR> d-------- C:\Program Files\Common Files\AOL 2008-01-29 14:22 . 2008-01-29 14:23 <DIR> d-------- C:\Program Files\AIM6 2008-01-29 14:22 . 2008-01-29 14:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP 2008-01-29 14:22 . 2008-01-29 14:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL 2008-01-29 14:22 . 2008-01-29 14:23 1,046 --ah----- C:\IPH.PH 2008-01-29 13:51 . 2008-01-29 13:51 <DIR> d-------- C:\WINDOWS\Sun 2008-01-29 13:51 . 2008-01-29 13:51 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor 2008-01-29 13:50 . 2008-01-29 13:50 <DIR> d-------- C:\Program Files\SiteAdvisor 2008-01-29 13:50 . 2008-01-31 01:53 <DIR> d-------- C:\Documents and Settings\asli\Application Data\SiteAdvisor 2008-01-29 13:50 . 2008-02-17 19:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor 2008-01-29 13:50 . 2008-01-29 13:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee 2008-01-29 13:39 . 2008-01-29 13:39 <DIR> d-------- C:\Documents and Settings\asli\Application Data\ESPN 2008-01-29 13:38 . 2008-01-29 13:38 <DIR> d-------- C:\Program Files\ESPNRunTime 2008-01-29 13:38 . 2008-01-29 13:38 <DIR> d-------- C:\Program Files\ESPNMotion 2008-01-29 13:38 . 2008-01-29 13:38 <DIR> d-------- C:\Program Files\ESPN 2008-01-29 13:38 . 2008-01-29 13:38 <DIR> d-------- C:\Program Files\DIGStream 2008-01-29 13:38 . 2008-01-29 13:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESPN 2008-01-29 13:38 . 2008-02-18 17:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DIGStream 2008-01-29 13:16 . 2007-12-06 21:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll 2008-01-29 13:16 . 2007-06-30 22:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat 2008-01-29 13:16 . 2007-06-30 22:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui 2008-01-29 13:16 . 2007-12-06 21:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll 2008-01-29 13:16 . 2007-12-06 21:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll 2008-01-29 13:16 . 2007-12-06 21:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll 2008-01-29 13:16 . 2007-12-06 21:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll 2008-01-29 13:16 . 2007-12-06 21:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll 2008-01-29 13:16 . 2007-12-06 06:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe 2008-01-29 13:01 . 2008-02-13 04:27 <DIR> d--h----- C:\WINDOWS\$hf_mig$ 2008-01-29 13:01 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe 2008-01-29 12:58 . 2008-01-29 12:58 <DIR> d--hs---- C:\Documents and Settings\asli\UserData 2008-01-29 12:46 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr 2008-01-29 12:46 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys 2008-01-29 12:46 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys 2008-01-29 12:46 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys 2008-01-29 12:46 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys 2008-01-29 12:46 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys 2008-01-29 12:45 . 2008-01-29 12:45 <DIR> d-------- C:\Program Files\Alwil Software 2008-01-29 12:45 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe 2008-01-29 12:45 . 2003-03-18 14:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll 2008-01-29 12:45 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx 2008-01-29 12:45 . 2003-02-20 22:42 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll 2008-01-29 02:59 . 2008-01-29 02:59 <DIR> d-------- C:\Documents and Settings\asli\Application Data\Leadertech 2008-01-29 00:40 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys 2008-01-29 00:40 . 2001-08-17 13:53 3,328 --a------ C:\WINDOWS\system32\drivers\qv2kux.sys 2008-01-29 00:40 . 2001-08-17 13:53 3,328 --a--c--- C:\WINDOWS\system32\dllcache\qv2kux.sys 2008-01-29 00:33 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll 2008-01-29 00:33 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll 2008-01-29 00:33 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys 2008-01-29 00:33 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys 2008-01-29 00:33 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys 2008-01-29 00:33 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys 2008-01-28 17:03 . 2008-01-28 17:03 <DIR> d-------- C:\Documents and Settings\asli\Application Data\Apple Computer . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-01-31 18:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer 2008-01-28 22:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime 2008-01-16 23:22 --------- d-----w C:\Program Files\Quicken 2008-01-16 23:22 --------- d-----w C:\Program Files\Common Files\Palo Alto Software 2008-01-16 23:21 --------- d-----w C:\Program Files\Zone.com 2008-01-16 23:21 --------- d-----w C:\Program Files\Common Files\Intuit 2008-01-16 23:06 1,731 --sha-r C:\WINDOWS\system32\drivers\HP_Pavilion zv5200 (PF144UA ABA)_YN_Pavi_QCND425_E_4_I08A0_SCompal_V32.22_BF.11_T040430_WXH2_L409_M512_J80_7 AMD_8Athlon 64 3200+_90.8_1104C8026_N_P104CAC54_Z10DE00D9_K_A10DE00DA_U10DE00D7_G10DE0179.MRK 2008-01-16 23:05 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-01-16 23:05 --------- d-----w C:\Program Files\HPQ 2008-01-16 19:45 --------- d-----w C:\Program Files\Java 2008-01-16 19:45 --------- d-----w C:\Program Files\Common Files\Java 2008-01-16 19:44 --------- d-----w C:\Program Files\Sonic 2008-01-16 19:44 --------- d-----w C:\Program Files\RecordNow! 2008-01-16 19:44 --------- d-----w C:\Program Files\Common Files\SureThing Shared 2008-01-16 19:44 --------- d-----w C:\Program Files\Common Files\Sonic 2008-01-16 19:44 --------- d-----w C:\Documents and Settings\asli\Application Data\Sonic 2008-01-16 19:40 --------- d-----w C:\Program Files\InterVideo 2008-01-16 18:56 --------- d-----w C:\Program Files\Common Files\InstallShield 2008-01-16 18:56 --------- d-----w C:\Program Files\AMD 2008-01-16 18:55 --------- d-----w C:\Program Files\Apoint2K 2008-01-16 18:51 --------- d-----w C:\Program Files\Analog Devices 2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys 2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll 2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69B09293-EC9D-49BF-B7C1-8DAEC190D799}] C:\WINDOWS\system32\geedd.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RecordNow!"="" [] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360] "Aim6"="" [] "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-07 14:40 159744] "AGRSMMSG"="AGRSMMSG.exe" [2004-01-30 03:01 88363 C:\WINDOWS\AGRSMMSG.exe] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-04-07 06:22 4730880] "nwiz"="nwiz.exe" [2004-04-07 06:22 323584 C:\WINDOWS\system32\nwiz.exe] "Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-03-01 13:05 200766] "eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-01-13 09:21 245760] "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592] "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2008-01-16 14:45 32881] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024] "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224] "DIGStream"="C:\Program Files\DIGStream\digstream.exe" [2006-02-10 14:06 278528] "DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [2006-07-14 10:47 106496] "SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-12-04 16:03 36640] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048] "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-07-29 21:49:48 57344] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38] . Contents of the 'Scheduled Tasks' folder "2008-02-09 12:29:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe . ************************************************************************ catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-02-18 18:06:48 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????8?2?0?5??????? ???B???????????????B? ?????? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . Completion time: 2008-02-18 18:07:21 ComboFix-quarantined-files.txt 2008-02-18 23:07:07 ComboFix2.txt 2008-02-18 21:31:00 . 2008-02-13 18:22:31 --- E O F ---

Rorschach112 View Member Profile	Feb 18 2008, 06:03 PM Post #8
GeekU Teacher Posts: 34,385 From: Dublin OS: XP	Hello 1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present): O2 - BHO: (no name) - {69B09293-EC9D-49BF-B7C1-8DAEC190D799} - C:\WINDOWS\system32\geedd.dll (file missing) 2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis. Please download Malwarebytes' Anti-Malware from Here or Here Double Click mbam-setup.exe to install the application. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. If an update is found, it will download and install the latest version. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish,so please be patient. When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note) The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Copy&Paste the entire report in your next reply. Extra Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly. Reboot and post a new HijackThis log and tell me how your PC is running

cweezy24 View Member Profile	Feb 18 2008, 06:20 PM Post #9
New Member Posts: 8 OS: Windows XP	The computer is running pretty well - seems like it is back to normal but I am not too sure...still a little slow but that might be because I just booted it up. MBAM Log: Malwarebytes' Anti-Malware 1.03 Database version: 376 Scan type: Quick Scan Objects scanned: 25197 Time elapsed: 3 minute(s), 21 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 5 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) Here is the HiJackThis Log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:20:28 PM, on 2/18/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16608) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Apoint2K\Apoint.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\DIGStream\digstream.exe C:\Program Files\ESPNRunTime\DIGServices.exe C:\Program Files\SiteAdvisor\6253\SiteAdv.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Apoint2K\Apntex.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\SiteAdvisor\6253\SAService.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jmu.edu/jmuweb/students/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24 O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 7264 bytes Thanks for all of the help....how is it looking to you?

Rorschach112 View Member Profile	Feb 18 2008, 06:29 PM Post #10
GeekU Teacher Posts: 34,385 From: Dublin OS: XP	Looks perfect, few things to do Now lets uninstall Combofix: Click START then RUN Now type Combofix /u in the runbox and click OK The above procedure will do the following: Delete ComboFix and its associated files and folders. Delete VundoFix backups, if present Delete the C:\Deckard folder, if present Delete the C:_OtMoveIt folder, if present Reset the clock settings. Hide file extensions, if required. Hide System/Hidden files, if required. Reset System Restore. You now need to update your Java and remove your older versions. Please follow these steps to remove older version Java components. * Click Start > Control Panel. * Click Add/Remove Programs. * Check any item with Java Runtime Environment (JRE) in the name. * Click the Remove or Change/Remove button. Download the latest version of Java Runtime Environment (JRE), and install it to your computer from here Below I have included a number of recommendations for how to protect your computer against malware infections. * Keep Windows updated by regularly checking their website at : http://windowsupdate.microsoft.com/ This will ensure your computer has always the latest security updates available installed on your computer. * To reduce re-infection for malware in the future, I strongly recommend installing these free programs: SpywareBlaster protects against bad ActiveX IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all Have a look at this tutorial for IE-Spyad here * SpywareGuard offers realtime protection from spyware installation attempts. Make Internet Explorer more secure Click Start > Run Type Inetcpl.cpl & click OK Click on the Security tab Click Reset all zones to default level Make sure the Internet Zone is selected & Click Custom level In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable". Next Click OK, then Apply button and then OK to exit the Internet Properties page. * MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future. * Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here * Take a good look at the following suggestions for malware prevention by reading Tony Klein�s article 'How Did I Get Infected In The First Place' Here Thank you for your patience, and performing all of the procedures requested.

cweezy24 View Member Profile	Feb 18 2008, 07:14 PM Post #11
New Member Posts: 8 OS: Windows XP	Thank you for all of your help!!! It's a miracle what you guys can do for users like me across the world. I am very pleased with your patience and help. The system seems to be running fine. I have a few questions. Well, I just downloaded the recommended programs to prevent future infection, but as of now I have a cluttered desktop from many programs I have downloaded to remove the virus. What do you recommend I do with the following programs - If you would like me to keep them, How do I use them together or how do I keep them updated and effecient? AVG Anti Spyware DSS SuperAntiSpyware Free Edition Hijack This Malwarebtyes' Anti Malware Thank so much for all of the recommendations.

Rorschach112 View Member Profile	Feb 18 2008, 07:16 PM Post #12
GeekU Teacher Posts: 34,385 From: Dublin OS: XP	Hello Keep these ones if you wish, I would keep two of them myself AVG Anti Spyware SuperAntiSpyware Free Edition Malwarebtyes' Anti Malware Remove DSS HijackThis All you will need to do is keep them updated and run them occasionally Let me know if you have any more questions

cweezy24 View Member Profile	Feb 18 2008, 07:28 PM Post #13
New Member Posts: 8 OS: Windows XP	I will keep the ones you recommended. Also, the spyware guard you told me to download hasn't updated definitions since 2004 - should I still keep this? Thanks for all the help!

Rorschach112 View Member Profile	Feb 18 2008, 07:32 PM Post #14
GeekU Teacher Posts: 34,385 From: Dublin OS: XP	Yes keep SpywareGuard It uses heuristics so it doesn't have to download updates to work. It is one of the most important programs. Any more questions ?

cweezy24 View Member Profile	Feb 18 2008, 09:44 PM Post #15
New Member Posts: 8 OS: Windows XP	no more questions - your help is above and beyond expectations I am very grateful and I will recommend this site to everyone! Thanks so much for the help! God Bless

« Next Oldest · Virus, Spyware and Trojan Removal · Next Newest »

2 Pages

1 2 >

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Topic Title	Replies / Views	Topic Information
Virus, Spyware and Trojan Removal Help Please - Win32:TratBHO [trj] [RESOLVED]	7 / 666	6th February 2008 - 06:19 PM rd4everanime started - last by Rorschach112
Virus, Spyware and Trojan Removal HELP: Win32: TratBHO [Trj] [RESOLVED] 12	23 / 1,046	13th May 2008 - 10:41 AM becca_hoo started - last by ScHwErV
Virus, Spyware and Trojan Removal PLEASE HELP WITH VIRUS - POSSIBLY WINFIXER AND .WIN32 [RESOLVED] 12	17 / 1,072	13th June 2008 - 09:39 AM ralfcam started - last by greyknight17
Virus, Spyware and Trojan Removal Please Help with Virus Removal [RESOLVED] 12	21 / 1,594	26th June 2008 - 04:59 PM cervada started - last by loophole