Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Help needed with passion.com, forexcenter popups


  • This topic is locked This topic is locked

#1
xtc_bowling

xtc_bowling

    Member

  • Member
  • PipPip
  • 10 posts
I have used Bitdefeder and AVG anti-spyware to scan but they still keep randomly coming back.
Your assistance would be greatly appreciated.



Logfile of HijackThis v1.99.1
Scan saved at 9:10:40, on 16/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EP.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\progra~1\softwin\bitdef~1\bdnagent.exe
C:\progra~1\softwin\bitdef~1\bdswitch.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\ABK\abk.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\WordWeb\wweb32.exe
c:\progra~1\intern~1\iexplore.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
c:\progra~1\softwin\bitdef~1\bdmcon.exe
C:\Program Files\totalcmd\TOTALCMD.EXE
C:\Program Files\HijackThis\Analyse.exe

O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: iFinger plugin / Browser helper object - {A114D52B-870C-4F15-8021-B6D7F91A054B} - C:\PROGRA~1\iFinger\plugins\IE.ifp
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [EPSON Stylus CX6500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EP.EXE /P26 "EPSON Stylus CX6500 Series" /O5 "LPT1:" /M "Stylus CX6500"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ShareAlarmPro] C:\Program Files\Nsasoft\ShareAlarmPro\ShareAlarmPro.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\SOFTWIN\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "c:\progra~1\softwin\bitdef~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "c:\progra~1\softwin\bitdef~1\bdswitch.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ABK] C:\Program Files\ABK\abk.exe /q
O4 - HKCU\..\Run: [Tons Grid] C:\DOCUME~1\ADMINI~1\APPLIC~1\COMPAX~1\eq corn audio.exe
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: ส่&งออกไปยัง Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.can.com.sg/mwf/mgaxctrl.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - https://java.sun.com...indows-i586.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{393D00FA-2980-4B9F-BECF-039DD512E22E}: NameServer = 203.144.255.71,203.144.255.72
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
  • 0

Advertisements


#2
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  • 0

#3
xtc_bowling

xtc_bowling

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Thank you very much, this is the combofix report:

Administrator - 06-11-17 8:52:28.87 Service Pack 2
ComboFix 06.11.9 - Running from: "D:\Download\Utilities\Anit-Spyware"

((((((((((((((((((((((((((((((( Files Created from 2006-10-17 to 2006-11-17 ))))))))))))))))))))))))))))))))))


2006-11-16 16:27 630,784 -ra------ C:\WINDOWS\system32\drivers\cfosspeed.sys
2006-11-16 16:26 270,336 --a------ C:\WINDOWS\system32\cfosspeed.dll
2006-11-15 11:29 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-13 21:48 18,030 --a------ C:\WINDOWS\system32\drivers\DeskLock.sys
2006-11-13 21:36 90,112 --a------ C:\WINDOWS\system32\TLDL.DLL
2006-11-03 15:57 223,128 --a------ C:\WINDOWS\system32\drivers\vaxscsi.sys
2006-11-03 15:49 96,256 --a------ C:\WINDOWS\system32\drivers\sptd3197.sys
2006-11-03 15:49 642,560 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2006-10-21 15:38 24,072 --a------ C:\WINDOWS\system32\uxtuneup.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-16 17:11 -------- d-------- C:\Program Files\Desktop Lock
2006-11-16 16:26 -------- d-------- C:\Program Files\cFosSpeed
2006-11-15 11:29 -------- d-------- C:\Program Files\Grisoft
2006-11-13 09:31 73728 --a------ C:\WINDOWS\system32\sockspy.dll
2006-11-13 09:31 459 --a------ C:\Program Files\INSTALL.LOG
2006-11-13 09:30 77824 --a------ C:\WINDOWS\system32\xcomm.dll
2006-11-13 09:17 -------- d-------- C:\Program Files\Softwin
2006-11-13 09:16 -------- d-------- C:\Program Files\Common Files\Softwin
2006-11-09 11:35 -------- d-------- C:\Program Files\Datel
2006-11-09 11:00 86094 --a------ C:\WINDOWS\BPMNT.dll
2006-11-09 11:00 71749 --a------ C:\WINDOWS\hcextoutput.dll
2006-11-09 11:00 176709 --a------ C:\WINDOWS\tsc.exe
2006-11-09 11:00 1101904 --a------ C:\WINDOWS\vsapi32.dll
2006-11-07 15:39 -------- d-------- C:\Program Files\Comp Axis Pile
2006-11-07 15:39 -------- d-------- C:\Program Files\Anti-Leech
2006-11-07 15:39 -------- d-------- C:\Documents and Settings\Administrator\Application Data\NetPumper
2006-11-07 15:39 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Comp Axis Pile
2006-11-07 15:38 -------- d-------- C:\Program Files\NetPumper
2006-11-07 14:55 34308 --a------ C:\WINDOWS\system32\BASSMOD.dll
2006-10-27 13:32 -------- d-------- C:\Program Files\ZSoft
2006-10-25 16:04 -------- d-------- C:\Program Files\WIDCOMM
2006-10-17 15:15 -------- d-------- C:\Program Files\BitComet
2006-10-16 10:34 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2006-10-16 10:34 249856 --------- C:\WINDOWS\Setup1.exe
2006-10-07 15:20 -------- d-------- C:\Program Files\Radmin
2006-10-06 14:01 -------- d-------- C:\Program Files\Super Mp3 Recorder Professional
2006-10-05 09:22 -------- d-------- C:\Program Files\FengShui
2006-10-03 17:42 -------- d-------- C:\Program Files\Remote Control Pro
2006-10-02 15:46 -------- d-------- C:\Program Files\Microsoft.NET
2006-10-02 15:29 102608 --a------ C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2006-09-28 11:48 -------- d-------- C:\Program Files\SmartForm
2006-09-28 11:14 737280 --a------ C:\WINDOWS\iun6002.exe
2006-09-28 09:29 -------- d-------- C:\Program Files\InvProDemo
2006-09-27 17:08 4518 --a------ C:\WINDOWS\system32\drivers\U3SHLPDR200.SYS
2006-09-26 16:11 -------- d-------- C:\Program Files\Pointasia
2006-09-26 10:46 -------- d-------- C:\Program Files\CD Catalog Expert
2006-09-22 13:36 -------- d-------- C:\Program Files\Solveig Multimedia
2006-09-21 11:51 -------- d-------- C:\Program Files\Ultra Video Splitter
2006-09-19 13:13 -------- d-------- C:\Program Files\Java
2006-09-19 13:09 98304 --a------ C:\WINDOWS\system32\hpzjsn01.dll
2006-09-19 13:09 73728 --a------ C:\WINDOWS\system32\hptcpmib.dll
2006-09-19 13:09 28672 --a------ C:\WINDOWS\system32\hpzjfw01.dll
2006-09-19 13:09 204800 --a------ C:\WINDOWS\system32\hptcpmui.dll
2006-09-19 13:09 155648 --a------ C:\WINDOWS\system32\hptcpmon.dll
2006-09-19 13:09 139264 --a------ C:\WINDOWS\system32\hpzjrd01.dll
2006-09-15 14:09 36864 --a------ C:\WINDOWS\system32\dlep.dll
2006-09-13 13:06 284 --a------ C:\Documents and Settings\Administrator\Application Data\ViewerApp.dat
2006-09-13 12:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-13 11:43 50 --a------ C:\AUTOEXEC.BAT
2006-09-11 14:15 120832 --a------ C:\WINDOWS\G723_LT.DLL
2006-08-25 22:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 19:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 16:14 23040 --a------ C:\WINDOWS\system32\fltMc.exe
2006-08-17 21:08 4 --a------ C:\WINDOWS\system32\msvcrt53.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""
"Tons Grid"="C:\\DOCUME~1\\ADMINI~1\\APPLIC~1\\COMPAX~1\\eq corn audio.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"EPSON Stylus CX6500 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9EP.EXE /P26 \"EPSON Stylus CX6500 Series\" /O5 \"LPT1:\" /M \"Stylus CX6500\""
"SoundMan"="SOUNDMAN.EXE"
"AlcWzrd"="ALCWZRD.EXE"
"Alcmtr"="ALCMTR.EXE"
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"FinePrint Dispatcher v5"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\fpdisp5a.exe"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ShareAlarmPro"="C:\\Program Files\\Nsasoft\\ShareAlarmPro\\ShareAlarmPro.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_05\\bin\\jusched.exe"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\isuspm.exe -startup"
"BDMCon"="C:\\PROGRA~1\\SOFTWIN\\BITDEF~1\\bdmcon.exe"
"BDOESRV"="\"C:\\Program Files\\Softwin\\BitDefender9\\bdoesrv.exe\""
"BDNewsAgent"="\"c:\\progra~1\\softwin\\bitdef~1\\bdnagent.exe\""
"BDSwitchAgent"="\"c:\\progra~1\\softwin\\bitdef~1\\bdswitch.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"cFosSpeed"="C:\\Program Files\\cFosSpeed\\cFosSpeed.exe"
"Desktop Lock Loader"="C:\\Program Files\\Desktop Lock\\DLoader.exe /boot"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"=dword:00000000
"DisableLockWorkstation"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"tunebite.exe"="C:\\Program Files\\tunebite\\tunebite.exe -hidden"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"Desktop Lock Express"="\"C:\\DOCUMENTS AND SETTINGS\\ADMINISTRATOR\\DESKTOP\\UTILITIES\\DTLEP.EXE\" /B"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"WLockUp"="C:\\Program Files\\WLockUp\\wlock.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\{4D36E96B-E325-11CE-BFC1-08002BE10818}
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\{4D36E96F-E325-11CE-BFC1-08002BE10818}

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\{C925C3DF-E859-44B2-8FCE-774424BCEE80}_PU-106_Administrator.job
C:\WINDOWS\tasks\{C918F6F4-F745-40DB-AB6C-E87987CA7061}_PU-106_Administrator.job
C:\WINDOWS\tasks\{A40C535B-266D-4EFE-8B38-D00C256EBF14}_PU-106_Administrator.job
C:\WINDOWS\tasks\81427E918509F605.job

Completion time: 06-11-17 8:53:28.65
C:\ComboFix.txt ... 06-11-17 08:53
  • 0

#4
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi :whistling:

Please run a scan with HijackThis and check the following lines for removal:

O4 - HKCU\..\Run: [Tons Grid] C:\DOCUME~1\ADMINI~1\APPLIC~1\COMPAX~1\eq corn audio.exe

Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.


Please open Notepad, and copy/paste the code in the white box below into a new text file. Save it as "delete.bat" WITH THE QUOTES and save it on your Desktop.

attrib -s -r -h "C:\Documents and Settings\Administrator\Application Data\Comp Axis Pile\*.*"
rd /q /s "C:\Documents and Settings\Administrator\Application Data\Comp Axis Pile"
attrib -s -r -h "C:\Program Files\Comp Axis Pile\*.*"
rd /q /s "C:\Program Files\Comp Axis Pile"
attrib -s -r -h "C:\DOCUME~1\ADMINI~1\APPLIC~1\COMPAX~1\*.*"
rd /q /s "C:\DOCUME~1\ADMINI~1\APPLIC~1\COMPAX~1"
attrib -s -r -h "C:\WINDOWS\tasks\81427E918509F605.job"
del /q "C:\WINDOWS\tasks\81427E918509F605.job"
attrib -s -r -h "C:\WINDOWS\iun6002.exe"
del /q "C:\WINDOWS\iun6002.exe"
quit

after saving as instructed above, please close notepad. You will now have a file on your desktop called delete.bat. Dont do anything with it yet

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

Please double click the delete.bat file we created eearlier and allow it to run. It will only take a second or two

Clean out your Temporary Internet files. Proceed as follows:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.

Reboot

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new hijackthis log.

  • 0

#5
xtc_bowling

xtc_bowling

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
When I going into Safe Mode up where windows ask whether I would like to use system restore or not dialogue box; I was not able to use my mouse or keyboard at all. With no otherchoice I had to pull the plug. I have tried both Safe Mode and Safe Mode with Network Suppoort both the same result. :whistling:

Can I run the "delete.bat" from command prompt instead? Or should I use some of those miniPe CD to boot in order run "delete.bat" and clear the IE history?
  • 0

#6
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi

Are you saying you cant get into safemode at all or can you get into safemode but when it loads all of your stuff the mouse and keyboard dont work. Actually if you did the fix with hijack and rebooted you could probably run it in normal windows. Give it a try and post a new combofix and hijack log and lets see if it worked :whistling:
  • 0

#7
xtc_bowling

xtc_bowling

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Yes, after lots of loading this dialogue just popup asking whether I would like to use system resore or continue using safe mode (yes) (no) with "safe mode" at each corner. At this point mouse and keyboard are unusable.

Anyway, I have deleted the line "eq corn audio.exe" using Hijack This, reboot into Normal mode then ran the "delete.bat". Cleared the internet temporary files etc. and Reboot

Here are the logs:
Logfile of HijackThis v1.99.1
Scan saved at 16:01:41, on 18/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\cFosSpeed\spd.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EP.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\PROGRA~1\SOFTWIN\BITDEF~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\PROGRA~1\SOFTWIN\BITDEF~1\bdnagent.exe
C:\PROGRA~1\SOFTWIN\BITDEF~1\bdswitch.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\Desktop Lock\DLoader.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Desktop Lock\DLoader.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\totalcmd\TOTALCMD.EXE
C:\Program Files\HijackThis\Analyse.exe

O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: iFinger plugin / Browser helper object - {A114D52B-870C-4F15-8021-B6D7F91A054B} - C:\PROGRA~1\iFinger\plugins\IE.ifp
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [EPSON Stylus CX6500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EP.EXE /P26 "EPSON Stylus CX6500 Series" /O5 "LPT1:" /M "Stylus CX6500"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ShareAlarmPro] C:\Program Files\Nsasoft\ShareAlarmPro\ShareAlarmPro.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\SOFTWIN\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\PROGRA~1\SOFTWIN\BITDEF~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\PROGRA~1\SOFTWIN\BITDEF~1\bdswitch.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [Desktop Lock Loader] C:\Program Files\Desktop Lock\DLoader.exe /boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: ส่&งออกไปยัง Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.can.com.sg/mwf/mgaxctrl.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - https://java.sun.com...indows-i586.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{393D00FA-2980-4B9F-BECF-039DD512E22E}: NameServer = 203.144.255.71,203.144.255.72
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - Unknown owner - C:\Program Files\cFosSpeed\spd.exe" -service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)



------------------------------------------------------------------------------------------------------

Administrator - 06-11-18 16:02:16.03 Service Pack 2
ComboFix 06.11.9 - Running from: "D:\Download\Utilities\Anit-Spyware"

((((((((((((((((((((((((((((((( Files Created from 2006-10-18 to 2006-11-18 ))))))))))))))))))))))))))))))))))


2006-11-16 16:27 630,784 -ra------ C:\WINDOWS\system32\drivers\cfosspeed.sys
2006-11-16 16:26 270,336 --a------ C:\WINDOWS\system32\cfosspeed.dll
2006-11-15 11:29 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-13 21:48 18,030 --a------ C:\WINDOWS\system32\drivers\DeskLock.sys
2006-11-13 21:36 90,112 --a------ C:\WINDOWS\system32\TLDL.DLL
2006-11-04 14:14 1,245,696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-03 15:57 223,128 --a------ C:\WINDOWS\system32\drivers\vaxscsi.sys
2006-11-03 15:49 96,256 --a------ C:\WINDOWS\system32\drivers\sptd3197.sys
2006-11-03 15:49 642,560 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2006-10-21 15:38 24,072 --a------ C:\WINDOWS\system32\uxtuneup.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-17 11:01 -------- d-------- C:\Program Files\MSXML 4.0
2006-11-16 17:11 -------- d-------- C:\Program Files\Desktop Lock
2006-11-16 16:26 -------- d-------- C:\Program Files\cFosSpeed
2006-11-15 11:29 -------- d-------- C:\Program Files\Grisoft
2006-11-13 09:31 73728 --a------ C:\WINDOWS\system32\sockspy.dll
2006-11-13 09:31 459 --a------ C:\Program Files\INSTALL.LOG
2006-11-13 09:30 77824 --a------ C:\WINDOWS\system32\xcomm.dll
2006-11-13 09:17 -------- d-------- C:\Program Files\Softwin
2006-11-13 09:16 -------- d-------- C:\Program Files\Common Files\Softwin
2006-11-09 11:35 -------- d-------- C:\Program Files\Datel
2006-11-09 11:00 86094 --a------ C:\WINDOWS\BPMNT.dll
2006-11-09 11:00 71749 --a------ C:\WINDOWS\hcextoutput.dll
2006-11-09 11:00 176709 --a------ C:\WINDOWS\tsc.exe
2006-11-09 11:00 1101904 --a------ C:\WINDOWS\vsapi32.dll
2006-11-07 15:39 -------- d-------- C:\Program Files\Anti-Leech
2006-11-07 15:39 -------- d-------- C:\Documents and Settings\Administrator\Application Data\NetPumper
2006-11-07 15:38 -------- d-------- C:\Program Files\NetPumper
2006-11-07 14:55 34308 --a------ C:\WINDOWS\system32\BASSMOD.dll
2006-10-27 13:32 -------- d-------- C:\Program Files\ZSoft
2006-10-25 16:04 -------- d-------- C:\Program Files\WIDCOMM
2006-10-17 15:15 -------- d-------- C:\Program Files\BitComet
2006-10-16 10:34 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2006-10-16 10:34 249856 --------- C:\WINDOWS\Setup1.exe
2006-10-13 19:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 19:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 19:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-13 17:23 163584 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys
2006-10-07 15:20 -------- d-------- C:\Program Files\Radmin
2006-10-06 14:01 -------- d-------- C:\Program Files\Super Mp3 Recorder Professional
2006-10-05 09:22 -------- d-------- C:\Program Files\FengShui
2006-10-03 17:42 -------- d-------- C:\Program Files\Remote Control Pro
2006-10-02 15:46 -------- d-------- C:\Program Files\Microsoft.NET
2006-10-02 15:29 102608 --a------ C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2006-09-28 11:48 -------- d-------- C:\Program Files\SmartForm
2006-09-28 09:29 -------- d-------- C:\Program Files\InvProDemo
2006-09-27 17:08 4518 --a------ C:\WINDOWS\system32\drivers\U3SHLPDR200.SYS
2006-09-26 16:11 -------- d-------- C:\Program Files\Pointasia
2006-09-26 10:46 -------- d-------- C:\Program Files\CD Catalog Expert
2006-09-22 13:36 -------- d-------- C:\Program Files\Solveig Multimedia
2006-09-21 11:51 -------- d-------- C:\Program Files\Ultra Video Splitter
2006-09-19 13:13 -------- d-------- C:\Program Files\Java
2006-09-19 13:09 98304 --a------ C:\WINDOWS\system32\hpzjsn01.dll
2006-09-19 13:09 73728 --a------ C:\WINDOWS\system32\hptcpmib.dll
2006-09-19 13:09 28672 --a------ C:\WINDOWS\system32\hpzjfw01.dll
2006-09-19 13:09 204800 --a------ C:\WINDOWS\system32\hptcpmui.dll
2006-09-19 13:09 155648 --a------ C:\WINDOWS\system32\hptcpmon.dll
2006-09-19 13:09 139264 --a------ C:\WINDOWS\system32\hpzjrd01.dll
2006-09-15 14:09 36864 --a------ C:\WINDOWS\system32\dlep.dll
2006-09-13 13:06 284 --a------ C:\Documents and Settings\Administrator\Application Data\ViewerApp.dat
2006-09-13 12:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-13 11:43 50 --a------ C:\AUTOEXEC.BAT
2006-09-11 14:15 120832 --a------ C:\WINDOWS\G723_LT.DLL
2006-08-25 22:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 19:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 16:14 23040 --a------ C:\WINDOWS\system32\fltMc.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"EPSON Stylus CX6500 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9EP.EXE /P26 \"EPSON Stylus CX6500 Series\" /O5 \"LPT1:\" /M \"Stylus CX6500\""
"SoundMan"="SOUNDMAN.EXE"
"AlcWzrd"="ALCWZRD.EXE"
"Alcmtr"="ALCMTR.EXE"
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"FinePrint Dispatcher v5"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\fpdisp5a.exe"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ShareAlarmPro"="C:\\Program Files\\Nsasoft\\ShareAlarmPro\\ShareAlarmPro.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_05\\bin\\jusched.exe"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\isuspm.exe -startup"
"BDMCon"="C:\\PROGRA~1\\SOFTWIN\\BITDEF~1\\bdmcon.exe"
"BDOESRV"="\"C:\\Program Files\\Softwin\\BitDefender9\\bdoesrv.exe\""
"BDNewsAgent"="\"C:\\PROGRA~1\\SOFTWIN\\BITDEF~1\\bdnagent.exe\""
"BDSwitchAgent"="\"C:\\PROGRA~1\\SOFTWIN\\BITDEF~1\\bdswitch.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"cFosSpeed"="C:\\Program Files\\cFosSpeed\\cFosSpeed.exe"
"Desktop Lock Loader"="C:\\Program Files\\Desktop Lock\\DLoader.exe /boot"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"=dword:00000000
"DisableLockWorkstation"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"tunebite.exe"="C:\\Program Files\\tunebite\\tunebite.exe -hidden"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"Desktop Lock Express"="\"C:\\DOCUMENTS AND SETTINGS\\ADMINISTRATOR\\DESKTOP\\UTILITIES\\DTLEP.EXE\" /B"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"WLockUp"="C:\\Program Files\\WLockUp\\wlock.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\{4D36E96B-E325-11CE-BFC1-08002BE10818}
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\{4D36E96F-E325-11CE-BFC1-08002BE10818}

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\{C925C3DF-E859-44B2-8FCE-774424BCEE80}_PU-106_Administrator.job
C:\WINDOWS\tasks\{C918F6F4-F745-40DB-AB6C-E87987CA7061}_PU-106_Administrator.job
C:\WINDOWS\tasks\{A40C535B-266D-4EFE-8B38-D00C256EBF14}_PU-106_Administrator.job

Completion time: 06-11-18 16:03:11.85
C:\ComboFix2.txt ... 06-11-18 15:43
C:\ComboFix3.txt ... 06-11-17 08:53
C:\ComboFix.txt ... 06-11-18 16:03
  • 0

#8
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Great, It worked fine. :whistling:

Go ahead and run the Panda scan as noted above and we can try to finish this one up.
  • 0

#9
xtc_bowling

xtc_bowling

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
yes, this is the Panda Scan report


Incident Status Location

Adware:adware/transponder Not disinfected Windows Registry
Dialer:dialer.asl Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0D62A517-E7C6-4E1F-A577-07D4AC549A48}
Adware:adware/azesearch Not disinfected Windows Registry
Adware:adware/powerstrip Not disinfected Windows Registry
Adware:adware/wupd Not disinfected Windows Registry
Adware:adware/ist.istbar Not disinfected Windows Registry
Possible Virus. Not disinfected D:\Download\Utilities\Anit-Spyware\StartupList.exe
Possible Virus. Not disinfected D:\Download\Utilities\Anit-Spyware\startuplist.zip[StartupList.exe]
  • 0

#10
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi :whistling:

Sorry for the lengthy delay.

Most of the stuff is orphaned registry entries which will take forever to find without the location. They are harmless

Click start>>>>run then copy and paste the text below into the runbox and then click OK

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0D62A517-E7C6-4E1F-A577-07D4AC549A48}" /f

How is everything running?
  • 0

#11
xtc_bowling

xtc_bowling

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Terrific :whistling:
No more popups, computer running smoothly now.

Thank you so much for your assistance.
  • 0

#12
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
your welcome :whistling:
  • 0

#13
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP