
Need Logs Analyzed - Multiple Trojans and Downloaders [RESOLVED]



#1 greystreet33 (New Member, 4 posts)
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:24:28 PM 7/17/2007

+ Scan result:

HKLM\SOFTWARE\Classes\WR -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\runner1 -> Adware.Generic : Cleaned with backup (quarantined).
C:\WINDOWS\tk58.exe -> Adware.ZQuest : Cleaned with backup (quarantined).
C:\WINDOWS\system32\X3\w73r.exe -> Downloader.Small.eqn : Cleaned with backup (quarantined).
C:\WINDOWS\system32\isymbddy.exe -> Downloader.Tiny.id : Cleaned with backup (quarantined).
C:\WINDOWS\system32\qfgmgxwn.exe -> Downloader.Tiny.id : Cleaned with backup (quarantined).
C:\WINDOWS\system32\o09PrEz\o09PrEz1099.exe -> Downloader.VB.awj : Cleaned with backup (quarantined).
:mozilla.19:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.24:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.25:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.26:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.33:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.162:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.163:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.64:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.66:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.67:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.81:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.86:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.87:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.74:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.75:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.76:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.77:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.78:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.123:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.208:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned.
:mozilla.142:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.211:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Cnn : Cleaned.
:mozilla.175:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.207:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned.
:mozilla.59:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned.
:mozilla.37:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.151:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.79:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.84:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.182:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.183:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.184:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.185:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.187:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.188:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.127:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.128:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.60:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.61:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.62:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.63:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.138:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.8:C:\Documents and Settings\SBurdick\Application Data\Mozilla\Firefox\Profiles\4dand9py.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.201:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.164:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.165:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.166:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.167:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.97:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.98:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.124:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.125:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.23:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.31:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.32:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.34:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.35:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.154:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.152:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.41:C:\Documents and Settings\SBurdick\Application Data\Mozilla\Firefox\Profiles\4dand9py.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.42:C:\Documents and Settings\SBurdick\Application Data\Mozilla\Firefox\Profiles\4dand9py.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.43:C:\Documents and Settings\SBurdick\Application Data\Mozilla\Firefox\Profiles\4dand9py.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.44:C:\Documents and Settings\SBurdick\Application Data\Mozilla\Firefox\Profiles\4dand9py.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.45:C:\Documents and Settings\SBurdick\Application Data\Mozilla\Firefox\Profiles\4dand9py.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.70:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.83:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.85:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.216:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.132:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.133:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.47:C:\Documents and Settings\SBurdick\Application Data\Mozilla\Firefox\Profiles\4dand9py.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.69:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.198:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.71:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.72:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.73:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.80:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.139:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7rzvjwbr.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
::Report end

################################################################################
###############################################################

SUPERAntiSpyware Scan Log
Generated 07/17/2007 at 11:54 PM

Application Version : 3.6.1000

Core Rules Database Version : 3270
Trace Rules Database Version: 1281

Scan type : Complete Scan
Total Scan Time : 01:22:24

Memory items scanned : 467
Memory threats detected : 1
Registry items scanned : 6155
Registry threats detected : 0
File items scanned : 89579
File threats detected : 8

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\XRWXNGSE.DLL
C:\WINDOWS\SYSTEM32\XRWXNGSE.DLL

Trojan.WinAntiSpyware/WinAntiVirus 2006/2007
C:\WINDOWS\system32\drivers\FOPN.sys
C:\WINDOWS\system32\stera.exe

Trojan.Downloader-Gen/TStamp
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP2\A0000022.EXE

Adware.Vundo/Traff-2
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP2\A0000023.EXE

Trojan.Downloader-Gen/BundleBase
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP2\A0000024.EXE

Trojan.ZQuest-Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP2\A0000026.EXE

Trojan.Downloader-WebBuying/PopEngine
C:\WINDOWS\SYSTEM32\MAWWIXW.DLL
################################################################################
###############################################################

Logfile of HijackThis v1.99.1
Scan saved at 8:00:28 AM, on 7/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\LOGI_MWX.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\pageant.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.mywa...idebar.jsp?p=DE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2696b37b-7e53-438b-abf6-72723a5975f8} - C:\WINDOWS\system32\mawwixw.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Tweak UI] "RUNDLL32.EXE" TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QBReminderFlash] "C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe"
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] "C:\Program Files\Picasa2\PicasaMediaDetector.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Program Files\FileZilla Server\FileZilla Server Interface.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.7.8\webbuying.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Mozilla Thunderbird.lnk = C:\Program Files\Mozilla Thunderbird\thunderbird.exe
O4 - Startup: pageant.exe.lnk = C:\WINDOWS\system32\pageant.exe
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)
################################################################################
###############################################################

HJT UNINSTALL LIST

A.F.5 Rename your files 1.1
Ad-Aware SE Personal
Adobe Audition 2.0
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 7.0.8
Adobe Stock Photos 1.0
Adobe® Photoshop® Album Starter Edition 3.0
AIM 6
AIM Gadgets 2.8
Alt-Tab Task Switcher Powertoy for Windows XP
AOL Instant Messenger
AOLIcon
Apple Software Update
Aspell English Dictionary-0.50-2
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AuthorScript Engine 1.0
AVG Anti-Spyware 7.5
Azureus
BitTornado 0.3.7
BootSkin
ClamWin Free Antivirus 0.90.2.1 (RC2)
Conexant D850 56K V.9x DFVc Modem
Creative MediaSource
DAO
Dell Driver Reset Tool
Dell Photo Printer 720
Dell Picture Studio v3.0
Digital Line Detect
DVD Decrypter (Remove Only)
DVD Shrink 3.2
Exact Audio Copy 0.95b3
FastStone Photo Resizer 1.4
FileZilla (remove only)
FLAC Installer 1.1.2a (remove only)
foobar2000 v0.9.4.3
Freedom Security & Privacy
GNU Aspell 0.50-3
Google Desktop
Google Desktop System Monitor Plugin
Google Earth
GTK+ Runtime 2.10.7 rev a (remove only)
High Definition Audio Driver Package - KB835221
Hijackthis 1.99.1
HijackThis 1.99.1
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Image Resizer Powertoy for Windows XP
Intel® PRO Network Connections Software v9.2.4.11
Intel® PROSafe for Wired Connections
Intel® PROSafe for Wired Connections
Internet Explorer Default Page
iPod for Windows 2005-03-23
iPod for Windows 2006-01-10
iTunes
Jasc Paint Shop Pro Studio, Dell Editon
Java 2 Runtime Environment, SE v1.4.2_03
Linksys Wireless-G USB Network Adapter
Logitech MouseWare 9.79.1
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Fireworks MX
Macromedia Flash MX
Macromedia Flash Player
Macromedia FreeHand 10
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1 (SR1)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft RAW Image Thumbnailer and Viewer for Windows XP Version 1.0 (Build 50)
Modem Helper
Mozilla Firefox (2.0.0.4)
Mozilla Thunderbird (2.0.0.4)
MSXML 4.0 SP2 (KB927978)
Multiple Image Resizer .NET
Musicmatch for Windows Media Player
Musicmatch® Jukebox
Nero 6 Ultra Edition
NetWaiting
Picasa 2
PowerDVD 5.5
QuickBooks Simple Start Special Edition
QuickTime
Rainlendar (remove only)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
SHOUTcast DNAS (remove only)
SHOUTcast Source DSP 1.9.0 (remove only)
SmartFTP Client
SmartFTP Client 2.0
SmartFTP Client 2.0 Setup Files (remove only)
SoftSound Shorten for Windows 2.3b
Sonic DLA
Sonic Encoders
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sound Blaster Live! 24-bit
Spelling Dictionaries For Adobe Reader Package
Spy Sweeper
Spybot - Search & Destroy 1.4
SUPERAntiSpyware Free Edition
TaxCut Deluxe 2005
TightVNC 1.2.9
TitanTV Client components for ATI
Tweak UI
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB936357)
VideoLAN VLC media player 0.8.2
Viewpoint Media Player
WebCyberCoach 3.2 Dell
Winamp (remove only)
Windows Defender
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Player 10
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
WinRAR archiver
WinZip
WordPerfect Office 12
Yahoo! Install Manager
Yahoo! Widgets
  • 0



#2
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello greystreet33 and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

ALL staff here at Geeks To Go are volunteers, please bear that in mind if I don’t answer your post as quickly as you’d like; I give what time I can.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PC’s (family PC’s) present a different problem; please tell me if your PC has more than one individual’s setting, but continue with the fix.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions! (Click the Options drop down near the upper right of the topic. Select Print this topic.)

You have a mixture of malware with Trojans. Let’s see what we can do.

I see a reference to McAfee antivirus but no confirmation that it is running. Have you tried to uninstall this programme? If not, you need to install it again or download another AV programme from this list:

Firstly, could you please disable Windows Defender from running during the fix; it may just hinder our attempts to change anything. Open Windows Defender, click Tools, click Options, under Real-time protection options, clear the Use real-time protection check box, then click Save.

Please disable SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean. To disable SpySweeper: open it, click Options over to the left, then Program options, and uncheck "load at windows startup". Over to the left click "shields" and uncheck all there. Uncheck "home page shield". Uncheck "automatically restore default without notification".

Also please disable AVGas Guard from running for the same reason. Right click on the multicoloured icon with an S, in the taskbar (near the clock) and uncheck Resident Shield. The icon will change to a grey colour.

When your PC has been declared clean, please only enable one of those three programmes to run in real-time. All others should be used as “on demand” scanners. Having more than one antispyware programme running in real-time will cause slowness and even conflicts.

If you have Windows automatic updates enabled, it might be wise for you to disable this feature for the time being as we might get a reboot at an inopportune moment. Please go to the automatic updates applet in the control panel and disable them.

To start, please download the following programmes; we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

OTMoveIt by OldTimer.
combofix.exe
CCleaner

Updating Java and Clearing Cache
  • Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
    Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
  • If you are unable to update you can manually update by going here:
  • After the reboot, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 Checked:
    Downloaded Applets
    Downloaded Applications
    Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.
There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I recommend that you run CCleaner. Install it, check the default setting in the left-hand pane, ensure you uncheck old prefetch data found under the Windows tab, then click Analyze > Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues, then Scan for issues, then Fix selected issues. This should also speed up any scans necessary.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {2696b37b-7e53-438b-abf6-72723a5975f8} - C:\WINDOWS\system32\mawwixw.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.7.8\webbuying.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

Now close all windows other than HiJackThis, then click Fix Checked.

Please remove these entries from Add/Remove Programs in the Control Panel (if present; click Start > Settings > Control Panel):

Azureus
BitTornado 0.3.7
Java 2 Runtime Environment, SE v1.4.2_03
Viewpoint Media Player

Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\svhost.exe
    C:\Program Files\Common Files\WinAntiSpyware 2007
    C:\WINDOWS\poolsv.exe
    C:\Program Files\WinPop
    C:\Program Files\Web Buying


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
*If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
**If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at:
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")


Click "Exit" to close OTMoveIt.

Double click combofix.exe & follow the prompts.

When it has finished, it will produce a log called ComboFix.txt. Please post that log in your next reply. You should find it at C:\ComboFix.txt

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Post back a fresh HijackThis log (from normal mode) and I will take another look.
  • 0
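The fix list above rests on a handful of recurring tells in HijackThis output: nameless O2/O3/O9 entries whose backing file is gone, Run entries whose executable sits loose in C:\WINDOWS, and names one character away from a real system binary (svhost vs svchost, poolsv vs spoolsv). The following script is an added example, not code from the thread, the helper, or the HijackThis project; it applies those checks to HijackThis v1.99-style lines. The list of system binaries is a constructed assumption, the unwanted product names are the ones the helper listed for removal, and the sample lines are copied from this thread with three clean entries added for contrast.

```python
"""Triage helper for HijackThis v1.99-style log lines (added example).

Flags the patterns the helper's fix list relied on. Findings are review
candidates, not verdicts: a legitimate program can trip the 'loose in the
Windows folder' check, so a human still decides what to fix.
"""
import re
from dataclasses import dataclass

# Core system binaries that malware names often imitate (constructed list).
SYSTEM_BINARIES = {"svchost.exe", "spoolsv.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}

# Product names the helper told the poster to remove in this thread.
UNWANTED_NAMES = ("winantispyware 2007", "winpop", "web buying")

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
CLSID_RE = re.compile(
    r"^O(?P<sec>[239]) - (?P<kind>[^:]+): (?P<label>.+?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$"
)


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short, so the plain DP row is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable_of(cmd: str) -> str:
    """Program path from a Run value: a quoted path, or the shortest unquoted
    prefix ending in .exe (paths with spaces), else the first token."""
    m = re.match(r'"([^"]+)"|(.+?\.exe)(?=\s|$)', cmd, re.IGNORECASE)
    if m:
        return m.group(1) or m.group(2)
    parts = cmd.split()
    return parts[0] if parts else cmd


def triage(lines):
    """Return a Finding for every suspicious pattern seen in the log lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = CLSID_RE.match(line)
        if m:
            orphan = m["path"] == "(no file)" or m["path"].endswith("(file missing)")
            if m["label"] == "(no name)" and orphan:
                findings.append(Finding(line, f"nameless {m['kind']} entry with no backing file"))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        lower = executable_of(m["cmd"]).lower()
        folder, _, base = lower.rpartition("\\")
        if any(name in lower for name in UNWANTED_NAMES):
            findings.append(Finding(line, "references a product the helper marked for removal"))
        elif folder == "c:\\windows":
            findings.append(Finding(line, "executable sits loose in the Windows folder"))
        if base not in SYSTEM_BINARIES and any(edit_distance(base, s) == 1 for s in SYSTEM_BINARIES):
            findings.append(Finding(line, f"name '{base}' imitates a system binary"))
        elif base in SYSTEM_BINARIES and not folder.endswith("\\system32"):
            findings.append(Finding(line, f"system binary name '{base}' outside system32"))
    return findings


# Sample lines: the ten entries from the fix list above plus three clean ones.
SAMPLE_LOG = [
    r"O2 - BHO: (no name) - {2696b37b-7e53-438b-abf6-72723a5975f8} - C:\WINDOWS\system32\mawwixw.dll (file missing)",
    r"O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)",
    r"O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)",
    r'O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"',
    r'O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"',
    r'O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"',
    r"O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe",
    r"O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.7.8\webbuying.exe",
    r"O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)",
    r"O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r'O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide',
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```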

#3
greystreet33

greystreet33

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
First off, I am shocked at the dedication to helping others on this website. Very impressive in this seemingly thankless position. So with that, thank you for getting back to me so quickly and attempting to help out. Much appreciated.

Now back to the problems. Upon running HijackThis a second time, some of the items you suggested removing were no longer in the list. These were as follows:
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.7.8\webbuying.exe
All others you listed were there, and I removed appropriately.

My post has 3 sections below, in this order:
1.) OTMoveIt Log
2.) Combo Fix Log
3.) final Hijackthis Log


1.) OTMoveIt Log
#######################################################################
File/Folder C:\WINDOWS\svhost.exe not found.
File/Folder C:\Program Files\Common Files\WinAntiSpyware 2007 not found.
File/Folder C:\WINDOWS\poolsv.exe not found.
File/Folder C:\Program Files\WinPop not found.
File/Folder C:\Program Files\Web Buying not found.

Created on 07/18/2007 14:51:40

################################################################################
###

2.) Combo Fix Log
#######################################################################
"SBurdick" - 2007-07-18 14:53:34 - ComboFix 07-07-17.8 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\tempb9
C:\tempb9\tmpTF.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\temp\tn3
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\drivers\ApiMon.sys
C:\WINDOWS\system32\o09PrEz
C:\WINDOWS\system32\win
C:\WINDOWS\system32\X2
C:\WINDOWS\system32\X3
C:\WINDOWS\system32\X4
C:\WINDOWS\system32\X5
C:\WINDOWS\system32\X9
C:\WINDOWS\wr.txt


((((((((((((((((((((((((( Files Created from 2007-06-18 to 2007-07-18 )))))))))))))))))))))))))))))))


2007-07-18 14:52 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-18 12:44 <DIR> d-------- C:\Program Files\CCleaner
2007-07-17 22:30 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-07-17 22:30 <DIR> d-------- C:\DOCUME~1\SBurdick\APPLIC~1\SUPERAntiSpyware.com
2007-07-17 22:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-17 22:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-17 20:39 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-07-06 20:21 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\.clamwin
2007-07-06 17:19 <DIR> d-------- C:\Program Files\Windows Defender
2007-07-06 17:14 66,048 --a------ C:\WINDOWS\ieResetIcons.exe
2007-07-06 11:05 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-07-06 11:02 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
2007-07-06 10:30 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-07-06 10:30 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-07-06 10:30 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2007-07-06 10:30 144,448 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-07-06 10:30 <DIR> d-------- C:\Program Files\Webroot
2007-07-06 10:30 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
2007-07-06 10:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-07-06 10:29 <DIR> d-------- C:\DOCUME~1\SBurdick\APPLIC~1\Webroot
2007-07-06 10:15 <DIR> d-------- C:\DOCUME~1\SBurdick\APPLIC~1\.clamwin
2007-07-06 10:14 <DIR> d-------- C:\Program Files\ClamWin
2007-07-06 10:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\.clamwin
2007-07-06 08:36 1,853,943 ---hs---- C:\WINDOWS\system32\bbadd.bak1
2007-07-06 08:26 <DIR> d-------- C:\Temp
2007-07-01 10:29 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Viewpoint
2007-06-29 14:40 <DIR> d-------- C:\DOCUME~1\SBurdick\APPLIC~1\COWON
2007-06-29 14:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\IDS_COMPANY_NAME
2007-06-23 21:26 <DIR> d-------- C:\Program Files\Picasa2


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-18 18:47:25 -------- d-----w C:\Program Files\Azureus
2007-07-18 11:56:54 -------- d-----w C:\Program Files\Common Files\Real
2007-07-18 11:56:36 -------- d-----w C:\DOCUME~1\SBurdick\APPLIC~1\Real
2007-07-16 00:15:17 -------- d-----w C:\Program Files\Facebook Plugin
2007-07-06 21:10:43 -------- d-----w C:\Program Files\Gaim
2007-07-06 14:15:13 -------- d-----w C:\DOCUME~1\SBurdick\APPLIC~1\.clamwin
2007-07-05 21:09:35 1,984 ----a-w C:\WINDOWS\system32\d3d9caps.dat
2007-06-29 21:41:30 -------- d-----w C:\DOCUME~1\SBurdick\APPLIC~1\foobar2000
2007-06-29 18:39:39 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-24 14:07:15 223 ----a-w C:\WINDOWS\freedom.backup.dat
2007-06-24 01:26:12 -------- d-----w C:\Program Files\Google
2007-06-21 13:05:13 -------- d-----w C:\Program Files\Mozilla Thunderbird
2007-06-06 02:34:55 -------- d-----w C:\Program Files\Yahoo!
2007-06-06 02:25:03 -------- d-----w C:\Program Files\Common Files\AOL
2007-06-06 02:25:01 -------- d-----w C:\Program Files\AIM6
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-01-12 20:38 63128 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 02:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
2004-12-06 02:05 118842 --a------ C:\WINDOWS\system32\dla\tfswshx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-07-12 04:00 501136 --a------ C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-11-21 13:38]
"Tweak UI"="RUNDLL32.exe" [2004-08-10 06:00 C:\WINDOWS\system32\rundll32.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"QBReminderFlash"="C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe" [2004-11-11 11:26]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-05-02 02:08]
"P17Helper"="P17.dll" [2004-06-10 17:51 C:\WINDOWS\system32\P17.dll]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 09:50]
"Logitech Utility"="LOGI_MWX.EXE" [2003-12-17 10:50 C:\WINDOWS\LOGI_MWX.EXE]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-10-17 03:18]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 11:43]
"ClamWin"="C:\Program Files\ClamWin\bin\ClamTray.exe" [2007-05-27 20:48]
"BootSkin Startup Jobs"="C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 17:21]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 22:05]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39]

C:\DOCUME~1\SBurdick\STARTM~1\Programs\Startup
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-11-04 01:06:31]
Mozilla Thunderbird.lnk - C:\Program Files\Mozilla Thunderbird\thunderbird.exe [2005-11-01 22:27:53]
pageant.exe.lnk - C:\WINDOWS\system32\pageant.exe [2007-02-18 23:41:29]
Rainlendar.lnk - C:\Program Files\Rainlendar\Rainlendar.exe [2005-10-23 13:35:01]
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-05-04 15:39:42]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 02:05:26]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-10-23 10:22:36]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 12:59:36]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 12:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll --a------ 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]


Contents of the 'Scheduled Tasks' folder
2007-07-04 18:59:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-07-18 16:41:32 C:\WINDOWS\tasks\MP Scheduled Scan.job
2007-07-18 11:46:37 C:\WINDOWS\tasks\WeeklyBackup.job
2007-07-18 07:00:21 C:\WINDOWS\tasks\wrSpySweeper_L6BADCD7B588A45298C4F3DFDEDFF4222.job

**************************************************************************

catchme 0.3.1040 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-18 14:56:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\\xd8\x2022\x20ac|\xff\xff\xff\xff\22\x2022\x20ac|\xf9\x2022A~\2]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\Software\Adobe\FeatureSubscriptions\DVAAdobeDocMeta\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\Registered"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:000001ba

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-18 14:56:45
C:\ComboFix-quarantined-files.txt ... 2007-07-18 14:56

--- E O F ---


################################################################################
###

3.) final HijackThis Log
####################################################################
Logfile of HijackThis v1.99.1
Scan saved at 2:58:00 PM, on 7/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\LOGI_MWX.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\pageant.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Tweak UI] "RUNDLL32.EXE" TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QBReminderFlash] "C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] "C:\Program Files\Picasa2\PicasaMediaDetector.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Mozilla Thunderbird.lnk = C:\Program Files\Mozilla Thunderbird\thunderbird.exe
O4 - Startup: pageant.exe.lnk = C:\WINDOWS\system32\pageant.exe
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)
  • 0

#4
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again

Thanks for the logs.

I feel that I must point out some errors that I see in your logs.

I see that the McAfee reference has now gone, however, even though I see a reference to ClamWin Antivirus in your ComboFix log dated 6th July, I see no evidence of it running in real-time and offering protection.

I see too many antimalware programmes offering real-time protection. This is bad practice as between them they will cause slowness and conflicts. The rule is one only to run in real-time and all others to be used for on demand scanning. These are the ones you have that I can see in your logs: Windows Defender, Spy Sweeper, AVGas. NB - SUPERAntiSpyware Free Edition does not offer real-time protection.

If you need help in disabling two of the three from running, please say.

Other than that, I see 3 deletions are necessary.

Please open OTMoveIt by OldTimer
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\bbadd.bak1
    C:\DOCUME~1\Guest\APPLIC~1\Viewpoint
    C:\Program Files\Azureus


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
*If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
**If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at:
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")


Click "Exit" to close OTMoveIt.

How's the PC running now?
  • 0

#5
greystreet33

greystreet33

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Once again, thanks for your prompt replies.

Regarding your note about multiple anti-spyware programs, I am open to your suggestions here. I have historically used only Ad-Aware and Spybot S&D as on-demand scanners, but installed all of these others in the past week or so to try to combat this new infection. I will gladly follow your advice on which to remove, which to keep, and which to run as real time scanners, so please provide your opinion there.

As far as the anti-virus programs, my McAfee subscription ended a while back and I recently installed ClamWin AntiVirus as a free alternative. However, that does not offer real time protection, so again, I am willing to follow your advice here as well (I downloaded the setup file for AVG free anti-virus, but haven't installed yet). What should I uninstall from my current system and what should I have running going forward? I'd like to complete a last set of scans with your recommended programs to ensure that they all report a clean system before I am comfortable that nothing is still hiding.

Here is the OTMoveIt! log from the actions you suggested in your latest reply:
###################################################################################
C:\WINDOWS\system32\bbadd.bak1 moved successfully.
C:\DOCUME~1\Guest\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03 moved successfully.
C:\DOCUME~1\Guest\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02 moved successfully.
C:\DOCUME~1\Guest\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01 moved successfully.
C:\DOCUME~1\Guest\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00 moved successfully.
C:\DOCUME~1\Guest\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources moved successfully.
C:\DOCUME~1\Guest\APPLIC~1\Viewpoint\Viewpoint Experience Technology moved successfully.
C:\DOCUME~1\Guest\APPLIC~1\Viewpoint moved successfully.
C:\Program Files\Azureus\plugins\azupdater moved successfully.
C:\Program Files\Azureus\plugins\azplugins moved successfully.
C:\Program Files\Azureus\plugins moved successfully.
C:\Program Files\Azureus moved successfully.

Created on 07/18/2007 16:24:30
###################################################################################



As a last note for this reply, where can I find explanations of all these files I am running to understand what they are doing? i.e. OTMoveIT, ComboFix, etc.

#6 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)
Hello again

Please uninstall Clamwin via the Add or Remove applet in the control panel.

Download: AVG ANTIVIRUS 7.5 FREE EDITION

Install AVG, update its virus definitions and perform a full system scan before proceeding any further. AVG will update and scan daily, providing your PC is switched on.

Now onto the antimalware programmes. We are going to disable the real-time protection of AVGas and Spy Sweeper. This will leave Windows Defender "on guard" and we can add a different type of protection programme to go with it, that will not cause problems.

Go to Start > Run and type or copy & paste this into the Run box:

sc delete WebrootSpySweeperService

Hit ENTER

Rescan with HijackThis. Close all programmes leaving only HijackThis running. Place a checkmark or tick against the following:

O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized


Click on Fix Checked when finished and exit HijackThis.

As a last note for this reply, where can I find explanations of all these files I am running to understand what they are doing? i.e. OTMoveIT, ComboFix, etc.

Well, they are not commercially available programmes, but tools designed by malware experts to do certain jobs for us automatically. OTMoveIt helps us get rid of folders and files with the minimum of bother, and ComboFix deletes some bad entries and shows the trained eye where problems lie, so that I can place them into the OTMoveIt programme. As for totally understanding them, you will need a brain the size of a small planet.

Now to beef-up your protection safely.

Please download and Install MVPS hosts file.

This is probably one of the best defensive processes available for FREE.

This replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.

Please go to: MVPS Hosts file

If you scroll down the MVPS page, you will see an animated folder next to hosts.zip. Download that file to your desktop and right-click on it, then choose EXTRACT ALL. A window will open containing the files; double-click mvps.bat and a DOS screen will open inviting you to press any key to continue. That's all there is to it.

Please bookmark/add to favourite this site as the file is updated every 14 days, so you need to do this once a month. There is now a facility for you to register your email address with the site to be informed of updates. The link is towards the foot of the page.

From now on, whilst surfing, you will notice some sites not loading and you may see the word “advertisement” on some pages, this is because the IP address of either the site or advertiser is known as bad and it is being blocked.

SPYWARE BLASTER - Blocks bad ActiveX items from installing on your computer. This also requires a manual update periodically. I suggest that you do MVPS Hosts and Spyware Blaster at the same time.

Please reboot normally and post a fresh HJT log for checking. Is everything running well now?

#7 greystreet33 (New Member, Topic Starter, 4 posts)
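The post above explains that the MVPS HOSTS file blocks ad sites by mapping their names to 127.0.0.1. The following is an added example (not code from the thread, the MVPS project or any tool mentioned here) that audits a HOSTS file from the defender's side: it separates blocking entries (mapped to 127.0.0.1, 0.0.0.0 or ::1) from entries that send a hostname to some other address, which is the pattern a reviewer would want to look at. The file contents are a constructed sample; the domain names in it are placeholders.

```python
"""Audit a Windows HOSTS file: blocking entries vs. redirect entries.

Added example, not part of the thread. Sample contents below are constructed.
"""
import ipaddress
import sys
from dataclasses import dataclass

# Addresses that simply sink a lookup (MVPS uses 127.0.0.1, later 0.0.0.0).
BLOCKING_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

# Default location on Windows XP; overridable on the command line.
DEFAULT_HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"

# Constructed sample: two MVPS-style blocking lines and one redirect line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1  ad.tracker.example        # constructed blocking entry
0.0.0.0    banners.tracker.example   # constructed blocking entry
10.0.0.5   update.example-av.test    # constructed redirect entry (review this)
"""


@dataclass
class HostsEntry:
    ip: str
    hostname: str
    line_no: int


def parse_hosts(text):
    """Return one HostsEntry per (ip, hostname) pair; comments and blanks are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])  # first token must be an IP literal
        except ValueError:
            continue  # malformed line: skip rather than guess
        for host in parts[1:]:
            entries.append(HostsEntry(parts[0], host.lower(), line_no))
    return entries


def classify(entries):
    """Split entries into (blocked, redirected).

    'localhost' is the one loopback mapping every HOSTS file legitimately has,
    so it is excluded. Anything mapped to a non-sink address is a redirect and
    deserves a look: a real site pointed at an address of someone else's choosing.
    """
    blocked, redirected = [], []
    for entry in entries:
        if entry.hostname == "localhost":
            continue
        target = blocked if entry.ip in BLOCKING_TARGETS else redirected
        target.append(entry)
    return blocked, redirected


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_HOSTS_PATH
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_HOSTS  # fall back to the constructed sample when offline/unavailable
    blocked, redirected = classify(parse_hosts(text))
    print(f"{len(blocked)} blocking entries, {len(redirected)} redirect entries to review")
    for e in redirected:
        print(f"  line {e.line_no}: {e.hostname} -> {e.ip}")
```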
Steps Taken:
-Uninstalled ClamWin
-Installed AVG antivirus 7.5, scanned (result: no threats found)
-Performed "sc delete WebrootSpySweeperService"
-Uninstalled SpySweeper (was a trial version)
-Ran Hijackthis and removed:
  • O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
  • O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
-Downloaded and Installed MVPS Hosts file
-Downloaded and Installed Spyware Blaster
-Rebooted and posted a fresh Hijackthis log (see below)

If I understand correctly, this should be the recommended setup going forward...
Real Time Scanners (running at startup):
  • Windows Defender (I don't see anything in my system tray, is this still running properly?)
  • MVPS host file
  • Spyware Blaster
  • AVG Antivirus 7.5
On Demand Scanners (manually run system scans periodically):
  • Spybot - Search and Destroy
  • Ad-Aware
  • SUPERAntiSpyware Free Edition (runs at startup, but real-time protection is disabled)
  • AVG Anti Spyware 7.5
Diagnostic Tools to file away:
  • Hijackthis
  • ATF Cleaner
  • CCleaner
  • ComboFix
  • OTMoveIt
System seems to be running OK. Once you look at the final Hijackthis log, I'm going to reboot and run scans with all my on demand scanners to make sure they don't detect any threats. If they are all clean, I will finally be comfortable that nothing is lurking in my memory and registry. Thanks again! :whistling:
########################################################################
Logfile of HijackThis v1.99.1
Scan saved at 7:05:29 PM, on 7/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\LOGI_MWX.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\system32\pageant.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Tweak UI] "RUNDLL32.EXE" TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Picasa Media Detector] "C:\Program Files\Picasa2\PicasaMediaDetector.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Mozilla Thunderbird.lnk = C:\Program Files\Mozilla Thunderbird\thunderbird.exe
O4 - Startup: pageant.exe.lnk = C:\WINDOWS\system32\pageant.exe
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)

########################################################################


Well, they are not commercially available programmes, but tools designed by malware experts to do certain jobs for us automatically. OTMoveIt helps us get rid of folders and files with the minimum of bother, and ComboFix deletes some bad entries and shows the trained eye where problems lie, so that I can place them into the OTMoveIt programme. As for totally understanding them, you will need a brain the size of a small planet.

Having a degree in computer science, this side of the programming world is very intriguing to me. This being my first run-in with a serious infection, I haven't delved very deep into the malware world. I've learned a lot today, and hope to learn more. Thanks a ton for taking the time to walk me through this.

#8 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)
Hello again

I see nothing wrong with your logic at all.

I am contemplating taking a degree course in computer science myself. It is a three year course and I just have to hope that my health holds out for that period of time, and of course that my last remaining brain cell continues to work.

The AVGas showing in your running processes will disappear shortly. I do not wish to disable it via NT services as it will mean a re-install.

Congratulations! Your new log is clean. :whistling: Just a little bit more to do to prevent further infection.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn OFF System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check *Turn off System Restore*.
  • Click Apply, and then click OK.
2. Reboot.

3. Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.
I recommend going to the following link and updating as recommended by Microsoft. This adds more security and extra features including a pop-up blocker for Internet Explorer. Microsoft Update

SiteAdvisor - Download this plug-in for your browser and it will alert you to known bad sites for FREE.

Now that everything is fixed, I suggest that you consider getting these programmes to help keep the computer clean:

WINDOWS DEFENDER - With daily updates and scans, this programme offers good security against malware.
AD-AWARE PERSONAL – A fine free malware detector and removal programme
SPYBOT S&D – Excellent free spyware detector and removal programme
FIREFOX - Safer alternative to the Internet Explorer web browser.
AVG ANTIVIRUS FREE EDITION - Free antivirus programme if you currently are not using one.
ZONEALARM - Free firewall programme if you currently are not using one (Windows XP has a built-in firewall).

Remember to update these frequently.

Please note that whilst there is nothing wrong in having more than one antimalware programme for “on demand” scanning, having more than one running in real-time is not recommended as they may well cause conflicts and slowness.

You may also want to read "How did I get infected in the first place" to learn how to better secure your computer.

Be sure to keep your Windows, antimalware and antivirus updated. :blink:

If you used ComboFix during the fix and have files quarantined at C:\qoobox\, you may delete that folder and its content.

It just remains for me to wish you happy safe surfing; I hope you found my advice helpful.

#9 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.