Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Hijack This log - smitfraud [RESOLVED]


  • This topic is locked This topic is locked

#1
Smitfrauded

Smitfrauded

    New Member

  • Member
  • Pip
  • 6 posts
Hi there. I've been going round in circles all day trying to clear out malware from my system. I've thought at least twice that I'd cracked it, only for the things to regenerate again. Oh for those halcyon days before I knew of Smitfraud and Zlob etc. I've tried Smitfraudfix but it hasn't worked. Neither have the various anti-spyware programs I've tried...spybot, ad-aware, grisoft, spyware doctor. At this stage, I'm gone beyond confused and I can't make head nor tail of the logs. I'm hoping that some kind soul out there will be able to help me.

Main.txt
Deckard's System Scanner v20071014.68
Run by James on 2008-01-06 01:29:30
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
80: 2008-01-06 01:29:41 UTC - RP214 - Deckard's System Scanner Restore Point
79: 2008-01-05 22:47:15 UTC - RP213 - Spyware Doctor: Cleaning Threats
78: 2008-01-05 21:35:42 UTC - RP212 - Spyware Doctor: Cleaning Threats
77: 2008-01-05 19:56:03 UTC - RP211 - Spyware Doctor: Cleaning Threats
76: 2008-01-05 19:55:29 UTC - RP210 - Spyware Doctor: Cleaning Threats


-- First Restore Point --
1: 2007-10-08 19:06:24 UTC - RP135 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as James.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:31:02, on 06/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\James\Desktop\dss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\James.exe

O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: BDEX System - {059947A2-838E-4773-9EE2-8AB8F53C2EDE} - C:\WINDOWS\dxpvqlmgtv.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {7D1AD5EB-9902-4FF0-986F-CA498179A53B} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Startup: ScreenThemes.lnk = C:\Program Files\ScreenThemes\scthemes.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebo...toUploader2.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1180642291437
O16 - DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} (OD2 Eircom MediaBar) - http://sib1.od2.com/...nagerPlugin.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.on...e/en/crlocx.ocx
O21 - SSODL: ampkfst - {2D5EDA7E-3876-44EE-B5EA-9C004181B6E5} - C:\WINDOWS\ampkfst.dll
O21 - SSODL: bklgvsf - {2CC81FA6-9C10-413E-B312-CC55EC694315} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 11352 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - "C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe",2


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 BTHidMgr (Bluetooth HID Manager Service) - c:\windows\system32\drivers\bthidmgr.sys <Not Verified; IVT Corporation; BlueSoleil©>
R0 timounter (Acronis True Image Backup Archive Explorer) - c:\windows\system32\drivers\timntr.sys <Not Verified; Acronis; Acronis True Image>
R2 tifsfilter (Acronis True Image FS Filter) - c:\windows\system32\drivers\tifsfilt.sys <Not Verified; Acronis; Acronis True Image>
R3 ASAPIW2k - c:\windows\system32\drivers\asapiw2k.sys <Not Verified; VOB Computersysteme GmbH; asapi>
R3 BlueletAudio (Bluetooth Audio Service) - c:\windows\system32\drivers\blueletaudio.sys <Not Verified; IVT Corporation; Windows ® 2000 DDK driver>
R3 BT (Bluetooth PAN Network Adapter) - c:\windows\system32\drivers\btnetdrv.sys <Not Verified; IVT Corporation; BlueSoleil>
R3 BTHidEnum (Bluetooth HID Enumerator) - c:\windows\system32\drivers\vbtenum.sys
R3 MarvinBus (Pinnacle Marvin Bus) - c:\windows\system32\drivers\marvinbus.sys <Not Verified; Pinnacle Systems GmbH; Pinnacle Marvin Discrete>
R3 VComm (Virtual Serial port driver) - c:\windows\system32\drivers\vcomm.sys <Not Verified; IVT Corporation; BlueSoleil>
R3 VcommMgr (Bluetooth VComm Manager Service) - c:\windows\system32\drivers\vcommmgr.sys <Not Verified; IVT Corporation; BlueSoleil>

S3 Btcsrusb (Bluetooth USB For Bluetooth Service) - c:\windows\system32\drivers\btcusb.sys <Not Verified; IVT Corporation; Bluetooth USB Device Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AdobeActiveFileMonitor (Adobe Active File Monitor) - c:\program files\adobe\photoshop elements 3.0\photoshopelementsfileagent.exe
R2 BlueSoleil Hid Service - c:\program files\ivt corporation\bluesoleil\btntservice.exe
R2 PhotoshopElementsDeviceConnect (Photoshop Elements Device Connect) - c:\program files\adobe\photoshop elements 3.0\photoshopelementsdeviceconnect.exe

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E978-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ROOT\PORTS\0004
Manufacturer:
Name:
PNP Device ID: ROOT\PORTS\0004
Service:


-- Files created between 2007-12-06 and 2008-01-06 -----------------------------

2008-01-05 22:26:48 0 dr-h----- C:\Documents and Settings\James\Recent
2008-01-05 16:40:37 0 d-------- C:\Program Files\Spyware Doctor
2008-01-05 16:40:37 0 d-------- C:\Documents and Settings\James\Application Data\PC Tools
2008-01-05 16:27:00 0 d-------- C:\Program Files\Trend Micro
2008-01-05 00:42:39 0 d-------- C:\Documents and Settings\James\Application Data\Grisoft
2008-01-04 23:12:21 0 d-------- C:\Program Files\Lavasoft
2008-01-04 23:12:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-04 23:11:52 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-04 19:34:55 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-01-04 19:34:55 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-01-04 19:34:55 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-01-04 19:34:55 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-01-04 19:34:55 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-01-04 19:34:55 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-01-04 19:34:55 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-01-04 19:34:55 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-01-04 19:34:54 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-01-04 19:34:54 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-01-04 19:34:54 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-01-04 19:34:54 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-01-04 19:34:54 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-01-04 19:34:54 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-01-04 19:29:10 3712 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-04 19:28:20 0 d-------- C:\SmitfraudFix
2008-01-04 19:28:09 1129580 --a------ C:\SmitfraudFix.exe
2008-01-04 12:19:21 86016 --a------ C:\WINDOWS\foxflpd.exe
2008-01-04 12:19:21 290816 --a------ C:\WINDOWS\dxpvqlmgtv.dll <Not Verified; ; dxpvqlmgtv>
2008-01-04 12:19:21 253952 --a------ C:\WINDOWS\ampkfst.dll <Not Verified; ; ampkfst>
2008-01-02 01:15:47 0 d-------- C:\Program Files\virtual dub mod
2008-01-02 00:19:27 0 d-------- C:\videos
2007-12-30 18:39:00 0 d-------- C:\Program Files\Winamp
2007-12-30 18:39:00 0 d-------- C:\Documents and Settings\James\Application Data\Winamp
2007-12-28 14:11:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2007-12-28 14:11:34 0 d-------- C:\Documents and Settings\James\Application Data\Azureus
2007-12-28 14:10:36 0 d-------- C:\Program Files\Azureus
2007-12-26 12:34:11 43698 --a------ C:\WINDOWS\system32\xvid-uninstall.exe
2007-12-26 12:33:24 0 d-------- C:\Program Files\Gabest
2007-12-26 12:32:53 0 d-------- C:\Program Files\AutoGK
2007-12-12 23:21:10 0 d-------- C:\Program Files\mp3DirectCut
2007-12-09 14:41:21 0 d-------- C:\Documents and Settings\James\Application Data\ESET
2007-12-09 14:38:45 0 d-------- C:\Documents and Settings\All Users\Application Data\ESET


-- Find3M Report ---------------------------------------------------------------

2008-01-05 21:38:56 0 d-------- C:\Program Files\Google
2008-01-04 23:11:52 0 d-------- C:\Program Files\Common Files
2008-01-04 00:04:00 0 d-------- C:\Documents and Settings\James\Application Data\foobar2000
2008-01-01 17:35:07 0 d-------- C:\Program Files\FreeCommander
2008-01-01 10:57:45 0 d-------- C:\Program Files\Opera
2007-12-28 21:55:17 0 d-------- C:\Program Files\PeerGuardian2
2007-12-28 14:09:51 0 d-------- C:\Program Files\FlashGet
2007-12-28 12:19:30 0 d-------- C:\Documents and Settings\James\Application Data\uTorrent
2007-12-26 20:53:55 565 --a------ C:\Documents and Settings\James\Application Data\AutoGK.ini
2007-12-26 14:29:41 0 d-------- C:\Documents and Settings\James\Application Data\dvdcss
2007-12-26 12:34:04 0 d-------- C:\Program Files\AviSynth 2.5
2007-12-26 00:45:22 0 d-------- C:\Program Files\WinAVI Video Capture
2007-12-25 00:06:22 0 d-------- C:\Program Files\DOSBox-0.70
2007-12-22 22:03:34 0 d-------- C:\Program Files\Last.fm
2007-12-13 18:59:35 0 d-------- C:\Program Files\Audacity
2007-12-08 10:52:04 0 d-------- C:\Documents and Settings\James\Application Data\Google
2007-12-05 22:50:28 0 d-------- C:\Documents and Settings\James\Application Data\SumatraPDF
2007-12-03 00:40:57 0 d-------- C:\Program Files\NetMeter
2007-11-30 22:52:36 0 d-------- C:\Program Files\Yahoo!
2007-11-30 00:32:38 0 d-------- C:\Program Files\Pinnacle
2007-11-23 08:30:07 0 d-------- C:\Documents and Settings\James\Application Data\ieSpell
2007-11-23 08:07:04 0 d-------- C:\Documents and Settings\James\Application Data\Yahoo!
2007-11-23 07:42:59 0 d-------- C:\Program Files\FLV Player
2007-11-21 20:50:12 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-21 11:54:55 0 d-------- C:\Documents and Settings\James\Application Data\LimeWire
2007-11-19 23:26:03 0 d-------- C:\Program Files\ieSpell
2007-11-19 12:56:23 0 d-------- C:\Program Files\iTunes
2007-11-19 12:56:04 0 d-------- C:\Program Files\iPod
2007-11-19 12:54:27 0 d-------- C:\Program Files\QuickTime
2007-11-13 19:00:16 0 d-------- C:\Program Files\Jasc Software Inc
2007-11-13 19:00:16 0 d-------- C:\Documents and Settings\James\Application Data\Jasc Software Inc
2007-11-10 21:58:32 0 d-------- C:\Documents and Settings\James\Application Data\MySpace
2007-11-10 21:58:28 0 d-------- C:\Program Files\MySpace
2007-11-10 11:13:19 0 d-------- C:\Documents and Settings\James\Application Data\Adobe
2007-11-09 19:33:58 0 d-------- C:\Program Files\Amazon


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{059947A2-838E-4773-9EE2-8AB8F53C2EDE}]
03/01/2008 11:53 290816 --a------ C:\WINDOWS\dxpvqlmgtv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [04/08/2004 12:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04/08/2004 12:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04/08/2004 12:00]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [04/11/2004 19:40]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [04/11/2004 19:38]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [21/12/2004 20:05]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [16/02/2007 17:45]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [16/02/2007 17:57]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [16/02/2007 17:49]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 00:11]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [10/11/2003 16:06]
"USB2Check"="C:\WINDOWS\system32\PCLECoInst.dll" [21/12/2005 10:14]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [14/11/2007 15:05]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [14/11/2007 23:43]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [11/06/2007 09:25]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [02/10/2007 16:27]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [14/07/2007 23:09]
"C:\Program Files\NetMeter\NetMeter.exe"="C:\Program Files\NetMeter\NetMeter.exe" [11/08/2007 15:50]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [31/08/2007 16:46]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\James\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [26/09/2007 23:22:39]
ScreenThemes.lnk - C:\Program Files\ScreenThemes\scthemes.exe [04/06/2007 19:02:17]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ampkfst"= {2D5EDA7E-3876-44EE-B5EA-9C004181B6E5} - C:\WINDOWS\ampkfst.dll [03/01/2008 11:53 253952]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{860ec022-161c-11dc-b03b-00904bebd852}]
AutoRun\command- E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{860ec023-161c-11dc-b03b-00904bebd852}]
AutoRun\command- E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{86150310-8318-11dc-b150-000ee750016c}]
AutoRun\command- E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{86150311-8318-11dc-b150-000ee750016c}]
AutoRun\command- E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c1d4cd49-54a2-11dc-b0cf-00904bebd852}]
AutoRun\command- K:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d20fb2dc-8319-11dc-b151-000ee750016c}]
AutoRun\command- E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7a7df00-0f70-11dc-b020-00904bebd852}]
AutoRun\command- E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7a7df04-0f70-11dc-b020-00904bebd852}]
AutoRun\command- E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7a7df05-0f70-11dc-b020-00904bebd852}]
AutoRun\command- E:\AutoRun.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com

7820 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-01-06 01:31:57 ------------

Extra.txt
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 Processor 3500+
Percentage of Memory in Use: 56%
Physical Memory (total/avail): 1022.48 MiB / 445.23 MiB
Pagefile Memory (total/avail): 2460.16 MiB / 1817.57 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1926.69 MiB

C: is Fixed (NTFS) - 93.15 GiB total, 29.48 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - FUJITSU MHU2100AT - 93.16 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 93.15 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: ESET Personal firewall v3.0.566.0 (ESET, spol. s r. o.)
AV: ESET Smart Security 3.0 v3.0 (ESET, spol. s r. o.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Huawei technologies\\Huawei UMTS Data Card\\3 DataModem HSDPA.exe"="C:\\Program Files\\Huawei technologies\\Huawei UMTS Data Card\\3 DataModem HSDPA.exe:*:Enabled:3 DDataModem HSDPA"
"C:\\Documents and Settings\\James\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\James\\Desktop\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Utorrent\\utorrent.exe"="C:\\Program Files\\Utorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Last.fm\\LastFM.exe"="C:\\Program Files\\Last.fm\\LastFM.exe:*:Enabled:LastFM"
"C:\\Program Files\\Sunbelt Software\\Personal Firewall\\kpf4gui.exe"="C:\\Program Files\\Sunbelt Software\\Personal Firewall\\kpf4gui.exe:*:Enabled:Sunbelt Firewall GUI"
"C:\\Program Files\\FlashGet\\flashget.exe"="C:\\Program Files\\FlashGet\\flashget.exe:*:Enabled:Flashget"
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"="C:\\Program Files\\VideoLAN\\VLC\\vlc.exe:*:Enabled:VLC media player"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"="C:\\Program Files\\Winamp Remote\\bin\\Orb.exe:*:Enabled:Orb"
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe:*:Enabled:OrbTray"
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\James\Application Data
audesktop=C:\DOCUME~1\ALLUSE~1\Desktop
aufavorites=C:\DOCUME~1\ALLUSE~1\FAVORI~1
austartm=C:\DOCUME~1\ALLUSE~1\STARTM~1
austartprg=C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs
austartup=C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup
CancelDNS=Configuration canceled. Check your network settings.
ChoixMenu=2
ChoixRegistre=y
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CleanDNS=Do you want to set your network to dynamic -DHCP- Server ?
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MISS-0F6D18627E
ComSpec=C:\WINDOWS\system32\cmd.exe
CurDir=C:\SmitfraudFix
desktop=C:\DOCUME~1\James\Desktop
DNSHJ=Your computer may be victim of a DNS Hijack
DoReboot=0
DoRestart=0
favorites=C:\DOCUME~1\James\FAVORI~1
fixname=SmitFraudFix
fixvers=v2.274
FP_NO_HOST_CHECK=NO
FSType=NTFS
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\James
huy32Mess=huy32 detected, use a Rootkit scanner
KDMess=detected !
lang=int
LOGONSERVER=\\MISS-0F6D18627E
lzx32Mess=lzx32 detected, use a Rootkit scanner
msguardMess=msguard detected, use a Rootkit scanner
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
pe386Mess=pe386 detected, use a Rootkit scanner
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 15 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0f00
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
RKScan=use a Rootkit scanner
SafeMDisp=Fix run in safe mode
SafeMWarn=Fix run in normal mode
sChoice=Enter your choice
sDel=Deleted
sEnd=End
sError=Problem while deleting
SESSIONNAME=Console
sFound=FOUND !
sFoundLSP=Detected, use LSPFix.exe to delete !
sFSType=The filesystem type is
sfxname=C:\SmitfraudFix.exe
sHOSTS=hosts file corrupted !
sInfect=infected !
sInfect2=infected !
sNotFound=not found
sProcess=Killing process
sRegClean=Registry Cleaning
sRegCleanQ=Do you want to clean the registry ? (y/n)
sRen=Please, Reboot and Run SmitfraudFix option 2 once again.
sRunFrom=Run from
sScanDate=Scan done at
sSearch=Scanning
startm=C:\DOCUME~1\James\STARTM~1
startprg=C:\DOCUME~1\James\STARTM~1\Programs
startup=C:\DOCUME~1\James\STARTM~1\Programs\Startup
sTempFolder=Deleting Temp Files
sTrustBackUp=Saving BackUp
sTrustDone=Trusted Zone deleted.
sTrustError=*** Error : zone.reg not found ***
sTrustQ=Restore Trusted Zone ? (y/n)
sWininetQ=Replace infected file ? (y/n)
sWiniSearch=Scanning for wininet.dll backup
syspath=C:\WINDOWS\system32
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\James\LOCALS~1\Temp
TMP=C:\DOCUME~1\James\LOCALS~1\Temp
USERDOMAIN=MISS-0F6D18627E
USERNAME=James
USERPROFILE=C:\Documents and Settings\James
Version=Microsoft Windows XP [Version 5.1.2600]
windir=C:\WINDOWS
xpdtMess=xpdt detected, use a Rootkit scanner
xpdxMess=xpdx detected, use a Rootkit scanner


-- User Profiles ---------------------------------------------------------------

James (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> MsiExec.exe /I{5B782FFA-6A95-480D-8E0A-0954A14693D6}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3 DataModem HSDPA --> C:\PROGRA~1\HUAWEI~1\HUAWEI~1\Uninstall.exe
Acronis True Image Home --> MsiExec.exe /X{419CF344-3D94-4DAD-99C8-EA7B00E5EA8B}
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop Elements 3.0 --> MsiExec.exe /I{851C67EF-068A-4060-9EF5-2E3DDCD68382}
AM-DeadLink 3.1 --> "C:\Program Files\AM-DeadLink\unins000.exe"
Ashampoo Burning Studio 2008 --> "C:\Program Files\Ashampoo\Ashampoo Burning Studio 2008\unins000.exe"
Athlon 64 Processor Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe" -l0x9
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,[email protected] -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Audacity 1.2.6 --> "C:\Program Files\Audacity\unins000.exe"
Auto Gordian Knot 2.45 --> C:\Program Files\AutoGK\uninst.exe
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
AviSynth 2.5 --> "C:\Program Files\AviSynth 2.5\Uninstall.exe"
Azureus Vuze --> C:\Program Files\Azureus\uninstall.exe
BlueSoleil --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B9F499B8-D1F0-42FC-84BE-CC552123CCCB}\setup.exe" -l0x9
Broadcom 802.11 Driver --> C:\WINDOWS\system32\BCMWLU00.exe verbose /rootkey=Software\Broadcom\802.11\UninstallInfo
Canon iP1600 --> C:\WINDOWS\system32\CNMCP75.exe "-PRINTERNAMECanon iP1600" "-HELPERDLLC:\Documents and Settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon iP1600 Installer\Inst2\cnmis.dll" "-RCDLLcnmi0409.dll"
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Chord Miner --> MsiExec.exe /X{6C9C52E1-5DC8-4FA8-8B12-6B3AC2E35357}
Conexant AC-Link Audio --> CIAunwdm.exe
Cool Edit Pro 2.1 --> C:\Program Files\coolpro2\cep2unin.exe
Crossword Forge 5.1.4 --> "C:\Program Files\Crossword Forge\unins000.exe"
D-Fend v2 --> "C:\Program Files\DOSBox-0.70\D-Fend v2\uninstall.exe"
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVD Audio Extractor 4.1.1 --> "C:\Program Files\DVD Audio Extractor\unins000.exe"
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
Easy Hi-Q Recorder 2.0 --> "C:\Program Files\Easy Hi-Q Recorder\unins000.exe"
eMusic - 50 Free MP3 offer --> "C:\Program Files\Winamp\eMusic\Uninst-eMusic-promotion.exe"
EPSON Scan --> C:\Program Files\epson\escndv\setup\setup.exe /r
ESET Smart Security --> MsiExec.exe /I{73DD62F9-7B11-4431-B38A-DFAD02FCB5F3}
FileZilla (remove only) --> "C:\Program Files\FileZilla\uninstall.exe"
FlashGet 1.8.8.1010 --> C:\Program Files\FlashGet\uninst.exe
Flickr Uploadr 2.5.0.15 --> "C:\Program Files\Flickr Uploadr\uninstall.exe"
FLV Player --> "C:\WINDOWS\FLV Player\uninstall.exe" "/U:C:\Program Files\FLV Player\Uninstall\uninstall.xml"
FLV Player 1.3.3 --> "C:\Program Files\FLVPlayer\uninstall.exe"
FLV Player 2.0, build 23 --> C:\Program Files\FLV Player\uninst.exe
foobar2000 v0.9.4.3 --> "C:\Program Files\foobar2000\uninstall.exe"
Foxit Reader --> C:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe
FreeCommander 2007.05a --> "C:\Program Files\FreeCommander\unins000.exe"
Gmail POP Troubleshooter --> C:\Program Files\Google\Gmail POP Troubleshooter\uninstall.exe
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
ieSpell --> "C:\Program Files\ieSpell\uninst.exe"
Incomedia WebSite X5 Smart --> C:\WINDOWS\system32\iwpsetup.exe Uninst /Smart /EN /C:\Program Files\WebSite X5 Smart
IsoBuster 2.1 --> "C:\Program Files\Smart Projects\IsoBuster\Uninst\unins000.exe"
iTunes --> MsiExec.exe /I{4F5CE18C-D97D-48FF-A510-A0D90C918294}
IZArc 3.7 --> "C:\Program Files\IZArc\unins000.exe"
Jasc Paint Shop Pro 8 --> MsiExec.exe /I{81A34902-9D0B-4920-A25C-4CDC5D14B328}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Juice 2.2 --> C:\Program Files\Juice\uninst.exe
Last.fm 1.4.1.57486 --> "C:\Program Files\Last.fm\unins000.exe"
Macromedia Dreamweaver 8 --> MsiExec.exe /I{0837A661-FEC3-48B3-876C-91E7D32048A9}
Macromedia Extension Manager --> MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Macromedia Fireworks 8 --> MsiExec.exe /I{4C24A8C1-7CFA-4650-AF15-732F5BD7B46D}
Macromedia Flash 8 --> MsiExec.exe /I{2BD5C305-1B27-4D41-B690-7A61172D2FEB}
Macromedia Flash 8 Video Encoder --> MsiExec.exe /X{8BF2C401-02CE-424D-BC26-6C4F9FB446B6}
Macromedia Flash Player 8 --> MsiExec.exe /X{885A63EA-382B-4DD4-A755-14809B8557D6}
MailWasher --> C:\WINDOWS\uninst.exe -f"C:\Program Files\MailWasher\DeIsL1.isu" -c"C:\Program Files\MailWasher\_ISREG32.DLL"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office FrontPage 2003 --> MsiExec.exe /I{90170409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (2.0.0.11) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.6) --> C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
Mp3tag v2.39 --> C:\Program Files\Mp3tag\Mp3tagUninstall.EXE
MySpaceIM --> C:\Program Files\MySpace\IM\Uninstall.exe
Nero 7 Premium --> MsiExec.exe /I{40261D0A-A385-4C1A-A7DE-5F270D9B1033}
NetMeter 1.1.3 --> "C:\Program Files\NetMeter\unins000.exe"
NetObjects Fusion 9.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AEED21B8-5C3C-421C-A2D1-5A6D9EA68296}\setup.exe" -l0x9 anything -uninst
Network Play System (Patching) --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Electronic Arts\Network Play System\NPSPatch.isu"
OD2 Eircom MediaBar --> C:\WINDOWS\Downloaded Program Files\MusicManagerUnInstaller.exe "C:\WINDOWS\Downloaded Program Files\MusicManagerPlugin.ocx" "{C45B1500-7B63-47C2-AB25-C28CB46AFDEE}"
Opera 9.25 --> MsiExec.exe /X{870B0889-A92E-4230-A6A1-F739C1D140DD}
PCI 1620 Cardbus Controller and Software --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{97355297-21C8-40CD-96D3-48E58037A9B8} /l1033
PDFCreator --> "C:\WINDOWS\PDFCreator_Toolbar_Uninstaller_0.exe" -hu _?=C:\Program Files\PDFCreator Toolbar
PDFCreator Toolbar --> "C:\WINDOWS\PDFCreator_Toolbar_Uninstaller_0.exe" _?=C:\Program Files\PDFCreator Toolbar
PeerGuardian 2.0 --> "C:\Program Files\PeerGuardian2\unins000.exe"
Picasa 2 --> "K:\Picasa2\Uninstall.exe"
Pinnacle Instant DVD Recorder --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EF781A5C-58F5-4BFD-87F9-E4F14D382F25}\Setup.exe" -l0x9 UNINSTALL
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
REALTEK Gigabit and Fast Ethernet NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\setup.exe" -l0x9 REMOVE
Registry Mechanic 6.0 --> "C:\Program Files\Registry Mechanic\unins000.exe"
Samsung SPP-2040 Series --> C:\Program Files\Samsung\Samsung SPP-2040 Series\Install\Setup.exe /R
ScreenThemes 3.0 --> "C:\Program Files\ScreenThemes\unins000.exe"
SoftV90 Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_1002&DEV_4378&SUBSYS_3085103C\HXFSETUP.EXE -U -Icpl30855.inf
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spyware Doctor 5.1 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
Streambox Vcr Suite 2 --> "C:\Program Files\StreamboxVcrSuite2\unins000.exe"
SureThing CD Labeler Deluxe 4 --> C:\WINDOWS\mvuninst\App1\mvuninst.exe "SureThing CD Labeler Deluxe 4"
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Texas Instruments PCIxx21/x515 drivers. --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{D71AC256-FA83-45EA-9F14-1B20BB5105C9} /l1033
TextPad 4.7 --> MsiExec.exe /X{B510A987-487E-4C66-9F4F-D386AC275715}
THE Rename 2.1.6 --> "C:\Program Files\THE Rename\unins000.exe"
The Sims --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Maxis\The Sims\Uninst.isu"
Theme Hospital --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Bullfrog\Hospital\DeIsL1.isu"
VideoLAN VLC media player 0.8.6c --> C:\Program Files\VideoLAN\VLC\uninstall.exe
VobSub v2.23 (Remove Only) --> "C:\Program Files\Gabest\VobSub\uninstall.exe"
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinHTTrack Website Copier 3.41-3 --> "C:\Program Files\WinHTTrack\unins000.exe"
XviD MPEG4 Video Codec (remove only) --> "C:\WINDOWS\system32\xvid-uninstall.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type2516 / Success
Event Submitted/Written: 01/06/2008 00:52:17 AM
Event ID/Source: 2570 / Adobe Active File Monitor
Event Description:
Adobe Active File Monitor Service has Started.

Event Record #/Type2514 / Success
Event Submitted/Written: 01/06/2008 00:49:29 AM
Event ID/Source: 2570 / Adobe Active File Monitor
Event Description:
Adobe Active File Monitor Service has Started.

Event Record #/Type2511 / Success
Event Submitted/Written: 01/05/2008 11:28:40 PM
Event ID/Source: 2570 / Adobe Active File Monitor
Event Description:
Adobe Active File Monitor Service has Started.

Event Record #/Type2509 / Error
Event Submitted/Written: 01/05/2008 11:01:33 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application googleearth.exe, version 4.2.205.5730, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2499 / Success
Event Submitted/Written: 01/05/2008 04:11:39 PM
Event ID/Source: 2570 / Adobe Active File Monitor
Event Description:
Adobe Active File Monitor Service has Started.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type21154 / Error
Event Submitted/Written: 01/06/2008 00:47:33 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type21153 / Error
Event Submitted/Written: 01/06/2008 00:46:34 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type21152 / Error
Event Submitted/Written: 01/06/2008 00:26:58 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type21151 / Error
Event Submitted/Written: 01/06/2008 00:21:11 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type21150 / Error
Event Submitted/Written: 01/05/2008 11:56:04 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}



-- End of Deckard's System Scanner: finished at 2008-01-06 01:31:57 ------------
  • 0

Advertisements


#2
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello, always nice to meet a fellow Irish person here :)


Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

  • 0

#3
Smitfrauded

Smitfrauded

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Alrighty. Here's the log Always nice to meet an Irish person in Cyberspace :)

ComboFix 08-01-06.4 - James 2008-01-06 12:21:17.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.570 [GMT 0:00]
Running from: C:\Documents and Settings\James\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\ampkfst.dll
C:\WINDOWS\dat.txt
C:\WINDOWS\dxpvqlmgtv.dll
C:\WINDOWS\foxflpd.exe
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\rs.txt
C:\WINDOWS\search_res.txt

.
((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 )))))))))))))))))))))))))))))))
.

2008-01-06 12:15 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-06 01:29 . 2008-01-06 01:29 <DIR> d-------- C:\Deckard
2008-01-05 16:41 . 2007-10-04 17:10 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-05 16:41 . 2007-10-04 17:10 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-05 16:41 . 2007-10-04 17:10 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-01-05 16:41 . 2007-10-04 17:11 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-01-05 16:40 . 2008-01-06 01:21 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-05 16:40 . 2008-01-05 16:40 <DIR> d-------- C:\Documents and Settings\James\Application Data\PC Tools
2008-01-05 16:40 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-01-05 16:27 . 2008-01-05 16:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-05 00:42 . 2008-01-05 00:42 <DIR> d-------- C:\Documents and Settings\James\Application Data\Grisoft
2008-01-05 00:42 . 2007-05-30 12:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-04 23:12 . 2008-01-04 23:12 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-04 23:12 . 2008-01-04 23:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-04 23:11 . 2008-01-04 23:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-04 23:03 . 2008-01-04 23:03 85 --a------ C:\WINDOWS\wininit.ini
2008-01-04 19:29 . 2008-01-06 01:26 3,712 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-04 19:28 . 2008-01-06 01:27 <DIR> d-------- C:\SmitfraudFix
2008-01-04 19:28 . 2008-01-04 19:25 1,129,580 --a------ C:\SmitfraudFix.exe
2008-01-02 01:15 . 2008-01-02 01:23 <DIR> d-------- C:\Program Files\virtual dub mod
2008-01-02 00:19 . 2008-01-02 00:19 <DIR> d-------- C:\videos
2007-12-30 18:39 . 2007-12-30 18:48 <DIR> d-------- C:\Program Files\Winamp
2007-12-30 18:39 . 2007-12-30 18:49 <DIR> d-------- C:\Documents and Settings\James\Application Data\Winamp
2007-12-28 14:11 . 2008-01-04 14:16 <DIR> d-------- C:\Documents and Settings\James\Application Data\Azureus
2007-12-28 14:11 . 2007-12-28 14:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2007-12-28 14:10 . 2007-12-28 14:10 <DIR> d-------- C:\Program Files\Azureus
2007-12-26 12:34 . 2007-12-26 12:34 43,698 --a------ C:\WINDOWS\system32\xvid-uninstall.exe
2007-12-26 12:33 . 2007-12-26 12:33 <DIR> d-------- C:\Program Files\Gabest
2007-12-26 12:32 . 2007-12-26 12:34 <DIR> d-------- C:\Program Files\AutoGK
2007-12-12 23:21 . 2007-12-12 23:21 <DIR> d-------- C:\Program Files\mp3DirectCut
2007-12-09 14:41 . 2007-12-09 14:41 <DIR> d-------- C:\Documents and Settings\James\Application Data\ESET
2007-12-09 14:38 . 2007-12-09 14:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 12:12 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-05 22:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-05 21:38 --------- d-----w C:\Program Files\Google
2008-01-04 00:04 --------- d-----w C:\Documents and Settings\James\Application Data\foobar2000
2008-01-01 17:35 --------- d-----w C:\Program Files\FreeCommander
2008-01-01 10:57 --------- d-----w C:\Program Files\Opera
2007-12-28 21:55 --------- d-----w C:\Program Files\PeerGuardian2
2007-12-28 14:09 --------- d-----w C:\Program Files\FlashGet
2007-12-28 12:19 --------- d-----w C:\Documents and Settings\James\Application Data\uTorrent
2007-12-26 14:29 --------- d-----w C:\Documents and Settings\James\Application Data\dvdcss
2007-12-26 12:34 --------- d-----w C:\Program Files\AviSynth 2.5
2007-12-26 00:45 --------- d-----w C:\Program Files\WinAVI Video Capture
2007-12-25 00:06 --------- d-----w C:\Program Files\DOSBox-0.70
2007-12-22 22:03 --------- d-----w C:\Program Files\Last.fm
2007-12-13 18:59 --------- d-----w C:\Program Files\Audacity
2007-12-05 22:50 --------- d-----w C:\Documents and Settings\James\Application Data\SumatraPDF
2007-12-03 00:40 --------- d-----w C:\Program Files\NetMeter
2007-11-30 22:52 --------- d-----w C:\Program Files\Yahoo!
2007-11-30 00:32 --------- d-----w C:\Program Files\Pinnacle
2007-11-23 08:30 --------- d-----w C:\Documents and Settings\James\Application Data\ieSpell
2007-11-23 08:07 --------- d-----w C:\Documents and Settings\James\Application Data\Yahoo!
2007-11-23 07:42 --------- d-----w C:\Program Files\FLV Player
2007-11-23 01:25 499 ----a-w C:\WINDOWS\system32\drivers\fwdrv.err
2007-11-21 20:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-21 20:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pinnacle
2007-11-21 11:54 --------- d-----w C:\Documents and Settings\James\Application Data\LimeWire
2007-11-19 23:26 --------- d-----w C:\Program Files\ieSpell
2007-11-19 12:56 --------- d-----w C:\Program Files\iTunes
2007-11-19 12:56 --------- d-----w C:\Program Files\iPod
2007-11-19 12:54 --------- d-----w C:\Program Files\QuickTime
2007-11-14 15:06 53,768 ----a-w C:\WINDOWS\system32\drivers\epfwtdi.sys
2007-11-14 15:06 50,696 ----a-w C:\WINDOWS\system32\drivers\epfw.sys
2007-11-14 15:06 30,728 ----a-w C:\WINDOWS\system32\drivers\epfwndis.sys
2007-11-14 15:04 27,656 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2007-11-14 15:03 33,800 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2007-11-13 19:00 --------- d-----w C:\Program Files\Jasc Software Inc
2007-11-13 19:00 --------- d-----w C:\Documents and Settings\James\Application Data\Jasc Software Inc
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-10 21:58 --------- d-----w C:\Program Files\MySpace
2007-11-10 21:58 --------- d-----w C:\Documents and Settings\James\Application Data\MySpace
2007-11-09 19:33 --------- d-----w C:\Program Files\Amazon
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-14 23:09 68856]
"C:\Program Files\NetMeter\NetMeter.exe"="C:\Program Files\NetMeter\NetMeter.exe" [2007-08-11 15:50 331264]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 12:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 12:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 12:00 455168]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 19:40 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 19:38 688218]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-21 20:05 344064]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-02-16 17:45 1169776]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-02-16 17:57 1945960]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-02-16 17:49 149024]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2003-11-10 16:06 406016]
"USB2Check"="C:\WINDOWS\system32\PCLECoInst.dll" [2005-12-21 10:14 73728]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-11-14 15:05 1410304]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43 286720]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:00 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 01:17 443968]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-19 01:47 8720384]

C:\Documents and Settings\James\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-09-26 23:22:39]
ScreenThemes.lnk - C:\Program Files\ScreenThemes\scthemes.exe [2007-06-04 19:02:17]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ampkfst"= {2D5EDA7E-3876-44EE-B5EA-9C004181B6E5} - C:\WINDOWS\ampkfst.dll [ ]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

R2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 03:47]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 02:40]
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2004-06-10 14:59]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{860ec022-161c-11dc-b03b-00904bebd852}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{860ec023-161c-11dc-b03b-00904bebd852}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{86150310-8318-11dc-b150-000ee750016c}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{86150311-8318-11dc-b150-000ee750016c}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c1d4cd49-54a2-11dc-b0cf-00904bebd852}]
\Shell\AutoRun\command - K:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d20fb2dc-8319-11dc-b151-000ee750016c}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7a7df00-0f70-11dc-b020-00904bebd852}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7a7df04-0f70-11dc-b020-00904bebd852}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7a7df05-0f70-11dc-b020-00904bebd852}]
\Shell\AutoRun\command - E:\AutoRun.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 12:27:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\\Program Files\\NetMeter\\NetMeter.exe"="C:\\Program Files\\NetMeter\\NetMeter.exe"
.
Completion time: 2008-01-06 12:29:26 - machine was rebooted [James]
ComboFix-quarantined-files.txt 2008-01-06 12:29:02
.
2007-12-11 19:56:59 --- E O F ---
  • 0

#4
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe



Please click on Start > Control Panel > Add/Remove Programs and uninstall the following programs(if present):

NetMeter



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
E:\AutoRun.exe

Folder::
C:\Program Files\NetMeter

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ampkfst"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{860ec022-161c-11dc-b03b-00904bebd852}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{860ec023-161c-11dc-b03b-00904bebd852}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{86150310-8318-11dc-b150-000ee750016c}]
[-KEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{86150311-8318-11dc-b150-000ee750016c}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d20fb2dc-8319-11dc-b151-000ee750016c}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7a7df00-0f70-11dc-b020-00904bebd852}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7a7df04-0f70-11dc-b020-00904bebd852}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7a7df05-0f70-11dc-b020-00904bebd852}]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



Reboot and post a new HijackThis log
  • 0

#5
Smitfrauded

Smitfrauded

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
OK. Here's the Hijack This log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:54:47, on 06/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: (no name) - {059947A2-838E-4773-9EE2-8AB8F53C2EDE} - (no file)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {7D1AD5EB-9902-4FF0-986F-CA498179A53B} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Startup: ScreenThemes.lnk = C:\Program Files\ScreenThemes\scthemes.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebo...toUploader2.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1180642291437
O16 - DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} (OD2 Eircom MediaBar) - http://sib1.od2.com/...nagerPlugin.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.on...e/en/crlocx.ocx
O21 - SSODL: bklgvsf - {2CC81FA6-9C10-413E-B312-CC55EC694315} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 10922 bytes
  • 0

#6
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O2 - BHO: (no name) - {059947A2-838E-4773-9EE2-8AB8F53C2EDE} - (no file)
O3 - Toolbar: (no name) - {7D1AD5EB-9902-4FF0-986F-CA498179A53B} - (no file)
O21 - SSODL: bklgvsf - {2CC81FA6-9C10-413E-B312-CC55EC694315} - (no file)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Also post the ComboFix log and a new HijackThis log
  • 0

#7
Smitfrauded

Smitfrauded

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
The Combofix Log

ComboFix 08-01-06.4 - James 2008-01-06 17:26:24.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.636 [GMT 0:00]
Running from: C:\Documents and Settings\James\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 )))))))))))))))))))))))))))))))
.

2008-01-06 12:15 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-06 01:29 . 2008-01-06 01:29 <DIR> d-------- C:\Deckard
2008-01-05 16:41 . 2007-10-04 17:10 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-05 16:41 . 2007-10-04 17:10 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-05 16:41 . 2007-10-04 17:10 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-01-05 16:41 . 2007-10-04 17:11 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-01-05 16:40 . 2008-01-06 01:21 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-05 16:40 . 2008-01-05 16:40 <DIR> d-------- C:\Documents and Settings\James\Application Data\PC Tools
2008-01-05 16:40 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-01-05 16:27 . 2008-01-05 16:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-05 00:42 . 2008-01-05 00:42 <DIR> d-------- C:\Documents and Settings\James\Application Data\Grisoft
2008-01-05 00:42 . 2007-05-30 12:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-04 23:12 . 2008-01-04 23:12 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-04 23:12 . 2008-01-04 23:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-04 23:11 . 2008-01-04 23:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-04 23:03 . 2008-01-04 23:03 85 --a------ C:\WINDOWS\wininit.ini
2008-01-04 19:29 . 2008-01-06 01:26 3,712 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-04 19:28 . 2008-01-06 01:27 <DIR> d-------- C:\SmitfraudFix
2008-01-04 19:28 . 2008-01-04 19:25 1,129,580 --a------ C:\SmitfraudFix.exe
2008-01-02 01:15 . 2008-01-02 01:23 <DIR> d-------- C:\Program Files\virtual dub mod
2008-01-02 00:19 . 2008-01-02 00:19 <DIR> d-------- C:\videos
2007-12-30 18:39 . 2007-12-30 18:48 <DIR> d-------- C:\Program Files\Winamp
2007-12-30 18:39 . 2007-12-30 18:49 <DIR> d-------- C:\Documents and Settings\James\Application Data\Winamp
2007-12-28 14:11 . 2008-01-04 14:16 <DIR> d-------- C:\Documents and Settings\James\Application Data\Azureus
2007-12-28 14:11 . 2007-12-28 14:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2007-12-28 14:10 . 2007-12-28 14:10 <DIR> d-------- C:\Program Files\Azureus
2007-12-26 12:34 . 2007-12-26 12:34 43,698 --a------ C:\WINDOWS\system32\xvid-uninstall.exe
2007-12-26 12:33 . 2007-12-26 12:33 <DIR> d-------- C:\Program Files\Gabest
2007-12-26 12:32 . 2007-12-26 12:34 <DIR> d-------- C:\Program Files\AutoGK
2007-12-12 23:21 . 2007-12-12 23:21 <DIR> d-------- C:\Program Files\mp3DirectCut
2007-12-09 14:41 . 2007-12-09 14:41 <DIR> d-------- C:\Documents and Settings\James\Application Data\ESET
2007-12-09 14:38 . 2007-12-09 14:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 17:25 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-06 16:22 --------- d-----w C:\Program Files\FreeCommander
2008-01-05 22:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-05 21:38 --------- d-----w C:\Program Files\Google
2008-01-04 00:04 --------- d-----w C:\Documents and Settings\James\Application Data\foobar2000
2008-01-01 10:57 --------- d-----w C:\Program Files\Opera
2007-12-28 21:55 --------- d-----w C:\Program Files\PeerGuardian2
2007-12-28 14:09 --------- d-----w C:\Program Files\FlashGet
2007-12-28 12:19 --------- d-----w C:\Documents and Settings\James\Application Data\uTorrent
2007-12-26 14:29 --------- d-----w C:\Documents and Settings\James\Application Data\dvdcss
2007-12-26 12:34 --------- d-----w C:\Program Files\AviSynth 2.5
2007-12-26 00:45 --------- d-----w C:\Program Files\WinAVI Video Capture
2007-12-25 00:06 --------- d-----w C:\Program Files\DOSBox-0.70
2007-12-22 22:03 --------- d-----w C:\Program Files\Last.fm
2007-12-13 18:59 --------- d-----w C:\Program Files\Audacity
2007-12-05 22:50 --------- d-----w C:\Documents and Settings\James\Application Data\SumatraPDF
2007-11-30 22:52 --------- d-----w C:\Program Files\Yahoo!
2007-11-30 00:32 --------- d-----w C:\Program Files\Pinnacle
2007-11-23 08:30 --------- d-----w C:\Documents and Settings\James\Application Data\ieSpell
2007-11-23 08:07 --------- d-----w C:\Documents and Settings\James\Application Data\Yahoo!
2007-11-23 07:42 --------- d-----w C:\Program Files\FLV Player
2007-11-23 01:25 499 ----a-w C:\WINDOWS\system32\drivers\fwdrv.err
2007-11-21 20:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-21 20:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pinnacle
2007-11-21 11:54 --------- d-----w C:\Documents and Settings\James\Application Data\LimeWire
2007-11-19 23:26 --------- d-----w C:\Program Files\ieSpell
2007-11-19 12:56 --------- d-----w C:\Program Files\iTunes
2007-11-19 12:56 --------- d-----w C:\Program Files\iPod
2007-11-19 12:54 --------- d-----w C:\Program Files\QuickTime
2007-11-14 15:06 53,768 ----a-w C:\WINDOWS\system32\drivers\epfwtdi.sys
2007-11-14 15:06 50,696 ----a-w C:\WINDOWS\system32\drivers\epfw.sys
2007-11-14 15:06 30,728 ----a-w C:\WINDOWS\system32\drivers\epfwndis.sys
2007-11-14 15:04 27,656 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2007-11-14 15:03 33,800 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2007-11-13 19:00 --------- d-----w C:\Program Files\Jasc Software Inc
2007-11-13 19:00 --------- d-----w C:\Documents and Settings\James\Application Data\Jasc Software Inc
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-10 21:58 --------- d-----w C:\Program Files\MySpace
2007-11-10 21:58 --------- d-----w C:\Documents and Settings\James\Application Data\MySpace
2007-11-09 19:33 --------- d-----w C:\Program Files\Amazon
.

((((((((((((((((((((((((((((( [email protected]_12.28.39.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 12:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\06-01-2008\ERDNT.EXE
+ 2008-01-06 15:35:12 7,553,024 ----a-w C:\WINDOWS\ERDNT\06-01-2008\Users\00000001\NTUSER.DAT
+ 2008-01-06 15:35:12 151,552 ----a-w C:\WINDOWS\ERDNT\06-01-2008\Users\00000002\UsrClass.dat
- 2008-01-06 12:08:52 40,844 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-01-06 17:22:55 40,844 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-01-06 12:08:52 312,814 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-06 17:22:55 312,814 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-14 23:09 68856]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 12:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 12:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 12:00 455168]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 19:40 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 19:38 688218]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-21 20:05 344064]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-02-16 17:45 1169776]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-02-16 17:57 1945960]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-02-16 17:49 149024]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2003-11-10 16:06 406016]
"USB2Check"="C:\WINDOWS\system32\PCLECoInst.dll" [2005-12-21 10:14 73728]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-11-14 15:05 1410304]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43 286720]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:00 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 01:17 443968]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-19 01:47 8720384]

C:\Documents and Settings\James\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-09-26 23:22:39]
ScreenThemes.lnk - C:\Program Files\ScreenThemes\scthemes.exe [2007-06-04 19:02:17]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

R2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 03:47]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 02:40]
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2004-06-10 14:59]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{86150311-8318-11dc-b150-000ee750016c}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c1d4cd49-54a2-11dc-b0cf-00904bebd852}]
\Shell\AutoRun\command - K:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 17:33:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-06 17:35:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-06 17:34:59
ComboFix2.txt 2008-01-06 17:24:43
ComboFix3.txt 2008-01-06 15:46:43
ComboFix4.txt 2008-01-06 12:29:26
.
2007-12-11 19:56:59 --- E O F ---

The Hijack This log (system scan only)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:37:43, on 06/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Startup: ScreenThemes.lnk = C:\Program Files\ScreenThemes\scthemes.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebo...toUploader2.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1180642291437
O16 - DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} (OD2 Eircom MediaBar) - http://sib1.od2.com/...nagerPlugin.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.on...e/en/crlocx.ocx
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 10441 bytes
  • 0

#8
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


Also tell me how your PC is running now
  • 0

#9
Smitfrauded

Smitfrauded

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
OK. I've run the scan and deleted the 4 items. My computer seems to be running fine now.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/06/2008 at 09:42 PM

Application Version : 3.9.1008

Core Rules Database Version : 3375
Trace Rules Database Version: 1369

Scan type : Complete Scan
Total Scan Time : 02:05:59

Memory items scanned : 398
Memory threats detected : 0
Registry items scanned : 5992
Registry threats detected : 0
File items scanned : 109012
File threats detected : 4

Adware.Tracking Cookie
C:\Documents and Settings\James\Cookies\[email protected][1].txt
C:\Documents and Settings\James\Cookies\[email protected][1].txt
C:\Documents and Settings\James\Cookies\[email protected][1].txt

Trojan.Net-MSV/VPS-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3E651E92-F399-48F0-AA7F-D9E7B469FF20}\RP215\A0071061.DLL
  • 0

#10
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean ! You need to do a few things

Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK


    • Posted Image

  • When shown the disclaimer, Select "2"

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
  • 0

#11
Smitfrauded

Smitfrauded

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Thank you very very much for all your help :) I'd have torn all my hair out by now. I've just made a donation.

Incidentally, I got the infection whilst using the browser Opera rather than IE.

Edited by Smitfrauded, 06 January 2008 - 05:33 PM.

  • 0

#12
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Thank you very much for the donation, it is much appreciated.

Always happy to help out another Irish person :) We are rare enough on this site !


By the way you can find me on Boards.ie if you ever have PC trouble in the future. It's a good Irish site if you don't know it :)
  • 0

#13
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP