Trojan removal needed [RESOLVED]



#1
andrea22
Member, 139 posts
Hi there, as in the topic description, a routine scan by AVG 7.5 picked up the above. I put the file in the virus vault, where it has remained since. As directed, I have completed a system restore, an AVG Anti-Spyware scan in safe mode, a SUPERAntiSpyware scan, and Windows updates. I didn't do the ATF Cleaner due to a download limit at that time. I attempted the Panda online scan twice; I downloaded the ActiveX controls successfully, then when I clicked on "My Computer" in order to begin the scan, I got the message "error on page". I then tried clicking on all the other icons, and the same thing happened. Logs are below. None of these scans located the virus, although I'm not sure whether this is due to it being in the virus vault. I tried to restore the virus and take it out of the vault to see whether it would make any difference, but that didn't really work: it went to a different place and still remained in the vault, so I just cleaned it and left it alone from that point. I have also spent a little time searching the net for this virus, potential removal tools or any information about it, but didn't find anything helpful. Thank you, Andrea.


AVG 7.5 "Event Log History"

<history>
<!-- 01c86703ffd94110 -->
<rec time="2007/12/04 11:54:55" user="SYSTEM" source="Update">
<value>@HL_UpdateOK</value>
<attr name="version">avi:1218-1138;banner:488-100;iavi:1179-1025;</attr>
</rec>
<rec time="2007/12/04 12:01:25" user="SYSTEM" source="Update">
<value>@HL_UpdateOK</value>
<attr name="version">alertmgr:496-482;avgcc:497-487;avgui:503-482;avgvv:497-458;avgw:502-486;core:498-488;corent:498-488;email:501-480;ems:494-482;kernel:501-480;lng:496-487;lngus:501-487;update:503-486;</attr>
</rec>
<rec time="2007/12/04 12:01:41" user="SYSTEM" source="Update">
<value>@HL_UpdateOK</value>
<attr name="version">helpsmus:501-482;</attr>
</rec>
<rec time="2007/12/05 08:00:08" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2007/12/05 08:13:18" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2007/12/06 08:00:21" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2007/12/06 08:28:50" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2007/12/07 16:41:01" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2007/12/07 16:43:55" user="Owner" source="General">
<value>@HL_TestStopped</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2007/12/07 21:21:50" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_12</attr>
</rec>
<rec time="2007/12/07 21:22:07" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_12</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2007/12/08 02:03:57" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_12</attr>
</rec>
<rec time="2007/12/08 03:08:47" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_12</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2007/12/08 12:00:01" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2007/12/08 12:02:09" user="Owner" source="General">
<value>@HL_TestStopped</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2007/12/09 08:00:08" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2007/12/09 08:13:59" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2007/12/10 08:00:24" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2007/12/10 08:41:54" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2007/12/11 08:00:07" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2007/12/11 08:16:32" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2007/12/12 08:00:11" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2007/12/12 08:20:09" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2007/12/13 08:00:10" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2007/12/13 08:20:53" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2007/12/14 08:00:08" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2007/12/14 08:19:09" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2007/12/15 08:00:07" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2007/12/15 08:18:56" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2007/12/16 08:00:08" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2007/12/16 08:18:52" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2007/12/17 08:00:08" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2007/12/17 08:19:31" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2007/12/19 08:00:08" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2007/12/19 08:19:38" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2007/12/21 08:00:08" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2007/12/21 08:19:32" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2007/12/24 08:00:08" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2007/12/24 08:18:20" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2007/12/25 08:00:09" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2007/12/25 08:18:13" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2007/12/27 08:00:30" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2007/12/27 09:06:20" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2007/12/28 08:00:35" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2007/12/28 09:10:21" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2007/12/29 08:00:33" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2007/12/29 09:09:06" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2007/12/30 08:00:26" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2007/12/30 08:56:27" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2007/12/31 08:00:23" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2007/12/31 08:37:09" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2008/01/01 08:00:10" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2008/01/01 08:22:03" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2008/01/02 08:00:22" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2008/01/02 08:38:53" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2008/01/03 22:29:54" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2008/01/03 22:48:47" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2008/01/04 08:00:22" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2008/01/04 08:56:56" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2008/01/05 08:00:28" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2008/01/05 08:58:12" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2008/01/07 08:00:19" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2008/01/07 08:32:13" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2008/01/08 08:00:34" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2008/01/08 09:11:25" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2008/01/09 08:00:23" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2008/01/09 21:50:07" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2008/01/10 08:00:18" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2008/01/10 08:42:01" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2008/01/11 08:00:10" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2008/01/11 08:22:26" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2008/01/12 08:00:25" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2008/01/12 08:45:36" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2008/01/13 08:00:26" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2008/01/13 08:43:39" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2008/01/14 08:00:10" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2008/01/14 08:21:52" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2008/01/15 23:43:14" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2008/01/16 00:24:23" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2008/01/16 08:00:19" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2008/01/16 08:44:23" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2008/01/17 08:00:28" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2008/01/17 08:47:38" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2008/01/18 08:00:27" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2008/01/18 09:06:38" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2008/01/19 08:00:10" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2008/01/19 08:32:40" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2008/01/20 08:00:29" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2008/01/20 08:43:06" user="Owner" source="General">
<value>@HL_TestStopped</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2008/01/21 08:00:08" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2008/01/21 08:18:53" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2008/01/22 08:00:23" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2008/01/22 08:44:34" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2008/01/22 11:58:08" user="SYSTEM" source="Update">
<value>@HL_UpdateOK</value>
<attr name="version">avgcc:506-497;avgui:507-503;avgw:506-502;avgwfp:510-473;avi:1246-1218;banner:489-488;email:512-501;ems:510-494;fshmfx86:510-473;iavi:1246-1179;kernel:510-501;lngus:508-501;update:516-503;</attr>
</rec>
<rec time="2008/01/22 17:09:05" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2008/01/22 17:31:40" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2008/01/23 08:00:24" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2008/01/23 08:48:38" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2008/01/24 08:00:23" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2008/01/24 08:40:30" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2008/01/24 15:13:57" user="Owner" source="Virus">
<value>@HL_ReportFindRS</value>
<attr name="filename">F:\auto.exe</attr>
<attr name="finding">@EID_Id_trj</attr>
<attr name="virusname">Agent.DCM</attr>
</rec>
<rec time="2008/01/24 15:14:36" user="Owner" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">F:\auto.exe</attr>
<attr name="action">@HL_ActVVInserted</attr>
</rec>
<rec time="2008/01/30 10:01:27" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2008/01/30 10:06:08" user="Owner" source="General">
<value>@HL_TestStopped</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2008/01/30 10:53:55" user="SYSTEM" source="Update">
<value>@HL_UpdateOK</value>
<attr name="version">avi:1254-1246;iavi:1260-1246;setup:510-486;</attr>
</rec>
<rec time="2008/01/31 20:11:09" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2008/01/31 20:21:51" user="Owner" source="General">
<value>@HL_TestStopped</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2008/02/01 08:00:26" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2008/02/01 08:44:35" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2008/02/02 08:00:09" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2008/02/02 08:25:41" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2008/02/02 13:19:07" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_12</attr>
</rec>
<rec time="2008/02/02 13:19:08" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_12</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2008/02/02 13:20:20" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_12</attr>
</rec>
<rec time="2008/02/02 13:20:22" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_12</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2008/02/02 16:16:26" user="Owner" source="Virus">
<value>@HL_ReportFindRS</value>
<attr name="filename">C:\Documents and Settings\Owner\My Documents\auto.exe</attr>
<attr name="finding">@EID_Id_trj</attr>
<attr name="virusname">Agent.DCM</attr>
</rec>
<rec time="2008/02/02 17:39:28" user="Owner" source="Virus">
<value>@HL_ReportFindRS</value>
<attr name="filename">C:\Documents and Settings\Owner\My Documents\auto.exe</attr>
<attr name="finding">@EID_Id_trj</attr>
<attr name="virusname">Agent.DCM</attr>
</rec>
<rec time="2008/02/02 17:40:06" user="Owner" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\Documents and Settings\Owner\My Documents\auto.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2008/02/02 20:10:18" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2008/02/02 20:10:43" user="Owner" source="General">
<value>@HL_TestStopped</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2008/02/02 20:28:42" user="Administrator" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2008/02/02 21:14:06" user="Administrator" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2008/02/03 08:00:12" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2008/02/03 08:24:29" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2008/02/04 08:00:25" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2008/02/04 08:47:16" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2008/02/05 08:00:15" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2008/02/05 08:25:22" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2008/02/06 08:00:28" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2008/02/06 08:51:07" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2008/02/06 14:07:47" user="SYSTEM" source="Update">
<value>@HL_UpdateOK</value>
<attr name="version">avi:1258-1254;iavi:1271-1260;</attr>
</rec>
<rec time="2008/02/07 08:00:33" user="Owner" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2008/02/07 08:53:27" user="Owner" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
</history>



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:22:30 PM, on 7/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Downloads\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\D-Link\DSL-200\dslstat.exe
C:\Program Files\D-Link\DSL-200\dslagent.exe
C:\Downloads\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Downloads\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
O4 - Startup: VirtualExpander.lnk = C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: PC Health.lnk = C:\Program Files\TOSHIBA\TOSHIBA Management Console\TOSHealthLocalS.vbs
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5F23AA7-B1CF-4F35-818A-E0072C90180A}: NameServer = 123.2.6.197 122.148.1.5
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Downloads\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 6214 bytes

Adobe Reader 8
ALi Audio Accelerator WDM Driver
AVG 7.5
AVG Anti-Spyware 7.5
D-Link DSL-200 ADSL Modem
FreeDVD Codec Installer Version 1.0
HijackThis 2.0.2
Hotfix for Windows XP (KB915865)
Intel® PRO Ethernet Adapter and Software
InterActual Player
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
MSXML 4.0 SP2 (KB936181)
Nero 7 Essentials
Network Device Switch
Nokia Connectivity Cable Driver
Nokia PC Suite
OpenOffice.org 2.1
Panda ActiveScan
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
SIM editor 3.0
SUPERAntiSpyware Free Edition
TOSHIBA Console
TOSHIBA Management Console Version 2.0 (2.0.3)
TOSHIBA Software Modem
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
WinZip 11.1

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/02/2008 at 02:45 PM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 00:49:21

Memory items scanned : 442
Memory threats detected : 0
Registry items scanned : 4725
Registry threats detected : 0
File items scanned : 23868
File threats detected : 22

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][4].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][3].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
  • 0

#2
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there, and sorry for the delay. I can see nothing apparent, so I would like to do a deep analysis.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#3
andrea22

    Member

  • Topic Starter
  • Member
  • 139 posts
Thanks Essexboy, I'm on to it now.
  • 0

#4
andrea22

    Member

  • Topic Starter
  • Member
  • 139 posts
Started the scan all OK, but I got the message "dss.exe has encountered a problem and needs to close", so I rebooted and started it again, and the same thing happened. Both times it was nearly finished. In case it's any help, the box that appeared next, regarding sending an error report to Microsoft, had the file C:\DOCUME~1\Owner\LOCALS~1\TEMP\dbfd_appcompat.txt listed.
  • 0

#5
andrea22

    Member

  • Topic Starter
  • Member
  • 139 posts
I just tried the scan again, and same thing. It got up to "examining event logs" then gave me the same error message.
  • 0

#6
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK then, let's try a different tack :)

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
  • 0

#7
andrea22

    Member

  • Topic Starter
  • Member
  • 139 posts
ComboFix 08-02.05.3 - Owner 2008-02-11 2:42:10.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.141 [GMT 10:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix(2).exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-10 to 2008-02-10 )))))))))))))))))))))))))))))))
.

2008-02-11 02:41 . 2008-02-11 02:44 <DIR> d-------- C:\ComboFix(2)
2008-02-11 02:31 . 2008-02-11 02:35 <DIR> d-------- C:\QooBox
2008-02-11 02:31 . 2000-08-31 08:00 212,480 --a------ C:\WINDOWS\system32\swxcacls.exe
2008-02-11 02:31 . 2000-08-31 08:00 161,792 --a------ C:\WINDOWS\system32\swreg.exe
2008-02-11 02:31 . 2000-08-31 08:00 136,704 --a------ C:\WINDOWS\system32\swsc.exe
2008-02-11 02:31 . 2000-08-31 08:00 98,816 --a------ C:\WINDOWS\system32\sed.exe
2008-02-11 02:31 . 2000-08-31 08:00 80,412 --a------ C:\WINDOWS\system32\grep.exe
2008-02-11 02:31 . 2000-08-31 08:00 73,728 --a------ C:\WINDOWS\system32\fdsv.exe
2008-02-11 02:31 . 2000-08-31 08:00 68,096 --a------ C:\WINDOWS\system32\zip.exe
2008-02-11 02:31 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-02-11 02:31 . 2000-08-31 08:00 49,152 --a------ C:\WINDOWS\system32\VFind.exe
2008-02-11 02:30 . 2004-08-04 22:00 388,608 --a------ C:\WINDOWS\system32\kmd.exe
2008-02-11 01:27 . 2008-02-11 01:27 <DIR> d-------- C:\Deckard
2008-02-08 21:09 . 2008-02-08 21:20 482,772 --a------ C:\WINDOWS\Harry Potter Castle Screen Save.exe
2008-02-08 21:09 . 2008-02-08 21:20 234,048 --a------ C:\WINDOWS\Harry Potter Castle Screen Save.scr
2008-02-08 21:09 . 2008-02-08 21:20 40,960 --a------ C:\WINDOWS\Harry Potter Castle Screen Save.dll
2008-02-08 21:09 . 2008-02-08 21:20 18,192 --a------ C:\WINDOWS\Harry Potter Castle Screen Save.dat
2008-02-08 20:39 . 2008-02-08 20:39 1,158 --a------ C:\WINDOWS\mozver.dat
2008-02-08 09:30 . 2008-02-11 02:06 <DIR> d-------- C:\Program Files\Mozilla Firefox
2008-02-08 00:29 . 2008-02-08 00:29 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-02-08 00:27 . 2008-02-08 07:30 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-08 00:27 . 2008-02-08 07:30 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-07 23:56 . 2008-02-07 23:56 48 --a------ C:\WINDOWS\iltwain.ini
2008-02-07 23:10 . 2008-02-07 23:57 <DIR> d-------- C:\Program Files\Folder Icon Changer
2008-02-07 22:37 . 2008-02-07 22:38 <DIR> d-------- C:\Program Files\QuickTime
2008-02-07 22:37 . 2008-02-07 22:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-07 22:36 . 2008-02-07 22:37 <DIR> d-------- C:\Program Files\Apple Software Update
2008-02-07 22:36 . 2008-02-07 22:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-02-07 16:22 . 2008-02-07 16:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-07 13:49 . 2006-08-02 12:39 73,728 --a------ C:\WINDOWS\system32\asuninst.exe
2008-02-07 13:49 . 2003-03-25 18:53 11,776 --a------ C:\WINDOWS\system32\ZPORT4AS.dll
2008-02-07 13:48 . 2008-02-07 14:14 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-07 13:48 . 2008-02-07 18:08 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-07 13:48 . 2008-02-07 18:08 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-07 13:48 . 2008-02-07 18:08 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-02 22:12 . 2008-02-02 22:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-02-02 22:04 . 2008-02-02 22:04 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-02-02 22:04 . 2007-05-30 22:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-02 20:26 . 2008-02-02 20:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-02-02 18:20 . 2008-02-02 18:20 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-02-02 18:19 . 2008-02-08 07:54 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\U3
2008-02-02 17:57 . 2008-02-02 18:28 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-02-02 13:39 . 2008-02-02 13:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-02 13:38 . 2008-02-08 00:12 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-02 13:38 . 2008-02-02 13:38 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-02-02 13:22 . 2008-02-02 13:22 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-02 03:00 . 2008-02-02 03:00 <DIR> d-------- C:\WINDOWS\ie7updates
2008-01-31 23:13 . 2008-01-31 23:13 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-31 23:13 . 2008-01-31 23:13 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-31 20:20 . 2008-01-31 20:20 <DIR> d-------- C:\WINDOWS\WBEM
2008-01-31 20:20 . 2008-02-02 03:01 <DIR> d-------- C:\WINDOWS\system32\en-US
2008-01-31 20:17 . 2008-01-31 20:19 <DIR> d--h-c--- C:\WINDOWS\ie7
2008-01-31 20:15 . 2006-07-15 01:51 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2008-01-30 11:29 . 2008-01-30 11:29 0 --a------ C:\WINDOWS\nsreg.dat
2008-01-22 14:37 . 2008-01-22 14:37 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-21 15:00 . 2008-01-21 15:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-10 15:33 780,140,544 --sha-w C:\pagefile.sys
2008-02-10 15:33 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-02-09 22:43 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2008-02-02 03:22 --------- d-----w C:\Program Files\Common Files
2008-02-02 02:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-02-02 02:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-01 17:01 --------- d-----w C:\Program Files\Internet Explorer
2008-01-22 04:38 --------- d-----w C:\Program Files\Outlook Express
2008-01-22 04:38 --------- d-----w C:\Program Files\Common Files\System
2008-01-22 01:57 26,952 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
2008-01-22 01:57 10,760 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
2008-01-21 05:02 --------- d-----w C:\Program Files\Common Files\Ahead
2008-01-20 15:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-01-02 00:21 17,642,616 ----a-w C:\WINDOWS\system32\MRT.exe
2007-12-27 09:06 --------- d-----w C:\Program Files\InterActual
2007-12-16 16:51 --------- d-----w C:\Program Files\SIM editor
2007-12-16 16:43 348,160 ----a-w C:\WINDOWS\MSVCR71.DLL
2007-12-16 16:43 1,060,864 ----a-w C:\WINDOWS\MFC71.DLL
2007-12-16 14:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-12 19:50 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ahead
2007-12-11 15:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\LightScribe
2007-12-11 02:26 --------- d-----w C:\Program Files\Windows Media Player
2007-12-11 00:39 --------- d-----w C:\Program Files\D-Link
2007-12-05 13:37 8,972 ----a-w C:\WINDOWS\pchealth\helpctr\Config\Cntstore.bin
2007-12-05 12:39 45,056 ----a-w C:\WINDOWS\SimTestDll.dll
2007-12-04 02:06 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-12-04 02:06 249,856 ------w C:\WINDOWS\Setup1.exe
2007-12-04 01:50 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-12-04 01:50 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-11-13 11:31 60,416 ------w C:\WINDOWS\system32\tzchange.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VirtualExpanderFile.1]
@={E4000AC4-5E5F-4956-807A-C5854405D64F}

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05 143360]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2005-06-24 14:08 860160]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-22 11:57 579072]
"DataLayer"="C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe" [2005-06-07 11:31 819712]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2005-06-29 15:29 176128]
"DSLSTATEXE"="C:\Program Files\D-Link\DSL-200\dslstat.exe" [2005-12-12 17:44 344064]
"DSLAGENTEXE"="C:\Program Files\D-Link\DSL-200\dslagent.exe" [2005-08-25 19:47 65536]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"!AVG Anti-Spyware"="C:\Downloads\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 19:25 6731312]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 22:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-04 12:01 219136]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]
OpenOffice.org 2.1.lnk - C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 16:45:48 393216]
VirtualExpander.lnk - C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe [2007-12-17 02:30:28 474808]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]
PC Health.lnk - C:\Program Files\TOSHIBA\TOSHIBA Management Console\TOSHealthLocalS.vbs [2006-06-02 16:40:15 2126]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R3 pciSd;pciSd;C:\WINDOWS\system32\DRIVERS\tossdpci.sys [2002-01-07 18:16]
R3 TOSHIBASoftModem;TOSHIBA Software Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys [2001-09-26 20:34]
R3 tridxp;tridxp;C:\WINDOWS\system32\DRIVERS\tridxpm.sys [2002-01-29 15:27]
R3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\system32\DRIVERS\tsdhd.sys [2002-01-07 01:02]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c2af080-ca3b-11dc-b9ea-00022d36625d}]
\Shell\Auto\command - auto.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5aa75321-d140-11dc-b9f6-00179a300101}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{907c9640-a6ec-11dc-b9b1-00022d36625d}]
\shell\play\Command - "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "%L"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a87d5011-0e40-11dc-8add-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1bef371-f23f-11da-919d-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0ceee00-a4a2-11dc-b9a6-00022d36625d}]
\Shell\AutoRun\command - F:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-09 01:59:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-11 02:44:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:46, on 2008-02-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Downloads\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\D-Link\DSL-200\dslstat.exe
C:\Program Files\D-Link\DSL-200\dslagent.exe
C:\Downloads\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Downloads\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
O4 - Startup: VirtualExpander.lnk = C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: PC Health.lnk = C:\Program Files\TOSHIBA\TOSHIBA Management Console\TOSHealthLocalS.vbs
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5F23AA7-B1CF-4F35-818A-E0072C90180A}: NameServer = 203.220.32.107 203.220.32.107
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Downloads\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 6350 bytes
  • 0

#8
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there Andrea, not a lot showing, just an old ezeula file and a dodgy registry entry.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\sed.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c2af080-ca3b-11dc-b9ea-00022d36625d}]

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Are you experiencing any problems?
  • 0
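The MountPoints2 key Essexboy deletes above is the one whose AutoRun command launches a bare "auto.exe" (an autorun.inf-style entry left by removable media) instead of a full path to a known launcher. As an added illustration, not ComboFix's own code and not the helper's script, the following Python parses the MountPoints2 entries in a ComboFix "Reg Loading Points" section, flags commands whose real target is a relative executable name (unwrapping the RunDLL32 ShellExec_RunDLL form), and builds the matching CFScript "Registry::" removal block; the log excerpt is constructed from the entries posted in this thread, and the bare-name heuristic is this example's own.

```python
"""
Flag suspicious MountPoints2 AutoRun commands in a ComboFix 'Reg Loading
Points' section and build the CFScript 'Registry::' lines that remove them.

Added illustration only: this is not ComboFix code and not the helper's
script. The heuristic (a target with no drive letter and no path separator
is suspicious) is this example's own assumption.
"""
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the MountPoints2 entries in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c2af080-ca3b-11dc-b9ea-00022d36625d}]
\Shell\Auto\command - auto.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{907c9640-a6ec-11dc-b9b1-00022d36625d}]
\shell\play\Command - "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "%L"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a87d5011-0e40-11dc-8add-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe
"""

# "[HKEY_...\mountpoints2\<drive or GUID>]" section header.
KEY_RE = re.compile(r"^\[(HKEY_[^\]]*\\mountpoints2\\[^\]]+)\]$", re.IGNORECASE)
# "\Shell\<verb>\command - <command line>" as ComboFix prints it.
CMD_RE = re.compile(r"^\\(shell\\[^\\]+\\command)\s+-\s+(.*)$", re.IGNORECASE)
# RunDLL32 ... ShellExec_RunDLL <target>: the real target is the trailing argument.
RUNDLL_RE = re.compile(r"shellexec_rundll\s+(.+)$", re.IGNORECASE)


def parse_mountpoints(log: str) -> Dict[str, List[str]]:
    """Map each MountPoints2 key to the shell command lines listed under it."""
    entries: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in log.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            entries[current] = []
            continue
        cmd = CMD_RE.match(line)
        if cmd and current is not None:
            entries[current].append(cmd.group(2).strip())
    return entries


def target_executable(command: str) -> str:
    """Return the program a command line really launches (quotes stripped)."""
    wrapped = RUNDLL_RE.search(command)
    if wrapped:
        command = wrapped.group(1).strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def is_suspicious(command: str) -> bool:
    """A relative executable name resolves against the removable drive root,
    which is how an autorun.inf infection gets launched on insertion."""
    exe = target_executable(command)
    if not exe:
        return False
    has_drive = re.match(r"^[A-Za-z]:\\", exe) is not None
    has_sep = "\\" in exe or "/" in exe
    return not (has_drive or has_sep)


def flag_entries(log: str) -> List[str]:
    """Return the MountPoints2 keys carrying at least one suspicious command."""
    return [key for key, cmds in parse_mountpoints(log).items()
            if any(is_suspicious(c) for c in cmds)]


def cfscript_registry_block(keys: List[str]) -> str:
    """Build the CFScript 'Registry::' section; a leading '-' inside the
    brackets is ComboFix's syntax for deleting the whole key."""
    return "\n".join(["Registry::"] + [f"[-{k}]" for k in keys]) + "\n"


if __name__ == "__main__":
    print(cfscript_registry_block(flag_entries(SAMPLE_LOG)))
```

Run against the constructed excerpt, only the {1c2af080-...} key is flagged, which matches the entry removed in the post above.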

#9
andrea22

    Member

  • Topic Starter
  • Member
  • 139 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:22:22 PM, on 11/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Downloads\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\D-Link\DSL-200\dslstat.exe
C:\Program Files\D-Link\DSL-200\dslagent.exe
C:\Downloads\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Downloads\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5F23AA7-B1CF-4F35-818A-E0072C90180A}: NameServer = 203.220.32.107 203.220.32.107
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Downloads\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 5549 bytes

ComboFix 08-02.05.3 - Owner 2008-02-11 15:17:02.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.105 [GMT 10:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-11 to 2008-02-11 )))))))))))))))))))))))))))))))
.

2008-02-11 03:24 . 2008-02-11 03:24 <DIR> d--h----- C:\WINDOWS\PIF
2008-02-11 02:41 . 2008-02-11 15:15 <DIR> d-------- C:\ComboFix(2)
2008-02-11 01:27 . 2008-02-11 01:27 <DIR> d-------- C:\Deckard
2008-02-08 21:09 . 2008-02-08 21:20 482,772 --a------ C:\WINDOWS\Harry Potter Castle Screen Save.exe
2008-02-08 21:09 . 2008-02-08 21:20 234,048 --a------ C:\WINDOWS\Harry Potter Castle Screen Save.scr
2008-02-08 21:09 . 2008-02-08 21:20 40,960 --a------ C:\WINDOWS\Harry Potter Castle Screen Save.dll
2008-02-08 21:09 . 2008-02-08 21:20 18,192 --a------ C:\WINDOWS\Harry Potter Castle Screen Save.dat
2008-02-08 20:39 . 2008-02-08 20:39 1,158 --a------ C:\WINDOWS\mozver.dat
2008-02-08 00:29 . 2008-02-08 00:29 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-02-08 00:27 . 2008-02-08 07:30 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-08 00:27 . 2008-02-08 07:30 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-07 23:56 . 2008-02-07 23:56 48 --a------ C:\WINDOWS\iltwain.ini
2008-02-07 23:10 . 2008-02-07 23:57 <DIR> d-------- C:\Program Files\Folder Icon Changer
2008-02-07 22:37 . 2008-02-07 22:38 <DIR> d-------- C:\Program Files\QuickTime
2008-02-07 22:37 . 2008-02-07 22:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-07 22:36 . 2008-02-07 22:37 <DIR> d-------- C:\Program Files\Apple Software Update
2008-02-07 22:36 . 2008-02-07 22:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-02-07 16:22 . 2008-02-07 16:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-07 13:48 . 2008-02-07 14:14 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-07 13:48 . 2008-02-07 18:08 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-07 13:48 . 2008-02-07 18:08 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-07 13:48 . 2008-02-07 18:08 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-02 22:12 . 2008-02-02 22:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-02-02 22:04 . 2008-02-02 22:04 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-02-02 22:04 . 2007-05-30 22:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-02 20:26 . 2008-02-02 20:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-02-02 18:20 . 2008-02-02 18:20 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-02-02 18:19 . 2008-02-08 07:54 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\U3
2008-02-02 17:57 . 2008-02-02 18:28 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-02-02 13:39 . 2008-02-02 13:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-02 13:38 . 2008-02-08 00:12 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-02 13:38 . 2008-02-02 13:38 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-02-02 13:22 . 2008-02-02 13:22 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-31 23:13 . 2008-01-31 23:13 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-31 23:13 . 2008-01-31 23:13 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-30 11:29 . 2008-01-30 11:29 0 --a------ C:\WINDOWS\nsreg.dat
2008-01-22 14:37 . 2008-01-22 14:37 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-21 15:00 . 2008-01-21 15:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-10 22:53 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2008-02-10 17:01 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-02-02 02:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-02-02 02:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-21 05:02 --------- d-----w C:\Program Files\Common Files\Ahead
2008-01-20 15:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-27 09:06 --------- d-----w C:\Program Files\InterActual
2007-12-16 16:51 --------- d-----w C:\Program Files\SIM editor
2007-12-16 16:43 348,160 ----a-w C:\WINDOWS\MSVCR71.DLL
2007-12-16 16:43 1,060,864 ----a-w C:\WINDOWS\MFC71.DLL
2007-12-16 14:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-12 19:50 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ahead
2007-12-11 15:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\LightScribe
2007-12-11 00:39 --------- d-----w C:\Program Files\D-Link
2007-12-05 12:39 45,056 ----a-w C:\WINDOWS\SimTestDll.dll
2007-12-04 02:06 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-12-04 02:06 249,856 ------w C:\WINDOWS\Setup1.exe
2007-12-04 01:50 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-12-04 01:50 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VirtualExpanderFile.1]
@={E4000AC4-5E5F-4956-807A-C5854405D64F}

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05 143360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2005-06-24 14:08 860160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-22 11:57 579072]
"DataLayer"="C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe" [2005-06-07 11:31 819712]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2005-06-29 15:29 176128]
"DSLSTATEXE"="C:\Program Files\D-Link\DSL-200\dslstat.exe" [2005-12-12 17:44 344064]
"DSLAGENTEXE"="C:\Program Files\D-Link\DSL-200\dslagent.exe" [2005-08-25 19:47 65536]
"!AVG Anti-Spyware"="C:\Downloads\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 19:25 6731312]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 22:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-04 12:01 219136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R3 pciSd;pciSd;C:\WINDOWS\system32\DRIVERS\tossdpci.sys [2002-01-07 18:16]
R3 TOSHIBASoftModem;TOSHIBA Software Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys [2001-09-26 20:34]
R3 tridxp;tridxp;C:\WINDOWS\system32\DRIVERS\tridxpm.sys [2002-01-29 15:27]
R3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\system32\DRIVERS\tsdhd.sys [2002-01-07 01:02]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5aa75321-d140-11dc-b9f6-00179a300101}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{907c9640-a6ec-11dc-b9b1-00022d36625d}]
\shell\play\Command - "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "%L"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a87d5011-0e40-11dc-8add-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1bef371-f23f-11da-919d-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0ceee00-a4a2-11dc-b9a6-00022d36625d}]
\Shell\AutoRun\command - F:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-09 01:59:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-11 15:20:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-11 15:21:13
.
2008-02-01 17:02:03 --- E O F ---
.
2008-02-10 22:53 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2008-02-10 17:01 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-02-02 02:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-02-02 02:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-21 05:02 --------- d-----w C:\Program Files\Common Files\Ahead
2008-01-20 15:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-27 09:06 --------- d-----w C:\Program Files\InterActual
2007-12-16 16:51 --------- d-----w C:\Program Files\SIM editor
2007-12-16 16:43 348,160 ----a-w C:\WINDOWS\MSVCR71.DLL
2007-12-16 16:43 1,060,864 ----a-w C:\WINDOWS\MFC71.DLL
2007-12-16 14:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-12 19:50 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ahead
2007-12-11 15:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\LightScribe
2007-12-11 00:39 --------- d-----w C:\Program Files\D-Link
2007-12-05 12:39 45,056 ----a-w C:\WINDOWS\SimTestDll.dll
2007-12-04 02:06 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-12-04 02:06 249,856 ------w C:\WINDOWS\Setup1.exe
2007-12-04 01:50 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-12-04 01:50 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VirtualExpanderFile.1]
@={E4000AC4-5E5F-4956-807A-C5854405D64F}

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05 143360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2005-06-24 14:08 860160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-22 11:57 579072]
"DataLayer"="C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe" [2005-06-07 11:31 819712]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2005-06-29 15:29 176128]
"DSLSTATEXE"="C:\Program Files\D-Link\DSL-200\dslstat.exe" [2005-12-12 17:44 344064]
"DSLAGENTEXE"="C:\Program Files\D-Link\DSL-200\dslagent.exe" [2005-08-25 19:47 65536]
"!AVG Anti-Spyware"="C:\Downloads\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 19:25 6731312]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 22:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-04 12:01 219136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R3 pciSd;pciSd;C:\WINDOWS\system32\DRIVERS\tossdpci.sys [2002-01-07 18:16]
R3 TOSHIBASoftModem;TOSHIBA Software Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys [2001-09-26 20:34]
R3 tridxp;tridxp;C:\WINDOWS\system32\DRIVERS\tridxpm.sys [2002-01-29 15:27]
R3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\system32\DRIVERS\tsdhd.sys [2002-01-07 01:02]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5aa75321-d140-11dc-b9f6-00179a300101}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{907c9640-a6ec-11dc-b9b1-00022d36625d}]
\shell\play\Command - "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "%L"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a87d5011-0e40-11dc-8add-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1bef371-f23f-11da-919d-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0ceee00-a4a2-11dc-b9a6-00022d36625d}]
\Shell\AutoRun\command - F:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-09 01:59:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-11 15:20:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-11 15:21:13
.
  • 0
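Essexboy's verdict on the log above ("Nothing evident now", in the next post) comes from reading it by eye. As an added example that is not part of this thread, of ComboFix or of any tool it lists, the Python below automates that first pass over a constructed excerpt of the log: it flags executables and drivers created directly in C:\WINDOWS, system32 or system32\drivers during the reporting window, Run-key images that load from outside the Windows and Program Files trees, and every removable-media AutoRun command Explorer has recorded under MountPoints2. The excerpt's lines are copied from the log above; the regexes, the directory lists and the rules are this example's own assumptions, and what they flag (AVG's own driver lands on the list next to the screensaver files the log shows created on 2008-02-08) is a list to verify by hand, not a verdict.

```python
"""Triage a ComboFix log excerpt for the items a helper looks at first.

Added example for this thread; it is not ComboFix code and ComboFix has no
such option. The section layout and sample lines follow the log posted
above; the triage rules are this example's own assumptions.
"""
import ntpath
import re
from typing import Dict, List

# Constructed excerpt: a handful of lines copied from the log above, in the
# order ComboFix prints them. It is not the complete log.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-01-11 to 2008-02-11 )))))))))))))))))))))))))))))))
.

2008-02-11 01:27 . 2008-02-11 01:27 <DIR> d-------- C:\Deckard
2008-02-08 21:09 . 2008-02-08 21:20 482,772 --a------ C:\WINDOWS\Harry Potter Castle Screen Save.exe
2008-02-08 21:09 . 2008-02-08 21:20 234,048 --a------ C:\WINDOWS\Harry Potter Castle Screen Save.scr
2008-02-08 21:09 . 2008-02-08 21:20 40,960 --a------ C:\WINDOWS\Harry Potter Castle Screen Save.dll
2008-02-08 21:09 . 2008-02-08 21:20 18,192 --a------ C:\WINDOWS\Harry Potter Castle Screen Save.dat
2008-02-02 22:04 . 2007-05-30 22:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-31 23:13 . 2008-01-31 23:13 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-22 11:57 579072]
"!AVG Anti-Spyware"="C:\Downloads\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 19:25 6731312]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{907c9640-a6ec-11dc-b9b1-00022d36625d}]
\shell\play\Command - "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "%L"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a87d5011-0e40-11dc-8add-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe
"""

# One "Files Created" entry: created . modified size attributes path
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)
# One Run-key value: "name"="image" [date time size]
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<image>[^"]+)" \[(?P<meta>[^\]]+)\]$')
REG_KEY = re.compile(r"^\[(?P<key>.+)\]$")
AUTORUN_CMD = re.compile(r"^\\shell\\autorun\\command - (?P<cmd>.+)$", re.IGNORECASE)

# Assumed rules: file types worth a look, directories where a fresh one is
# suspicious, and the roots a Run-key image normally loads from.
EXEC_EXTS = {".exe", ".scr", ".dll", ".sys", ".com", ".pif", ".bat", ".cmd"}
WATCHED_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\system32\drivers"}
EXPECTED_RUN_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def triage(log_text: str) -> Dict[str, List[str]]:
    """Return the three lists a helper scans a ComboFix log for."""
    findings: Dict[str, List[str]] = {
        "new_executables": [],           # fresh PE/driver files dropped into Windows dirs
        "run_outside_program_dirs": [],  # Run-key images loading from odd locations
        "autorun_commands": [],          # removable-media AutoRun commands Explorer has seen
    }
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = REG_KEY.match(line)
        if key:
            current_key = key.group("key").lower()  # context for the value lines that follow
            continue
        entry = FILE_LINE.match(line)
        if entry and entry.group("size") != "<DIR>":
            path = entry.group("path")
            ext = ntpath.splitext(path)[1].lower()
            if ext in EXEC_EXTS and ntpath.dirname(path).lower() in WATCHED_DIRS:
                findings["new_executables"].append(path)
            continue
        run = RUN_VALUE.match(line)
        if run and "\\currentversion\\run" in current_key:
            image = run.group("image")
            if not image.lower().startswith(EXPECTED_RUN_ROOTS):
                findings["run_outside_program_dirs"].append(f'{run.group("name")}={image}')
            continue
        cmd = AUTORUN_CMD.match(line)
        if cmd and "mountpoints2" in current_key:
            findings["autorun_commands"].append(cmd.group("cmd"))
    return findings


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(f"{section}: {len(items)}")
        for item in items:
            print("   ", item)
```

Run against the excerpt it lists four new executables (the three screensaver components in C:\WINDOWS plus AVG's AvgAsCln.sys under drivers), one Run entry loading from C:\Downloads, and the two AutoRun commands (F:\LaunchU3.exe and D:\setup.exe); the wmplayer "play" verb is correctly not counted. Only "AutoRun\command" lines are flagged because those are the ones Explorer executes when media is inserted, which is how USB and CD autorun malware of this period spread.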

#10
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Nothing evident now - are you experiencing any problems ?
  • 0

#11
andrea22

    Member

  • Topic Starter
  • Member
  • 139 posts
Yes, I still can't view photos with Nero, which is what initially alerted me to the problem. Would it help to uninstall and reinstall Nero? Also, am I correct in thinking I should now delete what's in the AVG virus vault?
  • 0

#12
andrea22

    Member

  • Topic Starter
  • Member
  • 139 posts
I've uninstalled and reinstalled Nero, and now everything works, yay! Thank you so much Essexboy!
  • 0

#13
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Sorry for the delay in answering your previous post - but you did what I would have suggested :) Yes, you can now empty the AVG vault.

Now the best part of the day ----- Your log now appears clean :)

You may now remove the programmes I had you download.



Now, to get you off to a good start, we will reset your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:

1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The system will do some calculation and then display a dialogue box with tabs
5. Select the More Options Tab.
6. At the bottom will be a System Restore box with a CLEANUP button; click this
7. Accept the warning and select OK again; the program will close and you are done



Now that you are clean, to help protect your computer in the future I recommend that you get the following free program:
  • SpywareBlaster to help prevent spyware from installing in the first place.
It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet, read this article by Tony Klein: So how did I get infected in the first place?


Keep safe :)
  • 0

#14
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





