Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

not sure if this is malware but can't open regedit/task manager[RE

Started by paysismom , Mar 03 2008 11:39 PM

  • This topic is locked This topic is locked

#1
paysismom
Posted 03 March 2008 - 11:39 PM

paysismom

    Member

  • Member
  • PipPip
  • 54 posts
hi guys,

I need help again. I'm not sure if this is malware though but I didn't do anything new with my computer and suddenly the task manager and regedit's not working. I also noticed that some of the folders in windows are "translucent" like it was deleted or something. check with avg anti-spyware and super antispyware, no infections though. this is my hijackthis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:28:40 PM, on 3/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\SSCVIIHOST.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\SSCVIIHOST.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Documents and Settings\jenn\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe SSCVIIHOST.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SSCVIIHOST.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O16 - DPF: {09883431-7429-11D5-8B69-0050049F5256} (VBAuthentic.Authentic) - https://www.metroban...VBAuthentic.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://inotes.pal.com.ph/iNotes6W.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-18.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {CA797B15-445F-4AA9-9828-8A88502F560F} (Uninstall Control) - http://www.worldwinn...d/uninstall.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.co...aploader_v6.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7102 bytes
  • 0

Advertisements

#2
RatHat
Posted 04 March 2008 - 08:40 AM

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Hi there,

Welcome to GeeksToGo. My name is RatHat, and I will help you get through the process of cleaning the malware from your computer.


OK firstly, I need you to print out each post I make so that you can refer to it while we fix your computer. This is because there will be times when you are unable to be online to read my instructions, and I will want you to do everything very carefully. I also need you to follow my instructions in the order that they are given. If however, you cannot carry out one of them, please continue on with the next and let me know what you were unsuccessful with.

I would like to make sure that you can view hidden files and folders;
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading SELECT Show hidden files and folders.
  • UNCHECK the Hide protected operating system files (recommended) option.
  • UNCHECK the Hide extensions for known file types option.
  • Click Yes to confirm.
  • Click OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please post me an Uninstall List from HijackThis:
  • Re-Open HijackThis, click Config, click Misc Tools
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Coolpics Remover.
Save it in the same folder you made earlier (c:\BFU).

Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • Behind the scriptline to execute field click the folder icon Posted Image and select coolpics.bfu
  • Press Execute and let it do it’s job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please read this Combofix tutorial before continuing, then follow the instructions below.

Download ComboFix from Here, Here or Here to your Desktop. (If you already have ComboFix, please delete it and download this new version).

  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    Posted Image

    Posted Image

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Save this log to your desktop as Combofix.txt and post it in your next reply.
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Next, I would like to make sure that you can view hidden files and folders again (The BFU script will have reset these);
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading SELECT Show hidden files and folders.
  • UNCHECK the Hide protected operating system files (recommended) option.
  • UNCHECK the Hide extensions for known file types option.
  • Click Yes to confirm.
  • Click OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


So in your next post, please include:
  • The HijackThis Uninstall list
  • The contents of Combofix.txt
  • A fresh HijackThis log taken after completing all of the above

Regards,
RatHat
  • 0

#3
paysismom
Posted 04 March 2008 - 11:24 AM

paysismom

    Member

  • Topic Starter
  • Member
  • PipPip
  • 54 posts
hi RatHat,

Thanks for the fast response! I've done what you've instructed me to do, although I didn't get to do the 1st step (check if I can view hidden files because when I clicked on the Tools Menu, the Folder Options' wasn't there, although after all the stuff you instructed me to do, the Folder Options' there already).

By the way, after all the instructions, I tried opening the task manager and regedit and it opened, I closed it after though, didn't do anything with them :)

One more follow up question, my computer's very slow compare to before, is it because of the malwares?

Anyway, here are the hijackthis uninstall list, combofix.txt and fresh hijackthis log. Thanks again! :)

HiJackThis Uninstall List

Ad-Aware 2007
Adobe Flash Player Plugin
Adobe Reader 8.1.2
Apple Mobile Device Support
Apple Software Update
AVG Anti-Spyware 7.5
Avira AntiVir PersonalEdition Classic
Blue's Kindergarten
Blue's Reading Time Activities
Caribbean Hideaway
CCleaner (remove only)
Chikka Messenger V4
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
Fairway Solitaire
HijackThis 2.0.2
Home Sweet Home
iTunes
Java™ 6 Update 3
Microsoft .NET Framework 2.0
Mozilla Firefox (2.0.0.12)
OpenAL
QuickTime
SUPERAntiSpyware Free Edition
Virtools 3D Life Player


Combofix.txt

ComboFix 08-03-04.2 - jenn 2008-03-05 0:54:09.4 - NTFSx86
Running from: C:\Documents and Settings\jenn\Desktop\Combo-Fix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\autorun.ini

.
((((((((((((((((((((((((( Files Created from 2008-02-04 to 2008-03-04 )))))))))))))))))))))))))))))))
.

2008-03-04 17:16 . 2008-03-04 17:16 <DIR> d-------- C:\Program Files\Avira
2008-03-04 17:16 . 2008-03-04 17:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-03-04 14:17 . 2008-03-04 20:15 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-04 14:17 . 2008-03-04 14:18 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-04 12:35 . 2008-03-04 12:35 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-02-29 23:53 . 2008-03-04 23:09 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-29 23:53 . 2008-02-29 23:53 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-20 15:38 . 2008-02-26 10:39 <DIR> d-------- C:\Documents and Settings\jenn\Application Data\CaribbeanHideaway
2008-02-20 15:30 . 2008-02-20 15:33 <DIR> d-------- C:\Program Files\Caribbean Hideaway
2008-02-17 10:12 . 2008-02-17 10:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grey Alien Games
2008-02-17 10:11 . 2008-02-17 10:12 <DIR> d-------- C:\Program Files\Fairway Solitaire
2008-02-12 09:07 . 2008-02-12 09:07 2,586 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-12 09:07 . 2008-02-12 09:07 0 --a------ C:\WINDOWS\system32\cscript
2008-02-07 23:20 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-07 23:06 . 2008-03-04 14:18 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-07 12:10 . 2008-02-07 12:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-07 12:09 . 2008-03-01 19:47 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-07 12:09 . 2008-02-07 12:09 <DIR> d-------- C:\Documents and Settings\jenn\Application Data\SUPERAntiSpyware.com
2008-02-07 12:05 . 2008-02-07 12:05 <DIR> d-------- C:\Documents and Settings\jenn\Application Data\Grisoft
2008-02-07 12:01 . 2008-02-07 12:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-07 12:01 . 2007-05-30 20:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-07 00:46 . 2008-02-07 02:23 <DIR> d-------- C:\Documents and Settings\jenn\.housecall6.6
2008-02-07 00:28 . 2008-02-07 00:28 <DIR> d-------- C:\Program Files\CCleaner
2008-02-07 00:09 . 2008-02-07 00:09 <DIR> d-------- C:\Documents and Settings\beng\Application Data\3M
2008-02-06 23:55 . 2005-03-03 02:09 577,024 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll
2008-02-06 23:53 . 2008-02-06 23:53 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-06 23:52 . 2008-02-06 23:56 <DIR> d-------- C:\SDFix
2008-02-06 22:30 . 2008-02-06 22:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-06 22:29 . 2008-02-06 22:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-06 21:27 . 2008-02-06 22:35 <DIR> d-------- C:\Program Files\XoftSpySE
2008-02-06 21:17 . 2008-02-07 00:28 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-02-05 11:40 . 2008-02-05 11:40 <DIR> d-------- C:\Documents and Settings\jenn\Application Data\Home Sweet Home

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 06:02 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-04 05:27 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-03-01 07:34 --------- d-----w C:\Documents and Settings\jenn\Application Data\Azureus
2008-02-29 15:48 --------- d-----w C:\Program Files\iTunes
2008-02-29 15:45 --------- d-----w C:\Program Files\iPod
2008-02-29 15:29 --------- d-----w C:\Program Files\QuickTime
2008-02-27 02:19 --------- d-----w C:\Documents and Settings\jenn\Application Data\TransRender
2008-02-24 09:04 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-09 01:16 --------- d-----w C:\Program Files\SpywareBlaster
2008-02-06 14:31 --------- d-----w C:\Program Files\Lavasoft
2008-02-03 08:11 --------- d-----w C:\Program Files\Home Sweet Home
2008-01-28 08:12 --------- d-----w C:\Program Files\Chikka Messenger
2008-01-23 14:03 --------- d-----w C:\Documents and Settings\jenn\Application Data\PlayFirst
2008-01-23 14:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-01-10 09:02 --------- d-----w C:\Program Files\Azureus
2007-12-14 03:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-11 19:46 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-12-11 19:46 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-12-11 19:45 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-12-11 19:45 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-12-11 19:43 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-06-14 15:04 63,472 -c--a-w C:\Documents and Settings\jenn\Application Data\GDIPFONTCACHEV1.DAT
2005-12-18 16:24 8 --sh--r C:\WINDOWS\system32\1B2E6AD7A2.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-06-11 18:16 4670968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-01-07 18:09 46592 C:\WINDOWS\SOUNDMAN.EXE]
"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 18:50 155648]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-08-31 12:25 249896]

C:\Documents and Settings\jenn\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2003-11-18 22:10:59 233472]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-05-29 01:51:22 113664]
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2006-07-20 23:17:02 1183744]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
Post-itr Software Notes Lite.lnk - C:\Program Files\3M\PSNLite\PsnLite.exe [2004-10-15 14:26:54 2080768]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 AvSynMgr;AVSync Manager;"C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe" [2002-08-05 07:00]
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 22:41]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{66446c53-dc22-11dc-bdab-101111111111}]
\Shell\AutoRun\command - F:\SSCVIIHOST.exe
\Shell\Open\command - F:\SSCVIIHOST.exe

*Newly Created Service* - SSMDRV
.
Contents of the 'Scheduled Tasks' folder
"2008-02-29 11:22:40 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-05 01:00:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-05 1:05:06
ComboFix-quarantined-files.txt 2008-03-04 17:05:01
ComboFix2.txt 2008-02-14 08:12:18
ComboFix3.txt 2008-02-14 07:58:01
ComboFix4.txt 2008-02-12 16:31:00


HiJackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:17:30 AM, on 3/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\jenn\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O16 - DPF: {09883431-7429-11D5-8B69-0050049F5256} (VBAuthentic.Authentic) - https://www.metroban...VBAuthentic.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://inotes.pal.com.ph/iNotes6W.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-18.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {CA797B15-445F-4AA9-9828-8A88502F560F} (Uninstall Control) - http://www.worldwinn...d/uninstall.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.co...aploader_v6.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7820 bytes
  • 0

#4
RatHat
Posted 04 March 2008 - 05:05 PM

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Hi Jenn,

Things are looking a lot better!

One more follow up question, my computer's very slow compare to before, is it because of the malwares?

Probably, so we will see if we can speed things up a bit later.


OK, please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please run an online scan with Kaspersky WebScanner. Note: You must use Internet Explorer to run this scan.

Click the Accept button.

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display the results if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop as Kaspersky.txt.
  • Copy and paste that information in your next post.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Finally, please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad files: main.txt and extra.txt
  • Use Save As to save both Notepad files to your Desktop and post them in your next reply.
Note: A copy of these files can be found in you root drive, usually C:\Deckard\System Scanner\

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


OK, in your next post, please include:
  • The MBAM report
  • The Kaspersky log
  • The two DSS reports
And let me know if your speed has improved at all.

Regards,
RatHat
  • 0

#5
paysismom
Posted 05 March 2008 - 12:56 AM

paysismom

    Member

  • Topic Starter
  • Member
  • PipPip
  • 54 posts
hi again RatHat,

so far, it's still more or less the same speed as before I did these instructios. Also, I noticed that I can't use the standard view of my google mail and the geekstogo forum looks "text based" now.


here are the logs and reports:

MBAM Report:

Malwarebytes' Anti-Malware 1.05
Database version: 451

Scan type: Quick Scan
Objects scanned: 29172
Time elapsed: 5 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DataDisp32 (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{4e7bd74f-2b8d-469e-86bd-fd60bb9aae3a} (Adware.OneToolBar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, March 05, 2008 1:52:42 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/03/2008
Kaspersky Anti-Virus database records: 597488
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 122593
Number of viruses found: 4
Number of infected objects: 13
Number of suspicious objects: 0
Duration of the scan process: 02:27:28

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\jenn\Application Data\3M\PSNotes\PSNData Object is locked skipped
C:\Documents and Settings\jenn\Application Data\Mozilla\Firefox\Profiles\cs0jrqez.default\cert8.db Object is locked skipped
C:\Documents and Settings\jenn\Application Data\Mozilla\Firefox\Profiles\cs0jrqez.default\history.dat Object is locked skipped
C:\Documents and Settings\jenn\Application Data\Mozilla\Firefox\Profiles\cs0jrqez.default\key3.db Object is locked skipped
C:\Documents and Settings\jenn\Application Data\Mozilla\Firefox\Profiles\cs0jrqez.default\parent.lock Object is locked skipped
C:\Documents and Settings\jenn\Application Data\Mozilla\Firefox\Profiles\cs0jrqez.default\search.sqlite Object is locked skipped
C:\Documents and Settings\jenn\Application Data\Mozilla\Firefox\Profiles\cs0jrqez.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\jenn\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\jenn\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\jenn\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\jenn\Local Settings\Application Data\Mozilla\Firefox\Profiles\cs0jrqez.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\jenn\Local Settings\Application Data\Mozilla\Firefox\Profiles\cs0jrqez.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\jenn\Local Settings\Application Data\Mozilla\Firefox\Profiles\cs0jrqez.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\jenn\Local Settings\Application Data\Mozilla\Firefox\Profiles\cs0jrqez.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\jenn\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\jenn\Local Settings\History\History.IE5\MSHist012008030520080306\index.dat Object is locked skipped
C:\Documents and Settings\jenn\Local Settings\Temp\~DF1A1C.tmp Object is locked skipped
C:\Documents and Settings\jenn\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\jenn\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\jenn\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Mozilla Firefox\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\QooBox\Quarantine\C\Program Files\Internet Explorer\svchost.exe.vir Infected: Trojan-Downloader.Win32.Delf.emo skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\autorun.ini.vir Infected: Trojan.Win32.AutoRun.a skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{71768B5E-383B-4067-A205-C82E78DF6572}\RP927\A0218527.exe Infected: Trojan-Downloader.Win32.AutoIt.aa skipped
C:\System Volume Information\_restore{71768B5E-383B-4067-A205-C82E78DF6572}\RP927\A0218541.exe Infected: Trojan-Downloader.Win32.AutoIt.aa skipped
C:\System Volume Information\_restore{71768B5E-383B-4067-A205-C82E78DF6572}\RP927\A0218657.exe Infected: Trojan-Downloader.Win32.AutoIt.aa skipped
C:\System Volume Information\_restore{71768B5E-383B-4067-A205-C82E78DF6572}\RP928\A0219663.exe Infected: Trojan-Downloader.Win32.AutoIt.aa skipped
C:\System Volume Information\_restore{71768B5E-383B-4067-A205-C82E78DF6572}\RP929\A0219670.exe Infected: Trojan-Downloader.Win32.AutoIt.aa skipped
C:\System Volume Information\_restore{71768B5E-383B-4067-A205-C82E78DF6572}\RP929\A0219678.exe Infected: Trojan-Downloader.Win32.AutoIt.aa skipped
C:\System Volume Information\_restore{71768B5E-383B-4067-A205-C82E78DF6572}\RP929\A0219681.exe Infected: Trojan-Downloader.Win32.AutoIt.aa skipped
C:\System Volume Information\_restore{71768B5E-383B-4067-A205-C82E78DF6572}\RP929\A0219683.exe Infected: Trojan-Downloader.Win32.AutoIt.aa skipped
C:\System Volume Information\_restore{71768B5E-383B-4067-A205-C82E78DF6572}\RP929\A0219684.exe Infected: Trojan-Downloader.Win32.AutoIt.aa skipped
C:\System Volume Information\_restore{71768B5E-383B-4067-A205-C82E78DF6572}\RP930\A0219697.ini Infected: Trojan.Win32.AutoRun.a skipped
C:\System Volume Information\_restore{71768B5E-383B-4067-A205-C82E78DF6572}\RP930\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


DSS (main.txt):

Deckard's System Scanner v20071014.68
Run by jenn on 2008-03-05 14:14:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
10: 2008-03-05 06:14:51 UTC - RP931 - Deckard's System Scanner Restore Point
9: 2008-03-04 16:53:36 UTC - RP930 - ComboFix created restore point
8: 2008-03-04 09:15:58 UTC - RP929 - AntiVir PersonalEdition Classic - 3/4/2008 17:14
7: 2008-03-04 05:55:26 UTC - RP928 - Installed Adobe Reader 8.1.2
6: 2008-03-02 13:12:42 UTC - RP927 - System Checkpoint


-- First Restore Point --
1: 2008-02-24 06:26:18 UTC - RP922 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as jenn.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:16:24 PM, on 3/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Documents and Settings\jenn\Desktop\dss.exe
C:\DOCUME~1\jenn\Desktop\jenn.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O16 - DPF: {09883431-7429-11D5-8B69-0050049F5256} (VBAuthentic.Authentic) - https://www.metroban...VBAuthentic.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://inotes.pal.com.ph/iNotes6W.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-18.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {CA797B15-445F-4AA9-9828-8A88502F560F} (Uninstall Control) - http://www.worldwinn...d/uninstall.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.co...aploader_v6.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7995 bytes

-- File Associations -----------------------------------------------------------

.ini - inifile - shell\open\command - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1
.js - JSFile - DefaultIcon - C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe,2
.js - JSFile - shell\open\command - "C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe" "%1"
.txt - txtfile - shell\open\command - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 BTHidMgr (Bluetooth HID Manager Service) - c:\windows\system32\drivers\bthidmgr.sys <Not Verified; IVT Corporation; BlueSoleil©>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R1 StarOpen - c:\windows\system32\drivers\staropen.sys
R2 BrPar - c:\windows\system32\drivers\brpar.sys <Not Verified; Brother Industries Ltd.; Brother Parallel Class Driver>
R2 ScFBPNT3 (CanoScan FBP3 Port Driver) - c:\windows\system32\drivers\scfbpnt3.sys
R3 BlueletAudio (Bluetooth Audio Service) - c:\windows\system32\drivers\blueletaudio.sys <Not Verified; IVT Corporation; Windows ® 2000 DDK driver>
R3 BT (Bluetooth PAN Network Adapter) - c:\windows\system32\drivers\btnetdrv.sys <Not Verified; IVT Corporation; BlueSoleil>
R3 BTHidEnum (Bluetooth HID Enumerator) - c:\windows\system32\drivers\vbtenum.sys
R3 VComm (Virtual Serial port driver) - c:\windows\system32\drivers\vcomm.sys <Not Verified; IVT Corporation; BlueSoleil>
R3 VcommMgr (Bluetooth VComm Manager Service) - c:\windows\system32\drivers\vcommmgr.sys <Not Verified; IVT Corporation; BlueSoleil>

S1 Cdr4_2K - c:\windows\system32\drivers\cdr4_2k.sys <Not Verified; Adaptec; Adaptec's CD-R Helper Drivers>
S3 Btcsrusb (Bluetooth USB For Bluetooth Service) - c:\windows\system32\drivers\btcusb.sys <Not Verified; IVT Corporation; Bluetooth USB Device Driver>
S3 BTDriver (Bluetooth Virtual Communications Driver) - c:\windows\system32\drivers\btport.sys (file missing)
S3 BTNetFilter (Bluetooth Network Filter) - c:\windows\system32\drivers\btnetfilter.sys
S3 BTWDNDIS (Bluetooth LAN Access Server) - c:\windows\system32\drivers\btwdndis.sys (file missing)
S3 GMSIPCI - d:\install\gmsipci.sys (file missing)
S3 PalmUSBD - c:\windows\system32\drivers\palmusbd.sys (file missing)
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
S3 SDTHOOK - c:\windows\system32\drivers\sdthook.sys <Not Verified; Panda Software; Panda® Antivirus>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AntiVirScheduler (AntiVir PersonalEdition Classic Scheduler) - "c:\program files\avira\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; Scheduler>
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 AvSynMgr (AVSync Manager) - "c:\program files\mcafee\mcafee virusscan\avsynmgr.exe" <Not Verified; Network Associates, Inc.; VirusScan Home Edition>
R2 BlueSoleil Hid Service - c:\program files\ivt corporation\bluesoleil\btntservice.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-02-29 19:22:40 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-02-05 and 2008-03-05 -----------------------------

2008-03-05 09:46:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-05 09:46:23 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-05 09:46:18 0 d-------- C:\WINDOWS\LastGood
2008-03-05 09:18:25 0 d-------- C:\Documents and Settings\jenn\Application Data\Malwarebytes
2008-03-05 09:18:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-05 09:18:00 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-05 00:25:51 0 d-------- C:\bfu
2008-03-04 17:16:41 0 d-------- C:\Program Files\Avira
2008-03-04 17:16:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-03-04 14:17:28 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-03-04 14:01:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-03-04 13:12:07 0 dr-h----- C:\Documents and Settings\jenn\Recent
2008-03-04 12:35:23 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-02-20 15:38:36 0 d-------- C:\Documents and Settings\jenn\Application Data\CaribbeanHideaway
2008-02-20 15:30:07 0 d-------- C:\Program Files\Caribbean Hideaway
2008-02-17 10:12:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Grey Alien Games
2008-02-17 10:11:23 0 d-------- C:\Program Files\Fairway Solitaire
2008-02-13 00:19:48 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-02-13 00:19:48 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-02-13 00:19:48 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-02-13 00:19:48 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-02-12 09:07:42 0 --a------ C:\WINDOWS\system32\cscript
2008-02-12 09:07:41 2586 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-07 23:20:22 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-02-07 12:10:22 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-07 12:09:48 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-02-07 12:09:48 0 d-------- C:\Documents and Settings\jenn\Application Data\SUPERAntiSpyware.com
2008-02-07 12:05:15 0 d-------- C:\Documents and Settings\jenn\Application Data\Grisoft
2008-02-07 12:01:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-07 00:46:00 0 d-------- C:\Documents and Settings\jenn\.housecall6.6
2008-02-07 00:28:36 0 d-------- C:\Program Files\CCleaner
2008-02-07 00:12:09 0 d-------- C:\Documents and Settings\beng\Application Data\Mozilla
2008-02-07 00:09:03 0 d-------- C:\Documents and Settings\beng\Application Data\3M
2008-02-06 23:53:54 0 d-------- C:\WINDOWS\ERUNT
2008-02-06 23:09:34 0 d--hs---- C:\WINDOWS\CSC
2008-02-06 22:30:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-06 22:29:58 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-06 21:27:49 0 d-------- C:\Program Files\XoftSpySE
2008-02-06 21:17:55 0 d-------- C:\Program Files\RogueRemover FREE
2008-02-05 11:40:20 0 d-------- C:\Documents and Settings\jenn\Application Data\Home Sweet Home


-- Find3M Report ---------------------------------------------------------------

2008-03-04 14:30:46 0 d-------- C:\Documents and Settings\jenn\Application Data\Adobe
2008-03-04 14:02:07 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-01 15:34:31 0 d-------- C:\Documents and Settings\jenn\Application Data\Azureus
2008-02-29 23:48:20 0 d-------- C:\Program Files\iTunes
2008-02-29 23:45:51 0 d-------- C:\Program Files\iPod
2008-02-29 23:29:33 0 d-------- C:\Program Files\QuickTime
2008-02-27 10:19:26 0 d-------- C:\Documents and Settings\jenn\Application Data\TransRender
2008-02-09 09:16:14 0 d-------- C:\Program Files\SpywareBlaster
2008-02-06 22:31:00 0 d-------- C:\Program Files\Lavasoft
2008-02-06 22:29:58 0 d-------- C:\Program Files\Common Files
2008-02-03 16:11:15 0 d-------- C:\Program Files\Home Sweet Home
2008-01-28 16:12:24 0 d-------- C:\Program Files\Chikka Messenger
2008-01-23 22:03:13 0 d-------- C:\Documents and Settings\jenn\Application Data\PlayFirst
2008-01-10 17:02:43 0 d-------- C:\Program Files\Azureus
2007-12-12 03:46:02 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-12-12 03:44:28 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-12-12 03:44:28 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-12-12 03:44:18 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-12-12 03:44:18 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-12 03:44:18 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-12 03:44:18 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-12 03:43:44 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [01/07/2003 06:09 PM C:\WINDOWS\SOUNDMAN.EXE]
"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [07/09/2001 06:50 PM]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/04/2004 12:56 AM C:\WINDOWS\system32\bthprops.cpl]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/22/2006 12:22 PM]
"nwiz"="nwiz.exe" [10/22/2006 12:22 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [10/22/2006 12:22 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/31/2008 11:13 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/19/2008 01:10 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [08/31/2007 12:25 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [06/11/2007 06:16 PM]

C:\Documents and Settings\jenn\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [11/18/2003 10:10:59 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [5/29/2003 1:51:22 AM]
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [7/20/2006 11:17:02 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]
Post-itr Software Notes Lite.lnk - C:\Program Files\3M\PSNLite\PsnLite.exe [10/15/2004 2:26:54 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSetTaskbar"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 02/27/2007 11:39 AM 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{66446c53-dc22-11dc-bdab-101111111111}]
AutoRun\command- F:\SSCVIIHOST.exe
Open\command- F:\SSCVIIHOST.exe




-- End of Deckard's System Scanner: finished at 2008-03-05 14:17:20 ------------


DSS (extra.txt):

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ XP 1800+
Percentage of Memory in Use: 70%
Physical Memory (total/avail): 255.48 MiB / 75.03 MiB
Pagefile Memory (total/avail): 1003.58 MiB / 667.3 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1949.04 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.52 GiB total, 10.96 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST380011A - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.52 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

AntivirusOverride is set.

AV: Avira AntiVir PersonalEdition v 7.0.0.2
(Avira GmbH) Disabled Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\jenn\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JENNOLI-PC1
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\jenn
LOGONSERVER=\\JENNOLI-PC1
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\Samsung\Samsung PC Studio 3;C:\Program Files\QuickTime\QTSystem;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0801
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\jenn\LOCALS~1\Temp
TMP=C:\DOCUME~1\jenn\LOCALS~1\Temp
USERDOMAIN=JENNOLI-PC1
USERNAME=jenn
USERPROFILE=C:\Documents and Settings\jenn
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

jenn (admin)
beng (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Avira AntiVir PersonalEdition Classic --> C:\Program Files\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
Blue's Kindergarten --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Infogrames Interactive\Blue's Kindergarten\DeIsL1.isu"
Blue's Reading Time Activities --> C:\WINDOWS\IsUninst.exe -f"C:\HEGames\Blue's Reading Time Activities\Uninst.isu"
Caribbean Hideaway --> "C:\Program Files\Caribbean Hideaway\ReflexiveArcade\unins000.exe"
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Chikka Messenger V4 --> C:\PROGRA~1\CHIKKA~1\CHIKKA~1.4\UNWISE.EXE C:\PROGRA~1\CHIKKA~1\CHIKKA~1.4\INSTALL.LOG
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Fairway Solitaire --> "C:\Program Files\Fairway Solitaire\ReflexiveArcade\unins000.exe"
HijackThis 2.0.2 --> "C:\Documents and Settings\jenn\Desktop\HijackThis.exe" /uninstall
Home Sweet Home --> "C:\WINDOWS\Home Sweet Home\uninstall.exe" "/U:C:\Program Files\Home Sweet Home\Uninstall\uninstall.xml"
iTunes --> MsiExec.exe /I{80FD852F-5AAC-4129-B931-06AAFFA43138}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Mozilla Firefox (2.0.0.12) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
OpenAL --> "C:\Program Files\OpenAL\oalinst.exe" /U
QuickTime --> MsiExec.exe /I{BFD96B89-B769-4CD6-B11E-E79FFD46F067}
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Virtools 3D Life Player --> C:\Program Files\Virtools\3D Life Player\WebplayerConfig.exe -u


-- Application Event Log -------------------------------------------------------

No Errors/Warnings found.


-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type106099 / Error
Event Submitted/Written: 03/05/2008 09:31:40 AM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Event Record #/Type106098 / Error
Event Submitted/Written: 03/05/2008 09:31:40 AM
Event ID/Source: 17 / W32Time
Event Description:
Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Event Record #/Type106090 / Error
Event Submitted/Written: 03/05/2008 09:03:21 AM
Event ID/Source: 30013 / ipnathlp
Event Description:
The DHCP allocator has disabled itself on IP address 169.254.109.4,
since the IP address is outside the 192.168.0.0/255.255.255.0 scope
from which addresses are being allocated to DHCP clients.
To enable the DHCP allocator on this IP address,
please change the scope to include the IP address,
or change the IP address to fall within the scope.

Event Record #/Type106078 / Error
Event Submitted/Written: 03/05/2008 09:02:11 AM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
Cdr4_2K

Event Record #/Type106076 / Warning
Event Submitted/Written: 03/05/2008 09:01:01 AM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 00304F21A02E. The IP address being used is 169.254.109.4.



-- End of Deckard's System Scanner: finished at 2008-03-05 14:17:20 ------------
  • 0

#6
RatHat
Posted 05 March 2008 - 05:06 AM

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Hey Jenn,

If you are having problems with the way Firefox displays the pages on some sites, try hitting Ctrl and F5 at the same time. This should refresh the page to the correct state.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\sed.exe
C:\WINDOWS\system32\grep.exe

Folder::
C:\Program Files\Azureus

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{66446c53-dc22-11dc-bdab-101111111111}]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Azureus\\Azureus.exe"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Regards,
RatHat
  • 0

#7
paysismom
Posted 05 March 2008 - 06:52 AM

paysismom

    Member

  • Topic Starter
  • Member
  • PipPip
  • 54 posts
hi,

I tried the Ctrl-F5 on Firefox but it's still the same.

anyway, when I restarted the computer after combofix, there was an error about viruscan not turned on (I can't remember the exact words, sorry :) ).

here's the combofix and hijackthis logs:

combofix

ComboFix 08-03-04.2 - jenn 2008-03-05 19:22:03.5 - NTFSx86
Running from: C:\Documents and Settings\jenn\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\jenn\Desktop\rat_hat\stage 2\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\grep.exe
C:\WINDOWS\system32\sed.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Azureus
C:\Program Files\Azureus\.install4j\_shfoldr.dll
C:\Program Files\Azureus\.install4j\autoUninstall.0
C:\Program Files\Azureus\.install4j\files.log
C:\Program Files\Azureus\.install4j\i4j_extf_0_5p83tu.utf8
C:\Program Files\Azureus\.install4j\i4j_extf_1_5p83tu_jhp9vg.png
C:\Program Files\Azureus\.install4j\i4j_extf_2_5p83tu.txt
C:\Program Files\Azureus\.install4j\i4j_extf_3_5p83tu_1kde336.ico
C:\Program Files\Azureus\.install4j\i4j_extf_4_5p83tu_62t8mu.icns
C:\Program Files\Azureus\.install4j\i4jdel.exe
C:\Program Files\Azureus\.install4j\i4jinst.dll
C:\Program Files\Azureus\.install4j\i4jparams.conf
C:\Program Files\Azureus\.install4j\i4jruntime.jar
C:\Program Files\Azureus\.install4j\inst_jre.cfg
C:\Program Files\Azureus\.install4j\install.prop
C:\Program Files\Azureus\.install4j\installation.log
C:\Program Files\Azureus\.install4j\installer.png
C:\Program Files\Azureus\.install4j\installerHeader.png
C:\Program Files\Azureus\.install4j\MessagesDefault
C:\Program Files\Azureus\.install4j\response.varfile
C:\Program Files\Azureus\.install4j\unicows.dll
C:\Program Files\Azureus\.install4j\uninstallerHeader.png
C:\Program Files\Azureus\.install4j\user.jar
C:\Program Files\Azureus\aereg.dll
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Azureus\Azureus.exe.manifest
C:\Program Files\Azureus\Azureus2.jar
C:\Program Files\Azureus\AzureusUpdater.exe
C:\Program Files\Azureus\ChangeLog.txt
C:\Program Files\Azureus\javaw.exe.manifest
C:\Program Files\Azureus\License.txt
C:\Program Files\Azureus\plugins\azplugins\azplugins_1.9.1.jar
C:\Program Files\Azureus\plugins\azplugins\azplugins_2.0.jar
C:\Program Files\Azureus\plugins\azplugins\azplugins_2.1.1.jar
C:\Program Files\Azureus\plugins\azplugins\azplugins_2.1.4.jar
C:\Program Files\Azureus\plugins\azrating\azrating_1.3.1.jar
C:\Program Files\Azureus\plugins\azrating\azrating_1.3.jar
C:\Program Files\Azureus\plugins\azupdater\azupdater_1.8.5.zip
C:\Program Files\Azureus\plugins\azupdater\azupdaterpatcher_1.8.3.jar
C:\Program Files\Azureus\plugins\azupdater\azupdaterpatcher_1.8.5.jar
C:\Program Files\Azureus\plugins\azupdater\plugin.properties
C:\Program Files\Azureus\plugins\azupdater\plugin.properties_1.8.5
C:\Program Files\Azureus\plugins\azupdater\Updater.jar
C:\Program Files\Azureus\plugins\azupdater\Updater.jar.bak
C:\Program Files\Azureus\plugins\azupnpav\azupnpav_0.1.2.jar
C:\Program Files\Azureus\plugins\azupnpav\azupnpav_0.1.6.jar
C:\Program Files\Azureus\plugins\azupnpav\azupnpav_0.1.6.zip
C:\Program Files\Azureus\plugins\azupnpav\azupnpav_0.1.7.jar
C:\Program Files\Azureus\plugins\azupnpav\azupnpav_0.1.7.zip
C:\Program Files\Azureus\plugins\azupnpav\plugin.properties
C:\Program Files\Azureus\plugins\azupnpav\plugin.properties_0.1.6
C:\Program Files\Azureus\plugins\azupnpav\plugin.properties_0.1.7
C:\Program Files\Azureus\swt-about.html
C:\Program Files\Azureus\swt-awt-win32-3139.dll
C:\Program Files\Azureus\swt-awt-win32-3232.dll
C:\Program Files\Azureus\swt-awt-win32-3318.dll
C:\Program Files\Azureus\swt-gdip-win32-3139.dll
C:\Program Files\Azureus\swt-gdip-win32-3232.dll
C:\Program Files\Azureus\swt-gdip-win32-3318.dll
C:\Program Files\Azureus\swt-wgl-win32-3232.dll
C:\Program Files\Azureus\swt-wgl-win32-3318.dll
C:\Program Files\Azureus\swt-win32-3139.dll
C:\Program Files\Azureus\swt-win32-3232.dll
C:\Program Files\Azureus\swt-win32-3318.dll
C:\Program Files\Azureus\swt.jar
C:\Program Files\Azureus\uninstall.exe
C:\WINDOWS\system32\grep.exe
C:\WINDOWS\system32\sed.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-05 to 2008-03-05 )))))))))))))))))))))))))))))))
.

2008-03-05 14:14 . 2008-03-05 14:14 <DIR> d-------- C:\Deckard
2008-03-05 09:46 . 2008-03-05 09:46 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-05 09:46 . 2008-03-05 09:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-05 09:18 . 2008-03-05 09:18 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-05 09:18 . 2008-03-05 09:18 <DIR> d-------- C:\Documents and Settings\jenn\Application Data\Malwarebytes
2008-03-05 09:18 . 2008-03-05 09:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-04 17:16 . 2008-03-04 17:16 <DIR> d-------- C:\Program Files\Avira
2008-03-04 17:16 . 2008-03-04 17:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-03-04 14:17 . 2008-03-04 20:15 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-04 14:17 . 2008-03-04 14:18 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-04 12:35 . 2008-03-04 12:35 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-02-29 23:53 . 2008-03-05 14:42 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-29 23:53 . 2008-02-29 23:53 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-20 15:38 . 2008-02-26 10:39 <DIR> d-------- C:\Documents and Settings\jenn\Application Data\CaribbeanHideaway
2008-02-20 15:30 . 2008-02-20 15:33 <DIR> d-------- C:\Program Files\Caribbean Hideaway
2008-02-17 10:12 . 2008-02-17 10:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grey Alien Games
2008-02-17 10:11 . 2008-02-17 10:12 <DIR> d-------- C:\Program Files\Fairway Solitaire
2008-02-12 09:07 . 2008-02-12 09:07 2,586 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-12 09:07 . 2008-02-12 09:07 0 --a------ C:\WINDOWS\system32\cscript
2008-02-07 23:20 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-07 23:06 . 2008-03-04 14:18 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-07 12:10 . 2008-02-07 12:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-07 12:09 . 2008-03-01 19:47 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-07 12:09 . 2008-02-07 12:09 <DIR> d-------- C:\Documents and Settings\jenn\Application Data\SUPERAntiSpyware.com
2008-02-07 12:05 . 2008-02-07 12:05 <DIR> d-------- C:\Documents and Settings\jenn\Application Data\Grisoft
2008-02-07 12:01 . 2008-02-07 12:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-07 12:01 . 2007-05-30 20:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-07 00:46 . 2008-02-07 02:23 <DIR> d-------- C:\Documents and Settings\jenn\.housecall6.6
2008-02-07 00:28 . 2008-02-07 00:28 <DIR> d-------- C:\Program Files\CCleaner
2008-02-07 00:09 . 2008-02-07 00:09 <DIR> d-------- C:\Documents and Settings\beng\Application Data\3M
2008-02-06 23:55 . 2005-03-03 02:09 577,024 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll
2008-02-06 23:53 . 2008-02-06 23:53 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-06 23:52 . 2008-02-06 23:56 <DIR> d-------- C:\SDFix
2008-02-06 22:30 . 2008-02-06 22:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-06 22:29 . 2008-02-06 22:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-06 21:27 . 2008-02-06 22:35 <DIR> d-------- C:\Program Files\XoftSpySE
2008-02-06 21:17 . 2008-02-07 00:28 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-02-05 11:40 . 2008-02-05 11:40 <DIR> d-------- C:\Documents and Settings\jenn\Application Data\Home Sweet Home

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-05 09:58 --------- d-----w C:\Documents and Settings\jenn\Application Data\Azureus
2008-03-04 06:02 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-04 05:27 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-02-29 15:48 --------- d-----w C:\Program Files\iTunes
2008-02-29 15:45 --------- d-----w C:\Program Files\iPod
2008-02-29 15:29 --------- d-----w C:\Program Files\QuickTime
2008-02-27 02:19 --------- d-----w C:\Documents and Settings\jenn\Application Data\TransRender
2008-02-24 09:04 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-09 01:16 --------- d-----w C:\Program Files\SpywareBlaster
2008-02-06 14:31 --------- d-----w C:\Program Files\Lavasoft
2008-02-03 08:11 --------- d-----w C:\Program Files\Home Sweet Home
2008-01-28 08:12 --------- d-----w C:\Program Files\Chikka Messenger
2008-01-23 14:03 --------- d-----w C:\Documents and Settings\jenn\Application Data\PlayFirst
2008-01-23 14:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2007-12-14 03:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-11 19:46 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-12-11 19:46 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-12-11 19:45 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-12-11 19:45 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-12-11 19:43 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-06-14 15:04 63,472 -c--a-w C:\Documents and Settings\jenn\Application Data\GDIPFONTCACHEV1.DAT
2005-12-18 16:24 8 --sh--r C:\WINDOWS\system32\1B2E6AD7A2.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-06-11 18:16 4670968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-01-07 18:09 46592 C:\WINDOWS\SOUNDMAN.EXE]
"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 18:50 155648]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-03-05 17:24 249896]

C:\Documents and Settings\jenn\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2003-11-18 22:10:59 233472]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-05-29 01:51:22 113664]
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2006-07-20 23:17:02 1183744]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
Post-itr Software Notes Lite.lnk - C:\Program Files\3M\PSNLite\PsnLite.exe [2004-10-15 14:26:54 2080768]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 AvSynMgr;AVSync Manager;"C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe" [2002-08-05 07:00]
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 22:41]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-29 11:22:40 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-05 19:29:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-05 19:34:29
ComboFix-quarantined-files.txt 2008-03-05 11:34:24
ComboFix2.txt 2008-03-04 17:05:07
ComboFix3.txt 2008-02-14 08:12:18
ComboFix4.txt 2008-02-14 07:58:01
ComboFix5.txt 2008-02-12 16:31:00


hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:49:46 PM, on 3/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\jenn\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O16 - DPF: {09883431-7429-11D5-8B69-0050049F5256} (VBAuthentic.Authentic) - https://www.metroban...VBAuthentic.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://inotes.pal.com.ph/iNotes6W.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-18.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {CA797B15-445F-4AA9-9828-8A88502F560F} (Uninstall Control) - http://www.worldwinn...d/uninstall.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.co...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{83F8C38A-CC38-494B-A4ED-056422F9B193}: NameServer = 58.69.254.78 58.69.254.80
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8011 bytes
  • 0

#8
RatHat
Posted 05 March 2008 - 08:26 AM

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Could you upload a file to Jotti for me:

Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan"box on the top of the page:

    • C:\WINDOWS\system32\1B2E6AD7A2.dll
  • Click on the submit button
  • When the scan is complete, highlight all the results and copy them into Notepad
  • Save the Notepad file to your desktop as Jotti.txt
  • Please post the contents in your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Try using the Ctrl pls F5 method to refresh pages a couple more times on pages that are not showing properly in Firefox, this should fix the problem. If not, we may have to reinstall Firefox.

Now DSS shows that Avira AntiVir PersonalEdition v 7.0.0.2 has been disabled and is outdated. So please open Avira and ensure that all options are enabled, then ensure it downloads the latest definitions.

Regards,
RatHat
  • 0

#9
paysismom
Posted 05 March 2008 - 08:39 AM

paysismom

    Member

  • Topic Starter
  • Member
  • PipPip
  • 54 posts
hi again,

the firefox's ok already, it's back to normal, thanks :)

here's the jotti.txt

Service load: 0% 100%

File: 1B2E6AD7A2.dll
Status: OK
MD5: 30d5858eefb0b40b95b9a0d12f8e6837
Packers detected: -
Bit9 reports: Not analyzed yet (more info)

Scanner results
Scan taken on 05 Mar 2008 14:32:52 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
  • 0

#10
RatHat
Posted 05 March 2008 - 09:30 AM

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Hey there,

OK! Well done, your log is clean again! :)

Now lets uninstall Combofix and have a bit of a cleanup:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
The above procedure will do the following:
  • Delete ComboFix and its associated files and folders.
  • Delete VundoFix backups, if present
  • Delete the C:\Deckard folder, if present
  • Delete the C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.
Please delete any logs or other files we have used during the fixing of your machine.

OK, lets carry out a few preventative steps to make sure you reduce the risk of further infections.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


An essential is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats, Microsoft releases security updates that help your computer from becoming vunerable. It is best if you have these set to download automatically.

Automatic Updates for Windows
  • Click Start.
  • Select Settings and then Control Panel.
  • Select Automatic Updates.
  • Click Automatic (recommended)
  • Choose a day and a time when you know the computer will be on and connected to the internet.
  • Click Apply then OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


In addition to Windows updates, you also need to ensure that your version of Java is the latest.Click here to download the latest version (Java Runtime Environment (JRE) 6 Update 5). Once downloaded, install it and then Reboot your computer.

It is most important that you also uninstall older versions of Java.
  • Click Start, Control Panel, Add/Remove Programs.
  • Delete all Java updates except Java ™ 6 Update 5
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


OK, now lets download some preventative programs that will help to keep the nasties away! We will start with Anti Spyware programs. I would advise getting a couple of them at least, and running each at least once a month.

Anti Spyware
  • SpywareBlaster to help prevent spyware from installing in the first place. A tutorial can be found here.
  • SpywareGuard to catch and block spyware before it can execute. A tutorial can be found here.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email. A tutorial can be found here.
  • Spybot Search & Destroy a powerful tool which can "search and destroy" nasties that make it onto your system. Now with an Immunize section that will help prevent future infections. A tutorial can be found here.
  • AdAware another very powerful tool which searches and kills nasties that infect your system. A tutorial can be found here. AdAware and Spybot Search & Destroy compliment each other very well.

Note: If you find your system slows down after installing any of these, just uninstall it, or disable it from running at startup.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Next lets look at Firewalls. These help to prevent unauthorised access both to and from the internet or your local network. A firewall is considered a first line of defense in protecting private information. Below are two free firewalls to choose from, if you do not already have one. Note: You only need one firewall one your system.

Personal Firewalls~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Nearly done! If you like to use chat, MSN and Yahoo have vunerabilities that can leave you open to infections. There are however a couple of very good, Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN):

Instant Messengers~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Lastly, it is a good idea to clear out all your temp files every now and again. This will help your computer from bogging down and slowing. It also can assist in getting rid of files that may contain malicious code that could re-infect your computer.

Temp File Cleaners
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Note: Do NOT run this program if you have XP Professional 64 bit edition.
  • ATF Cleaner A very powerful cleaning program for XP and Windows 2000 only. Note: You may have this already as part of the fixes you have run.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I will keep this log open for the next couple of days, so if you have any further problems post another reply here.

OK, all the best, and stay safe!

Best regards,
RatHat
  • 0

Advertisements

#11
paysismom
Posted 06 March 2008 - 11:13 AM

paysismom

    Member

  • Topic Starter
  • Member
  • PipPip
  • 54 posts
hi rathat,

been working on some stuff for my son since yesterday, I haven't done what you've instructed, I'll be able to do it tom, I'll report everything after I've done your instructions. have my fingers crossed that everything's gonna be okay. :) thanks again for all your help.
  • 0

#12
RatHat
Posted 06 March 2008 - 11:41 AM

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Hi Jenn,

I will keep this log open until you have confirmed that all is OK, so no worries about having to work on your sons stuff first.

Regards,
RatHat
  • 0

#13
paysismom
Posted 08 March 2008 - 04:22 AM

paysismom

    Member

  • Topic Starter
  • Member
  • PipPip
  • 54 posts
hi rathat,

finally finished all your intructions. I've installed spywareblaster, spywareguard, search and destroy and adaware :) will take note of your recommendations and here's to a clean computer from now on. thank you and geekstogo! :)
  • 0

#14
paysismom
Posted 08 March 2008 - 04:29 AM

paysismom

    Member

  • Topic Starter
  • Member
  • PipPip
  • 54 posts
oh, and also comodo firewall. thanks again :)
  • 0

#15
RatHat
Posted 08 March 2008 - 05:08 AM

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
You are welcome Jenn! I'm glad we could help :)

Regards,
RatHat
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP