Screen_shot.doc 271KB 17 downloads
Zlob Trojan - hijackthis log [RESOLVED]
#16
Posted 11 March 2008 - 12:07 PM
Screen_shot.doc 271KB 17 downloads
#17
Posted 12 March 2008 - 04:42 AM
#18
Posted 13 March 2008 - 04:23 PM
#19
Posted 13 March 2008 - 04:33 PM
There is nothing in your logs, we'll run some good scans to get rid of anything.
Download and scan with SUPERAntiSpyware Free for Home Users
- Double-click SUPERAntiSpyware.exe and use the default settings for installation.
- An icon will be created on your desktop. Double-click that icon to launch the program.
- If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
- Under "Configuration and Preferences", click the Preferences button.
- Click the Scanning Control tab.
- Under Scanner Options make sure the following are checked (leave all others unchecked):
- Close browsers before scanning.
- Scan for tracking cookies.
- Terminate memory threats before quarantining.
- Click the "Close" button to leave the control center screen.
- Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
- On the left, make sure you check C:\Fixed Drive.
- On the right, under "Complete Scan", choose Perform Complete Scan.
- Click "Next" to start the scan. Please be patient while it scans your computer.
- After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
- Make sure everything has a checkmark next to it and click "Next".
- A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
- If asked if you want to reboot, click "Yes".
- To retrieve the removal information after reboot, launch SUPERAntispyware again.
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results in your next reply.
- Click Close to exit the program.
#20
Posted 14 March 2008 - 01:15 PM
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 03/13/2008 at 07:07 PM
Application Version : 4.0.1154
Core Rules Database Version : 3418
Trace Rules Database Version: 1410
Scan type : Complete Scan
Total Scan Time : 02:14:35
Memory items scanned : 406
Memory threats detected : 0
Registry items scanned : 4529
Registry threats detected : 7
File items scanned : 64579
File threats detected : 36
Trojan.Media-Codec/V4
HKLM\Software\Classes\CLSID\{C2A1C5CB-C0EF-4689-9436-F62CCA1C5383}
HKCR\CLSID\{C2A1C5CB-C0EF-4689-9436-F62CCA1C5383}
HKCR\CLSID\{C2A1C5CB-C0EF-4689-9436-F62CCA1C5383}#xxx
HKCR\CLSID\{C2A1C5CB-C0EF-4689-9436-F62CCA1C5383}\InprocServer32
HKCR\CLSID\{C2A1C5CB-C0EF-4689-9436-F62CCA1C5383}\InprocServer32#ThreadingModel
C:\PROGRAM FILES\NETPROJECT\SBMDL.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C2A1C5CB-C0EF-4689-9436-F62CCA1C5383}
Trojan.Smitfraud Variant/IE Anti-Spyware
HKLM\Software\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}
Adware.Tracking Cookie
C:\Documents and Settings\Josh\Cookies\josh@serving-sys[2].txt
C:\Documents and Settings\Josh\Cookies\josh@doubleclick[3].txt
C:\Documents and Settings\Josh\Cookies\josh@advertising[1].txt
C:\Documents and Settings\Josh\Cookies\josh@atdmt[2].txt
C:\Documents and Settings\Josh\Cookies\josh@specificclick[1].txt
C:\Documents and Settings\Josh\Cookies\[email protected][1].txt
C:\Documents and Settings\Josh\Cookies\[email protected][1].txt
C:\Documents and Settings\Josh\Cookies\[email protected][1].txt
C:\Documents and Settings\Josh\Cookies\[email protected][3].txt
C:\Documents and Settings\Josh\Cookies\[email protected][2].txt
C:\Documents and Settings\Josh\Cookies\josh@tribalfusion[1].txt
C:\Documents and Settings\Josh\Cookies\josh@media6degrees[1].txt
C:\Documents and Settings\Josh\Cookies\josh@nextag[1].txt
C:\Documents and Settings\Josh\Cookies\josh@collective-media[1].txt
C:\Documents and Settings\Josh\Cookies\[email protected][1].txt
C:\Documents and Settings\Josh\Cookies\[email protected][1].txt
C:\Documents and Settings\Josh\Cookies\[email protected][1].txt
C:\Documents and Settings\Josh\Cookies\[email protected][1].txt
C:\Documents and Settings\Josh\Cookies\[email protected][3].txt
C:\Documents and Settings\Josh\Cookies\josh@eyewonder[1].txt
C:\Documents and Settings\Josh\Cookies\[email protected][1].txt
C:\Documents and Settings\Josh\Cookies\josh@fastclick[3].txt
C:\Documents and Settings\Josh\Cookies\[email protected][1].txt
C:\Documents and Settings\Josh\Cookies\[email protected][2].txt
C:\Documents and Settings\Josh\Cookies\[email protected][2].txt
C:\Documents and Settings\Josh\Cookies\[email protected][2].txt
C:\Documents and Settings\Josh\Cookies\josh@doubleclick[1].txt
C:\Documents and Settings\Josh\Cookies\josh@fastclick[1].txt
C:\Documents and Settings\Josh\Cookies\[email protected][2].txt
C:\Documents and Settings\Josh\Cookies\josh@media6degrees[2].txt
C:\Documents and Settings\Josh\Cookies\josh@trafficmp[1].txt
Trojan.Security Toolbar
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url
Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{37D132CD-0E59-4BA5-B108-BA2F734766E0}\RP245\A0020332.ICO
C:\SYSTEM VOLUME INFORMATION\_RESTORE{37D132CD-0E59-4BA5-B108-BA2F734766E0}\RP245\A0020333.ICO
Unclassified.SpywareBot (Not A Threat)
G:\PROGRAMS\SETUP.EXE
#21
Posted 16 March 2008 - 02:16 AM
- Click Start , then Run
- Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
File::
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url
Folder::
C:\PROGRAM FILES\NETPROJECT
Registry::
HKLM\Software\Classes\CLSID\{C2A1C5CB-C0EF-4689-9436-F62CCA1C5383}
HKCR\CLSID\{C2A1C5CB-C0EF-4689-9436-F62CCA1C5383}
HKCR\CLSID\{C2A1C5CB-C0EF-4689-9436-F62CCA1C5383}#xxx
HKCR\CLSID\{C2A1C5CB-C0EF-4689-9436-F62CCA1C5383}\InprocServer32
HKCR\CLSID\{C2A1C5CB-C0EF-4689-9436-F62CCA1C5383}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C2A1C5CB-C0EF-4689-9436-F62CCA1C5383}
3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
- Combofix.txt
- A new HijackThis log.
#22
Posted 18 March 2008 - 11:46 AM
ComboFix 08-03-08.1 - Josh 2008-03-18 11:37:47.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.410 [GMT -6:00]
Running from: G:\Programs\ComboFix.exe
Command switches used :: C:\Documents and Settings\Josh\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url
.
((((((((((((((((((((((((( Files Created from 2008-02-18 to 2008-03-18 )))))))))))))))))))))))))))))))
.
2008-03-16 19:22 . 2008-03-16 19:22 <DIR> d-------- C:\Program Files\Smilebox
2008-03-16 19:21 . 2008-03-16 19:36 <DIR> d-------- C:\Documents and Settings\Josh\Application Data\Smilebox
2008-03-16 18:26 . 2002-05-29 07:50 552,960 -ra------ C:\WINDOWS\system32\hpotscl.dll
2008-03-16 18:26 . 2002-06-11 08:51 77,824 -ra------ C:\WINDOWS\system32\hpovst08.dll
2008-03-16 18:26 . 2004-08-04 00:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-03-16 18:26 . 2004-08-04 00:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2008-03-16 18:24 . 2008-03-16 18:30 <DIR> d-------- C:\WINDOWS\LastGood
2008-03-16 18:18 . 2004-10-07 19:16 35,840 --a------ C:\WINDOWS\system32\drivers\AFS2K.SYS
2008-03-16 18:16 . 2002-06-11 08:51 27,801 --------- C:\WINDOWS\hpoins01.dat
2008-03-16 18:16 . 2002-04-25 09:40 7,765 --------- C:\WINDOWS\hpomdl01.dat
2008-03-13 16:49 . 2008-03-13 16:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-13 16:48 . 2008-03-13 23:02 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-13 16:48 . 2008-03-13 16:48 <DIR> d-------- C:\Documents and Settings\Josh\Application Data\SUPERAntiSpyware.com
2008-03-10 23:04 . 2008-03-11 21:10 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-10 22:57 . 2008-03-10 23:05 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-03-10 22:57 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-03-09 21:12 . 2008-03-09 21:20 672,137,216 --a------ C:\247.tmp
2008-03-09 20:47 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-03-09 20:46 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\bdrsftgqottr.sys
2008-03-09 20:18 . 2008-03-09 22:52 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-09 20:18 . 2008-03-09 21:24 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-09 20:18 . 2008-03-09 21:24 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-09 20:18 . 2008-03-09 21:24 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-09 18:00 . 2008-03-09 18:00 <DIR> d-------- C:\Documents and Settings\Josh\Application Data\Grisoft
2008-03-09 17:59 . 2008-03-09 17:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-09 17:59 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-09 10:57 . 2008-03-13 22:58 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-09 10:57 . 2008-03-09 10:57 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-07 19:21 . 2008-03-07 19:22 <DIR> d-------- C:\Documents and Settings\Josh\Application Data\AdwareAlert
2008-03-07 15:22 . 2008-03-07 15:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-06 15:56 . 2008-03-16 14:22 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-06 13:00 . 2008-03-06 13:00 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-06 12:59 . 2008-03-13 16:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-03 22:34 . 2008-03-03 22:35 <DIR> d-------- C:\Program Files\QuickTime
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-17 00:36 --------- d-----w C:\Program Files\ReadIris
2008-03-17 00:19 --------- d-----w C:\Program Files\Hewlett-Packard
2008-03-14 04:56 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-03-10 04:09 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-10 04:09 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-02-16 19:24 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-05 19:06 97,216 ----a-w C:\WINDOWS\system32\drivers\AnyDVD.sys
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-26 18:24 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
.
((((((((((((((((((((((((((((( snapshot@2008-03-08_18.44.26.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-08-24 14:28:54 141,424 ----a-w C:\WINDOWS\Downloaded Program Files\asinst.dll
- 2000-08-31 15:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2000-08-31 14:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
- 2008-01-12 17:30:28 45,056 ----a-r C:\WINDOWS\Installer\{82DFB852-9594-4668-9C66-28BB6E94BCB2}\_73A08744BE78_4C68_91E8_AE13955031AE.exe
+ 2008-03-17 00:21:08 45,056 ----a-r C:\WINDOWS\Installer\{82DFB852-9594-4668-9C66-28BB6E94BCB2}\_73A08744BE78_4C68_91E8_AE13955031AE.exe
+ 2008-03-13 22:49:02 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-03-13 22:49:02 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2007-01-19 18:46:10 16,496 ----a-w C:\WINDOWS\LastGood\system32\drivers\HPZipr12.sys
+ 2002-04-22 19:47:12 262,144 ----a-w C:\WINDOWS\LastGood\system32\hpgwiamd.dll
+ 2002-05-10 16:36:02 237,568 ----a-r C:\WINDOWS\LastGood\system32\HPZc3212.dll
- 2000-08-31 15:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 14:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2007-03-29 15:20:50 110,592 ----a-w C:\WINDOWS\system32\ActiveScan\as.dll
+ 2006-10-05 22:15:26 233,472 ----a-w C:\WINDOWS\system32\ActiveScan\ascontrol.dll
+ 2005-06-03 20:03:18 96,256 ----a-w C:\WINDOWS\system32\ActiveScan\asmdat.dll
+ 2003-08-01 17:00:16 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\certdll.dll
+ 2005-05-20 19:42:44 86,016 ----a-w C:\WINDOWS\system32\ActiveScan\instlsp.dll
+ 2007-11-12 15:46:18 26,112 ----a-w C:\WINDOWS\system32\ActiveScan\JID.dll
+ 2006-02-17 00:20:20 4,608 ----a-w C:\WINDOWS\system32\ActiveScan\memvfile.dll
+ 2005-10-26 00:08:32 348,160 ----a-w C:\WINDOWS\system32\ActiveScan\msvcr71.dll
+ 2007-11-26 17:10:36 61,440 ----a-w C:\WINDOWS\system32\ActiveScan\NanoWrapper.dll
+ 2004-05-04 21:01:02 139,264 ----a-w C:\WINDOWS\system32\ActiveScan\pavaleas.dll
+ 2006-07-14 19:04:10 45,056 ----a-w C:\WINDOWS\system32\ActiveScan\pavdr.exe
+ 2006-04-10 16:50:02 159,832 ----a-w C:\WINDOWS\system32\ActiveScan\pavexcom.dll
+ 2006-02-14 19:05:38 94,208 ----a-w C:\WINDOWS\system32\ActiveScan\pavinas.dll
+ 2006-02-17 00:35:38 180,224 ----a-w C:\WINDOWS\system32\ActiveScan\pavoe.dll
+ 2006-10-05 22:15:38 122,880 ----a-w C:\WINDOWS\system32\ActiveScan\pavpz.dll
+ 2007-06-04 17:31:52 57,344 ----a-w C:\WINDOWS\system32\ActiveScan\pavsddl.dll
+ 2006-06-30 20:13:38 8,704 ----a-w C:\WINDOWS\system32\ActiveScan\pfdnnt.exe
+ 2004-02-04 20:08:42 49,152 ----a-w C:\WINDOWS\system32\ActiveScan\port32.dll
+ 2007-10-30 16:04:14 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\Prescan.dll
+ 2006-08-01 19:23:10 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pscpu.dll
+ 2007-11-21 16:00:06 376,832 ----a-w C:\WINDOWS\system32\ActiveScan\pskahk.dll
+ 2007-10-31 19:05:06 32,768 ----a-w C:\WINDOWS\system32\ActiveScan\PSKAHKPRESCAN.dll
+ 2006-08-17 17:38:14 10,752 ----a-w C:\WINDOWS\system32\ActiveScan\pskalloc.dll
+ 2006-09-04 17:49:54 61,440 ----a-w C:\WINDOWS\system32\ActiveScan\pskas.dll
+ 2006-08-18 14:46:18 779,264 ----a-w C:\WINDOWS\system32\ActiveScan\pskavs.dll
+ 2007-03-26 20:25:34 417,792 ----a-w C:\WINDOWS\system32\ActiveScan\pskcmp.dll
+ 2006-08-09 16:42:24 90,112 ----a-w C:\WINDOWS\system32\ActiveScan\pskfss.dll
+ 2006-07-19 16:55:58 208,896 ----a-w C:\WINDOWS\system32\ActiveScan\pskhtml.dll
+ 2006-01-20 22:57:00 9,728 ----a-w C:\WINDOWS\system32\ActiveScan\pskmas.dll
+ 2006-05-17 15:50:12 14,336 ----a-w C:\WINDOWS\system32\ActiveScan\pskmdfs.dll
+ 2006-08-16 16:58:12 33,280 ----a-w C:\WINDOWS\system32\ActiveScan\pskpack.dll
+ 2006-06-30 20:42:36 266,240 ----a-w C:\WINDOWS\system32\ActiveScan\pskscs.dll
+ 2006-08-17 20:33:14 62,976 ----a-w C:\WINDOWS\system32\ActiveScan\pskutil.dll
+ 2006-08-08 19:13:10 13,312 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfile.dll
+ 2006-08-18 14:53:08 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfs.dll
+ 2006-08-18 14:49:50 167,936 ----a-w C:\WINDOWS\system32\ActiveScan\pskvm.dll
+ 2007-10-18 15:30:16 105,472 ----a-w C:\WINDOWS\system32\ActiveScan\psnahk.dll
+ 2007-11-23 20:29:08 10,752 ----a-w C:\WINDOWS\system32\ActiveScan\psndsk.dll
+ 2007-10-18 15:30:38 42,496 ----a-w C:\WINDOWS\system32\ActiveScan\psnflg.dll
+ 2007-10-30 17:19:22 98,304 ----a-w C:\WINDOWS\system32\ActiveScan\psnglknt.dll
+ 2007-08-22 14:52:00 20,272 ----a-w C:\WINDOWS\system32\ActiveScan\psnhsh.dll
+ 2007-11-12 21:49:34 11,776 ----a-w C:\WINDOWS\system32\ActiveScan\psnjidsign.dll
+ 2007-08-22 14:52:04 76,080 ----a-w C:\WINDOWS\system32\ActiveScan\psnkrnl.dll
+ 2007-08-22 14:52:06 21,296 ----a-w C:\WINDOWS\system32\ActiveScan\psnmem.dll
+ 2007-10-04 21:26:28 28,672 ----a-w C:\WINDOWS\system32\ActiveScan\PsnPen.dll
+ 2007-10-23 17:40:10 86,016 ----a-w C:\WINDOWS\system32\ActiveScan\psntuc.dll
+ 2007-05-24 17:27:36 27,136 ----a-w C:\WINDOWS\system32\ActiveScan\PSNXprs.dll
+ 2007-04-18 23:16:04 353,840 ----a-w C:\WINDOWS\system32\ActiveScan\psscan.dll
+ 2007-01-22 20:42:48 35,328 ----a-w C:\WINDOWS\system32\ActiveScan\rawvfile.dll
+ 2007-06-08 15:44:36 8,576 ----a-w C:\WINDOWS\system32\ActiveScan\RKPavProc.sys
+ 2007-06-05 16:56:40 44,928 ----a-w C:\WINDOWS\system32\ActiveScan\sdthook.sys
+ 1997-09-18 12:12:32 9,488 ----a-w C:\WINDOWS\system32\ActiveScan\sporder.dll
+ 2006-02-28 23:23:40 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\tcpvfile.dll
+ 2007-09-17 15:14:08 126,976 ----a-w C:\WINDOWS\system32\ActiveScan\Tucan.dll
+ 2006-08-02 18:39:06 73,728 ----a-w C:\WINDOWS\system32\asuninst.exe
- 2007-01-19 18:46:10 16,496 ----a-w C:\WINDOWS\system32\drivers\HPZipr12.sys
+ 2007-01-19 17:46:10 16,496 ----a-w C:\WINDOWS\system32\drivers\HPZipr12.sys
- 2002-04-22 19:47:12 262,144 ----a-w C:\WINDOWS\system32\hpgwiamd.dll
+ 2002-05-16 01:12:50 262,144 ----a-r C:\WINDOWS\system32\hpgwiamd.dll
- 2008-02-04 23:09:46 18,214,008 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-03-05 16:30:54 19,148,408 ----a-w C:\WINDOWS\system32\MRT.exe
- 2008-01-23 10:06:03 59,984 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-09 16:59:30 59,984 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-01-23 10:06:03 397,890 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-09 16:59:30 397,890 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2000-08-31 15:00:00 161,792 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2000-08-31 14:00:00 161,792 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2003-03-26 00:53:50 11,776 ----a-w C:\WINDOWS\system32\ZPORT4AS.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]
"SmileboxTray"="C:\Documents and Settings\Josh\Application Data\Smilebox\SmileboxTray.exe" [2008-03-05 05:55 201352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe" [2001-07-25 09:00 241714]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 16:53 88024]
"DVDTray"="D:\Program Files\HP DVD\Umbrella\DVDTray.exe" [2004-09-03 11:14 57344]
"DVDBitSet"="D:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" [2003-12-18 15:37 184320]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 13:02 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-03-17 06:34 124656]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="G:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 04:19 69632]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-06-11 10:31:50 323646]
officejet 6100.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2002-06-11 10:32:22 147456]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"G:\\Program Files\\iTunes\\iTunes.exe"=
R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-17 23:36]
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 14:28]
.
Contents of the 'Scheduled Tasks' folder
"2008-03-18 09:00:00 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
"2008-03-18 00:36:14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-17 00:37:59 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1205714223.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-18 11:42:16
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-18 11:44:09
ComboFix-quarantined-files.txt 2008-03-18 17:43:58
ComboFix2.txt 2008-03-09 04:15:07
ComboFix3.txt 2008-03-09 01:45:07
.
2008-03-18 09:00:47 --- E O F ---
Hijackthis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:45:43 AM, on 3/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
D:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
G:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqDIREC.exe
C:\Documents and Settings\Josh\Application Data\Smilebox\SmileboxTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [DVDTray] "D:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "D:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SmileboxTray] "C:\Documents and Settings\Josh\Application Data\Smilebox\SmileboxTray.exe"
O4 - HKUS\S-1-5-21-3399203189-1465058494-1690550294-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Pool 2 - http://download2.gam...ts/y/poti_x.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1188631248092
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://ecampus.phoe...hxStudent15.CAB
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: dikage - {d4c51fa4-9192-4a9a-8d2a-a0690c92f171} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 8527 bytes
#23
Posted 19 March 2008 - 04:41 AM
- Click Start , then Run
- Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
File::
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
- Combofix.txt
- A new HijackThis log.
Could you please scan with Spy Hunter again and save a screenshot so that I can see the Location of the entries that it finds.
#24
Posted 19 March 2008 - 06:21 PM
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.318 [GMT -6:00]
Running from: G:\Programs\ComboFix.exe
Command switches used :: C:\Documents and Settings\Josh\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
.
((((((((((((((((((((((((( Files Created from 2008-02-19 to 2008-03-19 )))))))))))))))))))))))))))))))
.
2008-03-16 19:22 . 2008-03-16 19:22 <DIR> d-------- C:\Program Files\Smilebox
2008-03-16 19:21 . 2008-03-16 19:36 <DIR> d-------- C:\Documents and Settings\Josh\Application Data\Smilebox
2008-03-16 18:26 . 2002-05-29 07:50 552,960 -ra------ C:\WINDOWS\system32\hpotscl.dll
2008-03-16 18:26 . 2002-06-11 08:51 77,824 -ra------ C:\WINDOWS\system32\hpovst08.dll
2008-03-16 18:26 . 2004-08-04 00:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-03-16 18:26 . 2004-08-04 00:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2008-03-16 18:18 . 2004-10-07 19:16 35,840 --a------ C:\WINDOWS\system32\drivers\AFS2K.SYS
2008-03-16 18:16 . 2002-06-11 08:51 27,801 --------- C:\WINDOWS\hpoins01.dat
2008-03-16 18:16 . 2002-04-25 09:40 7,765 --------- C:\WINDOWS\hpomdl01.dat
2008-03-13 16:49 . 2008-03-13 16:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-13 16:48 . 2008-03-13 23:02 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-13 16:48 . 2008-03-13 16:48 <DIR> d-------- C:\Documents and Settings\Josh\Application Data\SUPERAntiSpyware.com
2008-03-10 23:04 . 2008-03-11 21:10 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-10 22:57 . 2008-03-10 23:05 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-03-10 22:57 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-03-09 21:12 . 2008-03-09 21:20 672,137,216 --a------ C:\247.tmp
2008-03-09 20:47 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-03-09 20:46 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\bdrsftgqottr.sys
2008-03-09 20:18 . 2008-03-09 22:52 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-09 20:18 . 2008-03-09 21:24 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-09 20:18 . 2008-03-09 21:24 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-09 20:18 . 2008-03-09 21:24 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-09 18:00 . 2008-03-09 18:00 <DIR> d-------- C:\Documents and Settings\Josh\Application Data\Grisoft
2008-03-09 17:59 . 2008-03-09 17:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-09 17:59 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-07 19:21 . 2008-03-07 19:22 <DIR> d-------- C:\Documents and Settings\Josh\Application Data\AdwareAlert
2008-03-07 15:22 . 2008-03-07 15:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-06 15:56 . 2008-03-16 14:22 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-06 13:00 . 2008-03-06 13:00 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-06 12:59 . 2008-03-13 16:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-03 22:34 . 2008-03-03 22:35 <DIR> d-------- C:\Program Files\QuickTime
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-18 18:08 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-03-17 00:36 --------- d-----w C:\Program Files\ReadIris
2008-03-17 00:19 --------- d-----w C:\Program Files\Hewlett-Packard
2008-03-10 04:09 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-10 04:09 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-02-16 19:24 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-05 19:06 97,216 ----a-w C:\WINDOWS\system32\drivers\AnyDVD.sys
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-26 18:24 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]
"SmileboxTray"="C:\Documents and Settings\Josh\Application Data\Smilebox\SmileboxTray.exe" [2008-03-05 05:55 201352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe" [2001-07-25 09:00 241714]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 16:53 88024]
"DVDTray"="D:\Program Files\HP DVD\Umbrella\DVDTray.exe" [2004-09-03 11:14 57344]
"DVDBitSet"="D:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" [2003-12-18 15:37 184320]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 13:02 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-03-17 06:34 124656]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="G:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 04:19 69632]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-06-11 10:31:50 323646]
officejet 6100.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2002-06-11 10:32:22 147456]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"G:\\Program Files\\iTunes\\iTunes.exe"=
R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-17 23:36]
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 14:28]
*Newly Created Service* - SASDIFSV
.
Contents of the 'Scheduled Tasks' folder
"2008-03-19 09:00:00 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.exe
- C:\Program Files\AdwareAlert
"2008-03-18 00:36:14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-17 00:37:59 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1205714223.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-19 17:29:43
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-19 17:31:27
ComboFix-quarantined-files.txt 2008-03-19 23:31:20
ComboFix2.txt 2008-03-18 17:44:10
ComboFix3.txt 2008-03-09 04:15:07
ComboFix4.txt 2008-03-09 01:45:07
.
2008-03-18 09:00:47 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:20:14 PM, on 3/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
D:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
G:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [DVDTray] "D:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "D:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SmileboxTray] "C:\Documents and Settings\Josh\Application Data\Smilebox\SmileboxTray.exe"
O4 - HKUS\S-1-5-21-3399203189-1465058494-1690550294-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Pool 2 - http://download2.gam...ts/y/poti_x.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1188631248092
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://ecampus.phoe...hxStudent15.CAB
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: dikage - {d4c51fa4-9192-4a9a-8d2a-a0690c92f171} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 8783 bytes
#25
Posted 21 March 2008 - 01:16 AM
We need to backup the registry before we continue.
Registry edits can be potentially dangerous; we can revert to the backup if needed.
Go to Start » Run » type: regedit » OK.
- On the leftside, click to highlight My Computer at the top.
- Go up to File » Export
- Make sure in that window there is a tick next to "All" under Export Branch.
Leave the "Save As Type" as "Registration Files".
Under "Filename" put RegBackup.
- Make sure in that window there is a tick next to "All" under Export Branch.
- Choose to save it to C:\
- Click save and then go to File » Exit.
2.
Save text below as fixme.reg in Notepad. Under Save as type, select All Files and save it on your Desktop.
REGEDIT4 [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheculer\{d4c51fa4-9192-4a9a-8c2a-a0690c92f171}] [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-5C66EFF1D302}]
The above Registry file was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
Locate fixme.reg on your Desktop and double-click on it. It should look like this ->
You will receive a prompt similar to: Do you wish to merge the information into the registry?.
Answer Yes and wait for a message to appear similar to Merged Successfully.
Edited by sarahw, 21 March 2008 - 01:16 AM.
#26
Posted 21 March 2008 - 09:35 AM
#27
Posted 23 March 2008 - 05:53 PM
Sorry about the delay, I was busy over Easter.
Scan with SpyHunter again and post a fresh Hijack This log.
#28
Posted 24 March 2008 - 12:56 PM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:55:55 PM, on 3/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
D:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
G:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
D:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
D:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [DVDTray] "D:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "D:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnyDVD] D:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKUS\S-1-5-21-3399203189-1465058494-1690550294-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Pool 2 - http://download2.gam...ts/y/poti_x.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1188631248092
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://ecampus.phoe...hxStudent15.CAB
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: dikage - {d4c51fa4-9192-4a9a-8d2a-a0690c92f171} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 8673 bytes
#29
Posted 24 March 2008 - 08:01 PM
regedit /e C:\look.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler"
Locate fixme.bat on your Desktop and double-click on it. It should look like this ->
Notepad should open with text on your screen, post or upload that into a reply.
#30
Posted 25 March 2008 - 04:29 PM
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users