NaviPromo, Ads Served by Adsite [RESOLVED]


This topic is locked

#1 Justin Time (Member, 31 posts)
My computer has recently been running very slowly and displaying popups titled "Ads served by Adsite/Adrite??". AVG Free AntiVirus picked up "NaviPromo"; I am having trouble correcting these problems. I have moved through the 'click here before posting a HijackThis log' sequence, completing each step; however, the AVG Anti-Spyware and Panda scans ended with "Program not responding and must shut down"... Any help is greatly appreciated.

SUPERAntiSpyware Scan Log
Generated 03/10/2008 at 11:52 PM

Application Version : 3.6.1000

Core Rules Database Version : 3416
Trace Rules Database Version: 1408

Scan type : Complete Scan
Total Scan Time : 00:31:42

Memory items scanned : 426
Memory threats detected : 5
Registry items scanned : 5829
Registry threats detected : 117
File items scanned : 32878
File threats detected : 55

RelevantKnowledge Spyware Component
C:\WINDOWS\SYSTEM32\RLLS.DLL
C:\WINDOWS\SYSTEM32\RLLS.DLL
C:\WINDOWS\SYSTEM32\RLVKNLG.EXE
C:\WINDOWS\SYSTEM32\RLVKNLG.EXE
[RelevantKnowledge] C:\WINDOWS\SYSTEM32\RLVKNLG.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\RELEVANTKNOWLEDGE\UNINSTALL INSTRUCTIONS.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{97885632-AA18-4176-A0D0-89C664624BD5}\RP356\A0037546.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{97885632-AA18-4176-A0D0-89C664624BD5}\RP356\A0037564.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{97885632-AA18-4176-A0D0-89C664624BD5}\RP356\A0037581.LNK
C:\WINDOWS\SYSTEM32\RK.BIN

Trojan.Unclassified/IEBROWSERCMP
C:\WINDOWS\SYSTEM32\IEBROWSERC.DLL
C:\WINDOWS\SYSTEM32\IEBROWSERC.DLL
HKLM\Software\Classes\CLSID\{1D8282E6-BC4F-469B-AAED-7E4FF077AD93}
HKCR\CLSID\{1D8282E6-BC4F-469B-AAED-7E4FF077AD93}
HKCR\CLSID\{1D8282E6-BC4F-469B-AAED-7E4FF077AD93}
HKCR\CLSID\{1D8282E6-BC4F-469B-AAED-7E4FF077AD93}\InprocServer32
HKCR\CLSID\{1D8282E6-BC4F-469B-AAED-7E4FF077AD93}\InprocServer32#ThreadingModel
HKCR\CLSID\{1D8282E6-BC4F-469B-AAED-7E4FF077AD93}\ProgID
HKCR\CLSID\{1D8282E6-BC4F-469B-AAED-7E4FF077AD93}\Programmable
HKCR\CLSID\{1D8282E6-BC4F-469B-AAED-7E4FF077AD93}\TypeLib
HKCR\CLSID\{1D8282E6-BC4F-469B-AAED-7E4FF077AD93}\VersionIndependentProgID
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1D8282E6-BC4F-469B-AAED-7E4FF077AD93}

Adware.webHancer
C:\PROGRAM FILES\WEBHANCER\PROGRAMS\WHIEHLPR.DLL
C:\PROGRAM FILES\WEBHANCER\PROGRAMS\WHIEHLPR.DLL
[webHancer Agent] C:\PROGRAM FILES\WEBHANCER\PROGRAMS\WHAGENT.EXE
C:\PROGRAM FILES\WEBHANCER\PROGRAMS\WHAGENT.EXE
HKLM\Software\Classes\CLSID\{c900b400-cdfe-11d3-976a-00e02913a9e0}
HKCR\CLSID\{C900B400-CDFE-11D3-976A-00E02913A9E0}
HKCR\CLSID\{C900B400-CDFE-11D3-976A-00E02913A9E0}
HKCR\CLSID\{C900B400-CDFE-11D3-976A-00E02913A9E0}\InprocServer32
HKCR\CLSID\{C900B400-CDFE-11D3-976A-00E02913A9E0}\InprocServer32#ThreadingModel
HKCR\CLSID\{C900B400-CDFE-11D3-976A-00E02913A9E0}\ProgID
HKCR\CLSID\{C900B400-CDFE-11D3-976A-00E02913A9E0}\Programmable
HKCR\CLSID\{C900B400-CDFE-11D3-976A-00E02913A9E0}\VersionIndependentProgID
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c900b400-cdfe-11d3-976a-00e02913a9e0}
HKCR\WhIeHelperObj.WhIeHelperObj
HKCR\WhIeHelperObj.WhIeHelperObj\CurVer
HKCR\WhIeHelperObj.WhIeHelperObj.1
HKCR\WhIeHelperObj.WhIeHelperObj.1\CLSID
HKCR\Interface\{C89435B0-CDFE-11D3-976A-00E02913A9E0}
HKCR\Interface\{C89435B0-CDFE-11D3-976A-00E02913A9E0}\ProxyStubClsid
HKCR\Interface\{C89435B0-CDFE-11D3-976A-00E02913A9E0}\ProxyStubClsid32
HKCR\Interface\{C89435B0-CDFE-11D3-976A-00E02913A9E0}\TypeLib
HKCR\Interface\{C89435B0-CDFE-11D3-976A-00E02913A9E0}\TypeLib#Version
HKCR\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}
HKCR\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}\1.0
HKCR\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}\1.0\0
HKCR\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}\1.0\0\win32
HKCR\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}\1.0\FLAGS
HKCR\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}\1.0\HELPDIR
HKLM\Software\WebHancer
HKLM\Software\WebHancer#BaseDir
HKLM\Software\WebHancer\CC
HKLM\Software\WebHancer\CC#DistTag
HKLM\Software\WebHancer\CC#DWLLTM
HKLM\Software\WebHancer\CC#SLNTIND
HKLM\Software\WebHancer\CC#ACCPTPS
HKLM\Software\WebHancer\CC#id
HKLM\Software\WebHancer\CC#INSTFRM
HKLM\Software\WebHancer\ESO
HKLM\Software\WebHancer\ESO#aa
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webHancer Agent
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webHancer Agent#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webHancer Agent#DisplayName
C:\Program Files\WEBHANCER\Programs\webhdll.dll
C:\Program Files\WEBHANCER\Programs\whagent.ini
C:\Program Files\WEBHANCER\Programs\whinstaller.exe
C:\Program Files\WEBHANCER\Programs
C:\Program Files\WEBHANCER
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#webHancer Agent [ C:\Program Files\webHancer\Programs\whagent.exe ]

Trojan.Unclassified/FukuRuku-A
C:\WINDOWS\SYSTEM32\GZMRT.DLL
HKLM\Software\Classes\CLSID\{7D9362F8-77D8-4b29-97B5-621D550890C0}
HKCR\CLSID\{7D9362F8-77D8-4B29-97B5-621D550890C0}
HKCR\CLSID\{7D9362F8-77D8-4B29-97B5-621D550890C0}
HKCR\CLSID\{7D9362F8-77D8-4B29-97B5-621D550890C0}\InprocServer32
HKCR\CLSID\{7D9362F8-77D8-4B29-97B5-621D550890C0}\InprocServer32#ThreadingModel
HKCR\CLSID\{7D9362F8-77D8-4B29-97B5-621D550890C0}\ProgID
HKCR\CLSID\{7D9362F8-77D8-4B29-97B5-621D550890C0}\Programmable
HKCR\CLSID\{7D9362F8-77D8-4B29-97B5-621D550890C0}\TypeLib
HKCR\CLSID\{7D9362F8-77D8-4B29-97B5-621D550890C0}\VersionIndependentProgID
C:\WINDOWS\SYSTEM32\GZMRT.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7D9362F8-77D8-4b29-97B5-621D550890C0}

Adware.AdsSite
HKLM\Software\Classes\CLSID\{1648E328-3E5A-4EA5-A9C6-E5F09EE272DA}
HKCR\CLSID\{1648E328-3E5A-4EA5-A9C6-E5F09EE272DA}
HKCR\CLSID\{1648E328-3E5A-4EA5-A9C6-E5F09EE272DA}
HKCR\CLSID\{1648E328-3E5A-4EA5-A9C6-E5F09EE272DA}#AppID
HKCR\CLSID\{1648E328-3E5A-4EA5-A9C6-E5F09EE272DA}\InprocServer32
HKCR\CLSID\{1648E328-3E5A-4EA5-A9C6-E5F09EE272DA}\InprocServer32#ThreadingModel
HKCR\CLSID\{1648E328-3E5A-4EA5-A9C6-E5F09EE272DA}\ProgID
HKCR\CLSID\{1648E328-3E5A-4EA5-A9C6-E5F09EE272DA}\Programmable
HKCR\CLSID\{1648E328-3E5A-4EA5-A9C6-E5F09EE272DA}\TypeLib
HKCR\CLSID\{1648E328-3E5A-4EA5-A9C6-E5F09EE272DA}\VersionIndependentProgID
C:\WINDOWS\SYSTEM32\ADSSITE_SIDEBAR.DLL
HKLM\Software\Classes\CLSID\{315108E4-E3AF-460F-B264-F2ACC9E1ACEB}
HKCR\CLSID\{315108E4-E3AF-460F-B264-F2ACC9E1ACEB}
HKCR\CLSID\{315108E4-E3AF-460F-B264-F2ACC9E1ACEB}
HKCR\CLSID\{315108E4-E3AF-460F-B264-F2ACC9E1ACEB}#AppID
HKCR\CLSID\{315108E4-E3AF-460F-B264-F2ACC9E1ACEB}\Implemented Categories
HKCR\CLSID\{315108E4-E3AF-460F-B264-F2ACC9E1ACEB}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
HKCR\CLSID\{315108E4-E3AF-460F-B264-F2ACC9E1ACEB}\InprocServer32
HKCR\CLSID\{315108E4-E3AF-460F-B264-F2ACC9E1ACEB}\InprocServer32#ThreadingModel
HKCR\CLSID\{315108E4-E3AF-460F-B264-F2ACC9E1ACEB}\ProgID
HKCR\CLSID\{315108E4-E3AF-460F-B264-F2ACC9E1ACEB}\Programmable
HKCR\CLSID\{315108E4-E3AF-460F-B264-F2ACC9E1ACEB}\TypeLib
HKCR\CLSID\{315108E4-E3AF-460F-B264-F2ACC9E1ACEB}\VersionIndependentProgID
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1648E328-3E5A-4EA5-A9C6-E5F09EE272DA}
HKU\S-1-5-21-2000478354-1409082233-839522115-1003\Software\Microsoft\Internet Explorer\Explorer Bars\{315108E4-E3AF-460F-B264-F2ACC9E1ACEB}

Adware.AdRotator/AdsSite
HKLM\Software\Classes\CLSID\{41C29B07-6F91-4966-91BE-2E2841643C83}
HKCR\CLSID\{41C29B07-6F91-4966-91BE-2E2841643C83}
HKCR\CLSID\{41C29B07-6F91-4966-91BE-2E2841643C83}
HKCR\CLSID\{41C29B07-6F91-4966-91BE-2E2841643C83}#AppID
HKCR\CLSID\{41C29B07-6F91-4966-91BE-2E2841643C83}\InprocServer32
HKCR\CLSID\{41C29B07-6F91-4966-91BE-2E2841643C83}\InprocServer32#ThreadingModel
HKCR\CLSID\{41C29B07-6F91-4966-91BE-2E2841643C83}\ProgID
HKCR\CLSID\{41C29B07-6F91-4966-91BE-2E2841643C83}\Programmable
HKCR\CLSID\{41C29B07-6F91-4966-91BE-2E2841643C83}\TypeLib
HKCR\CLSID\{41C29B07-6F91-4966-91BE-2E2841643C83}\VersionIndependentProgID
C:\PROGRAM FILES\ADSSITE ADVANCED TOOLBAR\TOOLBAR.DLL
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{41C29B07-6F91-4966-91BE-2E2841643C83}
HKCR\CoolToolBar.IEBarLogic.1
HKCR\CoolToolBar.IEBarLogic.1\CLSID
HKCR\CoolToolBar.IEBarLogic
HKCR\CoolToolBar.IEBarLogic\CLSID
HKCR\CoolToolBar.IEBarLogic\CurVer
HKCR\TypeLib\{6B4FA1DD-A353-49F8-A650-79C21D6B4824}
HKCR\TypeLib\{6B4FA1DD-A353-49F8-A650-79C21D6B4824}\1.0
HKCR\TypeLib\{6B4FA1DD-A353-49F8-A650-79C21D6B4824}\1.0\0
HKCR\TypeLib\{6B4FA1DD-A353-49F8-A650-79C21D6B4824}\1.0\0\win32
HKCR\TypeLib\{6B4FA1DD-A353-49F8-A650-79C21D6B4824}\1.0\FLAGS
HKCR\TypeLib\{6B4FA1DD-A353-49F8-A650-79C21D6B4824}\1.0\HELPDIR
C:\WINDOWS\SYSTEM32\ADSSITE-REMOVE.EXE

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{9C8A568E-4201-478a-8536-526CF371D2E2}
HKCR\CLSID\{9C8A568E-4201-478A-8536-526CF371D2E2}
HKCR\CLSID\{9C8A568E-4201-478A-8536-526CF371D2E2}
HKCR\CLSID\{9C8A568E-4201-478A-8536-526CF371D2E2}\InprocServer32
HKCR\CLSID\{9C8A568E-4201-478A-8536-526CF371D2E2}\InprocServer32#ThreadingModel
HKCR\CLSID\{9C8A568E-4201-478A-8536-526CF371D2E2}\ProgID
HKCR\CLSID\{9C8A568E-4201-478A-8536-526CF371D2E2}\Programmable
HKCR\CLSID\{9C8A568E-4201-478A-8536-526CF371D2E2}\TypeLib
HKCR\CLSID\{9C8A568E-4201-478A-8536-526CF371D2E2}\VersionIndependentProgID
C:\WINDOWS\SYSTEM32\NSK2102.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9C8A568E-4201-478a-8536-526CF371D2E2}

Adware.Tracking Cookie
C:\Documents and Settings\Rule Family\Cookies\[email protected][3].txt
C:\Documents and Settings\Rule Family\Cookies\[email protected][2].txt
C:\Documents and Settings\Rule Family\Cookies\[email protected][1].txt
C:\Documents and Settings\Rule Family\Cookies\[email protected][1].txt
C:\Documents and Settings\Rule Family\Cookies\[email protected][2].txt
C:\Documents and Settings\Rule Family\Cookies\[email protected][2].txt
C:\Documents and Settings\Rule Family\Cookies\[email protected][1].txt
C:\Documents and Settings\Rule Family\Cookies\[email protected][2].txt
C:\Documents and Settings\Rule Family\Cookies\[email protected][2].txt
C:\Documents and Settings\Rule Family\Cookies\[email protected][2].txt
C:\Documents and Settings\Rule Family\Cookies\[email protected][3].txt
C:\Documents and Settings\Rule Family\Cookies\[email protected][3].txt
C:\Documents and Settings\Rule Family\Cookies\[email protected][3].txt
C:\Documents and Settings\Rule Family\Cookies\[email protected][1].txt
C:\Documents and Settings\Rule Family\Cookies\[email protected][3].txt
C:\Documents and Settings\Rule Family\Cookies\[email protected][2].txt
C:\Documents and Settings\Rule Family\Cookies\[email protected][2].txt
C:\Documents and Settings\Rule Family\Cookies\[email protected][2].txt
C:\Documents and Settings\Rule Family\Cookies\[email protected][2].txt
C:\Documents and Settings\Rule Family\Cookies\[email protected][3].txt
C:\Documents and Settings\Rule Family\Cookies\[email protected][2].txt
C:\Documents and Settings\Rule Family\Cookies\[email protected][1].txt
C:\Documents and Settings\Rule Family\Cookies\[email protected][1].txt
C:\Documents and Settings\Rule Family\Cookies\[email protected][1].txt
C:\Documents and Settings\Rule Family\Cookies\[email protected][2].txt
C:\Documents and Settings\Rule Family\Cookies\[email protected][1].txt
C:\Documents and Settings\Rule Family\Cookies\[email protected][1].txt
C:\Documents and Settings\Rule Family\Cookies\[email protected][1].txt
C:\Documents and Settings\Rule Family\Cookies\[email protected][1].txt
C:\Documents and Settings\Rule Family\Cookies\[email protected][1].txt
C:\Documents and Settings\Rule Family\Cookies\[email protected][1].txt
C:\Documents and Settings\Rule Family\Cookies\[email protected][1].txt
C:\Documents and Settings\Rule Family\Cookies\[email protected][2].txt
C:\Documents and Settings\Rule Family\Cookies\[email protected][1].txt

Adware.AdRotator/RightOnz
C:\WINDOWS\SYSTEM32\RIGHTONADZ-UNINST.EXE


Adobe Flash Player ActiveX
Adobe Reader 6.0.1
Adssite Advanced Toolbar
Agere Systems PCI Soft Modem
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Auto Gordian Knot 2.27
AutoCAD 2006 - English
Autodesk DWF Viewer
Avanquest update
AVG Anti-Spyware 7.5
AVG Free Edition
AviSynth 2.5
Browser Optimizer Adssite
Caterpillar Construction Tycoon
CloneCD
CmdHere Powertoy For Windows XP
Creative MediaSource
Creative Removable Disk Manager
Creative System Information
Creative Zen Vision M
Diablo II
DivX Web Player
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVD Solution
Enhancement Browser Tools Rightonadz
Hero Editor V0.96
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HSV E Maloo R8
HSV E Maloo R8 2
InCD
J2SE Runtime Environment 5.0 Update 3
LimeWire PRO 4.10.9
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Motorola Driver Installation
Motorola Phone Tools
MSXML 4.0 SP2 (KB936181)
Multimedia Launcher
Nero OEM
Nokia Connectivity Cable Driver
Nokia Lifeblog 2.1
Nokia MTP driver
Nokia N73 highlights
Nokia Nseries Skin for Microsoft Windows Media Player
Nokia PC Connectivity Solution
Nokia PC Suite
Nokia themes for your device
Panda ActiveScan
PowerDVD
PowerProducer
QuickTime
Realtek AC'97 Audio
RelevantKnowledge
Search Assistant Adssite
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Smart Office Keyboard
Socialnetworking Helper Adssite
SUPERAntiSpyware Free Edition
The Settlers III Gold Edition
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
VIA Rhine-Family Fast Ethernet Adapter
VideoLAN VLC media player 0.8.5
VobSub v2.23 (Remove Only)
Windows Driver Package - Nokia Modem (06/12/2006 6.81.0.21)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
Xbox 360 Controller for Windows
XviD MPEG4 Video Codec (remove only)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:12:02 PM, on 12/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.blizzard....ter/diablo2exp/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {C8C843F7-E75E-403E-9726-CE36EBF1EA04} - C:\WINDOWS\system32\ATIDEMG.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1204901946879
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {EF732B7C-BFF6-49B1-A32C-3C74C318FDCC} (VPlayer Control) - http://www.stubbysym...player_ocx.jpeg
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 7633 bytes
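The HijackThis log above is read entry by entry, and most of the work is mechanical: an O2 line is a Browser Helper Object (CLSID plus the DLL it loads), an O4 line is a Run-key command, an O16 line is a downloaded ActiveX control (DPF), an O23 line is a service with its publisher. The script below is an added example, not part of the thread and not HijackThis code, that parses lines in that format and applies a few structural checks a helper would make by eye: registrations whose file is gone ("(no file)", "(file missing)"), Run entries that name an image without a path, DPF controls whose URL does not end in .cab, and services with "Unknown owner". The sample lines are copied from the log posted above; the flag names and wording are this example's own. A flag is a "look at this", not a verdict: the SoundMan and ATI entries here are ordinary vendor software.

```python
"""Structural triage of HijackThis 2.0.x log lines (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: nine lines copied from the HijackThis log in the post above.
# The forum shortened the O16 URLs in the middle ("..."); the extension at the
# end, which is what the DPF check looks at, survived.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C8C843F7-E75E-403E-9726-CE36EBF1EA04} - C:\WINDOWS\system32\ATIDEMG.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {EF732B7C-BFF6-49B1-A32C-3C74C318FDCC} (VPlayer Control) - http://www.stubbysym...player_ocx.jpeg
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
"""

# One regex per entry type we model. Section codes (R0, O2, O4, ...) are HijackThis's own.
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[^}]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Flag codes and the reason a helper would give for each (this example's wording).
REASONS = {
    "orphan": "registration points at a file that no longer exists; harmless but worth fixing, and a sign something was removed",
    "unnamed-bho": "BHO with no display name but a present DLL; identify the DLL before trusting it",
    "bare-image": "Run entry names the image without a path, so it is resolved by PATH search; verify where the file lives",
    "non-cab-dpf": "downloaded ActiveX control whose URL does not end in .cab; check what actually served it",
    "unknown-owner": "service binary with no recognised publisher; verify the file",
}


@dataclass
class Finding:
    section: str
    code: str
    line: str

    def describe(self):
        return f"{self.section} [{self.code}] {REASONS[self.code]}: {self.line}"


def command_image(cmd):
    """Return the executable part of a Run-key command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def triage(log_text):
    """Parse HijackThis-style lines and return the entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, process list, blank lines
        sec, body = m.group("sec"), m.group("body")
        if sec in ("O2", "O9"):
            if body.endswith("(no file)") or body.endswith("(file missing)"):
                findings.append(Finding(sec, "orphan", line))
            elif sec == "O2" and body.startswith("BHO: (no name)"):
                findings.append(Finding(sec, "unnamed-bho", line))
        elif sec == "O4":
            m4 = O4_RE.match(body)
            if m4 and "\\" not in command_image(m4.group("cmd")):
                findings.append(Finding(sec, "bare-image", line))
        elif sec == "O16":
            m16 = O16_RE.match(body)
            if m16 and not m16.group("url").lower().endswith(".cab"):
                findings.append(Finding(sec, "non-cab-dpf", line))
        elif sec == "O23":
            m23 = O23_RE.match(body)
            if m23 and m23.group("owner") == "Unknown owner":
                findings.append(Finding(sec, "unknown-owner", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.describe())
```

Run against the full log it prints the two orphaned BHO entries, the two "(file missing)" Messenger buttons, the path-less SoundMan and AGRSMMSG Run entries, the VPlayer DPF served as a .jpeg, and the ATI Smart and Netropa services. Everything else on the log passes these checks, which is exactly why the helper asked for a deeper scan rather than a fix list: the adware SUPERAntiSpyware removed no longer shows up in the HijackThis output.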


#2 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
Hi Justin Time

Welcome to geekstogo :)

Sorry to keep you waiting. Let's do a deeper scan of your machine for me to analyse.

(If your problem has already been resolved, could you just let me know so that I can move on to other logs to help others? Thanks.)

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

You may need to post the logs over two replies to ensure all the information is posted.

andrewuk

#3 Justin Time (Topic Starter, Member, 31 posts)
Hi andrew, thanks for your assistance. I downloaded DSS to the desktop and ran the scan. These were the results.

Deckard's System Scanner v20071014.68
Run by Rule Family on 2008-03-19 23:08:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
8: 2008-03-19 12:08:13 UTC - RP363 - Deckard's System Scanner Restore Point
7: 2008-03-16 07:36:56 UTC - RP362 - System Checkpoint
6: 2008-03-14 02:24:43 UTC - RP361 - System Checkpoint
5: 2008-03-13 01:08:14 UTC - RP360 - System Checkpoint
4: 2008-03-11 12:25:43 UTC - RP359 - System Checkpoint


-- First Restore Point --
1: 2008-03-09 05:14:31 UTC - RP356 - Restore Sunday 9-3-08 4:15 virus clean


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Rule Family.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:09:38 PM, on 19/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Rule Family\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Rule Family.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.blizzard....ter/diablo2exp/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {C8C843F7-E75E-403E-9726-CE36EBF1EA04} - C:\WINDOWS\system32\ATIDEMG.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1204901946879
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {EF732B7C-BFF6-49B1-A32C-3C74C318FDCC} (VPlayer Control) - http://www.stubbysym...player_ocx.jpeg
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 7571 bytes

-- File Associations -----------------------------------------------------------

.scr - AutoCADScriptFile - shell\open\command - "C:\WINDOWS\system32\notepad.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 cdrbsdrv - c:\windows\system32\drivers\cdrbsdrv.sys <Not Verified; B.H.A Corporation; B's Recorder GOLD>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R2 ElbyCDIO (ElbyCDIO Driver) - c:\windows\system32\drivers\elbycdio.sys <Not Verified; Elaborate Bytes AG; CDRTools>
R3 ElbyCDFL - c:\windows\system32\drivers\elbycdfl.sys <Not Verified; SlySoft, Inc.; CloneCD>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 ASPI (Advanced SCSI Programming Interface Driver) - c:\windows\system32\drivers\aspi32.sys <Not Verified; Adaptec; Adaptec's ASPI Layer>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 nhksrv (Netropa NHK Server) - c:\program files\netropa\multimedia keyboard\nhksrv.exe

S3 ServiceLayer - "c:\program files\common files\pcsuite\services\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
Device ID: ACPI\PNP0303\3&13C0B0C5&0
Manufacturer: (Standard keyboards)
Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
PNP Device ID: ACPI\PNP0303\3&13C0B0C5&0
Service: i8042prt


-- Scheduled Tasks -------------------------------------------------------------

2008-03-19 02:00:00 350 --a------ C:\WINDOWS\Tasks\At3.job
2008-03-19 01:00:00 350 --a------ C:\WINDOWS\Tasks\At2.job
2008-03-19 00:00:00 350 --a------ C:\WINDOWS\Tasks\At1.job
2008-03-18 23:00:00 350 --a------ C:\WINDOWS\Tasks\At24.job
2008-03-16 18:00:00 350 --a------ C:\WINDOWS\Tasks\At19.job
2008-03-16 17:00:00 350 --a------ C:\WINDOWS\Tasks\At18.job
2008-03-16 16:00:00 350 --a------ C:\WINDOWS\Tasks\At17.job
2008-03-16 15:00:00 350 --a------ C:\WINDOWS\Tasks\At16.job
2008-03-15 21:00:00 350 --a------ C:\WINDOWS\Tasks\At22.job
2008-03-14 14:00:00 350 --a------ C:\WINDOWS\Tasks\At15.job
2008-03-14 13:00:00 350 --a------ C:\WINDOWS\Tasks\At14.job
2008-03-14 12:00:00 350 --a------ C:\WINDOWS\Tasks\At13.job
2008-03-13 22:00:00 350 --a------ C:\WINDOWS\Tasks\At23.job
2008-03-13 20:00:00 350 --a------ C:\WINDOWS\Tasks\At21.job
2008-03-13 19:00:00 350 --a------ C:\WINDOWS\Tasks\At20.job
2008-03-13 11:00:00 350 --a------ C:\WINDOWS\Tasks\At12.job
2008-03-13 10:00:00 350 --a------ C:\WINDOWS\Tasks\At11.job
2008-03-13 09:00:00 350 --a------ C:\WINDOWS\Tasks\At10.job
2008-03-13 08:00:00 350 --a------ C:\WINDOWS\Tasks\At9.job
2008-03-13 07:00:00 350 --a------ C:\WINDOWS\Tasks\At8.job
2008-03-13 06:00:01 350 --a------ C:\WINDOWS\Tasks\At7.job
2008-03-13 05:00:01 350 --a------ C:\WINDOWS\Tasks\At6.job
2008-03-13 04:00:00 350 --a------ C:\WINDOWS\Tasks\At5.job
2008-03-13 03:00:01 350 --a------ C:\WINDOWS\Tasks\At4.job


-- Files created between 2008-02-19 and 2008-03-19 -----------------------------

2008-03-12 23:10:59 0 d-------- C:\Program Files\Trend Micro
2008-03-12 22:49:31 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-03-10 23:25:59 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2008-03-10 23:15:18 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-10 23:15:04 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-03-10 23:15:04 0 d-------- C:\Documents and Settings\Rule Family\Application Data\SUPERAntiSpyware.com
2008-03-10 23:14:33 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-09 17:02:24 0 d-------- C:\WINDOWS\pss
2008-03-09 16:24:44 0 d-------- C:\Documents and Settings\Rule Family\Application Data\Grisoft
2008-03-09 15:07:39 0 d-------- C:\Program Files\Enigma Software Group
2008-02-24 20:29:20 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-02-21 01:06:45 0 d-------- C:\WINDOWS\network diagnostic


-- Find3M Report ---------------------------------------------------------------

2008-03-18 22:34:37 0 d-------- C:\Documents and Settings\Rule Family\Application Data\LimeWire
2008-03-11 20:21:30 0 d-------- C:\Program Files\Adssite Advanced Toolbar
2008-03-10 23:14:33 0 dr------- C:\Program Files\Common Files
2008-03-10 18:30:42 256 --a------ C:\Documents and Settings\Rule Family\Application Data\urlredir.cfg
2008-03-09 15:18:14 0 d-------- C:\Program Files\TI-Connect
2008-03-09 15:16:23 0 d-------- C:\Program Files\TI Education
2008-03-08 01:36:21 0 d-------- C:\Program Files\Frets on Fire
2008-02-12 10:37:08 0 d-------- C:\Documents and Settings\Rule Family\Application Data\AVG7
2008-02-04 10:59:29 46300 --a------ C:\WINDOWS\system32\AdssiteSocial-uninstall.exe
2008-01-02 18:08:33 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-12-28 14:05:01 77353 --a------ C:\WINDOWS\system32\adssite_sidebar_uninstall.exe
2007-12-22 01:39:14 10752 --a------ C:\WINDOWS\system32\WhoisCL.exe <Not Verified; NirSoft; WhoisCL>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C8C843F7-E75E-403E-9726-CE36EBF1EA04}]
C:\WINDOWS\system32\ATIDEMG.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [20/01/2005 11:04 PM C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [29/06/2004 10:06 AM C:\WINDOWS\AGRSMMSG.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" []
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [08/12/2003 06:35 PM]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [10/03/2008 11:26 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [28/12/2007 01:39 PM]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [20/05/2005 12:47 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [15/11/2006 09:29 PM]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [15/06/2006 01:36 PM]
"MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [19/06/2002 12:50 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [11/06/2007 08:25 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 01:56 AM]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [02/12/2004 07:23 PM]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" []
"msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [19/01/2007 01:54 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [16/03/2008 02:40 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [6/03/2005 1:18:22 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=1 (0x1)
"AllowUnhashedWebView"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 16/03/2008 02:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28942434-9479-11db-863f-003018c13452}]
AutoRun\command- E:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-03-19 23:10:09 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 Processor 3000+
Percentage of Memory in Use: 68%
Physical Memory (total/avail): 510.48 MiB / 161.91 MiB
Pagefile Memory (total/avail): 1245.59 MiB / 842.33 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1922.65 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.53 GiB total, 46.64 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST380011A - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.53 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

UpdatesDisableNotify is set.

AV: AVG 7.5.519 v7.5.519 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Diablo II\\Diablo II.exe"="C:\\Program Files\\Diablo II\\Diablo II.exe:*:Enabled:Diablo II - Lord of Destruction"
"C:\\Program Files\\Diablo II\\Game.exe"="C:\\Program Files\\Diablo II\\Game.exe:*:Enabled:Game.exe"
"C:\\WINDOWS\\system32\\dxdiag.exe"="C:\\WINDOWS\\system32\\dxdiag.exe:*:Enabled:Microsoft DirectX Diagnostic Tool"
"C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Documents and Settings\\Rule Family\\Application Data\\U3\\0000060510097054\\0DE4F643-C398-46ec-9339-2362F2311932\\Exec\\Skype.exe"="C:\\Documents and Settings\\Rule Family\\Application Data\\U3\\0000060510097054\\0DE4F643-C398-46ec-9339-2362F2311932\\Exec\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\WINDOWS\\system32\\dplaysvr.exe"="C:\\WINDOWS\\system32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"C:\\BlueByte\\Settlers3\\s3.exe"="C:\\BlueByte\\Settlers3\\s3.exe:*:Enabled:Siedler3"
"C:\\BlueByte\\Settlers3\\AUTORUN.EXE"="C:\\BlueByte\\Settlers3\\AUTORUN.EXE:*:Enabled:Change Installation"
"C:\\BlueByte\\Settlers3\\S3EDITOR\\S3Editor.exe"="C:\\BlueByte\\Settlers3\\S3EDITOR\\S3Editor.exe:*:Enabled:Settlers 3 Editor 2"
"C:\\BlueByte\\Settlers3\\SETUPS3.EXE"="C:\\BlueByte\\Settlers3\\SETUPS3.EXE:*:Enabled:Settlers 3 Setup"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\rlvknlg.exe"="C:\\WINDOWS\\system32\\rlvknlg.exe:*:Enabled:rlvknlg.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Rule Family\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=RULE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Rule Family
LOGONSERVER=\\RULE
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Autodesk Shared\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 47 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2f00
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\RULEFA~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\RULEFA~1\LOCALS~1\Temp
USERDOMAIN=RULE
USERNAME=Rule Family
USERPROFILE=C:\Documents and Settings\Rule Family
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Rule Family (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4095E277-3005-42E9-8D84-DE6EB8704CEC}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4095E277-3005-42E9-8D84-DE6EB8704CEC}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4F2F3E0C-2025-4F5E-9583-AB8CD5AA88A6}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4F2F3E0C-2025-4F5E-9583-AB8CD5AA88A6}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{66BCC50C-22D9-4927-9251-27FA88A32214}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{66BCC50C-22D9-4927-9251-27FA88A32214}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7550D6AA-CCF3-4FDA-87D6-C2C1B2E5358D}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7550D6AA-CCF3-4FDA-87D6-C2C1B2E5358D}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{836612F0-1571-4C65-A4B7-58A39AA578EE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{836612F0-1571-4C65-A4B7-58A39AA578EE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98181885-5B28-4280-9B56-452FF877D5B9}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98181885-5B28-4280-9B56-452FF877D5B9}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9AB14DF5-3B04-4E3B-9969-695DBA7F2008}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9AB14DF5-3B04-4E3B-9969-695DBA7F2008}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D42EFA6C-0553-45F7-AD03-6D36207CA6D4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D42EFA6C-0553-45F7-AD03-6D36207CA6D4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D524239C-FD5C-4183-A49C-7930915A9C0A}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D524239C-FD5C-4183-A49C-7930915A9C0A}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DAAC5938-8026-4D0C-A476-D1954917B7F5}\SETUP.EXE" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DAAC5938-8026-4D0C-A476-D1954917B7F5}\SETUP.EXE" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD2D9012-E5A1-4717-8EE9-8DB3F36E2F8C}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD2D9012-E5A1-4717-8EE9-8DB3F36E2F8C}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Adssite Advanced Toolbar --> C:\Program Files\Adssite Advanced Toolbar\uninstall.exe
Agere Systems PCI Soft Modem --> agrsmdel
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,[email protected] -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Auto Gordian Knot 2.27 --> C:\Program Files\AutoGK\uninst.exe
AutoCAD 2006 - English --> MsiExec.exe /I{5783F2D7-4001-0409-0002-0060B0CE6BBA}
Autodesk DWF Viewer --> C:\PROGRA~1\Autodesk\AUTODE~1\Setup.exe /remove
Avanquest update --> C:\Program Files\InstallShield Installation Information\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}\Setup.exe -runfromtemp -l0x0009 -removeonly
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
AVG Free Edition --> C:\Program Files\Grisoft\AVG Free\setup.exe /UNINSTALL
AviSynth 2.5 --> "C:\Program Files\AviSynth 2.5\Uninstall.exe"
Browser Optimizer Adssite --> C:\WINDOWS\system32\adssite-remove.exe
Caterpillar Construction Tycoon --> "C:\Program Files\Activision Value\Caterpillar Construction Tycoon\unins000.exe"
CloneCD --> "C:\Program Files\SlySoft\CloneCD\ccd-uninst.exe" /D="C:\Program Files\SlySoft\CloneCD"
CmdHere Powertoy For Windows XP --> MsiExec.exe /I{6855CCDD-BDF9-48E4-B80A-80DFB96FE36C}
Creative MediaSource --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E0C1913-886B-4C5C-8DAF-D1E649CE5FCC}\SETUP.EXE" -l0x9 /remove
Creative Removable Disk Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9 /remove
Creative System Information --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove
Creative Zen Vision M --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DC3065BF-95B4-42C5-B47D-0B713CDA75D0}\SETUP.EXE" -l0x9 /remove
Diablo II --> C:\WINDOWS\DIIUnin.exe C:\WINDOWS\DIIUnin.dat
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVD Decrypter (Remove Only) --> "C:\Program Files\DVD Decrypter\uninstall.exe"
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
DVD Solution --> "C:\Program Files\Uninstall_CDS.exe"
Enhancement Browser Tools Rightonadz --> C:\WINDOWS\system32\rightonadz-uninst.exe
Hero Editor V0.96 --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\Hero Editor\ST6UNST.LOG"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HSV E Maloo R8 --> "C:\WINDOWS\HSV E Maloo R8 Uninstaller\unins000.exe"
HSV E Maloo R8 2 --> "C:\WINDOWS\HSV E Maloo R8 2 Uninstaller\unins000.exe"
InCD --> C:\WINDOWS\NuNInst.exe /UNINSTALL
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
LimeWire PRO 4.10.9 --> "C:\Program Files\LimeWire\uninstall.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Motorola Driver Installation --> MsiExec.exe /I{3324A5DC-C7F6-430A-ACC8-F251CD8F4FC7}
Motorola Phone Tools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD8CA9C-77C0-4663-B00B-A8D3B13C341B}\setup.exe" -l0x9 -removeonly
Multimedia Launcher --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Nokia Connectivity Cable Driver --> MsiExec.exe /X{6882DD11-33B8-4DEA-8305-7E765BF74BD3}
Nokia Lifeblog 2.1 --> MsiExec.exe /I{EE565795-2776-415A-B31C-EB3A8D7C6FA4}
Nokia MTP driver --> MsiExec.exe /I{59359B3D-ABE7-46BF-AB55-43B67A64DC68}
Nokia N73 highlights --> MsiExec.exe /I{02B71D92-A84B-4DFB-9A10-D12BB01AC1F2}
Nokia PC Connectivity Solution --> MsiExec.exe /I{0D80391C-0A72-43BB-9BC2-143F63CC111D}
Nokia PC Suite --> MsiExec.exe /I{531317A5-586A-4E36-87C1-CA823447B375}
Nokia themes for your device --> MsiExec.exe /I{77F5816C-64A6-4FBE-BBE5-52EFE5EB84E8}
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PowerProducer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\setup.exe" -uninstall
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
RelevantKnowledge --> C:\windows\system32\rlvknlg.exe -bootremove -uninst:RelevantKnowledge
Search Assistant Adssite --> C:\WINDOWS\system32\adssite_sidebar_uninstall.exe
Smart Office Keyboard --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0208A7E3-0D30-11D4-A1FC-00508B9D1BA2}\Setup.exe" -l0x9
Socialnetworking Helper Adssite --> C:\WINDOWS\system32\AdssiteSocial-uninstall.exe
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
The Settlers III Gold Edition --> C:\WINDOWS\IsUninst.exe -fC:\BlueByte\Settlers3\Uninst.isu -x -c"C:\BlueByte\Settlers3\install\itools.dll"
VIA Rhine-Family Fast Ethernet Adapter --> Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
VideoLAN VLC media player 0.8.5 --> C:\Program Files\VideoLAN\VLC\uninstall.exe
VobSub v2.23 (Remove Only) --> "C:\Program Files\Gabest\VobSub\uninstall.exe"
Windows Driver Package - Nokia Modem (06/12/2006 6.81.0.21) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokbtmdm_62A340731F8930057B44B8864F236850B0D49D65\nokbtmdm.inf
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Sign-in Assistant --> MsiExec.exe /I{22B3CC30-77B8-419C-AA4B-F571FDF5D66D}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Xbox 360 Controller for Windows --> "C:\WINDOWS\$NtUninstall_Xbox_360_CC_Driver$\spuninst\spuninst.exe"
XviD MPEG4 Video Codec (remove only) --> "C:\WINDOWS\system32\xvid-uninstall.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type7089 / Warning
Event Submitted/Written: 03/19/2008 02:22:36 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type7030 / Error
Event Submitted/Written: 03/09/2008 10:43:36 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16608, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type7029 / Error
Event Submitted/Written: 03/09/2008 10:43:35 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16608, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type7028 / Error
Event Submitted/Written: 03/09/2008 10:43:33 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16608, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type7027 / Error
Event Submitted/Written: 03/09/2008 10:43:33 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16608, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type1295 / Error
Event Submitted/Written: 03/19/2008 11:01:45 PM / 03/19/2008 11:02:16 PM
Event ID/Source: 12294 / ati2mtag
Event Description:
CRT invalid display type

Event Record #/Type1290 / Error
Event Submitted/Written: 03/19/2008 02:00:00 AM
Event ID/Source: 7901 / Schedule
Event Description:
The At3.job command failed to start due to the following error:
%%2147942402

Event Record #/Type1163 / Warning
Event Submitted/Written: 03/19/2008 01:39:46 AM
Event ID/Source: 8021 / BROWSER
Event Description:
The browser was unable to retrieve a list of servers from the browser master \\GRULE on the network \Device\NetBT_Tcpip_{0EE9F311-D703-476F-B41A-6E959CD3A6C8}.
The data is the error code.

Event Record #/Type1036 / Error
Event Submitted/Written: 03/19/2008 01:00:00 AM
Event ID/Source: 7901 / Schedule
Event Description:
The At2.job command failed to start due to the following error:
%%2147942402

Event Record #/Type783 / Error
Event Submitted/Written: 03/19/2008 00:00:00 AM
Event ID/Source: 7901 / Schedule
Event Description:
The At1.job command failed to start due to the following error:
%%2147942402



-- End of Deckard's System Scanner: finished at 2008-03-19 23:10:09 ------------
  • 0

#4
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hi Justin Time

I can see the malware concerned, so we will start the fix.

Firstly, a question: do you recognise this website: http://www.stubbysymphony.com.au/player/player_ocx.jpeg - you have an ActiveX download from it.

And then.........
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

andrewuk
  • 0

#5
Justin Time

Justin Time

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Hi Andrew,

I do recognise the site and I did allow an ActiveX download from it some 6 months ago or so at a guess... do I need to follow this up at all?


ComboFix 08-03-18.1 - Rule Family 2008-03-20 11:34:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.190 [GMT 11:00]
Running from: C:\Documents and Settings\Rule Family\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Rule Family\Application Data\Adssite Advanced Toolbar
C:\Documents and Settings\Rule Family\Application Data\Adssite Advanced Toolbar\advertbuttons.xml
C:\Documents and Settings\Rule Family\Application Data\Adssite Advanced Toolbar\selected.xml
C:\Documents and Settings\Rule Family\Application Data\urlredir.cfg
C:\Program Files\Adssite Advanced Toolbar
C:\Program Files\Adssite Advanced Toolbar\buttons.xml
C:\Program Files\Adssite Advanced Toolbar\search.xml
C:\Program Files\Adssite Advanced Toolbar\uninstall.exe
C:\WINDOWS\system32\CMMGR32.EXE

.
((((((((((((((((((((((((( Files Created from 2008-02-20 to 2008-03-20 )))))))))))))))))))))))))))))))
.

2008-03-19 23:07 . 2008-03-19 23:07 <DIR> d-------- C:\Deckard
2008-03-12 23:10 . 2008-03-12 23:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-12 22:49 . 2008-03-12 22:58 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-12 22:49 . 2008-03-12 22:49 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-12 22:49 . 2008-03-12 22:49 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-12 22:49 . 2008-03-12 22:49 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-10 23:15 . 2008-03-16 14:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-10 23:15 . 2008-03-10 23:15 <DIR> d-------- C:\Documents and Settings\Rule Family\Application Data\SUPERAntiSpyware.com
2008-03-10 23:15 . 2008-03-10 23:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-10 23:14 . 2008-03-10 23:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-09 16:24 . 2008-03-09 16:24 <DIR> d-------- C:\Documents and Settings\Rule Family\Application Data\Grisoft
2008-03-09 16:24 . 2007-05-30 23:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-09 15:07 . 2008-03-09 15:07 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-08 21:46 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-08 21:46 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-02-24 20:29 . 2008-02-24 20:29 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-02-21 01:04 . 2007-12-07 13:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-02-21 01:04 . 2007-07-01 14:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-02-21 01:04 . 2007-07-01 14:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-02-21 01:04 . 2007-12-07 13:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-02-21 01:04 . 2007-12-07 13:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-02-21 01:04 . 2007-12-07 13:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-02-21 01:04 . 2007-12-07 13:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-02-21 01:04 . 2007-12-07 13:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-02-21 01:04 . 2007-12-06 22:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-18 11:34 --------- d-----w C:\Documents and Settings\Rule Family\Application Data\LimeWire
2008-03-12 21:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-09 04:18 --------- d-----w C:\Program Files\TI-Connect
2008-03-09 04:16 --------- d-----w C:\Program Files\TI Education
2008-03-07 14:36 --------- d-----w C:\Program Files\Frets on Fire
2008-02-11 23:37 --------- d-----w C:\Documents and Settings\Rule Family\Application Data\AVG7
2008-02-03 23:59 46,300 ----a-w C:\WINDOWS\system32\AdssiteSocial-uninstall.exe
2008-01-02 07:08 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-12-28 03:05 77,353 ----a-w C:\WINDOWS\system32\adssite_sidebar_uninstall.exe
2007-12-21 14:39 10,752 ----a-w C:\WINDOWS\system32\WhoisCL.exe
2006-12-26 10:17 92,064 ----a-w C:\Documents and Settings\Rule Family\mqdmmdm.sys
2006-12-26 10:17 9,232 ----a-w C:\Documents and Settings\Rule Family\mqdmmdfl.sys
2006-12-26 10:17 79,328 ----a-w C:\Documents and Settings\Rule Family\mqdmserd.sys
2006-12-26 10:17 66,656 ----a-w C:\Documents and Settings\Rule Family\mqdmbus.sys
2006-12-26 10:17 6,208 ----a-w C:\Documents and Settings\Rule Family\mqdmcmnt.sys
2006-12-26 10:17 5,936 ----a-w C:\Documents and Settings\Rule Family\mqdmwhnt.sys
2006-12-26 10:17 4,048 ----a-w C:\Documents and Settings\Rule Family\mqdmcr.sys
2006-12-26 10:17 25,600 ----a-w C:\Documents and Settings\Rule Family\usbsermptxp.sys
2006-12-26 10:17 22,768 ----a-w C:\Documents and Settings\Rule Family\usbsermpt.sys
2006-08-27 22:04 266 --sh--w C:\Program Files\desktop.ini
2006-08-27 22:04 11,079 ---ha-w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C8C843F7-E75E-403E-9726-CE36EBF1EA04}]
C:\WINDOWS\system32\ATIDEMG.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 19:23 102400]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [ ]
"msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54 5674352]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-03-16 14:40 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-01-20 23:04 77824 C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 10:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 18:35 32768]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2008-03-10 23:26 0]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-28 13:39 579072]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-20 00:47 57344]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-15 21:29 77824]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-06-15 13:36 229376]
"MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2002-06-19 12:50 180224]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 20:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 01:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-25 17:21 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-03-16 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Diablo II\\Diablo II.exe"=
"C:\\Program Files\\Diablo II\\Game.exe"=
"C:\\WINDOWS\\system32\\dxdiag.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\BlueByte\\Settlers3\\s3.exe"=
"C:\\BlueByte\\Settlers3\\AUTORUN.EXE"=
"C:\\BlueByte\\Settlers3\\S3EDITOR\\S3Editor.exe"=
"C:\\BlueByte\\Settlers3\\SETUPS3.EXE"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys [2001-12-20 11:02]
R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe [2001-08-06 08:41]
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 10:05]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28942434-9479-11db-863f-003018c13452}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-03-19 13:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\QJJ46mqt.exe
"2008-03-12 22:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\QJJ46mqt.exe
"2008-03-12 23:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\QJJ46mqt.exe
"2008-03-13 00:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\QJJ46mqt.exe
"2008-03-14 01:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\QJJ46mqt.exe
"2008-03-14 02:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\QJJ46mqt.exe
"2008-03-14 03:00:00 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\QJJ46mqt.exe
"2008-03-16 04:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\QJJ46mqt.exe
"2008-03-16 05:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\QJJ46mqt.exe
"2008-03-16 06:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\QJJ46mqt.exe
"2008-03-16 07:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\QJJ46mqt.exe

"2008-03-18 14:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\QJJ46mqt.exe
"2008-03-13 08:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\QJJ46mqt.exe
"2008-03-13 09:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\QJJ46mqt.exe
"2008-03-15 10:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\QJJ46mqt.exe
"2008-03-13 11:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\QJJ46mqt.exe
"2008-03-18 12:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\QJJ46mqt.exe
"2008-03-18 15:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\QJJ46mqt.exe
"2008-03-12 16:00:01 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\QJJ46mqt.exe
"2008-03-12 17:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\QJJ46mqt.exe
"2008-03-12 18:00:01 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\QJJ46mqt.exe
"2008-03-12 19:00:01 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\QJJ46mqt.exe
"2008-03-12 20:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\QJJ46mqt.exe
"2008-03-12 21:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\QJJ46mqt.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-20 11:37:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-20 11:37:53
ComboFix-quarantined-files.txt 2008-03-20 00:37:38
.
2008-02-24 09:23:07 --- E O F ---




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:43:47 AM, on 20/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.blizzard....ter/diablo2exp/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {C8C843F7-E75E-403E-9726-CE36EBF1EA04} - C:\WINDOWS\system32\ATIDEMG.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1204901946879
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {EF732B7C-BFF6-49B1-A32C-3C74C318FDCC} (VPlayer Control) - http://www.stubbysym...player_ocx.jpeg
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 7265 bytes
  • 0

#6
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts

I do recognise the site and I did allow an ActiveX download from it some 6 months ago or so at a guess... do I need to follow this up at all?

No, if the site is legitimate then you should be OK. The site looks legit to me, so I don't suspect the ActiveX component is malware. We can remove it if you like though.

In this post we will clear the remaining malware I can see.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\ATIDEMG.dll
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\system32\QJJ46mqt.exe
C:\WINDOWS\system32\CMMGR32.EXE
C:\WINDOWS\ativpsrm.bin
C:\Documents and Settings\Rule Family\Application Data\urlredir.cfg
C:\WINDOWS\system32\AdssiteSocial-uninstall.exe
C:\WINDOWS\system32\adssite_sidebar_uninstall.exe
C:\WINDOWS\system32\WhoisCL.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C8C843F7-E75E-403E-9726-CE36EBF1EA04}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28942434-9479-11db-863f-003018c13452}]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

andrewuk
  • 0
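To see why every At*.job is listed alongside QJJ46mqt.exe in the CFScript above, here is a small added Python script (mine, not the thread's and not ComboFix's own tooling) that parses a ComboFix 'Scheduled Tasks' block, groups the job files by the executable they launch, flags any target reached by several At jobs, and renders the matching File:: section; the sample block mirrors the entries from this thread, and the Backup.job line in it is constructed for contrast.

```python
"""Group At*.job entries from a ComboFix 'Scheduled Tasks' block by target.

A home PC rarely has any 'at' jobs at all; two dozen of them, one per hour,
all pointing at one oddly named binary in system32, is the persistence
pattern visible in the log above.  This script makes that pattern explicit
and derives the list of files a CFScript would name.
"""
import re
from collections import defaultdict

# Constructed sample in the layout ComboFix prints for the tasks section.
# The three At*.job lines mirror the thread's log; Backup.job is made up
# as a benign single-job entry for contrast.
SAMPLE_TASKS = r'''Contents of the 'Scheduled Tasks' folder
"2008-03-19 13:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\QJJ46mqt.exe
"2008-03-12 22:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\QJJ46mqt.exe

"2008-03-18 14:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\QJJ46mqt.exe
"2008-03-20 03:00:00 C:\WINDOWS\Tasks\Backup.job"
- C:\Program Files\Backup\backup.exe /nightly
'''

# Header line: quoted "last-run timestamp" followed by the .job path.
JOB_RE = re.compile(
    r'^"(?P<last_run>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<job>.+?\.job)"$')
# Target line: a dash, a space, then the command the job launches.
TARGET_RE = re.compile(r'^- (?P<target>.+)$')
AT_JOB_RE = re.compile(r'\\At\d+\.job$', re.IGNORECASE)


def parse_scheduled_tasks(text):
    """Return a list of (job_path, last_run, target) from a tasks block.

    A target line is only accepted directly after a job header, so stray
    dashes elsewhere in a log do not produce phantom entries.
    """
    entries = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        header = JOB_RE.match(line)
        if header:
            pending = (header.group('job'), header.group('last_run'))
            continue
        target = TARGET_RE.match(line)
        if target and pending is not None:
            job, last_run = pending
            entries.append((job, last_run, target.group('target')))
        pending = None
    return entries


def group_by_target(entries):
    """Map each launched command to the list of job files that run it."""
    groups = defaultdict(list)
    for job, _last_run, target in entries:
        groups[target].append(job)
    return dict(groups)


def suspicious_targets(groups, min_jobs=3):
    """Targets launched by at least min_jobs distinct At*.job files."""
    return {
        target: jobs for target, jobs in groups.items()
        if sum(1 for job in jobs if AT_JOB_RE.search(job)) >= min_jobs
    }


def _job_sort_key(path):
    """Sort At1, At2, ..., At10 numerically; other jobs after, by name."""
    number = re.search(r'(\d+)\.job$', path, re.IGNORECASE)
    return (0, int(number.group(1))) if number else (1, path.lower())


def cfscript_file_section(groups, target):
    """Render a CFScript File:: block naming each job file and the target.

    The shape is the same as the File:: section used in this thread; the
    job files come first, the launched executable last.
    """
    lines = ['File::'] + sorted(groups[target], key=_job_sort_key) + [target]
    return '\n'.join(lines)


if __name__ == '__main__':
    found = group_by_target(parse_scheduled_tasks(SAMPLE_TASKS))
    for target, jobs in suspicious_targets(found).items():
        print('%d At jobs launch %s' % (len(jobs), target))
        print(cfscript_file_section(found, target))
```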

#7
Justin Time

Justin Time

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
OK, thanks Andrew, here are the two logs.


ComboFix 08-03-18.1 - Rule Family 2008-03-23 18:01:16.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.201 [GMT 11:00]
Running from: C:\Documents and Settings\Rule Family\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Rule Family\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Rule Family\Application Data\urlredir.cfg
C:\WINDOWS\ativpsrm.bin
C:\WINDOWS\system32\adssite_sidebar_uninstall.exe
C:\WINDOWS\system32\AdssiteSocial-uninstall.exe
C:\WINDOWS\system32\ATIDEMG.dll
C:\WINDOWS\system32\CMMGR32.EXE
C:\WINDOWS\system32\QJJ46mqt.exe
C:\WINDOWS\system32\WhoisCL.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\ativpsrm.bin
C:\WINDOWS\system32\adssite_sidebar_uninstall.exe
C:\WINDOWS\system32\AdssiteSocial-uninstall.exe
C:\WINDOWS\system32\WhoisCL.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2008-02-23 to 2008-03-23 )))))))))))))))))))))))))))))))
.

2008-03-23 17:55 . 2008-03-23 17:55 <DIR> d-------- C:\WINDOWS\Sun
2008-03-21 14:12 . 2008-03-21 14:12 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-03-19 23:07 . 2008-03-19 23:07 <DIR> d-------- C:\Deckard
2008-03-12 23:10 . 2008-03-12 23:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-12 22:49 . 2008-03-12 22:58 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-12 22:49 . 2008-03-12 22:49 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-12 22:49 . 2008-03-12 22:49 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-12 22:49 . 2008-03-12 22:49 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-10 23:15 . 2008-03-16 14:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-10 23:15 . 2008-03-10 23:15 <DIR> d-------- C:\Documents and Settings\Rule Family\Application Data\SUPERAntiSpyware.com
2008-03-10 23:15 . 2008-03-10 23:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-10 23:14 . 2008-03-10 23:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-09 16:24 . 2008-03-09 16:24 <DIR> d-------- C:\Documents and Settings\Rule Family\Application Data\Grisoft
2008-03-09 16:24 . 2007-05-30 23:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-09 15:07 . 2008-03-09 15:07 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-08 21:46 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-08 21:46 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-18 11:34 --------- d-----w C:\Documents and Settings\Rule Family\Application Data\LimeWire
2008-03-12 21:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-09 04:18 --------- d-----w C:\Program Files\TI-Connect
2008-03-09 04:16 --------- d-----w C:\Program Files\TI Education
2008-03-07 14:36 --------- d-----w C:\Program Files\Frets on Fire
2008-02-11 23:37 --------- d-----w C:\Documents and Settings\Rule Family\Application Data\AVG7
2008-01-02 07:08 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2006-12-26 10:17 92,064 ----a-w C:\Documents and Settings\Rule Family\mqdmmdm.sys
2006-12-26 10:17 9,232 ----a-w C:\Documents and Settings\Rule Family\mqdmmdfl.sys
2006-12-26 10:17 79,328 ----a-w C:\Documents and Settings\Rule Family\mqdmserd.sys
2006-12-26 10:17 66,656 ----a-w C:\Documents and Settings\Rule Family\mqdmbus.sys
2006-12-26 10:17 6,208 ----a-w C:\Documents and Settings\Rule Family\mqdmcmnt.sys
2006-12-26 10:17 5,936 ----a-w C:\Documents and Settings\Rule Family\mqdmwhnt.sys
2006-12-26 10:17 4,048 ----a-w C:\Documents and Settings\Rule Family\mqdmcr.sys
2006-12-26 10:17 25,600 ----a-w C:\Documents and Settings\Rule Family\usbsermptxp.sys
2006-12-26 10:17 22,768 ----a-w C:\Documents and Settings\Rule Family\usbsermpt.sys
2006-08-27 22:04 266 --sh--w C:\Program Files\desktop.ini
2006-08-27 22:04 11,079 ---ha-w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((( [email protected]_11.37.32.93 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-05-01 05:00:00 11,264 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMBM92.DLL
+ 2007-05-01 05:00:00 33,280 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMBS92.DLL
+ 2007-05-01 05:00:00 11,264 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMBU92.DLL
+ 2007-05-01 05:00:00 1,600,000 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMCB92.DLL
+ 2007-05-01 05:00:00 102,400 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMCP92.DLL
+ 2007-05-01 05:00:00 221,184 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMD592.DLL
+ 2007-05-01 05:00:00 545,792 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMDR92.DLL
+ 2007-05-01 05:00:00 10,240 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMFU92.DLL
+ 2007-05-01 05:00:00 9,216 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMLH92.DLL
+ 2007-05-01 05:00:00 145,408 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMLR92.DLL
+ 2007-05-01 05:00:00 25,088 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMOP92.DLL
+ 2000-12-12 11:10:04 23,280 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMP092.DAT
+ 2000-12-12 11:10:04 27,140 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMP192.DAT
+ 2000-12-12 17:09:20 30,320 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMP292.DAT
+ 2007-05-01 05:00:00 12,288 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMPI92.DLL
+ 2007-05-01 05:00:00 102,400 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMPV92.DLL
+ 2007-05-01 05:00:00 1,142,272 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSB92.DLL
+ 2007-05-01 05:00:00 47,616 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSD92.DLL
+ 2007-05-01 11:22:34 17,496 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSE92.EXE
+ 2007-05-01 05:00:00 428,544 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSM92.DLL
+ 2007-05-01 05:00:00 44,032 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSQ92.DLL
+ 2007-05-01 05:00:00 76,288 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSR92.DLL
+ 2007-05-01 05:00:00 642,048 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMUB92.DLL
+ 2007-05-01 05:00:00 1,907,200 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMUI92.DLL
+ 2007-05-01 05:00:00 361,472 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMUR92.DLL
+ 2007-05-01 05:00:00 13,824 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMVS92.DLL
+ 2007-05-01 05:00:00 11,264 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMW392.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 19:23 102400]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [ ]
"msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54 5674352]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-03-16 14:40 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-01-20 23:04 77824 C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 10:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 18:35 32768]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2008-03-10 23:26 0]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-28 13:39 579072]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-20 00:47 57344]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-15 21:29 77824]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-06-15 13:36 229376]
"MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2002-06-19 12:50 180224]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 20:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 01:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-25 17:21 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-03-16 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Diablo II\\Diablo II.exe"=
"C:\\Program Files\\Diablo II\\Game.exe"=
"C:\\WINDOWS\\system32\\dxdiag.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\BlueByte\\Settlers3\\s3.exe"=
"C:\\BlueByte\\Settlers3\\AUTORUN.EXE"=
"C:\\BlueByte\\Settlers3\\S3EDITOR\\S3Editor.exe"=
"C:\\BlueByte\\Settlers3\\SETUPS3.EXE"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys [2001-12-20 11:02]
R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe [2001-08-06 08:41]
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 10:05]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-23 18:03:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-23 18:03:46
ComboFix-quarantined-files.txt 2008-03-23 07:03:25
ComboFix2.txt 2008-03-20 00:37:54
.
2008-02-24 09:23:07 --- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:09:58 PM, on 23/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.blizzard....ter/diablo2exp/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1204901946879
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {EF732B7C-BFF6-49B1-A32C-3C74C318FDCC} (VPlayer Control) - http://www.stubbysym...player_ocx.jpeg
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 7339 bytes

#8
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Looking good so far :)

In this post we will remove some adware/malware programs and do some scans to see if there is anything else lurking on your machine. I suspect it will only take 2 more posts from me after this to wrap this all up.

The scans will likely take 2 hours, quite possibly much longer, so just let them run.

====STEP 1====
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


If you are using Firefox and after using ATF Cleaner the Geeks to Go website displays as plain text, then you should clear the Firefox cache.

To clear the cache, go to Tools > Options
Go to Advanced category, and then click on the Network tab.
Under Cache, click the Clear Now button.
Click OK.


====STEP 2====
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


====STEP 3====
Double-click SUPERAntiSpyware to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


====STEP 4====
Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

Adssite Advanced Toolbar
Browser Optimizer Adssite
Enhancement Browser Tools Rightonadz
Search Assistant Adssite


Please note any other programs that you don't recognize in that list in your next response.



====STEP 5====
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan": Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

In your next reply could I see:
1. the Malwarebytes log
2. the SUPERAntiSpyware log
3. the Kaspersky log
4. a new HijackThis log
5. some idea of how your machine is running now

There will be a lot of information to post in the next reply, therefore you may need to post the information over more than one reply to ensure it is all posted.

andrewuk

#9
Justin Time

    Member

  • Topic Starter
  • Member
  • 31 posts
Ok, whilst on the net I am no longer getting any pop-ups and my computer is running at a more reasonable speed. Startup takes a while but I'm guessing that is affected by some of the new programs that have been installed? Here are the new logs...



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, March 25, 2008 2:36:50 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 24/03/2008
Kaspersky Anti-Virus database records: 660250
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 44885
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 00:36:13

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Rule Family\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-3-25-2008( 11-59-32 ).LOG Object is locked skipped
C:\Documents and Settings\Rule Family\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Rule Family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Rule Family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Rule Family\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Rule Family\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Rule Family\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Rule Family\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Rule Family\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{97885632-AA18-4176-A0D0-89C664624BD5}\RP358\A0037602.dll Infected: not-a-virus:AdWare.Win32.Agent.aig skipped
C:\System Volume Information\_restore{97885632-AA18-4176-A0D0-89C664624BD5}\RP367\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/25/2008 at 03:07 AM

Application Version : 4.0.1154

Core Rules Database Version : 3423
Trace Rules Database Version: 1415

Scan type : Complete Scan
Total Scan Time : 00:31:12

Memory items scanned : 428
Memory threats detected : 0
Registry items scanned : 5517
Registry threats detected : 0
File items scanned : 46752
File threats detected : 4

RelevantKnowledge Spyware Component
C:\SYSTEM VOLUME INFORMATION\_RESTORE{97885632-AA18-4176-A0D0-89C664624BD5}\RP358\A0037598.DLL

Trojan.Unclassified/IEBROWSERCMP
C:\SYSTEM VOLUME INFORMATION\_RESTORE{97885632-AA18-4176-A0D0-89C664624BD5}\RP358\A0037599.DLL

Trojan.Unclassified/FukuRuku-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{97885632-AA18-4176-A0D0-89C664624BD5}\RP358\A0037601.DLL

Adware.AdRotator/AdsSite
C:\SYSTEM VOLUME INFORMATION\_RESTORE{97885632-AA18-4176-A0D0-89C664624BD5}\RP358\A0038598.DLL


Malwarebytes' Anti-Malware 1.09
Database version: 528

Scan type: Full Scan (A:\|C:\|)
Objects scanned: 71901
Time elapsed: 17 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\HID_Layer (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\RelevantKnowledge (Spyware.Marketscore) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{97885632-AA18-4176-A0D0-89C664624BD5}\RP358\A0037589.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{97885632-AA18-4176-A0D0-89C664624BD5}\RP358\A0037591.exe (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{97885632-AA18-4176-A0D0-89C664624BD5}\RP358\A0037592.dll (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{97885632-AA18-4176-A0D0-89C664624BD5}\RP358\A0037594.exe (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{97885632-AA18-4176-A0D0-89C664624BD5}\RP358\A0037600.dll (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\RelevantKnowledge\About RelevantKnowledge.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\RelevantKnowledge\Privacy Policy and User License Agreement.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\RelevantKnowledge\Support.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:41:45 PM, on 25/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.blizzard....ter/diablo2exp/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1204901946879
O16 - DPF: {EF732B7C-BFF6-49B1-A32C-3C74C318FDCC} (VPlayer Control) - http://www.stubbysym...player_ocx.jpeg
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 6720 bytes
  • 0
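The HijackThis log above has a regular "code - body" shape (R0/R1 browser settings, O2 BHOs, O4 autoruns, O16 ActiveX downloads, O23 services), which makes it easy to parse for a first-pass review. The following is an added example and is not part of this thread or of HijackThis itself: a small Python parser that splits the O2/O4/O16/O23 entries into fields and lists the items a helper typically looks at first. The sample lines are copied from the log posted above (the "..." inside the URLs is how the forum shortened them); the three review heuristics are my own assumptions about what is worth a second look, and they are prompts to check, not a verdict on this machine.

```python
"""Parse a HijackThis log and list the entries a helper usually checks first."""
import re
from collections import defaultdict

# Lines copied verbatim from the HijackThis log posted earlier in this thread.
# The "..." inside the URLs is how the forum software shortened them for display.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {EF732B7C-BFF6-49B1-A32C-3C74C318FDCC} (VPlayer Control) - http://www.stubbysym...player_ocx.jpeg
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

# Every entry line is "<code> - <body>"; everything else (headers, process list) is skipped.
LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")

# Field layouts for the section types this example understands.
PARSERS = {
    "O2": re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$"),
    "O4": re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<command>.+)$"),
    "O16": re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>.+?)\) - (?P<url>\S+)$"),
    "O23": re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$"),
}


def parse_hjt(text):
    """Return {section code: [entry dict, ...]}; every entry keeps its raw line."""
    sections = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        entry = {"raw": raw.strip()}
        parser = PARSERS.get(code)
        if parser and (fields := parser.match(body)):
            entry.update(fields.groupdict())
        sections[code].append(entry)
    return sections


def triage(sections):
    """Return review notes. These are rough heuristics (my assumptions), not a verdict."""
    notes = []
    # O4: a command given as a bare file name is resolved through the search path,
    # so it is worth confirming which copy of the file actually runs.
    for e in sections.get("O4", []):
        cmd = e.get("command")
        if cmd and not re.match(r'^"?[A-Za-z]:\\', cmd):
            notes.append(f"O4 [{e['name']}]: bare file name {cmd.split()[0]!r}; confirm which copy runs")
    # O16: ActiveX controls are normally delivered as .cab archives; any other
    # extension is unusual enough to look at.
    for e in sections.get("O16", []):
        url = e.get("url", "")
        if url and not url.lower().endswith(".cab"):
            notes.append(f"O16 {e['name']}: control fetched from a URL not ending in .cab ({url})")
    # O23: a service with no vendor string has no publisher to check against.
    for e in sections.get("O23", []):
        if e.get("owner") == "Unknown owner":
            notes.append(f"O23 {e['name']}: no vendor string; check the publisher of {e['path']}")
    return notes


if __name__ == "__main__":
    for note in triage(parse_hjt(SAMPLE_LOG)):
        print(note)
```

Run against the sample, the script lists three items to look at (the bare SOUNDMAN.EXE autorun, the VPlayer control served as a .jpeg URL, and the ATI Smart service without an owner string). That is the same kind of short list a helper builds by eye before deciding what, if anything, needs action; here andrewuk's conclusion that the log is clean stands.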

#10
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hi Justin Time,

Congratulations, your logs are clean :)

The SUPERAntiSpyware scan only found infections in the system restore points (which we will clear now); the Kaspersky scan also only found an infection in the system restore, and the Malwarebytes scan found some traces as well as infections in the system restore points.

Startup takes a while but I'm guessing that is affected by some of the new programs that have been installed??

Quite possibly, though it does not appear to be malware related. If it is unusually slow you could try posting in the Windows XP™, 2000, 2003, NT part of this forum and say that your machine has been cleared of malware. Though I will also leave you with some ideas on how to improve the system performance.

In this post we will clear away the fix tools, reset your restore points (there will be infections lurking in there) and I will leave you with some ideas on how to enhance the protection of your machine against future infection.


====STEP 1====
Clearing away the fix tools and resetting the system restore points.

Click START then RUN
  • Now type Combofix /u in the runbox and click OK

  • When shown the disclaimer, Select "2"

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.
If you have trouble with this, let me know and we will clear away the fix tools and reset your restore points another way.


====STEP 2====
Ideas to improve the system performance

There is a nice page here that goes through what really slows a computer down (startups, defragging etc.) with some good links; notably for you, this one here.



====AND FINALLY====
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.


andrewuk
  • 0

#11
Justin Time

    Member

  • Topic Starter
  • Member
  • 31 posts
Thank you very much Andrewuk, I greatly appreciate the time you have spent helping me out.... I forgot to add in my last post the list of things I did not recognise in the Add/Remove Programs; they were:

CmdHere Powertoy For Windows
Avanquest Update
Relevant Knowledge
Socialnetworking Helper Addsite

The rest looked familiar or were programs I know I definitely installed myself...
  • 0

#12
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Uninstall these:
RelevantKnowledge
Socialnetworking Helper Adssite



As best I can tell, Avanquest Update is legit, http://www.innovativ...?showtopic=1636

as is CmdHere Powertoy For Windows XP, http://www.innovativ...?showtopic=3889

andrewuk
  • 0

#13
Justin Time

    Member

  • Topic Starter
  • Member
  • 31 posts
OK, I didn't have any trouble with that. Once again thank you very much for your help. Much appreciation!!! :)
  • 0

#14
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
