
BIG PROBLEM -- winfixer.150 -- Fraudtool.AVSystemCare.100 [RESOLVED]


  • This topic is locked This topic is locked

#1
balbert (Member, 11 posts)
My wife's computer, which she only uses for surfing the net, became badly infected with a multiplicity of trojan viruses. I have now installed and run 1. Spybot Search & Destroy, 2. Avira AntiVirus, 3. AdAware2007, 4. Shredder, 5. Trojan Hunter to clean things up. I ran these in safe mode, which seemed to have successfully taken care of much of the problem but definitely not all of the problem.

We are running Windows XP.

However, Google searches are continually redirected to SPAM sites, and every time I run Trojan Hunter or Ad Aware, it finds another something to destroy.

How can we get clean once and for all?

Below is my Hijack This file and uninstall list. Any help you can provide will be greatly, greatly appreciated.

Kind Regards,
Brian

Hijack This

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:26:30 PM, on 3/15/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Belkin\Cardbus F5D701F\Wireless Utility\Belkinwcui.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [jkdfj94kgdftdf] C:\WINDOWS\TEMP\winlogan.exe
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\System32\ctfmona.exe
O4 - HKLM\..\Run: [icasServ] C:\WINDOWS\System32\icasServ.exe
O4 - HKLM\..\Run: [ShareSearcher] c:\wsusupd.exe
O4 - HKLM\..\Run: [SystemDefender] "C:\Program Files\SystemDefender\SystemDefender.exe" hide
O4 - HKLM\..\Run: [ugac] "C:\PROGRA~1\COMMON~1\AVSYST~1\ugac.exe" -start
O4 - HKLM\..\Run: [bm(1)] "C:\Program Files\Common Files\AVSystemCare\bm.exe" dm=http://avsystemcare.com ad=http://avsystemcare.com sd=http://ykeeper.avsystemcare.com
O4 - HKLM\..\Run: [ptask] C:\Program Files\AVSystemCare\ptask.exe
O4 - HKLM\..\Run: [WinMed] winmed.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [WinIFixer] C:\Program Files\WinIFixer\WinIFixer.exe
O4 - HKLM\..\Run: [EasySpywareCleaner] C:\Program Files\EasySpywareCleaner\EasySpywareCleaner.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Sarah Vanek\Local Settings\Application Data\cftmon.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [ucookw] "C:\PROGRA~1\ErrClean\ucookw.exe" -start
O4 - HKLM\..\Run: [AVSystemCare] C:\Program Files\AVSystemCare\pgs.exe
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\ErrClean\strpmon.exe" dm=http://errclean.com ad=http://errclean.com sd=http://inspaid.errclean.com
O4 - HKLM\..\RunOnce: [ZoneAlarmSB Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -3
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\SARAHV~1\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [jkdfj94kgdftdf] C:\WINDOWS\TEMP\winlogan.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [braviax] C:\WINDOWS\System32\braviax.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - Global Startup: Belkin Wireless G Notebook Card Client Utility.lnk = ?
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1204393670618
O20 - AppInit_DLLs: C:\WINDOWS\System32\cru629.dat
O20 - Winlogon Notify: crypt - crypts.dll (file missing)
O21 - SSODL: sglsxIpH - {681FCE85-C2B5-642F-98A2-731A7DA5EA14} - C:\WINDOWS\System32\govk.dll (file missing)
O21 - SSODL: WinApp - {C285CF22-115F-3252-41AC-F686D912C63D} - C:\WINDOWS\System32\clipuser32.dll (file missing)
O21 - SSODL: MonRunOnce - {425300ee-456a-4c42-b194-2ba30ca041f3} - C:\WINDOWS\Installer\{425300ee-456a-4c42-b194-2ba30ca041f3}\MonRunOnce.dll (file missing)
O22 - SharedTaskScheduler: sklfc94krteetj - {B5AC49A2-94F2-42BD-F434-2604812C897D} - (no file)
O22 - SharedTaskScheduler: JKhfj3ofgfgdtj - {B5AF0562-94F3-42BD-F434-2604812C797D} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Google Online Search Service - Unknown owner - C:\WINDOWS\System32\winlagons.exe (file missing)
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe (file missing)
O23 - Service: ICF - Unknown owner - C:\WINDOWS\System32\svchost.exe:exe.exe (file missing)
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE (file missing)
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8491 bytes


Uninstall List


Access IBM
Access IBM Message Center
Access IBM Tools
Ad-Aware 2007
Adobe Acrobat 5.0
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Agere Systems AC'97 Modem
alm
ATI Control Panel
ATI Display Driver
ATI HydraVision
Avira AntiVir PersonalEdition Classic
Belkin Wireless G Notebook Card Driver and Utility
Hijackthis 1.99.1
HijackThis 1.99.1
IBM Access Connections
IBM DLA
IBM Rapid Restore PC Setup
IBM RecordNow
IBM RecordNow Update Manager
IBM Themes
IBM ThinkPad Battery MaxiMiser and Power Management Features
IBM ThinkPad Configuration
IBM ThinkPad EasyEject Utility
IBM ThinkPad Keyboard Customizer Utility
IBM ThinkPad Power Management Driver
IBM ThinkPad Presentation Director
IBM ThinkPad UltraNav Driver
IBM ThinkPad UltraNav Wizard
IBM TrackPoint Accessibility Features
Intel® PRO Network Adapters and Drivers
Internet Explorer Q822925
InterVideo WinDVD
Lavasoft VX2 Cleaner
Mozilla Firefox (2.0.0.12)
Outlook Express Update Q330994
PC-Doctor for Windows
Spybot - Search & Destroy
ThinkPad FullScreen Magnifier
ThinkPad Software Installer
TPNala Wallpaper
TrojanHunter 5.0
ZoneAlarm
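The HijackThis log above is read by hand on this forum, but the patterns the helpers look for in its O4/O20/O21/O22/O23 lines can be written down as checks. The script below is an added example for this thread, not code from the original post, from HijackThis, or from any tool named here. It runs three defender-side triage heuristics over a few sample lines constructed in HijackThis format (several modelled on entries in the log above): an entry whose file is missing, an autostart launched from a temp or profile directory, and a file name that is one edit away from a core Windows process name (csrssc, winlogan, spoolvs). The system-name list, the directory markers and the extension list are assumptions chosen for the example, and an AppInit_DLLs value is reported whenever it is set, since that is a classic DLL-injection point.

```python
import ntpath
import re

# Constructed sample in HijackThis format; several lines are modelled on the log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [jkdfj94kgdftdf] C:\WINDOWS\TEMP\winlogan.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\SARAHV~1\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\cru629.dat
O21 - SSODL: sglsxIpH - {681FCE85-C2B5-642F-98A2-731A7DA5EA14} - C:\WINDOWS\System32\govk.dll (file missing)
O22 - SharedTaskScheduler: sklfc94krteetj - {B5AC49A2-94F2-42BD-F434-2604812C897D} - (no file)
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Assumed list of core Windows process names that malware imitates with a one-character change.
SYSTEM_NAMES = ("csrss", "smss", "winlogon", "services", "lsass", "svchost",
                "spoolsv", "ctfmon", "explorer", "wuauclt")
# Assumed directory fragments where a legitimate autostart entry almost never lives.
TEMP_MARKERS = ("\\temp\\", "\\local settings\\", "\\locals~1\\")

ENTRY_RE = re.compile(r"^(?P<kind>O\d+) - (?P<rest>.*)$")
# Drive-letter path ending in a binary extension; tolerates quoted paths containing spaces.
DRIVE_PATH_RE = re.compile(
    r'(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|dll|dat|cpl|ocx|pif|sys))"?(?=\s|$)', re.I)
# Bare file name (S3Tray2.exe) for entries that carry no full path.
BARE_NAME_RE = re.compile(
    r'(?P<path>[^\s"\[\]]+\.(?:exe|dll|dat|cpl|ocx|pif|sys))(?=\s|$)', re.I)


def osa_distance(a, b):
    """Optimal-string-alignment edit distance: insert, delete and substitute cost 1,
    and swapping two adjacent characters (spoolsv -> spoolvs) also costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def referenced_file(rest):
    """Pull the file an entry points at, preferring a full drive path over a bare name."""
    m = DRIVE_PATH_RE.search(rest) or BARE_NAME_RE.search(rest)
    return m.group("path") if m else None


def triage_line(line):
    """Return (kind, path, reasons) for an autostart-type entry, or None for other
    line types. An empty reasons list means none of the heuristics fired."""
    m = ENTRY_RE.match(line.strip())
    if not m or m.group("kind") not in ("O4", "O20", "O21", "O22", "O23"):
        return None
    kind, rest = m.group("kind"), m.group("rest")
    low = rest.lower()
    reasons = []
    if "(file missing)" in low or "(no file)" in low:
        reasons.append("orphaned: referenced file no longer exists")
    if kind == "O20" and low.startswith("appinit_dlls:"):
        reasons.append("AppInit_DLLs injection point is set")
    path = referenced_file(rest)
    if path:
        plow = path.lower()
        if any(marker in plow for marker in TEMP_MARKERS):
            reasons.append("autostart from a temp or profile directory")
        stem = ntpath.splitext(ntpath.basename(plow))[0]
        for legit in SYSTEM_NAMES:
            if stem != legit and osa_distance(stem, legit) == 1:
                reasons.append(f"lookalike of system binary {legit}.exe")
        if kind == "O20" and not plow.endswith(".dll"):
            reasons.append("AppInit_DLLs value is not a .dll")
    return kind, path, reasons


def triage_log(text):
    """Run triage_line over a whole log and keep only the entries with findings."""
    rows = []
    for line in text.splitlines():
        result = triage_line(line)
        if result and result[2]:
            kind, path, reasons = result
            rows.append({"line": line, "kind": kind, "path": path, "reasons": reasons})
    return rows


if __name__ == "__main__":
    for row in triage_log(SAMPLE_LOG):
        print(row["kind"], row["path"] or row["line"])
        for reason in row["reasons"]:
            print("   -", reason)
```

Run as a script it prints the seven sample entries that trip a heuristic and leaves the Avira and ZoneAlarm lines alone. The edit-distance threshold is deliberately 1 rather than 2: at distance 2 legitimate names such as msmsgs.exe would collide with smss.exe, so a wider net would bury the real lookalikes in noise.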


#2
balbert (Topic Starter, Member, 11 posts)
Just want to add that Spybot Search and Destroy keeps finding and deleting Zlob.DNSChanger.rtk.

Thanks again for any help you might provide.

#3
kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Hello balbert

Welcome to G2Go. :)
====================
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#4
balbert (Topic Starter, Member, 11 posts)
Thanks so much for looking into this for me. After installing Deckard's System Scan, the following notepads appeared:

Brian

Main.txt is as follows:



Deckard's System Scanner v20071014.68
Run by Sarah Vanek on 2008-03-16 07:26:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-03-16 15:26:25 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Sarah Vanek.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:27:53 AM, on 3/16/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Belkin\Cardbus F5D701F\Wireless Utility\Belkinwcui.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Sarah Vanek\Desktop\dss.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Sarah Vanek.exe

F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [jkdfj94kgdftdf] C:\WINDOWS\TEMP\winlogan.exe
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\System32\ctfmona.exe
O4 - HKLM\..\Run: [icasServ] C:\WINDOWS\System32\icasServ.exe
O4 - HKLM\..\Run: [ShareSearcher] c:\wsusupd.exe
O4 - HKLM\..\Run: [SystemDefender] "C:\Program Files\SystemDefender\SystemDefender.exe" hide
O4 - HKLM\..\Run: [ugac] "C:\PROGRA~1\COMMON~1\AVSYST~1\ugac.exe" -start
O4 - HKLM\..\Run: [bm(1)] "C:\Program Files\Common Files\AVSystemCare\bm.exe" dm=http://avsystemcare.com ad=http://avsystemcare.com sd=http://ykeeper.avsystemcare.com
O4 - HKLM\..\Run: [ptask] C:\Program Files\AVSystemCare\ptask.exe
O4 - HKLM\..\Run: [WinMed] winmed.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [WinIFixer] C:\Program Files\WinIFixer\WinIFixer.exe
O4 - HKLM\..\Run: [EasySpywareCleaner] C:\Program Files\EasySpywareCleaner\EasySpywareCleaner.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Sarah Vanek\Local Settings\Application Data\cftmon.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [AVSystemCare] C:\Program Files\AVSystemCare\pgs.exe
O4 - HKLM\..\Run: [ucookw] "C:\PROGRA~1\ErrClean\ucookw.exe" -start
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\ErrClean\strpmon.exe" dm=http://errclean.com ad=http://errclean.com sd=http://inspaid.errclean.com
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\SARAHV~1\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [jkdfj94kgdftdf] C:\WINDOWS\TEMP\winlogan.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [braviax] C:\WINDOWS\System32\braviax.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - Global Startup: Belkin Wireless G Notebook Card Client Utility.lnk = ?
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1204393670618
O20 - AppInit_DLLs: C:\WINDOWS\System32\cru629.dat
O20 - Winlogon Notify: crypt - crypts.dll (file missing)
O21 - SSODL: sglsxIpH - {681FCE85-C2B5-642F-98A2-731A7DA5EA14} - C:\WINDOWS\System32\govk.dll (file missing)
O21 - SSODL: WinApp - {C285CF22-115F-3252-41AC-F686D912C63D} - C:\WINDOWS\System32\clipuser32.dll (file missing)
O21 - SSODL: MonRunOnce - {425300ee-456a-4c42-b194-2ba30ca041f3} - C:\WINDOWS\Installer\{425300ee-456a-4c42-b194-2ba30ca041f3}\MonRunOnce.dll (file missing)
O22 - SharedTaskScheduler: sklfc94krteetj - {B5AC49A2-94F2-42BD-F434-2604812C897D} - (no file)
O22 - SharedTaskScheduler: JKhfj3ofgfgdtj - {B5AF0562-94F3-42BD-F434-2604812C797D} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Google Online Search Service - Unknown owner - C:\WINDOWS\System32\winlagons.exe (file missing)
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe (file missing)
O23 - Service: ICF - Unknown owner - C:\WINDOWS\System32\svchost.exe:exe.exe (file missing)
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE (file missing)
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8271 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 IBMTPCHK - c:\windows\system32\drivers\ibmbldid.sys
R1 Smapint - c:\windows\system32\drivers\smapint.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
R1 TDSMAPI - c:\windows\system32\drivers\tdsmapi.sys
R1 TPHKDRV - c:\windows\system32\drivers\tphkdrv.sys <Not Verified; IBM Corporation; ThinkPad OnScreenDisplay>
R1 TPPWR - c:\windows\system32\drivers\tppwr.sys <Not Verified; IBM Corp.; IBM ThinkPad Utility>
R1 TSMAPIP - c:\windows\system32\drivers\tsmapip.sys
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.5.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.5.0>
R2 PMEM - c:\windows\system32\drivers\pmemnt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
R3 SjyPkt - c:\windows\system32\drivers\sjypkt.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>

S0 dhlp - c:\windows\system32\drivers\dhlp.sys (file missing)
S1 pcximg - c:\windows\system\pcximg.pif (file missing)
S3 PCDRDRV (Pcdr Helper Driver) - c:\progra~1\pc-doc~1\diagno~1\pcdrdrv.sys (file missing)
S3 PcdrNt - c:\windows\system32\drivers\pcdrnt.sys <Not Verified; PC-Doctor Inc.; PC-Doctor NT 3.0>
S3 Secdrv - c:\windows\system32\drivers\secdrv.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AntiVirScheduler (AntiVir PersonalEdition Classic Scheduler) - "c:\program files\avira\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; Scheduler>

S2 Google Online Search Service - c:\windows\system32\winlagons.exe -a (file missing)
S2 IBMPMSVC (IBM PM Service) - c:\windows\system32\ibmpmsvc.exe (file missing)
S2 ICF - c:\windows\system32\svchost.exe:exe.exe (file missing)
S2 QCONSVC - system32\qconsvc.exe (file missing)
S2 Schedule (Task Scheduler) - c:\windows\system32\drivers\spools.exe (file missing)
S2 TpKmpSVC (IBM KCU Service) - c:\windows\system32\tpkmpsvc.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-12-13 15:28:42 314 --a------ C:\WINDOWS\Tasks\BMMTask.job


-- Files created between 2008-02-16 and 2008-03-16 -----------------------------

2008-03-15 20:26:16 0 d-------- C:\Program Files\Trend Micro
2008-03-15 19:34:32 262144 --a------ C:\Program Files\Uninstall Spy Blocker.dll <Not Verified; ZoneAlarm; ZoneAlarm Spy Blocker for Internet Explorer and Firefox>
2008-03-14 22:02:59 0 d-------- C:\Documents and Settings\Administrator\Application Data\TrojanHunter
2008-03-01 09:48:02 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-02-28 10:13:05 910336 --a------ C:\vx2cleaner.dll
2008-02-28 10:13:05 164864 --a------ C:\UNWISE.EXE
2008-02-28 10:11:56 0 d-------- C:\Program Files\Lavasoft
2008-02-28 10:01:55 0 d-------- C:\Documents and Settings\Sarah Vanek\Application Data\TrojanHunter
2008-02-28 10:00:41 0 d-------- C:\Program Files\TrojanHunter 5.0
2008-02-28 09:50:18 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-02-28 09:50:08 4212 ---h----- C:\WINDOWS\System32\zllictbl.dat
2008-02-28 09:49:59 11264 --a------ C:\WINDOWS\System32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2008-02-28 09:49:32 0 d-------- C:\WINDOWS\System32\ZoneLabs
2008-02-28 09:48:35 0 d-------- C:\WINDOWS\Internet Logs
2008-02-28 09:42:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-28 09:42:01 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-28 09:08:52 0 d-------- C:\Documents and Settings\Sarah Vanek\Application Data\InfeStop.com
2008-02-27 08:23:29 0 d-------- C:\Documents and Settings\Sarah Vanek\Application Data\spy-rid.com
2008-02-27 07:58:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-26 18:01:08 0 d-------- C:\Documents and Settings\Sarah Vanek\Application Data\EasySpywareCleaner.com
2008-02-26 08:08:42 0 d-------- C:\Documents and Settings\Sarah Vanek\Application Data\WinIFixer.com
2008-02-25 20:03:20 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-25 20:03:16 0 d-------- C:\Documents and Settings\Sarah Vanek\Application Data\Mozilla
2008-02-25 17:35:31 0 d-------- C:\Program Files\Avira
2008-02-25 17:35:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-02-25 11:55:38 16384 --a------ C:\WINDOWS\System32\nod32se.exe
2008-02-25 10:04:39 0 d-------- C:\Documents and Settings\Sarah Vanek\Application Data\errclean
2008-02-25 09:52:46 0 d--hs---- C:\AVSystemCare
2008-02-25 09:52:42 0 d-------- C:\Documents and Settings\Sarah Vanek\Application Data\SysCleaner
2008-02-25 09:52:29 0 dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-02-25 09:47:44 0 d-------- C:\Documents and Settings\Sarah Vanek\Application Data\SystemDefender
2008-02-25 09:41:50 6656 --a------ C:\WINDOWS\System32\users32.dat
2008-02-25 09:40:36 6144 --a------ C:\WINDOWS\System32\cru629.dat
2008-02-25 09:38:17 2 --a------ C:\1746914948


-- Find3M Report ---------------------------------------------------------------

2008-03-01 09:48:59 0 d--h----- C:\Program Files\WindowsUpdate
2008-02-29 07:26:02 0 d-------- C:\Program Files\Common Files
2008-02-28 10:13:08 766 --a------ C:\Program Files\INSTALL.LOG
2008-02-12 07:58:49 0 d-------- C:\Documents and Settings\Sarah Vanek\Application Data\MSN6
2008-01-04 20:30:47 0 --ah----- C:\IO.SYS
2008-01-04 20:30:47 0 --ah----- C:\CONFIG.SYS
2008-01-04 20:30:47 0 --ah----- C:\AUTOEXEC.BAT


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3TRAY2"="S3Tray2.exe" [10/11/2001 10:32 PM C:\WINDOWS\system32\S3Tray2.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [07/31/2003 03:25 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [07/31/2003 03:24 PM]
"ATIModeChange"="Ati2mdxx.exe" [09/04/2001 04:24 PM C:\WINDOWS\system32\Ati2mdxx.exe]
"BluetoothAuthenticationAgent"="irprops.cpl" [11/22/2002 02:45 PM C:\WINDOWS\system32\irprops.cpl]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" []
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [01/17/2003 01:32 AM]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [01/17/2003 01:32 AM]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" []
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [08/08/2003 03:39 PM]
"TP4EX"="tp4ex.exe" [09/04/2002 01:05 AM C:\WINDOWS\system32\TP4EX.exe]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [12/24/2002 02:01 AM]
"AGRSMMSG"="AGRSMMSG.exe" [10/18/2002 11:07 AM C:\WINDOWS\AGRSMMSG.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [04/29/2003 09:00 PM]
"UC_SMB"="" []
"StorageGuard"="c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [06/18/2002 12:01 AM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [01/10/2003 03:50 AM]
"QCTray"="C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe" []
"jkdfj94kgdftdf"="C:\WINDOWS\TEMP\winlogan.exe" []
"ctfmona"="C:\WINDOWS\System32\ctfmona.exe" []
"icasServ"="C:\WINDOWS\System32\icasServ.exe" []
"ShareSearcher"="c:\wsusupd.exe" []
"SystemDefender"="C:\Program Files\SystemDefender\SystemDefender.exe" []
"ugac"="C:\PROGRA~1\COMMON~1\AVSYST~1\ugac.exe" []
"bm(1)"="C:\Program Files\Common Files\AVSystemCare\bm.exe" []
"ptask"="C:\Program Files\AVSystemCare\ptask.exe" []
"WinMed"="winmed.exe" []
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/25/2008 06:33 PM]
"WinIFixer"="C:\Program Files\WinIFixer\WinIFixer.exe" []
"EasySpywareCleaner"="C:\Program Files\EasySpywareCleaner\EasySpywareCleaner.exe" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [11/14/2007 04:05 PM]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [02/08/2008 11:22 AM]
"autoload"="C:\Documents and Settings\Sarah Vanek\Local Settings\Application Data\cftmon.exe" []
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" []
"AVSystemCare"="C:\Program Files\AVSystemCare\pgs.exe" []
"ucookw"="C:\PROGRA~1\ErrClean\ucookw.exe" []
"Salestart"="C:\Program Files\Common Files\ErrClean\strpmon.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [08/20/2002 03:08 PM]
"Jnskdfmf9eldfd"="C:\DOCUME~1\SARAHV~1\LOCALS~1\Temp\csrssc.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]
"Spoolsv"="C:\WINDOWS\System32\spoolvs.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ntuser"=C:\WINDOWS\system32\drivers\spools.exe
"jkdfj94kgdftdf"=C:\WINDOWS\TEMP\winlogan.exe
"braviax"=C:\WINDOWS\System32\braviax.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless G Notebook Card Client Utility.lnk - C:\Program Files\Belkin\Cardbus F5D701F\Wireless Utility\Belkinwcui.exe [1/7/2008 3:59:49 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"sglsxIpH"= {681FCE85-C2B5-642F-98A2-731A7DA5EA14} - C:\WINDOWS\System32\govk.dll [ ]
"WinApp"= {C285CF22-115F-3252-41AC-F686D912C63D} - C:\WINDOWS\System32\clipuser32.dll [ ]
"MonRunOnce"= {425300ee-456a-4c42-b194-2ba30ca041f3} - C:\WINDOWS\Installer\{425300ee-456a-4c42-b194-2ba30ca041f3}\MonRunOnce.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe "
"System"="kduke.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt]
crypts.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\System32\cru629.dat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@="Driver Group"




-- End of Deckard's System Scanner: finished at 2008-03-16 07:29:45 ------------


And the extra.txt is as follows:

Deckard's System Scanner v20071014.68
Run by Sarah Vanek on 2008-03-16 07:26:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-03-16 15:26:25 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Sarah Vanek.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:27:53 AM, on 3/16/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Belkin\Cardbus F5D701F\Wireless Utility\Belkinwcui.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Sarah Vanek\Desktop\dss.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Sarah Vanek.exe

F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [jkdfj94kgdftdf] C:\WINDOWS\TEMP\winlogan.exe
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\System32\ctfmona.exe
O4 - HKLM\..\Run: [icasServ] C:\WINDOWS\System32\icasServ.exe
O4 - HKLM\..\Run: [ShareSearcher] c:\wsusupd.exe
O4 - HKLM\..\Run: [SystemDefender] "C:\Program Files\SystemDefender\SystemDefender.exe" hide
O4 - HKLM\..\Run: [ugac] "C:\PROGRA~1\COMMON~1\AVSYST~1\ugac.exe" -start
O4 - HKLM\..\Run: [bm(1)] "C:\Program Files\Common Files\AVSystemCare\bm.exe" dm=http://avsystemcare.com ad=http://avsystemcare.com sd=http://ykeeper.avsystemcare.com
O4 - HKLM\..\Run: [ptask] C:\Program Files\AVSystemCare\ptask.exe
O4 - HKLM\..\Run: [WinMed] winmed.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [WinIFixer] C:\Program Files\WinIFixer\WinIFixer.exe
O4 - HKLM\..\Run: [EasySpywareCleaner] C:\Program Files\EasySpywareCleaner\EasySpywareCleaner.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Sarah Vanek\Local Settings\Application Data\cftmon.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [AVSystemCare] C:\Program Files\AVSystemCare\pgs.exe
O4 - HKLM\..\Run: [ucookw] "C:\PROGRA~1\ErrClean\ucookw.exe" -start
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\ErrClean\strpmon.exe" dm=http://errclean.com ad=http://errclean.com sd=http://inspaid.errclean.com
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\SARAHV~1\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [jkdfj94kgdftdf] C:\WINDOWS\TEMP\winlogan.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [braviax] C:\WINDOWS\System32\braviax.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - Global Startup: Belkin Wireless G Notebook Card Client Utility.lnk = ?
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1204393670618
O20 - AppInit_DLLs: C:\WINDOWS\System32\cru629.dat
O20 - Winlogon Notify: crypt - crypts.dll (file missing)
O21 - SSODL: sglsxIpH - {681FCE85-C2B5-642F-98A2-731A7DA5EA14} - C:\WINDOWS\System32\govk.dll (file missing)
O21 - SSODL: WinApp - {C285CF22-115F-3252-41AC-F686D912C63D} - C:\WINDOWS\System32\clipuser32.dll (file missing)
O21 - SSODL: MonRunOnce - {425300ee-456a-4c42-b194-2ba30ca041f3} - C:\WINDOWS\Installer\{425300ee-456a-4c42-b194-2ba30ca041f3}\MonRunOnce.dll (file missing)
O22 - SharedTaskScheduler: sklfc94krteetj - {B5AC49A2-94F2-42BD-F434-2604812C897D} - (no file)
O22 - SharedTaskScheduler: JKhfj3ofgfgdtj - {B5AF0562-94F3-42BD-F434-2604812C797D} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Google Online Search Service - Unknown owner - C:\WINDOWS\System32\winlagons.exe (file missing)
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe (file missing)
O23 - Service: ICF - Unknown owner - C:\WINDOWS\System32\svchost.exe:exe.exe (file missing)
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE (file missing)
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8271 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 IBMTPCHK - c:\windows\system32\drivers\ibmbldid.sys
R1 Smapint - c:\windows\system32\drivers\smapint.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
R1 TDSMAPI - c:\windows\system32\drivers\tdsmapi.sys
R1 TPHKDRV - c:\windows\system32\drivers\tphkdrv.sys <Not Verified; IBM Corporation; ThinkPad OnScreenDisplay>
R1 TPPWR - c:\windows\system32\drivers\tppwr.sys <Not Verified; IBM Corp.; IBM ThinkPad Utility>
R1 TSMAPIP - c:\windows\system32\drivers\tsmapip.sys
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.5.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.5.0>
R2 PMEM - c:\windows\system32\drivers\pmemnt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
R3 SjyPkt - c:\windows\system32\drivers\sjypkt.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>

S0 dhlp - c:\windows\system32\drivers\dhlp.sys (file missing)
S1 pcximg - c:\windows\system\pcximg.pif (file missing)
S3 PCDRDRV (Pcdr Helper Driver) - c:\progra~1\pc-doc~1\diagno~1\pcdrdrv.sys (file missing)
S3 PcdrNt - c:\windows\system32\drivers\pcdrnt.sys <Not Verified; PC-Doctor Inc.; PC-Doctor NT 3.0>
S3 Secdrv - c:\windows\system32\drivers\secdrv.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AntiVirScheduler (AntiVir PersonalEdition Classic Scheduler) - "c:\program files\avira\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; Scheduler>

S2 Google Online Search Service - c:\windows\system32\winlagons.exe -a (file missing)
S2 IBMPMSVC (IBM PM Service) - c:\windows\system32\ibmpmsvc.exe (file missing)
S2 ICF - c:\windows\system32\svchost.exe:exe.exe (file missing)
S2 QCONSVC - system32\qconsvc.exe (file missing)
S2 Schedule (Task Scheduler) - c:\windows\system32\drivers\spools.exe (file missing)
S2 TpKmpSVC (IBM KCU Service) - c:\windows\system32\tpkmpsvc.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-12-13 15:28:42 314 --a------ C:\WINDOWS\Tasks\BMMTask.job


-- Files created between 2008-02-16 and 2008-03-16 -----------------------------

2008-03-15 20:26:16 0 d-------- C:\Program Files\Trend Micro
2008-03-15 19:34:32 262144 --a------ C:\Program Files\Uninstall Spy Blocker.dll <Not Verified; ZoneAlarm; ZoneAlarm Spy Blocker for Internet Explorer and Firefox>
2008-03-14 22:02:59 0 d-------- C:\Documents and Settings\Administrator\Application Data\TrojanHunter
2008-03-01 09:48:02 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-02-28 10:13:05 910336 --a------ C:\vx2cleaner.dll
2008-02-28 10:13:05 164864 --a------ C:\UNWISE.EXE
2008-02-28 10:11:56 0 d-------- C:\Program Files\Lavasoft
2008-02-28 10:01:55 0 d-------- C:\Documents and Settings\Sarah Vanek\Application Data\TrojanHunter
2008-02-28 10:00:41 0 d-------- C:\Program Files\TrojanHunter 5.0
2008-02-28 09:50:18 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-02-28 09:50:08 4212 ---h----- C:\WINDOWS\System32\zllictbl.dat
2008-02-28 09:49:59 11264 --a------ C:\WINDOWS\System32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2008-02-28 09:49:32 0 d-------- C:\WINDOWS\System32\ZoneLabs
2008-02-28 09:48:35 0 d-------- C:\WINDOWS\Internet Logs
2008-02-28 09:42:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-28 09:42:01 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-28 09:08:52 0 d-------- C:\Documents and Settings\Sarah Vanek\Application Data\InfeStop.com
2008-02-27 08:23:29 0 d-------- C:\Documents and Settings\Sarah Vanek\Application Data\spy-rid.com
2008-02-27 07:58:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-26 18:01:08 0 d-------- C:\Documents and Settings\Sarah Vanek\Application Data\EasySpywareCleaner.com
2008-02-26 08:08:42 0 d-------- C:\Documents and Settings\Sarah Vanek\Application Data\WinIFixer.com
2008-02-25 20:03:20 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-25 20:03:16 0 d-------- C:\Documents and Settings\Sarah Vanek\Application Data\Mozilla
2008-02-25 17:35:31 0 d-------- C:\Program Files\Avira
2008-02-25 17:35:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-02-25 11:55:38 16384 --a------ C:\WINDOWS\System32\nod32se.exe
2008-02-25 10:04:39 0 d-------- C:\Documents and Settings\Sarah Vanek\Application Data\errclean
2008-02-25 09:52:46 0 d--hs---- C:\AVSystemCare
2008-02-25 09:52:42 0 d-------- C:\Documents and Settings\Sarah Vanek\Application Data\SysCleaner
2008-02-25 09:52:29 0 dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-02-25 09:47:44 0 d-------- C:\Documents and Settings\Sarah Vanek\Application Data\SystemDefender
2008-02-25 09:41:50 6656 --a------ C:\WINDOWS\System32\users32.dat
2008-02-25 09:40:36 6144 --a------ C:\WINDOWS\System32\cru629.dat
2008-02-25 09:38:17 2 --a------ C:\1746914948


-- Find3M Report ---------------------------------------------------------------

2008-03-01 09:48:59 0 d--h----- C:\Program Files\WindowsUpdate
2008-02-29 07:26:02 0 d-------- C:\Program Files\Common Files
2008-02-28 10:13:08 766 --a------ C:\Program Files\INSTALL.LOG
2008-02-12 07:58:49 0 d-------- C:\Documents and Settings\Sarah Vanek\Application Data\MSN6
2008-01-04 20:30:47 0 --ah----- C:\IO.SYS
2008-01-04 20:30:47 0 --ah----- C:\CONFIG.SYS
2008-01-04 20:30:47 0 --ah----- C:\AUTOEXEC.BAT


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3TRAY2"="S3Tray2.exe" [10/11/2001 10:32 PM C:\WINDOWS\system32\S3Tray2.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [07/31/2003 03:25 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [07/31/2003 03:24 PM]
"ATIModeChange"="Ati2mdxx.exe" [09/04/2001 04:24 PM C:\WINDOWS\system32\Ati2mdxx.exe]
"BluetoothAuthenticationAgent"="irprops.cpl" [11/22/2002 02:45 PM C:\WINDOWS\system32\irprops.cpl]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" []
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [01/17/2003 01:32 AM]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [01/17/2003 01:32 AM]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" []
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [08/08/2003 03:39 PM]
"TP4EX"="tp4ex.exe" [09/04/2002 01:05 AM C:\WINDOWS\system32\TP4EX.exe]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [12/24/2002 02:01 AM]
"AGRSMMSG"="AGRSMMSG.exe" [10/18/2002 11:07 AM C:\WINDOWS\AGRSMMSG.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [04/29/2003 09:00 PM]
"UC_SMB"="" []
"StorageGuard"="c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [06/18/2002 12:01 AM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [01/10/2003 03:50 AM]
"QCTray"="C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe" []
"jkdfj94kgdftdf"="C:\WINDOWS\TEMP\winlogan.exe" []
"ctfmona"="C:\WINDOWS\System32\ctfmona.exe" []
"icasServ"="C:\WINDOWS\System32\icasServ.exe" []
"ShareSearcher"="c:\wsusupd.exe" []
"SystemDefender"="C:\Program Files\SystemDefender\SystemDefender.exe" []
"ugac"="C:\PROGRA~1\COMMON~1\AVSYST~1\ugac.exe" []
"bm(1)"="C:\Program Files\Common Files\AVSystemCare\bm.exe" []
"ptask"="C:\Program Files\AVSystemCare\ptask.exe" []
"WinMed"="winmed.exe" []
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/25/2008 06:33 PM]
"WinIFixer"="C:\Program Files\WinIFixer\WinIFixer.exe" []
"EasySpywareCleaner"="C:\Program Files\EasySpywareCleaner\EasySpywareCleaner.exe" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [11/14/2007 04:05 PM]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [02/08/2008 11:22 AM]
"autoload"="C:\Documents and Settings\Sarah Vanek\Local Settings\Application Data\cftmon.exe" []
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" []
"AVSystemCare"="C:\Program Files\AVSystemCare\pgs.exe" []
"ucookw"="C:\PROGRA~1\ErrClean\ucookw.exe" []
"Salestart"="C:\Program Files\Common Files\ErrClean\strpmon.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [08/20/2002 03:08 PM]
"Jnskdfmf9eldfd"="C:\DOCUME~1\SARAHV~1\LOCALS~1\Temp\csrssc.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]
"Spoolsv"="C:\WINDOWS\System32\spoolvs.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ntuser"=C:\WINDOWS\system32\drivers\spools.exe
"jkdfj94kgdftdf"=C:\WINDOWS\TEMP\winlogan.exe
"braviax"=C:\WINDOWS\System32\braviax.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless G Notebook Card Client Utility.lnk - C:\Program Files\Belkin\Cardbus F5D701F\Wireless Utility\Belkinwcui.exe [1/7/2008 3:59:49 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"sglsxIpH"= {681FCE85-C2B5-642F-98A2-731A7DA5EA14} - C:\WINDOWS\System32\govk.dll [ ]
"WinApp"= {C285CF22-115F-3252-41AC-F686D912C63D} - C:\WINDOWS\System32\clipuser32.dll [ ]
"MonRunOnce"= {425300ee-456a-4c42-b194-2ba30ca041f3} - C:\WINDOWS\Installer\{425300ee-456a-4c42-b194-2ba30ca041f3}\MonRunOnce.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe "
"System"="kduke.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt]
crypts.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\System32\cru629.dat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@="Driver Group"




-- End of Deckard's System Scanner: finished at 2008-03-16 07:29:45 ------------
  • 0
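
The O4, O20, O21 and O23 lines in the log above are autostart points, and most of the ones the scanners keep finding share a few tells: a "(file missing)" placeholder left behind after a partial clean, an executable under TEMP or a user profile, a file name one or two letters off a real Windows binary (spoolvs.exe, cftmon.exe, csrssc.exe, winlagons.exe) and a Run value name that reads like keyboard noise. As an added example for this thread (not part of the original post and not code from HijackThis, DSS, SDFix or ComboFix), the Python script below applies those checks to such lines. The heuristics, the thresholds and the SYSTEM_BINARIES list are assumptions made for illustration, and SAMPLE_LOG is adapted from entries quoted above.

```python
"""Defender-side triage of HijackThis-style autostart lines.
Added example for this thread, not code from HijackThis, DSS, SDFix or ComboFix;
the heuristics, thresholds and SYSTEM_BINARIES list are assumptions."""
import re

# Windows binaries whose names the entries in the log above imitate (assumed list).
SYSTEM_BINARIES = {"csrss.exe", "spoolsv.exe", "ctfmon.exe", "winlogon.exe",
                   "svchost.exe", "lsass.exe", "services.exe", "smss.exe"}
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll|sys|pif|dat|cpl|ocx)\b', re.I)
FILE_RE = re.compile(r'[\w~-]+\.(?:exe|dll|sys|pif|dat|cpl|ocx)\b', re.I)
ADS_RE = re.compile(r'\.(?:exe|dll|sys):[^\\\s:]+', re.I)  # e.g. svchost.exe:exe.exe


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1): d[i][0] = i
    for j in range(len(b) + 1): d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def lookalike_of(basename):
    """Return the system binary this file name imitates, or None."""
    if basename.lower() in SYSTEM_BINARIES:  # the genuine name is never a lookalike
        return None
    stem = basename.lower().rsplit(".", 1)[0]
    budget = max(1, len(stem) // 4)  # ~1 edit per 4 chars, so msmsgs.exe != smss.exe
    best = None
    for legit in sorted(SYSTEM_BINARIES):
        dist = osa_distance(stem, legit.rsplit(".", 1)[0])
        if 0 < dist <= budget and (best is None or dist < best[1]):
            best = (legit, dist)
    return best[0] if best else None


def looks_generated(name):
    """Value names like 'jkdfj94kgdftdf' mix digits into a vowel-poor string."""
    letters = [c for c in name if c.isalpha()]
    if len(name) < 10 or not any(c.isdigit() for c in name) or not letters:
        return False
    return sum(c.lower() in "aeiou" for c in letters) / len(letters) < 0.25


def reasons_for(line):
    """Every heuristic that fires on one log line; an empty list means nothing odd."""
    reasons = []
    if "(file missing)" in line or "(no file)" in line:
        reasons.append("orphaned: entry points to a file that no longer exists")
    if ADS_RE.search(line):
        reasons.append("path names an NTFS alternate data stream")
    m = PATH_RE.search(line) or FILE_RE.search(line)  # full path, else bare file name
    path = m.group(0) if m else ""
    basename = path.rsplit("\\", 1)[-1]
    if re.search(r"\\temp\\", path, re.I):
        reasons.append("runs from a temporary directory")
    if re.search(r"\\(?:documents and settings|docume~1)\\", path, re.I):
        reasons.append("executable stored under a user profile")
    if re.fullmatch(r"[a-z]:\\[^\\]+", path, re.I):
        reasons.append("executable sits in the drive root")
    legit = lookalike_of(basename) if basename else None
    if legit:
        reasons.append(f"{basename} imitates the Windows binary {legit}")
    name = re.match(r"O4 .*?\[([^\]]+)\]", line)  # the Run value name, O4 lines only
    if name and looks_generated(name.group(1)):
        reasons.append(f"value name '{name.group(1)}' looks machine-generated")
    return reasons


def triage(log_text):
    """Return [(line, reasons)] for every line at least one heuristic flags."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        reasons = reasons_for(line) if line else []
        if reasons:
            findings.append((line, reasons))
    return findings


# Constructed sample: legitimate and suspicious entries adapted from the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [jkdfj94kgdftdf] C:\WINDOWS\TEMP\winlogan.exe
O4 - HKLM\..\Run: [ShareSearcher] c:\wsusupd.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\user\Local Settings\Application Data\cftmon.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\USER~1\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
O20 - Winlogon Notify: crypt - crypts.dll (file missing)
O23 - Service: Google Online Search Service - Unknown owner - C:\WINDOWS\System32\winlagons.exe (file missing)
O23 - Service: ICF - Unknown owner - C:\WINDOWS\System32\svchost.exe:exe.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line, *reasons, sep="\n   - ")
```

Run it as a script to list each flagged line with its reasons; triage() is the function to reuse against a pasted log. It is a reading aid, not a cleaner: on the sample it reports the ICF service path svchost.exe:exe.exe as an alternate data stream, flags the nine entries that imitate, hide or have lost their files, and leaves the genuine msmsgs.exe and vsmon.exe entries alone.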

#5
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
You are welcome :)
=============

Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found, then prompt you to press any key to Reboot.
  • Press any key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally, copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.
================
Then:

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename ComboFix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
  • 0

#6
balbert
    Member
  • Topic Starter
  • Member
  • 11 posts
Per the instructions, below are the SDFix and ComboFix logs. Let me know what else I need to do. Again, much appreciated.

SDFix:


SDFix: Version 1.158

Run by Sarah Vanek on Sun 03/16/2008 at 08:15 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name:
dhlp
Google Online Search Service
ICF
pcximg

Path:
System32\Drivers\dhlp.sys
C:\WINDOWS\System32\winlagons.exe -A
C:\WINDOWS\System32\svchost.exe:exe.exe
\??\C:\WINDOWS\system\pcximg.pif

dhlp - Deleted
Google Online Search Service - Deleted
ICF - Deleted
pcximg - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Schedule Service Path
Resetting AppInit_DLLs value


Rebooting

Service Ecqe50 - Deleted after Reboot

Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\kduke.exe - Deleted
C:\174691~1 - Deleted
C:\DOCUME~1\ALLUSE~1\DOCUME~1\SETTINGS\CONFIG.INI - Deleted
C:\Documents and Settings\Sarah Vanek\Application Data\SystemDefender\logs\1203961707.log - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\SystemDefender\SystemDefender Uninstall.lnk - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\SystemDefender\SystemDefender.lnk - Deleted
C:\WINDOWS\system32\n.ini - Deleted
C:\WINDOWS\system32\svchost.t__ - Deleted
C:\WINDOWS\system32\users32.dat - Deleted
C:\WINDOWS\system32\winlogans.tmp - Deleted
C:\WINDOWS\system32\drivers\Ecqe50.sys - Deleted


Could Not Remove C:\WINDOWS\system32\cru629.dat

Folder C:\Documents and Settings\Sarah Vanek\Application Data\SystemDefender - Removed
Folder C:\Documents and Settings\All Users\Application Data\SalesMon - Removed
Folder C:\Documents and Settings\All Users\Documents\Settings - Removed
Folder C:\Documents and Settings\All Users\Start Menu\Programs\SystemDefender - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-16 08:30:12
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Documents and Settings\\LocalService\\Application Data\\printer.exe"="C:\\Documents and Settings\\LocalService\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"\\findfast.exe"="\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Sarah Vanek\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\Sarah Vanek\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\\Documents and Settings\\LocalService\\Application Data\\printer.exe"="C:\\Documents and Settings\\LocalService\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"\\findfast.exe"="\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Sarah Vanek\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\Sarah Vanek\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"

Remaining Files :

C:\WINDOWS\system32\cru629.dat Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"

Finished!

and the ComboFix log is as follows:

ComboFix 08-03-14.4 - Sarah Vanek 2008-03-16 8:45:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.261 [GMT -8:00]
Running from: C:\Documents and Settings\Sarah Vanek\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Local Settings\Application Data\n.ini
C:\Documents and Settings\Sarah Vanek\ResErrors.log
C:\WINDOWS\system32\cru629.dat
C:\WINDOWS\system32\nod32se.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\nm
-------\npf


((((((((((((((((((((((((( Files Created from 2008-02-16 to 2008-03-16 )))))))))))))))))))))))))))))))
.

2008-03-16 08:13 . 2002-11-01 15:26 528,896 --a------ C:\WINDOWS\system32\dllcache\user32.dll
2008-03-16 08:11 . 2008-03-16 08:11 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-16 08:06 . 2008-03-16 08:32 <DIR> d-------- C:\SDFix
2008-03-16 07:26 . 2008-03-16 07:26 <DIR> d-------- C:\Deckard
2008-03-15 20:26 . 2008-03-15 20:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-14 22:02 . 2008-03-14 22:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TrojanHunter
2008-03-01 09:48 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2008-03-01 09:48 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2008-03-01 09:48 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-03-01 09:48 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-03-01 09:48 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-03-01 09:48 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
2008-03-01 09:48 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-03-01 09:48 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-03-01 09:48 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-02-28 10:13 . 2005-08-22 14:41 910,336 --a------ C:\vx2cleaner.dll
2008-02-28 10:13 . 2005-08-22 14:41 316,416 --a------ C:\vx2cleaner.dlx
2008-02-28 10:13 . 2001-09-28 17:00 164,864 --a------ C:\UNWISE.EXE
2008-02-28 10:13 . 2005-08-22 14:41 29,636 --a------ C:\vx2cleaner.chm
2008-02-28 10:11 . 2008-02-28 10:11 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-28 10:01 . 2008-02-28 10:01 <DIR> d-------- C:\Documents and Settings\Sarah Vanek\Application Data\TrojanHunter
2008-02-28 10:00 . 2008-02-28 10:01 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-02-28 09:50 . 2008-02-28 09:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-02-28 09:50 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-02-28 09:50 . 2008-02-28 09:51 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-02-28 09:49 . 2008-02-28 09:49 <DIR> d-------- C:\Program Files\Zone Labs
2008-02-28 09:48 . 2008-03-16 08:32 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-02-28 09:42 . 2008-02-28 09:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-28 09:42 . 2008-02-28 09:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-28 09:08 . 2008-02-28 09:08 <DIR> d-------- C:\Documents and Settings\Sarah Vanek\Application Data\InfeStop.com
2008-02-28 08:33 . 2008-02-28 08:36 21,364,592 --a------ C:\Program Files\aaw2007.exe
2008-02-27 08:23 . 2008-02-27 08:23 <DIR> d-------- C:\Documents and Settings\Sarah Vanek\Application Data\spy-rid.com
2008-02-27 07:58 . 2008-02-27 07:58 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-27 07:58 . 2008-02-27 08:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-26 18:01 . 2008-02-26 18:01 <DIR> d-------- C:\Documents and Settings\Sarah Vanek\Application Data\EasySpywareCleaner.com
2008-02-26 08:08 . 2008-02-26 08:08 <DIR> d-------- C:\Documents and Settings\Sarah Vanek\Application Data\WinIFixer.com
2008-02-25 20:03 . 2008-02-25 20:03 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-25 17:35 . 2008-02-25 17:35 <DIR> d-------- C:\Program Files\Avira
2008-02-25 17:35 . 2008-02-25 17:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-02-25 10:04 . 2008-02-25 10:04 <DIR> d-------- C:\Documents and Settings\Sarah Vanek\Application Data\errclean
2008-02-25 09:52 . 2008-02-25 09:52 <DIR> d-------- C:\Documents and Settings\Sarah Vanek\Application Data\SysCleaner
2008-02-25 09:52 . 2004-10-07 13:39 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-02-25 09:52 . 2004-10-07 13:39 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-02-25 09:52 . 2004-10-07 13:39 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-02-25 09:52 . 2004-10-07 13:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-02-25 09:39 . 2002-08-29 05:00 504,320 --a------ C:\WINDOWS\system32\logonui.exe
2008-02-25 09:39 . 2002-08-29 05:00 504,320 --a------ C:\WINDOWS\system32\dllcache\logonui.exe
2008-02-25 09:37 . 2008-02-25 09:37 29 --a------ C:\WINDOWS\system32\giwgtfst.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-10 05:56 13,312 ----a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-03-10 05:56 13,312 ----a-w C:\WINDOWS\system32\ctfmon.exe
2008-03-09 12:01 1,358,848 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2008-03-03 15:01 81,244 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_03_02_22_46_17_small.dmp.zip
2008-02-28 18:13 766 ----a-w C:\Program Files\INSTALL.LOG
2008-02-25 17:36 12,800 ----a-w C:\WINDOWS\system32\svchost.exe
2008-02-25 17:36 12,800 ----a-w C:\WINDOWS\system32\dllcache\svchost.exe
2008-02-12 15:58 --------- d-----w C:\Documents and Settings\Sarah Vanek\Application Data\MSN6
2008-02-12 15:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSN6
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08 1511453]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"Spoolsv"="C:\WINDOWS\System32\spoolvs.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3TRAY2"="S3Tray2.exe" [2001-10-11 22:32 69632 C:\WINDOWS\system32\S3Tray2.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-07-31 15:25 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-31 15:24 512000]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 16:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"BluetoothAuthenticationAgent"="irprops.cpl" [2002-11-22 14:45 111104 C:\WINDOWS\system32\irprops.cpl]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [ ]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-01-17 01:32 64000]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2003-01-17 01:32 20480]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [ ]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2003-08-08 15:39 897024]
"TP4EX"="tp4ex.exe" [2002-09-04 01:05 53248 C:\WINDOWS\system32\TP4EX.exe]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2002-12-24 02:01 204800]
"AGRSMMSG"="AGRSMMSG.exe" [2002-10-18 11:07 87751 C:\WINDOWS\AGRSMMSG.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-04-29 21:00 315392]
"UC_SMB"="" []
"StorageGuard"="c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 00:01 155648]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-01-10 03:50 106551]
"QCTray"="C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe" [ ]
"icasServ"="C:\WINDOWS\System32\icasServ.exe" [ ]
"bm(1)"="C:\Program Files\Common Files\AVSystemCare\bm.exe" [ ]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-25 18:33 249896]
"WinIFixer"="C:\Program Files\WinIFixer\WinIFixer.exe" [ ]
"EasySpywareCleaner"="C:\Program Files\EasySpywareCleaner\EasySpywareCleaner.exe" [ ]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2008-02-08 11:22 1047712]
"ucookw"="C:\PROGRA~1\ErrClean\ucookw.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"sglsxIpH"= {681FCE85-C2B5-642F-98A2-731A7DA5EA14} - C:\WINDOWS\System32\govk.dll [ ]
"MonRunOnce"= {425300ee-456a-4c42-b194-2ba30ca041f3} - C:\WINDOWS\Installer\{425300ee-456a-4c42-b194-2ba30ca041f3}\MonRunOnce.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\DRIVERS\avgntmgr.sys [2007-07-18 14:22]
R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys [2007-08-09 13:04]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\System32\drivers\IBMBLDID.SYS [2003-03-27 02:06]
R1 TPPWR;TPPWR;C:\WINDOWS\System32\drivers\Tppwr.sys [2003-01-17 01:32]
R3 Belkin701F;Belkin Wireless G Notebook Card Service v7;C:\WINDOWS\System32\DRIVERS\BLKWGNv7.sys [2006-10-19 01:42]
R3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys [2002-10-02 09:57]
S3 DLKRCB;D-Link DFE-690TXD CardBus PC Card;C:\WINDOWS\System32\DRIVERS\DLKRCB.SYS [2001-10-15 20:38]
S3 PCDRDRV;Pcdr Helper Driver;C:\PROGRA~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys []

.
Contents of the 'Scheduled Tasks' folder
"2007-12-13 23:28:42 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-16 08:49:33
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Belkin\Cardbus F5D701F\Wireless Utility\Belkinwcui.exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\Ati2evxx.exe
.
**************************************************************************
.
Completion time: 2008-03-16 8:52:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-16 16:52:28

#7 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
1. Please open Notepad
  • Click Start , then Run
  • type notepad in the Run box, then hit OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\System32\spoolvs.exe
C:\WINDOWS\System32\govk.dll
Folder::
C:\Documents and Settings\Sarah Vanek\Application Data\InfeStop.com
C:\Documents and Settings\Sarah Vanek\Application Data\spy-rid.com
C:\Documents and Settings\Sarah Vanek\Application Data\EasySpywareCleaner.com
C:\Documents and Settings\Sarah Vanek\Application Data\WinIFixer.com
C:\Documents and Settings\Sarah Vanek\Application Data\errclean
C:\Documents and Settings\Sarah Vanek\Application Data\SysCleaner
C:\Program Files\Common Files\AVSystemCare
C:\Program Files\WinIFixer
C:\Program Files\EasySpywareCleaner
C:\PROGRA~1\ErrClean
C:\WINDOWS\Installer\{425300ee-456a-4c42-b194-2ba30ca041f3}
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spoolsv"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UC_SMB"=-
"bm(1)"=-
"WinIFixer"=-
"EasySpywareCleaner"=-
"ucookw"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"sglsxIpH"=-
"MonRunOnce"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

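The CFScript above goes after the two kinds of entry that stand out in the ComboFix log: values whose target file ComboFix could not report on (the trailing `[ ]`), and the look-alike `spoolvs.exe` sitting in HKCU\Run next to the real `spoolsv.exe`. The Python below is an added example for this thread, not code from ComboFix, HijackThis or any of the posters. It parses a constructed "Reg Loading Points" excerpt modelled on the log earlier in the thread, flags Run values whose file name imitates a Windows system binary, ShellServiceObjectDelayLoad DLLs and Run values with no file metadata, and Security Center DisableNotify values set to 1, then drafts the File:: and Registry:: sections of a CFScript for the entries a reviewer picks. Two assumptions are mine rather than tool documentation: that a trailing `[ ]` means ComboFix found no file to report a date and size for, and that a `"name"=-` line under a key header deletes that value, as the script above uses it. SAMPLE_LOG and the SYSTEM_BINARIES list are constructed for the example.

```python
"""Triage a ComboFix "Reg Loading Points" section and draft a CFScript.

Added example for this thread, not code from ComboFix, HijackThis or the
posters. Assumptions (my reading, not tool documentation): a trailing "[ ]"
means ComboFix found no file to report date/size for, and a CFScript
"name"=- line under a key header deletes that value.
"""
import re
from difflib import SequenceMatcher

# Windows XP system binaries that rogues like to imitate (constructed, partial list).
SYSTEM_BINARIES = {"spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "services.exe", "explorer.exe", "ctfmon.exe"}

# Constructed excerpt modelled on the ComboFix log earlier in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08 1511453]
"Spoolsv"="C:\WINDOWS\System32\spoolvs.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3TRAY2"="S3Tray2.exe" [2001-10-11 22:32 69632 C:\WINDOWS\system32\S3Tray2.exe]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [ ]
"UC_SMB"="" []
"bm(1)"="C:\Program Files\Common Files\AVSystemCare\bm.exe" [ ]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-25 18:33 249896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"sglsxIpH"= {681FCE85-C2B5-642F-98A2-731A7DA5EA14} - C:\WINDOWS\System32\govk.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"""

KEY_LINE = re.compile(r'^\[(HK[^\]]+)\]$')
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
SSODL_LINE = re.compile(r'^"(?P<name>[^"]+)"=\s*\{[^}]+\}\s*-\s*(?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]$')
TAMPER_LINE = re.compile(r'^"(?P<name>(?:AntiVirus|Updates|Firewall)DisableNotify)"=dword:00000001$')


def parse_loading_points(text):
    """Return one dict (key, name, path, meta) per autostart value or tampered setting."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            continue
        if not key:
            continue
        m = RUN_LINE.match(line) or SSODL_LINE.match(line)
        if m:
            entries.append({"key": key, "name": m["name"], "path": m["path"], "meta": m["meta"].strip()})
            continue
        m = TAMPER_LINE.match(line)
        if m:
            entries.append({"key": key, "name": m["name"], "path": "", "meta": "tampered"})
    return entries


def lookalike(filename):
    """Return the system binary that `filename` imitates, or None."""
    name = filename.lower()
    if not name or name in SYSTEM_BINARIES:
        return None
    for legit in SYSTEM_BINARIES:
        # transposed letters (spoolvs.exe vs spoolsv.exe) or a near-identical spelling
        if sorted(name) == sorted(legit) or SequenceMatcher(None, name, legit).ratio() >= 0.85:
            return legit
    return None


def triage(entries):
    """Attach a list of reasons to every entry worth a second look."""
    findings = []
    for e in entries:
        reasons = []
        hit = lookalike(e["path"].rsplit("\\", 1)[-1])
        if hit:
            reasons.append(f"file name imitates {hit}")
        if e["meta"] == "tampered":
            reasons.append("Security Center warning suppressed")
        elif e["meta"] == "" and e["key"].endswith("ShellServiceObjectDelayLoad"):
            reasons.append("SSODL DLL with no file metadata (Explorer loads it at logon)")
        elif e["meta"] == "":
            reasons.append("no file metadata: target missing, hidden or unreadable")
        if reasons:
            findings.append({**e, "reasons": reasons})
    return findings


def build_cfscript(selected):
    """Draft the File:: and Registry:: sections of a CFScript for reviewer-selected entries."""
    files = sorted({e["path"] for e in selected if "\\" in e["path"]})
    lines = ["File::", *files, "Registry::"]
    for key in sorted({e["key"] for e in selected}):
        lines.append(f"[{key}]")
        lines.extend(f'"{e["name"]}"=-' for e in selected if e["key"] == key)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    findings = triage(parse_loading_points(SAMPLE_LOG))
    for f in findings:
        print(f'{f["name"]:<24} {"; ".join(f["reasons"])}')
    # Only the entries a human has looked at go into the draft script.
    chosen = [f for f in findings if f["name"] in ("Spoolsv", "bm(1)", "sglsxIpH")]
    print(build_cfscript(chosen))
```

The "no file metadata" reason is deliberately weak evidence: in the real log it also fires on TPHOTKEY, QCWLICON and QCTray, which are ThinkPad utilities whose files are simply missing, so the draft is built only from the entries you pass in after reading the findings, never from every flagged line. The two DisableNotify values are listed so the reviewer knows the Security Center warnings were switched off; the draft does not touch them.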

#8 balbert (Topic Starter, Member, 11 posts)
OK -- here is the ComboFix log after the CFScript and the current HijackThis log:

ComboFix:


ComboFix 08-03-14.4 - Sarah Vanek 2008-03-16 10:15:20.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.273 [GMT -8:00]
Running from: C:\Documents and Settings\Sarah Vanek\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sarah Vanek\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\System32\govk.dll
C:\WINDOWS\System32\spoolvs.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Sarah Vanek\Application Data\EasySpywareCleaner.com
C:\Documents and Settings\Sarah Vanek\Application Data\errclean
C:\Documents and Settings\Sarah Vanek\Application Data\errclean\Logs\update.log
C:\Documents and Settings\Sarah Vanek\Application Data\InfeStop.com
C:\Documents and Settings\Sarah Vanek\Application Data\spy-rid.com
C:\Documents and Settings\Sarah Vanek\Application Data\SysCleaner
C:\Documents and Settings\Sarah Vanek\Application Data\SysCleaner\settings.dat
C:\Documents and Settings\Sarah Vanek\Application Data\WinIFixer.com
C:\WINDOWS\Installer\{425300ee-456a-4c42-b194-2ba30ca041f3}

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\npf


((((((((((((((((((((((((( Files Created from 2008-02-16 to 2008-03-16 )))))))))))))))))))))))))))))))
.

2008-03-16 08:13 . 2002-11-01 15:26 528,896 --a------ C:\WINDOWS\system32\dllcache\user32.dll
2008-03-16 08:11 . 2008-03-16 08:11 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-16 08:06 . 2008-03-16 08:32 <DIR> d-------- C:\SDFix
2008-03-16 07:26 . 2008-03-16 07:26 <DIR> d-------- C:\Deckard
2008-03-15 20:26 . 2008-03-15 20:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-14 22:02 . 2008-03-14 22:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TrojanHunter
2008-03-01 09:48 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2008-03-01 09:48 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2008-03-01 09:48 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-03-01 09:48 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-03-01 09:48 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-03-01 09:48 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
2008-03-01 09:48 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-03-01 09:48 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-03-01 09:48 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-02-28 10:13 . 2005-08-22 14:41 910,336 --a------ C:\vx2cleaner.dll
2008-02-28 10:13 . 2005-08-22 14:41 316,416 --a------ C:\vx2cleaner.dlx
2008-02-28 10:13 . 2001-09-28 17:00 164,864 --a------ C:\UNWISE.EXE
2008-02-28 10:13 . 2005-08-22 14:41 29,636 --a------ C:\vx2cleaner.chm
2008-02-28 10:11 . 2008-02-28 10:11 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-28 10:01 . 2008-02-28 10:01 <DIR> d-------- C:\Documents and Settings\Sarah Vanek\Application Data\TrojanHunter
2008-02-28 10:00 . 2008-02-28 10:01 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-02-28 09:50 . 2008-02-28 09:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-02-28 09:50 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-02-28 09:50 . 2008-02-28 09:51 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-02-28 09:49 . 2008-02-28 09:49 <DIR> d-------- C:\Program Files\Zone Labs
2008-02-28 09:48 . 2008-03-16 09:05 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-02-28 09:42 . 2008-02-28 09:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-28 09:42 . 2008-02-28 09:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-28 08:33 . 2008-02-28 08:36 21,364,592 --a------ C:\Program Files\aaw2007.exe
2008-02-27 07:58 . 2008-02-27 07:58 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-27 07:58 . 2008-02-27 08:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-25 20:03 . 2008-02-25 20:03 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-25 17:35 . 2008-02-25 17:35 <DIR> d-------- C:\Program Files\Avira
2008-02-25 17:35 . 2008-02-25 17:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-02-25 09:52 . 2004-10-07 13:39 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-02-25 09:52 . 2004-10-07 13:39 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-02-25 09:52 . 2004-10-07 13:39 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-02-25 09:52 . 2004-10-07 13:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-02-25 09:39 . 2002-08-29 05:00 504,320 --a------ C:\WINDOWS\system32\logonui.exe
2008-02-25 09:39 . 2002-08-29 05:00 504,320 --a------ C:\WINDOWS\system32\dllcache\logonui.exe
2008-02-25 09:37 . 2008-02-25 09:37 29 --a------ C:\WINDOWS\system32\giwgtfst.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-10 05:56 13,312 ----a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-03-10 05:56 13,312 ----a-w C:\WINDOWS\system32\ctfmon.exe
2008-03-09 12:01 1,358,848 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2008-03-03 15:01 81,244 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_03_02_22_46_17_small.dmp.zip
2008-02-28 18:13 766 ----a-w C:\Program Files\INSTALL.LOG
2008-02-25 17:36 12,800 ----a-w C:\WINDOWS\system32\svchost.exe
2008-02-25 17:36 12,800 ----a-w C:\WINDOWS\system32\dllcache\svchost.exe
2008-02-12 15:58 --------- d-----w C:\Documents and Settings\Sarah Vanek\Application Data\MSN6
2008-02-12 15:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSN6
.

((((((((((((((((((((((((((((( snapshot@2008-03-16_ 8.52.15.65 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-16 16:27:24 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-03-16 16:48:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-03-16 16:27:24 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-03-16 16:48:30 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-03-16 16:27:24 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-16 16:48:30 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08 1511453]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"Spoolsv"="C:\WINDOWS\System32\spoolvs.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3TRAY2"="S3Tray2.exe" [2001-10-11 22:32 69632 C:\WINDOWS\system32\S3Tray2.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-07-31 15:25 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-31 15:24 512000]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 16:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"BluetoothAuthenticationAgent"="irprops.cpl" [2002-11-22 14:45 111104 C:\WINDOWS\system32\irprops.cpl]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [ ]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-01-17 01:32 64000]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2003-01-17 01:32 20480]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [ ]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2003-08-08 15:39 897024]
"TP4EX"="tp4ex.exe" [2002-09-04 01:05 53248 C:\WINDOWS\system32\TP4EX.exe]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2002-12-24 02:01 204800]
"AGRSMMSG"="AGRSMMSG.exe" [2002-10-18 11:07 87751 C:\WINDOWS\AGRSMMSG.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-04-29 21:00 315392]
"StorageGuard"="c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 00:01 155648]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-01-10 03:50 106551]
"QCTray"="C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe" [ ]
"icasServ"="C:\WINDOWS\System32\icasServ.exe" [ ]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-25 18:33 249896]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2008-02-08 11:22 1047712]
"ucookw"="C:\PROGRA~1\ErrClean\ucookw.exe" [ ]
"AVSystemCare"="C:\Program Files\AVSystemCare\pgs.exe" [ ]
"Salestart"="C:\Program Files\Common Files\ErrClean\strpmon.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\DRIVERS\avgntmgr.sys [2007-07-18 14:22]
R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys [2007-08-09 13:04]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\System32\drivers\IBMBLDID.SYS [2003-03-27 02:06]
R1 TPPWR;TPPWR;C:\WINDOWS\System32\drivers\Tppwr.sys [2003-01-17 01:32]
R3 Belkin701F;Belkin Wireless G Notebook Card Service v7;C:\WINDOWS\System32\DRIVERS\BLKWGNv7.sys [2006-10-19 01:42]
R3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys [2002-10-02 09:57]
S3 DLKRCB;D-Link DFE-690TXD CardBus PC Card;C:\WINDOWS\System32\DRIVERS\DLKRCB.SYS [2001-10-15 20:38]
S3 PCDRDRV;Pcdr Helper Driver;C:\PROGRA~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys []

*Newly Created Service* - SJYPKT
.
Contents of the 'Scheduled Tasks' folder
"2007-12-13 23:28:42 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-16 10:18:19
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Belkin\Cardbus F5D701F\Wireless Utility\Belkinwcui.exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\Ati2evxx.exe
.
**************************************************************************
.
Completion time: 2008-03-16 10:21:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-16 18:21:25
ComboFix2.txt 2008-03-16 16:52:32



Hijack This Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:26:24 AM, on 3/16/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Belkin\Cardbus F5D701F\Wireless Utility\Belkinwcui.exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [icasServ] C:\WINDOWS\System32\icasServ.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [ucookw] "C:\PROGRA~1\ErrClean\ucookw.exe" -start
O4 - HKLM\..\Run: [AVSystemCare] C:\Program Files\AVSystemCare\pgs.exe
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\ErrClean\strpmon.exe" dm=http://errclean.com ad=http://errclean.com sd=http://inspaid.errclean.com
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
O4 - Global Startup: Belkin Wireless G Notebook Card Client Utility.lnk = ?
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1204393670618
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe (file missing)
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE (file missing)
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6007 bytes

#9 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Please re-open HijackThis and click on "Do a system scan only".
Then place a check mark next to these entries below:

O4 - HKLM\..\Run: [ucookw] "C:\PROGRA~1\ErrClean\ucookw.exe" -start
O4 - HKLM\..\Run: [AVSystemCare] C:\Program Files\AVSystemCare\pgs.exe
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\ErrClean\strpmon.exe" dm=http://errclean.com ad=http://errclean.com sd=http://inspaid.errclean.com
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm



Now click on Fix Checked and then close HijackThis.
=================================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

#10 balbert (Topic Starter, Member, 11 posts)
When HijackThis tries to remove the checked items (except for O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm, which was successfully removed), a pop-up from a program called Resident says that the change to the registry has been denied, and when I rerun HijackThis, all the other items I was supposed to delete are still there.

Is there something else I should be doing? I am not sure what the Resident program is (I don't think it is related to any of the anti-spyware I downloaded). Or should I just go ahead with Step 2 and ignore the fact that the entries are not being removed?

Thanks again.

Brian

#11 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
It is part of Spybot.
It is called TeaTimer.
=================
While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

Then proceed.

#12 balbert (Topic Starter, Member, 11 posts)
Great. Turning off TeaTimer did the trick. Should I turn it back on?

In all events, below is the MBAM log. This malware is amazingly resilient. It looks like we are finding the same [bleep] little trojans again and again.

And again I say thank you.

MBAM Log:

Malwarebytes' Anti-Malware 1.08
Database version: 497

Scan type: Full Scan (C:\|)
Objects scanned: 48473
Time elapsed: 5 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 93
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{0494d93e-a2bb-4802-865c-a80a53b78107} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0777f4cb-c8d3-4d24-87ae-da072c750ffb} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0d4da0aa-99ab-40b3-9bf7-a9270fbaca46} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{155e990b-c7e9-47fd-a272-acdcb1474232} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17b69d53-cd88-4657-be84-63297b10078e} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{19bbc30a-d722-46ef-a260-e97cf87d4b3b} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1e4dda88-df4b-4a51-8efb-acb68370b5e7} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{21f92505-0d90-4d8e-89d7-95158d147e00} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2a81c12b-bddf-42aa-98dd-f91a78097e13} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3479c9c8-b7ba-4704-9359-86fe33620c07} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{38200d33-6c95-43ed-bb05-aa6e9be57af8} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{49b3f626-1d1b-4018-8ba5-8ccab3fce422} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5183e02d-21d6-4325-8810-191ce7dbfa70} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5319069a-a18e-4a37-98e0-292e949f6302} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{599805b6-6faa-46e6-99e6-5f5425f52fd6} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5db349b9-44c9-469f-909b-1e2a4c200b43} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{737ebf2a-41a0-4c01-8476-30fa38580c03} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{76dd8871-d61f-497c-8fb4-1886a73986e0} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{79b9cdad-6160-468b-8c95-47fa426cb081} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7b57f151-f41c-49e1-a83f-8543867d2fea} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{815ff77e-a436-4485-8137-75fbe65eba2d} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{90305b36-8d00-48b6-bc2d-ae2131a50f64} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{975b8fb4-a107-4b4c-a811-d3560c5b70b8} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{aeebd295-3f93-4745-9208-57ba25305136} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b7ef28d0-1b74-4fad-8226-4c5e0a467106} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c1941056-f303-4db8-b014-48b70a2b9048} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d63fc539-120d-4db8-ab0d-cd1eb7c960b9} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{dc16bb9b-f6ff-4e4f-85ee-f5b0c94d6d13} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f8af8de8-bf15-4e9f-8601-f0985a1e8759} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{a521ac73-b0b9-48a4-82c2-454156af0e26} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1a697b7c-1f9a-4428-a35f-d67d3a7fb403} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1e7a2f4c-1b67-43f2-8839-1a5313f39fab} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{21785954-f667-4e24-aa93-3e96dbf87088} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2aa95d12-cdba-44ce-abb7-14f35fe213c9} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2c5638f8-9943-412e-bdaa-729df3caf9f2} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{387dd594-eca5-4053-b43e-49125a188d0f} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4fd6fe10-7424-4347-9527-b47ec1e5a5bb} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{536c1ae5-9000-4349-bdf4-ba9489d68ea1} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{566a294b-d4a3-447e-9bc7-c1ad9d4dab68} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{597e9862-08f9-48e8-b2fa-a59bf7b53791} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6b22978e-f8a5-437b-8f35-8010d0173441} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6b3b803b-ec5b-4e8b-b3d5-a9f6e0418565} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{70c1cc74-496c-42ce-acb4-768407d505ce} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{71d71cd3-3ade-409a-92e9-760def7e73ae} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{722c97fb-2966-424d-9432-fb0ae9275dd2} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{72b1c0d3-3957-453a-8f48-48cb854a569e} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{73766aaa-d49b-4fea-a46b-b288b97a91df} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7ebc5c68-c80a-41b2-bd12-0d51a3efd683} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{87da8e65-15bc-4b5d-8a7d-649f81a4003b} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8bfed1cd-14f8-497d-90f1-bada7d1e7f4e} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8df45a28-2cf7-4175-ac04-ce45d26b7d0b} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9ada0fb8-1133-4c07-a46e-eaa8b6982727} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9e809c16-5c6e-47e9-a58e-3d8cecaac5fe} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a5357862-4be9-4eeb-af92-02efd2a2a8a8} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b6ae969b-8eb6-4173-a696-ca39a0a50165} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ca243c53-890c-4e0e-ba24-6c01431993b3} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cea21171-37d9-48c1-bc42-466071222381} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{db0c739d-8790-4a6b-9f9f-de43c08a6e23} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ec66f0db-f509-42c8-b0f3-92eaf64affad} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{31ce147e-178c-4c35-9520-319db1143a2f} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{35d5e9e8-9110-479d-a3d5-1ce203e7cff8} (Rogue.InfeStopRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{394d4140-4bab-465e-b6ed-61252c1e983c} (Rogue.InfeStopRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3977a3c5-6ece-42b8-9932-d36192a351bf} (Rogue.InfeStopRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{57cc0b7e-163e-4f94-ae52-ef9c8665db96} (Rogue.InfeStopRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{62f7f9c4-151f-45a3-92cb-c0bdde482b5b} (Rogue.InfeStopRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63ca0638-fbca-4487-b4d2-706603a687c1} (Rogue.InfeStopRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7618d3e7-84b8-45e1-9b3d-14c164b0ae85} (Rogue.InfeStopRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7878f678-230d-4c64-a66c-d25bb140552f} (Rogue.InfeStopRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7d3dd1e8-b95e-4eae-a1d3-da34cf97ca35} (Rogue.InfeStopRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{81fbff49-8b79-4a90-8325-709fb4fba7b5} (Rogue.InfeStopRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8e7bd10f-872e-42b2-961d-45d6d6405d7c} (Rogue.InfeStopRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{91bc4b60-9252-4e13-9c49-2e917174b109} (Rogue.InfeStopRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{968042b1-bded-41e4-b758-18adad406c33} (Rogue.InfeStopRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9dc36da5-9635-4fa0-9dab-8a7ce65b8b65} (Rogue.InfeStopRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ac191b5e-c5d5-49e0-a96a-3589c14e48b4} (Rogue.InfeStopRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{acf09d30-013c-4fd7-96f2-b5331b7cb400} (Rogue.InfeStopRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ad980ef9-797e-4392-a036-e1a9cb8c67c1} (Rogue.InfeStopRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bf5ec252-e290-42f4-a907-bec9640d99f5} (Rogue.InfeStopRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c1023d23-a735-4b74-9850-13cfb45c138f} (Rogue.InfeStopRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c1746d8b-71c5-49d4-9b26-c500cbe42d81} (Rogue.InfeStopRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c3dfcbcb-f7d0-4909-8ee0-308305b1e0cd} (Rogue.InfeStopRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d1b10638-06cd-4683-9486-fa8144c120db} (Rogue.InfeStopRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{daa0f52a-e3e9-429d-96ec-1ee45fc01517} (Rogue.InfeStopRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e92aa001-ceed-412b-9fc9-bb91c7c8c9dc} (Rogue.InfeStopRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ea3f9b9e-3ee5-452c-9046-f177dd8d0c52} (Rogue.InfeStopRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ed349e37-a7cc-4337-aabe-b8cea6816ce3} (Rogue.InfeStopRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f2c72a7f-5d3c-4c2f-8240-8b62c1ba66f2} (Rogue.InfeStopRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f57b0fcc-c093-49a9-9627-7008868b2799} (Rogue.InfeStopRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fab32c1a-f718-4d11-8a36-dfaf3b6fe4dc} (Rogue.InfeStopRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{12f9ab4e-091e-4270-9c7f-61caf32eb345} (Rogue.InfeStopRemover) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\WinIFixer.com (Rogue.WinIFixer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\SCSDelete (Rogue.SysCleaner) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\SCSDelete (Rogue.SysCleaner) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\SysCleaner (Rogue.SysCleaner) -> Quarantined and deleted successfully.

Files Infected:
C:\Deckard\System Scanner\backup\WINDOWS\temp\AE8AB41F91F72503.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\cru629.dat.vir (Trojan.Proxy) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\SysCleaner\Register SysCleaner.lnk (Rogue.SysCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\SysCleaner\Start SysCleaner.lnk (Rogue.SysCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\SysCleaner\Uninstall SysCleaner.lnk (Rogue.SysCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sarah Vanek\Application Data\Microsoft\Internet Explorer\Quick Launch\Start SysCleaner.lnk (Rogue.SysCleaner) -> Quarantined and deleted successfully.

#13
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Yes you can turn it back on now.

Those found are just leftovers in the registry and some leftover files.
===============================================
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
=================================================================
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with Internet Explorer only)
Click on "Accept"

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#14
balbert

balbert

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
OK -- so ran ATF Cleaner and Kaspersky Scanner. The Kaspersky Scan log is below.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, March 16, 2008 3:30:55 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 16/03/2008
Kaspersky Anti-Virus database records: 634388
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 26913
Number of viruses found: 7
Number of infected objects: 15
Number of suspicious objects: 0
Duration of the scan process: 00:33:18

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\SARAHV~1\LOCALS~1\Temp\.tt4B.tmp/stream/data0010 Infected: not-a-virus:FraudTool.Win32.SpyRid.a skipped
C:\Deckard\System Scanner\backup\DOCUME~1\SARAHV~1\LOCALS~1\Temp\.tt4B.tmp/stream Infected: not-a-virus:FraudTool.Win32.SpyRid.a skipped
C:\Deckard\System Scanner\backup\DOCUME~1\SARAHV~1\LOCALS~1\Temp\.tt4B.tmp NSIS: infected - 2 skipped
C:\Deckard\System Scanner\backup\DOCUME~1\SARAHV~1\LOCALS~1\Temp\.tt50.tmp/stream/data0010 Infected: not-a-virus:FraudTool.Win32.InfeStopRemover.a skipped
C:\Deckard\System Scanner\backup\DOCUME~1\SARAHV~1\LOCALS~1\Temp\.tt50.tmp/stream/data0012 Infected: not-a-virus:FraudTool.Win32.InfeStopRemover.a skipped
C:\Deckard\System Scanner\backup\DOCUME~1\SARAHV~1\LOCALS~1\Temp\.tt50.tmp/stream Infected: not-a-virus:FraudTool.Win32.InfeStopRemover.a skipped
C:\Deckard\System Scanner\backup\DOCUME~1\SARAHV~1\LOCALS~1\Temp\.tt50.tmp NSIS: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PWSLDPinchIE4.zip/partnership.dll Infected: Trojan-Proxy.Win32.Xorpix.cx skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PWSLDPinchIE4.zip ZIP: infected - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Sarah Vanek\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Sarah Vanek\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Sarah Vanek\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Sarah Vanek\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Sarah Vanek\Local Settings\History\History.IE5\MSHist012008031620080317\index.dat Object is locked skipped
C:\Documents and Settings\Sarah Vanek\Local Settings\Temp\~DF6676.tmp Object is locked skipped
C:\Documents and Settings\Sarah Vanek\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Sarah Vanek\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Sarah Vanek\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Sarah Vanek\UserData\index.dat Object is locked skipped
C:\SDFix\backups\backups.zip/backups/cru629.dat Infected: Backdoor.Win32.Small.cyb skipped
C:\SDFix\backups\backups.zip/backups/users32.dat Infected: not-a-virus:AdWare.Win32.Agent.zo skipped
C:\SDFix\backups\backups.zip ZIP: infected - 2 skipped
C:\SDFix\backups\catchme.zip/Ecqe50.sys Infected: Rootkit.Win32.Agent.abe skipped
C:\SDFix\backups\catchme.zip/kduke.exe Infected: Trojan.Win32.DNSChanger.axh skipped
C:\SDFix\backups\catchme.zip ZIP: infected - 2 skipped
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP3\change.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\SARAHIBM.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\RTacDbg.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\Temp\ZLT05393.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT053ba.TMP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#15
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Open up Spybot and go to the Recovery tab.
Remove everything listed in there.

Also delete C:\SDFix
========================
Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
Doing this uninstalls Combofix and does the following:

  • Deletes ComboFix and its associated files and folders.
  • Deletes VundoFix backups, if present
  • Deletes the C:\Deckard folder, if present
  • Deletes the C:\_OtMoveIt folder, if present
  • Resets the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Clean System Restore points.

Also delete\uninstall anything that we used that is left over.
=============================================
After that your log is clean. :)

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein ->Here

Edited by kahdah, 16 March 2008 - 05:40 PM.
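Every "Infected" object in the Kaspersky report above sits inside the Deckard, SDFix, QooBox or Spybot Recovery backup folders, which is why the advice is to empty those folders rather than treat the hits as live infections, while the "Object is locked" lines are registry hives and log files the scanner could not open. As an added example that is not part of this thread or of any tool mentioned in it, the following Python script parses lines in the Kaspersky Online Scanner report format and sorts findings into live hits, quarantine leftovers and locked (unscanned) objects. The quarantine folder list and the sample report are constructed from the paths posted in this thread; the single live hit in the sample is a made-up placeholder so that the "needs action" bucket is exercised.

```python
"""Triage a Kaspersky Online Scanner report.

Added example (not from this thread or from Kaspersky): separates findings
that live inside known quarantine/backup folders of earlier cleanup tools
(leftovers) from findings on the live system (need action) and from objects
the scanner could not open (locked, unscanned).
"""
import re

# Folders where the cleanup tools used in this thread park quarantined copies.
# Assumption: built from the paths in the posted report; extend per environment.
QUARANTINE_PREFIXES = (
    r"c:\deckard\system scanner\backup",
    r"c:\sdfix\backups",
    r"c:\qoobox\quarantine",
    r"c:\documents and settings\all users\application data\spybot - search & destroy\recovery",
)

# Report line shapes seen in the posted log:
#   <path> Infected: <detection name> skipped
#   <path> ZIP: infected - <n> skipped      (container summary line)
#   <path> Object is locked skipped
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) (?P<kind>ZIP|NSIS): infected - (?P<count>\d+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")


def parse_line(line):
    """Return (path, category, detail) for a finding line, or None for headers/footers."""
    m = INFECTED_RE.match(line)
    if m:
        return m.group("path"), "infected", m.group("name")
    m = ARCHIVE_RE.match(line)
    if m:
        return m.group("path"), "archive", f"{m.group('kind')} x{m.group('count')}"
    m = LOCKED_RE.match(line)
    if m:
        return m.group("path"), "locked", ""
    return None


def is_quarantined(path):
    """True when the on-disk file (the part before any '/member' inside an archive)
    lies under one of the quarantine folders."""
    disk_path = path.split("/", 1)[0].lower()
    return disk_path.startswith(QUARANTINE_PREFIXES)


def triage(report_text):
    """Bucket every finding: 'live' needs action, 'leftover' is a quarantined copy,
    'locked' was never scanned and should be rechecked once the file is readable."""
    buckets = {"live": [], "leftover": [], "locked": []}
    for raw in report_text.splitlines():
        parsed = parse_line(raw.strip())
        if parsed is None:
            continue
        path, category, detail = parsed
        if category == "locked":
            buckets["locked"].append(path)
        elif is_quarantined(path):
            buckets["leftover"].append((path, detail))
        else:
            buckets["live"].append((path, detail))
    return buckets


# Constructed sample in the report's format: real paths from the thread plus one
# placeholder live hit (CONSTRUCTED_live_hit.dll / Trojan.Win32.Placeholder.x is invented).
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\SARAHV~1\LOCALS~1\Temp\.tt4B.tmp/stream/data0010 Infected: not-a-virus:FraudTool.Win32.SpyRid.a skipped
C:\Deckard\System Scanner\backup\DOCUME~1\SARAHV~1\LOCALS~1\Temp\.tt4B.tmp NSIS: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PWSLDPinchIE4.zip/partnership.dll Infected: Trojan-Proxy.Win32.Xorpix.cx skipped
C:\SDFix\backups\backups.zip/backups/cru629.dat Infected: Backdoor.Win32.Small.cyb skipped
C:\SDFix\backups\catchme.zip/kduke.exe Infected: Trojan.Win32.DNSChanger.axh skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\CONSTRUCTED_live_hit.dll Infected: Trojan.Win32.Placeholder.x skipped
Scan process completed.
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for bucket, items in result.items():
        print(f"{bucket}: {len(items)}")
        for item in items:
            print("   ", item if isinstance(item, str) else f"{item[0]}  [{item[1]}]")
```

Run it as a script to see the three buckets; only the "live" bucket should drive further cleanup, while "leftover" entries go away when the backup folders of the earlier tools are deleted as instructed above.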
