computer infected with who know what [RESOLVED]

#1
Overclocked

I was tasked to clean up a friend's computer, but to my surprise it was infected. The computer that is infected is not the one that I am posting from, and the computer that is infected does not have internet access, so I will have to transfer fix programs on a USB stick.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:20:53 PM, on 3/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\QW1iZXI\command.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\mrofinu1000106.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe
C:\WINDOWS\SoftwareDistribution\Download\0077a7fa5d15590d526d63a5048a5445\update\update.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://antispywareup...?aid=496.cbcbcb
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [448b8978] rundll32.exe "C:\WINDOWS\system32\mhwdwiny.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1205010008345
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driver...driveragent.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QW1iZXI\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

--
End of file - 3688 bytes

#2
andrewuk

Hi Overclocked

Welcome to geekstogo :)

Sorry to keep you waiting. Let's do a deeper scan of your machine for me to analyse.

(If your problem has already been resolved, could you just let me know so that I can move on to other logs to help others, thanks.)

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepads, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

You may need to post the logs over 2 replies to ensure all the information is posted.

andrewuk

#3
Overclocked

The main.txt:

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-03-21 16:14:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
8: 2008-03-22 00:16:12 UTC - RP31 - Deckard's System Scanner Restore Point
7: 2008-03-21 05:50:25 UTC - RP30 - System Checkpoint
6: 2008-03-19 23:40:44 UTC - RP29 - Software Distribution Service 3.0
5: 2008-03-19 02:14:15 UTC - RP28 - Installed AVG 7.5
4: 2008-03-19 00:37:44 UTC - RP27 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-03-16 22:12:27 UTC - RP24 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 88% (more than 75%).
Total Physical Memory: 128 MiB (512 MiB recommended).
System Drive C: has 0.44 GiB (less than 15%) free.


-- HijackThis (run as Administrator.exe) ---------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-03-21 16:24:08
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\mrofinu1000106.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\Administrator.exe
C:\WINDOWS\SoftwareDistribution\Download\2abaeb659824de5967ddf7181c6befdb\update\update.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsof...search.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://antispywareup...?aid=496.cbcbcb
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {433AC9B7-0878-76DF-0A1B-5E00CEC58EEE} - C:\WINDOWS\system32\cje.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - C:\Program Files\Bat\Bat.dll
O2 - BHO: (no name) - {74460762-BDEB-4466-9653-69B4369D146D} - C:\Program Files\Outlook Express\mepov555077.dll
O2 - BHO: (no name) - {75A469FF-0681-4EC3-8CEC-95DB40C9A285} - C:\WINDOWS\system32\pmnmnop.dll
O2 - BHO: (no name) - {84BB2147-33FD-4F0E-B964-A31E461416FD} - C:\WINDOWS\system32\ljjji.dll
O2 - BHO: (no name) - {8A52504F-B31D-4974-BB9D-8B0A9E5C8C13} - C:\Program Files\Common Files\zecojyv777444.dll
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: {e563cf2a-065f-f1f9-35e4-63059017a9fa} - {af9a7109-5036-4e53-9f1f-f560a2fc365e} - C:\WINDOWS\system32\wcuqhkaw.dll (file missing)
O2 - BHO: 0 - {DED879B8-C95C-4649-28B7-B9C6F97E5AE1} - C:\Program Files\Movie Maker\qubapik.dll (file missing)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [448b8978] rundll32.exe "C:\WINDOWS\system32\mhwdwiny.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1205010008345
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driver...driveragent.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - Winlogon Notify: pmnmnop - C:\WINDOWS\system32\pmnmnop.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe


--
End of file - 5498 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 W8335XP (NETGEAR WG311v3 802.11g Wireless PCI Adapter for Windows XP (8335)) - c:\windows\system32\drivers\wg311v3xp.sys <Not Verified; Marvell Semiconductor, Inc; Device driver for Marvell 802.11 NIC>

S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-02-21 and 2008-03-21 -----------------------------

2008-03-21 16:19:07 0 d-------- C:\WINDOWS\LastGood
2008-03-20 19:10:39 1600 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-20 18:47:03 0 d-------- C:\Program Files\180searchassistant
2008-03-20 18:47:03 0 d-------- C:\Program Files\180search assistant
2008-03-20 18:47:01 0 d-------- C:\Program Files\180solutions
2008-03-18 19:05:31 0 dr-h----- C:\$VAULT$.AVG
2008-03-18 18:28:07 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-03-18 18:22:41 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-18 18:15:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-18 18:15:54 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-18 16:36:39 0 d-------- C:\VundoFix Backups
2008-03-18 16:04:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-18 10:48:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\U3
2008-03-18 10:27:01 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-03-18 10:23:40 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-03-18 10:23:40 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-03-18 10:23:40 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-03-18 10:23:40 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-03-18 10:23:40 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-03-18 10:23:40 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-03-18 10:23:40 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-03-18 10:23:40 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-03-18 10:23:40 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-03-18 10:23:40 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-03-18 10:23:40 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-03-18 10:23:40 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-03-18 10:23:39 2097152 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-03-16 17:08:04 99904 --a------ C:\WINDOWS\system32\ofvutfod.dll
2008-03-16 15:30:33 92224 --a------ C:\WINDOWS\system32\vwydxkei.dll
2008-03-16 15:26:19 99904 --a------ C:\WINDOWS\system32\tqwjvdgp.dll
2008-03-16 14:45:22 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-03-16 14:45:15 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-03-16 14:37:00 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-03-16 14:28:37 135168 --a------ C:\WINDOWS\tk58.exe
2008-03-16 14:27:05 136627 --a------ C:\WINDOWS\POTA777444.exe
2008-03-16 14:26:21 23296 --a------ C:\WINDOWS\stcloader.exe
2008-03-16 14:26:21 0 d-------- C:\Program Files\stc
2008-03-16 14:26:20 14848 --a------ C:\WINDOWS\voiceip.dll
2008-03-16 14:26:19 24064 --a------ C:\WINDOWS\swin32.dll
2008-03-16 14:26:18 31744 --a------ C:\WINDOWS\bokja.exe
2008-03-16 14:26:00 12800 --a------ C:\WINDOWS\mssvr.exe
2008-03-16 14:25:59 8448 --a------ C:\WINDOWS\mspphe.dll
2008-03-16 14:25:51 0 d-------- C:\Program Files\seekmo
2008-03-16 14:25:50 0 d-------- C:\Program Files\zango
2008-03-16 14:25:48 20480 --a------ C:\WINDOWS\system32\WER8274.DLL
2008-03-16 14:25:39 0 d-------- C:\WINDOWS\FLEOK
2008-03-16 14:25:38 18176 --a------ C:\WINDOWS\saiemod.dll
2008-03-16 14:25:32 27392 --a------ C:\WINDOWS\system32\MSNSA32.dll
2008-03-16 14:25:28 20736 --a------ C:\WINDOWS\msapasrc.dll
2008-03-16 14:25:27 16896 --a------ C:\WINDOWS\msa64chk.dll
2008-03-16 14:25:23 28416 --a------ C:\WINDOWS\system32\SIPSPI32.dll
2008-03-16 14:25:21 15616 --a------ C:\WINDOWS\system32\shdocpe.dll
2008-03-16 14:25:21 17664 --a------ C:\WINDOWS\system32\ntnut32.exe
2008-03-16 14:25:20 25856 --a------ C:\WINDOWS\shdocpl.dll
2008-03-16 14:25:19 17920 --a------ C:\WINDOWS\ntnut.exe
2008-03-16 14:25:18 13824 --a------ C:\WINDOWS\shdocpe.dll
2008-03-16 14:25:17 11008 --a------ C:\WINDOWS\winsb.dll
2008-03-16 14:25:17 0 d-------- C:\Program Files\Sysmnt
2008-03-16 14:25:15 11008 --a------ C:\WINDOWS\browserad.dll
2008-03-16 14:25:15 10496 --a------ C:\WINDOWS\aviwrap32.dll
2008-03-16 14:25:15 13312 --a------ C:\WINDOWS\avisynthex32.dll
2008-03-16 14:25:14 15872 --a------ C:\WINDOWS\avifile32.dll
2008-03-16 14:25:14 12544 --a------ C:\WINDOWS\autodisc32.dll
2008-03-16 14:25:14 10752 --a------ C:\WINDOWS\audiosrv32.dll
2008-03-16 14:25:13 16128 --a------ C:\WINDOWS\ati2dvag32.dll
2008-03-16 14:25:13 13312 --a------ C:\WINDOWS\ati2dvaa32.dll
2008-03-16 14:25:13 10752 --a------ C:\WINDOWS\athprxy32.dll
2008-03-16 14:25:13 26112 --a------ C:\WINDOWS\asycfilt32.dll
2008-03-16 14:25:11 9216 --a------ C:\WINDOWS\asferror32.dll
2008-03-16 14:25:11 17408 --a------ C:\WINDOWS\apphelp32.dll
2008-03-16 14:25:10 12800 --a------ C:\WINDOWS\changeurl_30.dll
2008-03-16 14:24:43 99904 --a------ C:\WINDOWS\system32\pcyntmwo.dll
2008-03-16 14:11:38 234723 --ahs---- C:\WINDOWS\system32\ijjjl.ini2
2008-03-16 14:11:37 63 --a------ C:\WINDOWS\system32\448b9bf6
2008-03-16 14:11:24 290816 --a------ C:\WINDOWS\system32\ljjji.dll
2008-03-16 14:10:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-16 14:08:30 0 d-------- C:\Program Files\Outerinfo
2008-03-16 14:08:24 0 d-------- C:\WINDOWS\system32\?icrosoft.NET
2008-03-16 14:08:04 0 d-------- C:\Program Files\Bat
2008-03-16 14:07:41 60928 --a------ C:\WINDOWS\system32\cje.dll
2008-03-16 14:07:26 0 d--hs---- C:\WINDOWS\QW1iZXI
2008-03-16 14:07:18 37376 --a------ C:\WINDOWS\mrofinu1000106.exe
2008-03-16 14:06:36 0 d-------- C:\WINDOWS\system32\IDME
2008-03-16 14:06:36 0 d-------- C:\WINDOWS\system32\FxTmp
2008-03-16 14:06:07 44544 --a------ C:\WINDOWS\system32\pmnmnop.dll
2008-03-16 14:06:04 0 d-------- C:\WINDOWS\system32\aqVreo19
2008-03-16 14:06:03 0 d-------- C:\Temp
2008-03-16 14:06:03 41724 ---hs---- C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
2008-03-16 14:06:01 0 d-------- C:\Documents and Settings\Amber\Application Data\?dobe
2008-03-14 18:23:06 0 d-------- C:\WINDOWS\system32\PreInstall
2008-03-14 18:22:59 0 d--h----- C:\WINDOWS\$hf_mig$
2008-03-13 20:02:18 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-03-13 19:58:04 0 d-------- C:\WINDOWS\Prefetch
2008-03-13 19:30:40 0 d-------- C:\WINDOWS\peernet
2008-03-13 19:30:33 0 d-------- C:\WINDOWS\provisioning
2008-03-13 19:16:16 0 d-------- C:\WINDOWS\ServicePackFiles
2008-03-13 19:00:20 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-03-13 07:32:28 0 d-------- C:\WINDOWS\EHome
2008-03-11 07:23:53 0 d-------- C:\WINDOWS\system32\appmgmt
2008-03-09 15:56:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-03-09 15:54:01 26112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-09 15:54:01 0 d--h---c- C:\WINDOWS\$xpsp1hfm$
2008-03-08 19:35:19 0 d-------- C:\WINDOWS\ShellNew
2008-03-08 19:21:20 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Identities
2008-03-08 19:06:38 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-03-08 19:06:06 282624 -ra------ C:\WINDOWS\system32\drivers\WG311v3XP.sys <Not Verified; Marvell Semiconductor, Inc; Device driver for Marvell 802.11 NIC>
2008-03-08 18:20:01 0 d-------- C:\WINDOWS\system32\bits
2008-03-08 18:11:50 0 d-------- C:\OEMSettings
2008-03-08 18:08:53 0 d-------- C:\WINDOWS\Downloaded Installations
2008-03-08 18:05:17 0 d-------- C:\Documents and Settings\Amber\Application Data\Macromedia
2008-03-08 18:05:16 0 d-------- C:\Documents and Settings\Amber\Application Data\Adobe
2008-03-08 18:04:44 23600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>
2008-03-08 13:07:36 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-03-08 12:59:35 0 d---s---- C:\Documents and Settings\Amber\UserData
2008-03-08 09:37:13 0 d--hs---- C:\WINDOWS\Installer
2008-03-08 09:37:06 0 d-------- C:\Documents and Settings\Amber\Application Data\Identities
2008-03-08 09:36:22 0 dr------- C:\Documents and Settings\Amber\Favorites
2008-03-08 09:36:22 0 d-------- C:\Documents and Settings\Amber\Desktop
2008-03-08 09:36:22 0 d---s---- C:\Documents and Settings\Amber\Cookies
2008-03-08 09:36:22 0 dr-h----- C:\Documents and Settings\Amber\Application Data
2008-03-08 09:36:22 0 d---s---- C:\Documents and Settings\Amber\Application Data\Microsoft
2008-03-08 09:36:21 0 d--h----- C:\Documents and Settings\Amber\Templates
2008-03-08 09:36:21 0 dr------- C:\Documents and Settings\Amber\Start Menu
2008-03-08 09:36:21 0 dr-h----- C:\Documents and Settings\Amber\SendTo
2008-03-08 09:36:21 0 dr-h----- C:\Documents and Settings\Amber\Recent
2008-03-08 09:36:21 0 d--h----- C:\Documents and Settings\Amber\PrintHood
2008-03-08 09:36:21 1437696 --a------ C:\Documents and Settings\Amber\NTUSER.DAT
2008-03-08 09:36:21 0 d--h----- C:\Documents and Settings\Amber\NetHood
2008-03-08 09:36:21 0 dr------- C:\Documents and Settings\Amber\My Documents
2008-03-08 09:36:21 0 d--h----- C:\Documents and Settings\Amber\Local Settings
2008-03-08 01:03:14 0 d--hs---- C:\System Volume Information
2008-03-08 01:03:09 237568 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-03-08 01:03:09 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-03-08 01:03:09 0 d---s---- C:\Documents and Settings\LocalService\Cookies
2008-03-08 01:03:09 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-03-08 01:03:09 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-03-08 01:03:07 1572864 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-03-08 01:03:07 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-03-08 01:03:07 0 d---s---- C:\Documents and Settings\NetworkService\Cookies
2008-03-08 01:03:07 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-03-08 01:03:07 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-03-08 00:52:19 0 d-------- C:\WINDOWS\system32\xircom
2008-03-08 00:52:18 0 d-------- C:\Program Files\microsoft frontpage
2008-03-08 00:50:26 237568 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-03-08 00:44:50 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-03-08 00:44:05 0 dr------- C:\WINDOWS\Offline Web Pages
2008-03-08 00:44:05 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-03-08 00:42:27 0 d-------- C:\WINDOWS\srchasst
2008-03-08 00:42:03 0 d-------- C:\WINDOWS\system32\DirectX
2008-03-08 00:42:02 0 d-------- C:\WINDOWS\system32\Macromed
2008-03-08 00:40:41 0 d-------- C:\WINDOWS\system32\Restore
2008-03-08 00:40:29 0 d-------- C:\WINDOWS\PCHEALTH
2008-03-08 00:40:23 0 d---s---- C:\WINDOWS\Tasks
2008-03-08 00:40:16 0 d-------- C:\Program Files\Common Files\MSSoap
2008-03-08 00:38:00 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-03-08 00:37:14 0 d-------- C:\WINDOWS\Registration
2008-03-08 00:35:30 0 d-------- C:\Program Files\Windows NT
2008-03-08 00:35:01 0 d-------- C:\WINDOWS\system32\MsDtc
2008-03-08 00:34:57 0 d-------- C:\WINDOWS\system32\Com
2008-03-07 16:19:30 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-03-07 16:18:35 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-03-07 16:18:35 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-03-07 16:18:35 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-03-07 16:18:35 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-03-07 16:18:35 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-03-07 16:18:35 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-03-07 16:18:35 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-03-07 16:18:35 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-03-07 16:18:35 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-03-07 16:18:35 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-03-07 16:18:35 0 d---s---- C:\Documents and Settings\Default User\Cookies
2008-03-07 16:18:35 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-03-07 16:18:35 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-03-07 16:18:35 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-03-07 16:18:35 0 dr------- C:\Documents and Settings\All Users\Documents
2008-03-07 16:18:35 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-03-07 16:18:02 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-03-07 16:18:02 0 d-------- C:\WINDOWS\system32\CatRoot
2008-03-07 16:17:56 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-03-07 16:17:56 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-03-07 16:17:55 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-03-07 16:17:55 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-03-07 16:17:26 0 d-------- C:\Documents and Settings
2008-03-07 16:06:24 0 d-------- C:\WINDOWS
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\WinSxS
2008-03-07 16:06:24 0 dr------- C:\WINDOWS\Web
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\twain_32
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\wins
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\wbem
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\usmt
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\spool
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\ShellExt
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\Setup
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\ras
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\oobe
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\npp
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\mui
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\inetsrv
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\IME
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\icsxml
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\ias
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\export
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\drivers
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-03-07 16:06:24 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\dhcp
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\config
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\3076
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\2052
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\1054
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\1042
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\1041
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\1037
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\1033
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\1031
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\1028
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\1025
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\security
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\Resources
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\repair
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\mui
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\msapps
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\msagent
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\Media
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\java
2008-03-07 16:06:24 0 d--h----- C:\WINDOWS\inf
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\ime
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\Help
2008-03-07 16:06:24 0 dr--s---- C:\WINDOWS\Fonts
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\Driver Cache
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\Debug
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\Cursors
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\Connection Wizard
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\Config
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\AppPatch
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\addins
2008-03-05 10:43:16 187904 ---hs---- C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
2008-02-27 17:54:15 217088 --a------ C:\Program Files\Common Files\zecojyv777444.dll


-- Find3M Report ---------------------------------------------------------------

2008-03-18 19:05:35 0 dr------- C:\Program Files\Movie Maker
2008-03-16 14:27:34 0 dr------- C:\Program Files\Common Files
2008-03-13 19:57:02 0 dr------- C:\Program Files\Messenger
2008-03-08 18:10:35 0 d-------- C:\Program Files\NETGEAR
2008-03-08 13:14:27 0 d--h----- C:\Program Files\WindowsUpdate
2008-03-08 00:43:08 0 d-------- C:\Program Files\Online Services
2008-03-07 16:18:35 62 --ahs---- C:\Documents and Settings\Administrator\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{433AC9B7-0878-76DF-0A1B-5E00CEC58EEE}]
01/28/2008 08:29 AM 60928 --a------ C:\WINDOWS\system32\cje.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63F7460B-C831-4142-A4AA-5EC303EC4343}]
03/07/2008 09:15 PM 413696 --a------ C:\Program Files\Bat\Bat.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74460762-BDEB-4466-9653-69B4369D146D}]
08/02/2007 05:43 AM 282624 --a------ C:\Program Files\Outlook Express\mepov555077.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{75A469FF-0681-4EC3-8CEC-95DB40C9A285}]
03/16/2008 02:06 PM 44544 --a------ C:\WINDOWS\system32\pmnmnop.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84BB2147-33FD-4F0E-B964-A31E461416FD}]
03/16/2008 02:11 PM 290816 --a------ C:\WINDOWS\system32\ljjji.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A52504F-B31D-4974-BB9D-8B0A9E5C8C13}]
02/27/2008 05:54 PM 217088 --a------ C:\Program Files\Common Files\zecojyv777444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{af9a7109-5036-4e53-9f1f-f560a2fc365e}]
C:\WINDOWS\system32\wcuqhkaw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DED879B8-C95C-4649-28B7-B9C6F97E5AE1}]
C:\Program Files\Movie Maker\qubapik.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"runner1"="C:\WINDOWS\mrofinu1000106.exe" [03/16/2008 02:07 PM]
"448b8978"="C:\WINDOWS\system32\mhwdwiny.dll" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [03/18/2008 06:17 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/12/2001 5:01:04 PM]
NETGEAR WG311v3 Smart Wizard.lnk - C:\Program Files\NETGEAR\WG311v3\WG311v3.exe [11/21/2007 5:51:20 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{75A469FF-0681-4EC3-8CEC-95DB40C9A285}"= C:\WINDOWS\system32\pmnmnop.dll [03/16/2008 02:06 PM 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnmnop]
pmnmnop.dll 03/16/2008 02:06 PM 44544 C:\WINDOWS\system32\pmnmnop.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ljjji.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a




-- Hosts -----------------------------------------------------------------------

127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com

8027 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-03-21 17:00:01 ------------

and the extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel Celeron processor
Percentage of Memory in Use: 74%
Physical Memory (total/avail): 127.42 MiB / 32.96 MiB
Pagefile Memory (total/avail): 307.09 MiB / 64.48 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1949.39 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 5.59 GiB total, 0.38 GiB free.
D: is CDROM (No Media)
E: is CDROM (CDFS)
F: is Removable (FAT)

\\.\PHYSICALDRIVE0 - TOSHIBA MK6015MAP - 5.59 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 5.59 GiB - C:

\\.\PHYSICALDRIVE1 - SanDisk U3 Cruzer Micro USB Device - 1953.22 MiB - 1 partition
\PARTITION0 - MS-DOS V4 Huge - 1952.88 MiB - F:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: AVG 7.5.503 v7.5.503 (Grisoft) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=AMBER-BW9KC1SN8
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\AMBER-BW9KC1SN8
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS;C:\WINDOWS\COMMAND
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0803
ProgramFiles=C:\Program Files
PROMPT=$p$g
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=AMBER-BW9KC1SN8
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
winbootdir=C:\WINDOWS
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Amber (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Bat --> "C:\Program Files\Bat\un_BatSetup_15041.exe"
HijackThis 2.0.2 --> "C:\Documents and Settings\Administrator\Desktop\HijackThis.exe" /uninstall
Microsoft Office XP Standard --> MsiExec.exe /I{90120409-6000-11D3-8CFE-0050048383C9}
NETGEAR WG311v3 PCI Adapter --> C:\Program Files\InstallShield Installation Information\{70014586-7BBA-4A92-A610-CDC896C48F8F}\setup.exe -runfromtemp -l0x0409
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type143 / Error
Event Submitted/Written: 03/19/2008 04:46:17 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application rundll32.exe, version 5.1.2600.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type137 / Error
Event Submitted/Written: 03/19/2008 03:42:56 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application mgmrwmrv.exe, version 1.0.0.384, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type132 / Error
Event Submitted/Written: 03/18/2008 07:20:18 PM
Event ID/Source: 100 / AVG7
Event Description:
2008-03-19 03:20:18,656 AMBER-BW9KC1SN8 [001436:001448] ERROR 000 AVG7.WTS.CAvgAmWts ProcessIdToSessionId(468) call failed with WIN32 error 87, returning session id is 0

Event Record #/Type131 / Error
Event Submitted/Written: 03/18/2008 07:20:11 PM / 03/18/2008 07:20:12 PM
Event ID/Source: 100 / AVG7
Event Description:
2008-03-19 03:20:11,936 AMBER-BW9KC1SN8 [001436:001448] ERROR 000 AVG7.WTS.CAvgAmWts ProcessIdToSessionId(468) call failed with WIN32 error 87, returning session id is 0

Event Record #/Type127 / Error
Event Submitted/Written: 03/18/2008 06:48:51 PM
Event ID/Source: 100 / AVG7
Event Description:
2008-03-19 02:48:51,873 AMBER-BW9KC1SN8 [001392:001400] ERROR 000 AVG7.WTS.CAvgAmWts ProcessIdToSessionId(1604) call failed with WIN32 error 87, returning session id is 0



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type1105 / Error
Event Submitted/Written: 03/21/2008 03:59:19 PM / 03/21/2008 04:01:40 PM
Event ID/Source: 5 / ACPI
Event Description:
AMLI: ACPI BIOS is attempting to write to an illegal IO port address (0x4d0), which lies in the 0x4d0 - 0x4d1 protected
address range. This could lead to system instability. Please contact your system vendor for technical assistance.

Event Record #/Type1104 / Error
Event Submitted/Written: 03/21/2008 03:59:19 PM / 03/21/2008 04:01:39 PM
Event ID/Source: 4 / ACPI
Event Description:
AMLI: ACPI BIOS is attempting to read from an illegal IO port address (0x4d0), which lies in the 0x4d0 - 0x4d1 protected
address range. This could lead to system instability. Please contact your system vendor for technical assistance.

Event Record #/Type1095 / Error
Event Submitted/Written: 03/20/2008 09:36:58 PM
Event ID/Source: 16 / Windows Update Agent
Event Description:
Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Event Record #/Type1083 / Error
Event Submitted/Written: 03/20/2008 08:45:56 PM / 03/20/2008 08:47:51 PM
Event ID/Source: 5 / ACPI
Event Description:
AMLI: ACPI BIOS is attempting to write to an illegal IO port address (0x4d0), which lies in the 0x4d0 - 0x4d1 protected
address range. This could lead to system instability. Please contact your system vendor for technical assistance.

Event Record #/Type1082 / Error
Event Submitted/Written: 03/20/2008 08:45:56 PM / 03/20/2008 08:47:51 PM
Event ID/Source: 4 / ACPI
Event Description:
AMLI: ACPI BIOS is attempting to read from an illegal IO port address (0x4d0), which lies in the 0x4d0 - 0x4d1 protected
address range. This could lead to system instability. Please contact your system vendor for technical assistance.



-- End of Deckard's System Scanner: finished at 2008-03-21 17:00:01 ------------

#4
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts

...and the computer that is infected does not have internet access so I will have to transfer fix programs on a USB stick

That will explain why the AVG antivirus is out of date. When we get the machine clean, your friend will need to update AVG as a matter of priority.

I can see plenty of malware in those logs, but before we start the fix I want to check if there is a Smitfraud variant.

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

andrewuk

#5
Overclocked

Overclocked

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
SmitFraudFix v2.305

Scan done at 19:40:32.58, Fri 03/21/2008
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\mrofinu1000106.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\0091ab299e899a5920ad91739ad99c67\update\update.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 legal-at-spybot.info
127.0.0.1 www.legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#6
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
In this post we will clear your hosts file (it is corrupted) and continue with the fix.

====STEP 1====
Download the HostsXpert 4.2 - Hosts File Manager.
  • Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
  • Run HostsXpert 4.2 - Hosts File Manager from its new home
  • Click on "File Handling".
  • Click on "Restore MS Hosts File".
  • Click OK on the Confirmation box.
  • Click on "Make Read Only?"
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

====STEP 2====
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

andrewuk
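The hosts-file problem behind the "hosts file corrupted !" line in the SmitfraudFix report and the HostsXpert step above, as an added Python example (not code from SmitfraudFix, HostsXpert or this thread): it parses a hosts file, keeps the stock localhost line apart from loopback redirects, and flags only the redirects that hit security-vendor or update domains, because those are what silently stop AVG or Spybot from updating. The sample hosts text and the list of protected domain markers are constructed for this example, not taken from the infected machine.

```python
"""Audit a Windows hosts file for redirects that block security/update sites.

Added example, not part of SmitfraudFix, HostsXpert or this thread. The
sample hosts text and PROTECTED_MARKERS below are constructed assumptions.
"""

import ipaddress

# Constructed sample: the stock XP localhost line plus four redirect entries.
# The two spybot lines and 007guard.com are spelled as in the logs above;
# free.avg.com is a made-up example of an update site being blocked.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1 legal-at-spybot.info
127.0.0.1 www.legal-at-spybot.info
127.0.0.1 free.avg.com
127.0.0.1 007guard.com
"""

# Substrings that identify sites a cleanup depends on. Redirecting them to
# the loopback address blocks signature and patch downloads. Assumed list.
PROTECTED_MARKERS = ("spybot", "avg", "grisoft", "windowsupdate", "microsoft")

# The only loopback mapping a stock Windows hosts file contains.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost")}

# Stock content written back by restore_default_hosts().
DEFAULT_HOSTS = "127.0.0.1       localhost\n"


def parse_hosts(text):
    """Return a list of (ip, hostname) pairs, ignoring comments and junk lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                           # address with no hostname
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # not an address; skip, don't guess
        for host in parts[1:]:                 # one line may name several hosts
            entries.append((parts[0], host.lower()))
    return entries


def audit_hosts(text):
    """Classify entries: stock, redirect-to-nowhere, and redirects that block security sites."""
    entries = parse_hosts(text)
    redirects = []
    for ip, host in entries:
        if (ip, host) in DEFAULT_ENTRIES:
            continue
        addr = ipaddress.ip_address(ip)
        # Blocklists use 127.0.0.1 or 0.0.0.0; both send the name nowhere.
        if addr.is_loopback or addr.is_unspecified:
            redirects.append((ip, host))
    blocked_security = [e for e in redirects
                        if any(m in e[1] for m in PROTECTED_MARKERS)]
    return {
        "total": len(entries),
        "redirects": redirects,
        "blocked_security": blocked_security,
        "tampered": bool(blocked_security),
    }


def restore_default_hosts(path):
    """Overwrite the hosts file with the stock content.

    On XP the file lives at C:\\WINDOWS\\system32\\drivers\\etc\\hosts; clear
    the read-only attribute first if a previous cleanup set it.
    """
    with open(path, "w", encoding="ascii") as fh:
        fh.write(DEFAULT_HOSTS)


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print("entries: %d, redirects: %d, tampered: %s"
          % (report["total"], len(report["redirects"]), report["tampered"]))
    for ip, host in report["blocked_security"]:
        print("  blocked security/update site: %s -> %s" % (host, ip))
```

Loopback entries for advertising domains are often a deliberate blocklist (the Deckard log above reports over 8,000 of them), so the audit lists them separately and only calls the file tampered when a security or update domain is among the targets. restore_default_hosts() does the same job as the "Restore MS Hosts File" button, minus HostsXpert's GUI; the stock file is functionally just the localhost line.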

#7
Overclocked

Overclocked

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
ComboFix log

ComboFix 08-03-22.1 - Administrator 2008-03-22 13:14:10.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.22 [GMT -8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\41893928.exe
C:\Documents and Settings\Amber\Application Data\DOBE~1
C:\Documents and Settings\Amber\Application Data\DOBE~1\?dobe\
C:\Documents and Settings\Amber\Application Data\DOBE~1\userinit.exe
C:\Documents and Settings\Amber\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Amber\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Amber\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Amber\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Amber\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Amber\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\Common Files\zecojyv777444.dll
C:\Program Files\Outlook Express\mepov555077.dll
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\system32\cje.dll
C:\WINDOWS\system32\iekxdywv.ini
C:\WINDOWS\system32\ijjjl.ini
C:\WINDOWS\system32\ijjjl.ini2
C:\WINDOWS\system32\ljjji.dll
C:\WINDOWS\system32\ofvutfod.dll
C:\WINDOWS\system32\pcyntmwo.dll
C:\WINDOWS\system32\pmnmnop.dll
C:\WINDOWS\system32\tqwjvdgp.dll
C:\WINDOWS\system32\vwydxkei.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2008-02-22 to 2008-03-22 )))))))))))))))))))))))))))))))
.

2008-03-22 12:19 . 2008-03-22 12:20 <DIR> d-------- C:\HostsXpert
2008-03-21 16:13 . 2008-03-21 16:13 <DIR> d-------- C:\Deckard
2008-03-20 19:10 . 2008-03-21 19:42 1,600 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-20 18:47 . 2008-03-20 18:47 <DIR> d-------- C:\Program Files\180solutions
2008-03-20 18:47 . 2008-03-20 18:47 <DIR> d-------- C:\Program Files\180searchassistant
2008-03-20 18:47 . 2008-03-20 18:47 <DIR> d-------- C:\Program Files\180search assistant
2008-03-19 15:42 . 2006-08-21 01:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-03-19 15:42 . 2006-08-21 01:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-03-19 15:42 . 2006-08-21 04:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-03-18 18:28 . 2008-03-22 12:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-03-18 18:22 . 2008-03-18 18:22 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-18 18:20 . 2008-03-18 18:20 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-03-18 18:20 . 2008-03-18 18:20 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-03-18 18:15 . 2008-03-18 18:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-18 18:15 . 2008-03-18 19:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-18 16:36 . 2008-03-18 16:36 <DIR> d-------- C:\VundoFix Backups
2008-03-18 16:04 . 2008-03-18 16:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-18 16:04 . 2008-03-21 20:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-18 10:48 . 2008-03-22 12:28 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\U3
2008-03-17 06:23 . 2008-03-18 17:44 1,371,284 ---hs---- C:\WINDOWS\system32\yniwdwhm.ini
2008-03-16 17:10 . 2008-03-17 06:18 1,366,743 ---hs---- C:\WINDOWS\system32\ovuuwlch.ini
2008-03-16 14:27 . 2008-03-16 14:27 136,627 --a------ C:\WINDOWS\POTA777444.exe
2008-03-16 14:26 . 2008-03-16 14:26 <DIR> d-------- C:\Program Files\stc
2008-03-16 14:26 . 2008-03-16 15:34 1,366,681 ---hs---- C:\WINDOWS\system32\fbeuaybd.ini
2008-03-16 14:25 . 2008-03-16 14:25 <DIR> d-------- C:\Program Files\zango
2008-03-16 14:25 . 2008-03-16 14:25 <DIR> d-------- C:\Program Files\Sysmnt
2008-03-16 14:11 . 2008-03-16 14:11 63 --a------ C:\WINDOWS\system32\448b9bf6
2008-03-16 14:10 . 2008-03-16 14:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-16 14:08 . 2008-03-16 14:13 <DIR> d-------- C:\Program Files\Bat
2008-03-16 14:07 . 2008-03-16 14:07 <DIR> d--hs---- C:\WINDOWS\QW1iZXI
2008-03-16 14:06 . 2008-03-16 14:06 <DIR> d-------- C:\WINDOWS\system32\IDME
2008-03-16 14:06 . 2008-03-16 14:06 <DIR> d-------- C:\WINDOWS\system32\FxTmp
2008-03-16 14:06 . 2008-03-16 14:06 <DIR> d-------- C:\WINDOWS\system32\aqVreo19
2008-03-16 14:06 . 2008-03-16 14:06 <DIR> d-------- C:\Temp\gbRve12
2008-03-16 14:06 . 2008-03-22 12:44 <DIR> d-------- C:\Temp
2008-03-16 14:05 . 2008-03-16 14:05 229,532 --a------ C:\WINDOWS\system32\L5C77.tmp
2008-03-16 14:05 . 2008-03-16 14:06 111,840 --a------ C:\WINDOWS\system32\L9468.tmp
2008-03-16 14:05 . 2008-03-16 14:05 23,040 --a------ C:\WINDOWS\system32\L8EC6.tmp
2008-03-15 04:58 . 2008-03-15 04:58 32,768 --a------ C:\WINDOWS\system32\aqVreo19\aqVreo192547.exe
2008-03-14 18:22 . 2008-03-22 12:25 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-03-13 19:42 . 2008-03-13 20:04 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2008-03-13 19:30 . 2008-03-13 19:30 <DIR> d-------- C:\WINDOWS\provisioning
2008-03-13 19:30 . 2008-03-13 19:30 <DIR> d-------- C:\WINDOWS\peernet
2008-03-13 19:16 . 2008-03-13 19:16 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-03-13 18:59 . 2005-06-28 09:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-03-13 07:32 . 2008-03-13 18:51 <DIR> d-------- C:\WINDOWS\EHome
2008-03-09 17:01 . 2004-08-04 00:56 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2008-03-09 17:01 . 2004-08-02 14:20 7,208 --------- C:\WINDOWS\system32\secupd.sig
2008-03-09 17:01 . 2004-08-02 14:20 4,569 --------- C:\WINDOWS\system32\secupd.dat
2008-03-09 16:19 . 2004-08-03 23:56 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2008-03-09 16:19 . 2004-08-03 23:56 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2008-03-09 16:19 . 2004-08-03 23:56 265,728 --a------ C:\WINDOWS\system32\h323.tsp
2008-03-09 16:19 . 2004-08-03 23:56 77,312 --a------ C:\WINDOWS\system32\browser.dll
2008-03-09 16:19 . 2004-08-03 23:56 39,936 --a------ C:\WINDOWS\system32\mf3216.dll
2008-03-09 16:04 . 2004-08-03 23:56 239,104 --a------ C:\WINDOWS\system32\srrstr.dll
2008-03-09 15:54 . 2008-03-09 16:21 <DIR> d--h-c--- C:\WINDOWS\$xpsp1hfm$
2008-03-09 15:54 . 2004-01-09 21:11 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2008-03-08 19:38 . 2008-03-08 19:38 376 --a------ C:\WINDOWS\ODBC.INI
2008-03-08 19:35 . 2008-03-08 19:36 <DIR> d-------- C:\WINDOWS\ShellNew
2008-03-08 19:06 . 2008-03-08 19:06 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-03-08 19:06 . 2005-12-29 18:07 282,624 -ra------ C:\WINDOWS\system32\drivers\WG311v3XP.sys
2008-03-08 18:20 . 2008-03-08 18:20 <DIR> d-------- C:\WINDOWS\system32\bits
2008-03-08 18:18 . 2004-08-03 23:56 438,784 --------- C:\WINDOWS\system32\xpob2res.dll
2008-03-08 18:18 . 2004-08-03 23:56 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2008-03-08 18:18 . 2004-08-03 23:56 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-03-08 18:18 . 2004-08-03 23:56 8,192 --------- C:\WINDOWS\system32\bitsprx2.dll
2008-03-08 18:18 . 2004-08-03 23:56 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2008-03-08 18:11 . 2008-03-08 18:11 <DIR> d-------- C:\OEMSettings
2008-03-08 18:08 . 2008-03-08 18:08 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-03-08 18:04 . 2008-03-08 18:04 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS
2008-03-08 13:14 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2008-03-08 13:14 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2008-03-08 13:14 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-03-08 13:14 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-03-08 13:14 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-03-08 13:14 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
2008-03-08 13:14 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-03-08 13:14 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-03-08 13:14 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-03-08 12:59 . 2008-03-08 12:59 <DIR> d---s---- C:\Documents and Settings\Amber\UserData
2008-03-08 09:37 . 2008-03-18 10:30 <DIR> d--hs---- C:\WINDOWS\Installer
2008-03-08 01:02 . 2008-03-08 01:02 8,192 --a------ C:\WINDOWS\REGLOCS.OLD

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-09 02:10 --------- d-----w C:\Program Files\NETGEAR
2008-03-08 08:52 --------- d-----w C:\Program Files\microsoft frontpage
2008-02-18 18:11 8,659,544 ----a-w C:\interactualplayer.exe
2007-05-24 22:58 249,856 ----a-w C:\WINDOWS\inf\WG311v3\InsDrv2k.exe
2006-12-04 19:38 212,992 ----a-w C:\WINDOWS\inf\WG311v3\CopyWHQLDriver.exe
2005-12-30 02:07 282,624 ----a-r C:\WINDOWS\inf\WG311v3\WG311v3XP.sys
2000-07-25 20:58 271 --sh--w C:\Program Files\desktop.ini
2000-07-25 20:58 23,357 ---ha-w C:\Program Files\folder.htt
2002-08-12 20:42 98,304 ----a-w C:\Program Files\internet explorer\plugins\IEHelper.dll
2005-08-03 00:46 187,904 --sha-r C:\WINDOWS\QW1iZXI\asappsrv.dll
2005-08-03 00:58 293,888 --sha-r C:\WINDOWS\QW1iZXI\command.exe
2005-07-30 00:24 472 --sha-r C:\WINDOWS\QW1iZXI\kqY2trK.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63F7460B-C831-4142-A4AA-5EC303EC4343}]
2008-03-07 21:15 413696 --a------ C:\Program Files\Bat\Bat.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{af9a7109-5036-4e53-9f1f-f560a2fc365e}]
C:\WINDOWS\system32\wcuqhkaw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DED879B8-C95C-4649-28B7-B9C6F97E5AE1}]
C:\Program Files\Movie Maker\qubapik.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"448b8978"="C:\WINDOWS\system32\mhwdwiny.dll" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-18 18:17 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-18 18:17 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 17:01:04 83360]
NETGEAR WG311v3 Smart Wizard.lnk - C:\Program Files\NETGEAR\WG311v3\WG311v3.exe [2007-11-21 17:51:20 1507328]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e6d1820-f51b-11dc-8c62-00146c84a4ad}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-22 13:34:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SoftwareDistribution\Download\b3ba2a040ecf3ac2cd2da399851bda00\update\update.exe
.
**************************************************************************
.
Completion time: 2008-03-22 13:45:36 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-03-22 21:44:10
.
2008-03-22 20:43:27 --- E O F ---

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:52:03 PM, on 3/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
C:\WINDOWS\Explorer.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://antispywareup...?aid=496.cbcbcb
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - C:\Program Files\Bat\Bat.dll
O2 - BHO: {e563cf2a-065f-f1f9-35e4-63059017a9fa} - {af9a7109-5036-4e53-9f1f-f560a2fc365e} - C:\WINDOWS\system32\wcuqhkaw.dll (file missing)
O2 - BHO: 0 - {DED879B8-C95C-4649-28B7-B9C6F97E5AE1} - C:\Program Files\Movie Maker\qubapik.dll (file missing)
O4 - HKLM\..\Run: [448b8978] rundll32.exe "C:\WINDOWS\system32\mhwdwiny.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1205010008345
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driver...driveragent.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

--
End of file - 3605 bytes

#8 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
====STEP 1====
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://antispywareup...?aid=496.cbcbcb

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.



====STEP 2====
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\POTA777444.exe
C:\WINDOWS\system32\L5C77.tmp
C:\WINDOWS\system32\L9468.tmp
C:\WINDOWS\system32\L8EC6.tmp
C:\Program Files\Bat\Bat.dll
C:\WINDOWS\system32\wcuqhkaw.dll
C:\Program Files\Movie Maker\qubapik.dll

Folder::
C:\Program Files\180solutions
C:\Program Files\180searchassistant
C:\Program Files\180search assistant

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63F7460B-C831-4142-A4AA-5EC303EC4343}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{af9a7109-5036-4e53-9f1f-f560a2fc365e}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DED879B8-C95C-4649-28B7-B9C6F97E5AE1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e6d1820-f51b-11dc-8c62-00146c84a4ad}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"448b8978"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

andrewuk

#9 Overclocked (Topic Starter, New Member, 8 posts)
ComboFix 08-03-22.1 - Administrator 2008-03-22 16:22:07.3 - NTFSx86
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: F:\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Program Files\Bat\Bat.dll
C:\Program Files\Movie Maker\qubapik.dll
C:\WINDOWS\POTA777444.exe
C:\WINDOWS\system32\L5C77.tmp
C:\WINDOWS\system32\L8EC6.tmp
C:\WINDOWS\system32\L9468.tmp
C:\WINDOWS\system32\wcuqhkaw.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\180search assistant
C:\Program Files\180search assistant\180sa.exe
C:\Program Files\180search assistant\sau.exe
C:\Program Files\180searchassistant
C:\Program Files\180searchassistant\saap.exe
C:\Program Files\180searchassistant\sac.exe
C:\Program Files\180solutions
C:\Program Files\180solutions\sais.exe
C:\Program Files\Bat\Bat.dll
C:\WINDOWS\POTA777444.exe
C:\WINDOWS\system32\L5C77.tmp
C:\WINDOWS\system32\L8EC6.tmp
C:\WINDOWS\system32\L9468.tmp

.
((((((((((((((((((((((((( Files Created from 2008-02-23 to 2008-03-23 )))))))))))))))))))))))))))))))
.

2008-03-22 15:14 . 2008-03-22 15:14 <DIR> d-------- C:\WINDOWS\LastGood
2008-03-22 12:19 . 2008-03-22 12:20 <DIR> d-------- C:\HostsXpert
2008-03-21 16:13 . 2008-03-21 16:13 <DIR> d-------- C:\Deckard
2008-03-20 19:10 . 2008-03-21 19:42 1,600 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-19 15:42 . 2006-08-21 01:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-03-19 15:42 . 2006-08-21 01:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-03-19 15:42 . 2006-08-21 04:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-03-18 18:28 . 2008-03-22 12:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-03-18 18:22 . 2008-03-18 18:22 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-18 18:20 . 2008-03-18 18:20 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-03-18 18:20 . 2008-03-18 18:20 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-03-18 18:15 . 2008-03-18 18:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-18 18:15 . 2008-03-18 19:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-18 16:36 . 2008-03-18 16:36 <DIR> d-------- C:\VundoFix Backups
2008-03-18 16:04 . 2008-03-18 16:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-18 16:04 . 2008-03-21 20:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-18 10:48 . 2008-03-22 12:28 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\U3
2008-03-17 06:23 . 2008-03-18 17:44 1,371,284 ---hs---- C:\WINDOWS\system32\yniwdwhm.ini
2008-03-16 17:10 . 2008-03-17 06:18 1,366,743 ---hs---- C:\WINDOWS\system32\ovuuwlch.ini
2008-03-16 14:26 . 2008-03-16 14:26 <DIR> d-------- C:\Program Files\stc
2008-03-16 14:26 . 2008-03-16 15:34 1,366,681 ---hs---- C:\WINDOWS\system32\fbeuaybd.ini
2008-03-16 14:25 . 2008-03-16 14:25 <DIR> d-------- C:\Program Files\zango
2008-03-16 14:25 . 2008-03-16 14:25 <DIR> d-------- C:\Program Files\Sysmnt
2008-03-16 14:11 . 2008-03-16 14:11 63 --a------ C:\WINDOWS\system32\448b9bf6
2008-03-16 14:10 . 2008-03-16 14:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-16 14:08 . 2008-03-22 16:23 <DIR> d-------- C:\Program Files\Bat
2008-03-16 14:07 . 2008-03-16 14:07 <DIR> d--hs---- C:\WINDOWS\QW1iZXI
2008-03-16 14:06 . 2008-03-16 14:06 <DIR> d-------- C:\WINDOWS\system32\IDME
2008-03-16 14:06 . 2008-03-16 14:06 <DIR> d-------- C:\WINDOWS\system32\FxTmp
2008-03-16 14:06 . 2008-03-16 14:06 <DIR> d-------- C:\WINDOWS\system32\aqVreo19
2008-03-16 14:06 . 2008-03-16 14:06 <DIR> d-------- C:\Temp\gbRve12
2008-03-16 14:06 . 2008-03-22 12:44 <DIR> d-------- C:\Temp
2008-03-15 04:58 . 2008-03-15 04:58 32,768 --a------ C:\WINDOWS\system32\aqVreo19\aqVreo192547.exe
2008-03-14 18:22 . 2008-03-22 12:25 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-03-13 19:42 . 2008-03-13 20:04 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2008-03-13 19:30 . 2008-03-13 19:30 <DIR> d-------- C:\WINDOWS\provisioning
2008-03-13 19:30 . 2008-03-13 19:30 <DIR> d-------- C:\WINDOWS\peernet
2008-03-13 19:16 . 2008-03-13 19:16 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-03-13 18:59 . 2005-06-28 09:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-03-13 07:32 . 2008-03-13 18:51 <DIR> d-------- C:\WINDOWS\EHome
2008-03-09 17:01 . 2004-08-04 00:56 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2008-03-09 17:01 . 2004-08-02 14:20 7,208 --------- C:\WINDOWS\system32\secupd.sig
2008-03-09 17:01 . 2004-08-02 14:20 4,569 --------- C:\WINDOWS\system32\secupd.dat
2008-03-09 16:19 . 2004-08-03 23:56 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2008-03-09 16:19 . 2004-08-03 23:56 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2008-03-09 16:19 . 2004-08-03 23:56 265,728 --a------ C:\WINDOWS\system32\h323.tsp
2008-03-09 16:19 . 2004-08-03 23:56 77,312 --a------ C:\WINDOWS\system32\browser.dll
2008-03-09 16:19 . 2004-08-03 23:56 39,936 --a------ C:\WINDOWS\system32\mf3216.dll
2008-03-09 16:04 . 2004-08-03 23:56 239,104 --a------ C:\WINDOWS\system32\srrstr.dll
2008-03-09 15:54 . 2008-03-09 16:21 <DIR> d--h-c--- C:\WINDOWS\$xpsp1hfm$
2008-03-09 15:54 . 2004-01-09 21:11 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2008-03-08 19:38 . 2008-03-08 19:38 376 --a------ C:\WINDOWS\ODBC.INI
2008-03-08 19:35 . 2008-03-08 19:36 <DIR> d-------- C:\WINDOWS\ShellNew
2008-03-08 19:06 . 2008-03-08 19:06 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-03-08 19:06 . 2005-12-29 18:07 282,624 -ra------ C:\WINDOWS\system32\drivers\WG311v3XP.sys
2008-03-08 18:20 . 2008-03-08 18:20 <DIR> d-------- C:\WINDOWS\system32\bits
2008-03-08 18:18 . 2004-08-03 23:56 438,784 --------- C:\WINDOWS\system32\xpob2res.dll
2008-03-08 18:18 . 2004-08-03 23:56 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2008-03-08 18:18 . 2004-08-03 23:56 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-03-08 18:18 . 2004-08-03 23:56 8,192 --------- C:\WINDOWS\system32\bitsprx2.dll
2008-03-08 18:18 . 2004-08-03 23:56 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2008-03-08 18:11 . 2008-03-08 18:11 <DIR> d-------- C:\OEMSettings
2008-03-08 18:08 . 2008-03-08 18:08 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-03-08 18:04 . 2008-03-08 18:04 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS
2008-03-08 13:14 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2008-03-08 13:14 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2008-03-08 13:14 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-03-08 13:14 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-03-08 13:14 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-03-08 13:14 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
2008-03-08 13:14 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-03-08 13:14 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-03-08 13:14 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-03-08 12:59 . 2008-03-08 12:59 <DIR> d---s---- C:\Documents and Settings\Amber\UserData
2008-03-08 09:37 . 2008-03-22 15:53 <DIR> d--hs---- C:\WINDOWS\Installer
2008-03-08 01:02 . 2008-03-08 01:02 8,192 --a------ C:\WINDOWS\REGLOCS.OLD

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-09 02:10 --------- d-----w C:\Program Files\NETGEAR
2008-03-08 08:52 --------- d-----w C:\Program Files\microsoft frontpage
2008-02-18 18:11 8,659,544 ----a-w C:\interactualplayer.exe
2007-05-24 22:58 249,856 ----a-w C:\WINDOWS\inf\WG311v3\InsDrv2k.exe
2006-12-04 19:38 212,992 ----a-w C:\WINDOWS\inf\WG311v3\CopyWHQLDriver.exe
2005-12-30 02:07 282,624 ----a-r C:\WINDOWS\inf\WG311v3\WG311v3XP.sys
2000-07-25 20:58 271 --sh--w C:\Program Files\desktop.ini
2000-07-25 20:58 23,357 ---ha-w C:\Program Files\folder.htt
2002-08-12 20:42 98,304 ----a-w C:\Program Files\internet explorer\plugins\IEHelper.dll
2005-08-03 00:46 187,904 --sha-r C:\WINDOWS\QW1iZXI\asappsrv.dll
2005-08-03 00:58 293,888 --sha-r C:\WINDOWS\QW1iZXI\command.exe
2005-07-30 00:24 472 --sha-r C:\WINDOWS\QW1iZXI\kqY2trK.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-18 18:17 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-18 18:17 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 17:01:04 83360]
NETGEAR WG311v3 Smart Wizard.lnk - C:\Program Files\NETGEAR\WG311v3\WG311v3.exe [2007-11-21 17:51:20 1507328]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=


.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-22 16:28:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-03-22 16:33:53
ComboFix-quarantined-files.txt 2008-03-23 00:32:51
ComboFix2.txt 2008-03-22 21:45:39
.
2008-03-22 20:43:27 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:36:54 PM, on 3/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1205010008345
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driver...driveragent.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

--
End of file - 3145 bytes
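To make the reasoning behind the CFScript in #8 and the check in #9 explicit, here is an added example (it is not the helper's tool and not code from this thread): a Python script that flags the same kinds of HijackThis entries the helper targeted, renders them in the CFScript directive forms used above, and diffs a before/after log pair to confirm what the fix removed. The function names (triage, build_cfscript, diff_logs), the flagging rules and the two sample logs are assumptions; the sample lines are constructed from entries of the kind posted in this thread.

```python
"""Triage a HijackThis v2 log, write a ComboFix CFScript for the flagged
entries, and diff a before/after log pair to confirm what a fix removed.

Added example for this thread, not a tool the helper or poster used. The
HijackThis line formats (O2 BHO, O4 Run) and the CFScript directive forms
(File::, Registry::, [-key], "value"=-) are copied from the logs and script
quoted in the thread; the sample logs are constructed and the flagging
rules are assumptions.
"""
import re

# Constructed sample, modelled on the logs posted before and after the fix.
BEFORE_LOG = r"""
O2 - BHO: {e563cf2a-065f-f1f9-35e4-63059017a9fa} - {af9a7109-5036-4e53-9f1f-f560a2fc365e} - C:\WINDOWS\system32\wcuqhkaw.dll (file missing)
O2 - BHO: 0 - {DED879B8-C95C-4649-28B7-B9C6F97E5AE1} - C:\Program Files\Movie Maker\qubapik.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [448b8978] rundll32.exe "C:\WINDOWS\system32\mhwdwiny.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""
AFTER_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# HijackThis O2/O4 line shapes as they appear in the logs above.
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)? "?(?P<dll>[^",]+)"?(?:,(?P<entry>\S+))?', re.I)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")  # Run value names like "448b8978"
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


def triage(log):
    """Entries worth removing, each a dict with the parsed fields and a reason.

    Rules (assumptions chosen to match this thread's Vundo-style leftovers):
    an O2 BHO marked "(file missing)" is an orphaned CLSID registration; an
    O4 Run value named like 8 hex digits, or one that starts a DLL through
    rundll32 by a one-letter export, is the loader.
    """
    findings = []
    for line in log.strip().splitlines():
        m = BHO_RE.match(line)
        if m:
            if m.group("missing"):
                findings.append({"kind": "bho", "line": line, "clsid": m.group("clsid"),
                                 "path": m.group("path"),
                                 "reason": "BHO registered for a DLL not on disk"})
            continue
        m = RUN_RE.match(line)
        if not m:
            continue
        d = RUNDLL_RE.match(m.group("cmd"))
        one_letter = bool(d and d.group("entry") and len(d.group("entry")) == 1)
        if HEX_NAME_RE.match(m.group("value")) or one_letter:
            findings.append({"kind": "run", "line": line, "hive": m.group("hive"),
                             "value": m.group("value"), "path": d.group("dll") if d else None,
                             "reason": "hex-named Run value or rundll32 one-letter export"})
    return findings


def build_cfscript(findings):
    """Render findings in the CFScript directive forms used in this thread."""
    files = [f["path"] for f in findings if f.get("path")]
    bho_keys = [r"[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\%s]" % f["clsid"]
                for f in findings if f["kind"] == "bho"]
    runs = {}  # full hive name -> Run value names to delete
    for f in findings:
        if f["kind"] == "run":
            runs.setdefault(HIVES[f["hive"]], []).append(f["value"])
    out = []
    if files:
        out += ["File::"] + files + [""]
    if bho_keys or runs:
        out += ["Registry::"] + bho_keys
        for hive, values in runs.items():
            out.append(r"[%s\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]" % hive)
            out += ['"%s"=-' % v for v in values]
    return "\n".join(out) + "\n"


def diff_logs(before, after):
    """Lines present only before the fix, and lines that are new after it."""
    b = set(before.strip().splitlines())
    a = set(after.strip().splitlines())
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    found = triage(BEFORE_LOG)
    for f in found:
        print("FLAG:", f["reason"], "<-", f["line"])
    print(build_cfscript(found))
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("removed by the fix:", *removed, sep="\n  ")
    print("new since the fix:", *added, sep="\n  ")
```

Run as-is it flags the two orphaned BHOs and the hex-named Run value, prints a script in the same shape as the one in #8, and reports those three lines as gone from the after log. To use it on a real pair of logs, read each file into a string and pass it to triage() and diff_logs(). Two design points: unlike the helper's script, the generator also lists the DLL that the Run value loaded (mhwdwiny.dll) under File::, so it is removed rather than left on disk; and the "(file missing)" rule alone cannot catch a BHO whose DLL is still present, so unflagged O2 lines still need a look by hand.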

#10 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
In this post I want to do some scans, which will require downloading programs, updating them and running them. I am not too sure how effective that will be when you pass them over to the infected computer, so it may be worth downloading them straight to the USB stick.

Firstly, do you know what these are?
NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
C:\WINDOWS\system32\aqVreo19\aqVreo192547.exe



====STEP 1====
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


====STEP 2====
Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


In your next reply could I see:
1. the answers to the above questions on those files
2. the malwarebytes log
3. the SUPERantispyware log
4. a new hijackthis log
5. some idea of how the machine is running now

andrewuk

#11 Overclocked (Topic Starter, New Member, 8 posts)

NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\WG311v3.exe

This belongs to the wireless internet card

C:\WINDOWS\system32\aqVreo19\aqVreo192547.exe

no idea

The Malwarebytes log:

Malwarebytes' Anti-Malware 1.09
Database version: 507

Scan type: Quick Scan
Objects scanned: 26712
Time elapsed: 13 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 15
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 7
Files Infected: 42

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{f663b917-591f-4172-8d87-3d7d729007ca} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bat.batbho (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bat.batbho.1 (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d279bc2b-a85b-4559-8fd9-ddc55f5d402d} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{b80a3586-caa5-41c8-89bf-e617f0b6cfbf} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\BATCO (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Batco (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\bat.DLL (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bat (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bat (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\zango (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Bat (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\stc (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\Sysmnt (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\FLEOK (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Rabio\Search Enhancer (Adware.SearchEnhancer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Rabio (Adware.Rabio) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\zango\zango.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Bat\Bat.dll.intermediate.manifest (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\Bat.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\Bat.info (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\Bat.original (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\Info.dll (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\un_BatSetup_15041.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\un_BatSetup_15041.txt (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\X_Bat.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\X_Bat.log (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\stc\csv5p070.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\Sysmnt\Ssmgr.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\FLEOK\180ax.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\avifile32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\avisynthex32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\aviwrap32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\browserad.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\changeurl_30.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msa64chk.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msapasrc.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\123messenger.per (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ntnut.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\shdocpe.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\shdocpl.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\winsb.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSNSA32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntnut32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\shdocpe.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SIPSPI32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\Installer\id53.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\apphelp32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\asferror32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\asycfilt32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\athprxy32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ati2dvaa32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ati2dvag32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\audiosrv32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\autodisc32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\licencia.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\telefonos.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\textos.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amber\Start Menu\Programs\Startup\Bat - Auto Update.lnk (Adware.Batco) -> Quarantined and deleted successfully.

And the SUPERAntiSpyware log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/22/2008 at 07:44 PM

Application Version : 4.0.1154

Core Rules Database Version : 3412
Trace Rules Database Version: 1415

Scan type : Complete Scan
Total Scan Time : 01:04:32

Memory items scanned : 299
Memory threats detected : 0
Registry items scanned : 3414
Registry threats detected : 0
File items scanned : 13133
File threats detected : 5

Adware.180solutions/ZangoSearch
C:\MY DOCUMENTS\AMBERS\AMBERS STUFF\SCHOOL RELATED\HISTORY\SETUP.EXE

Adware.Adservs
C:\WINDOWS\QW1IZXI\ASAPPSRV.DLL
C:\WINDOWS\SYSTEM32\FXTMP\V32API.EXE

Unclassified.Unknown Origin
C:\WINDOWS\QW1IZXI\COMMAND.EXE

Trojan.Unknown Origin
C:\WINDOWS\QW1IZXI\KQY2TRK.VBS

The HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:51 PM, on 3/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1205010008345
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driver...driveragent.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

--
End of file - 2993 bytes

The computer seems to be running fine. I think it just needs to be defragmented and cleaned up a bit and it will be working fine.

#12 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
Let's just do a full DSS scan to make sure. The Malwarebytes scan cleared infections that were not seen in the ComboFix logs (but were seen in the original DSS scans).

Click on Start, click on Run.
Copy and paste the following into the open window and then click OK:
"%userprofile%\desktop\dss.exe" /config
This will open up the DSS configuration.
Click on Check All.
Click Scan.
DSS will now run again. When finished, please post back both logs that open in Notepad:
main.txt and extra.txt

andrewuk

#13 Overclocked (Topic Starter, New Member, 8 posts)
main.txt

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-03-22 20:42:25
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 3 Restore Point(s) --
3: 2008-03-23 04:42:55 UTC - RP37 - Deckard's System Scanner Restore Point
2: 2008-03-23 02:31:30 UTC - RP36 - Installed SUPERAntiSpyware Free Edition
1: 2008-03-23 01:54:03 UTC - RP35 - System Checkpoint


Performed disk cleanup.

Percentage of Memory in Use: 86% (more than 75%).
Total Physical Memory: 128 MiB (512 MiB recommended).
System Drive C: has 0.59 GiB (less than 15%) free.


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:44:09 PM, on 3/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
C:\Documents and Settings\Administrator\desktop\dss.exe
C:\DOCUME~1\ADMINI~1\Desktop\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1205010008345
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driver...driveragent.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

--
End of file - 3001 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\ADMINI~1\Desktop\backups\) ------------

backup-20080322-161839-628 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://antispywareup...?aid=496.cbcbcb

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe"%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>
S3 W8335XP (NETGEAR WG311v3 802.11g Wireless PCI Adapter for Windows XP (8335)) - c:\windows\system32\drivers\wg311v3xp.sys <Not Verified; Marvell Semiconductor, Inc; Device driver for Marvell 802.11 NIC>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 800)
2007-04-19 12:41:36 294912 --a------ C:\Program Files\SUPERAntiSpyware\SASWINLO.dll <Not Verified; SUPERAntiSpyware.com; SUPERAntiSpyware WinLogon Processor>

C:\WINDOWS\explorer.exe (pid 1192)
2006-12-20 12:55:48 77824 --a------ C:\Program Files\SUPERAntiSpyware\SASSEH.DLL <Not Verified; SuperAdBlocker.com; SuperAntiSpyware>
2007-02-27 11:39:26 61440 --a------ C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL <Not Verified; SUPERAntiSpyware.com; SUPERAntiSpyware Context Menu Extension>


-- Files created between 2008-02-22 and 2008-03-22 -----------------------------

2008-03-22 20:00:58 0 d-------- C:\WINDOWS\LastGood
2008-03-22 18:32:20 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-22 18:31:39 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-03-22 18:31:38 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-03-22 18:30:31 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-22 18:14:08 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-03-22 17:59:12 0 d-------- C:\Documents and Settings\Administrator\Application Data\Help
2008-03-20 19:10:39 1600 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-18 19:05:31 0 dr-h----- C:\$VAULT$.AVG
2008-03-18 18:28:07 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-03-18 18:22:41 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-18 18:15:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-18 18:15:54 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-18 16:04:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-18 10:48:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\U3
2008-03-18 10:27:01 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-03-18 10:23:40 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-03-18 10:23:40 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-03-18 10:23:40 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-03-18 10:23:40 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-03-18 10:23:40 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-03-18 10:23:40 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-03-18 10:23:40 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-03-18 10:23:40 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-03-18 10:23:40 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-03-18 10:23:40 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-03-18 10:23:40 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-03-18 10:23:40 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-03-18 10:23:39 2359296 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-03-16 14:45:22 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-03-16 14:45:15 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-03-16 14:37:00 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-03-16 14:11:37 63 --a------ C:\WINDOWS\system32\448b9bf6
2008-03-16 14:07:26 0 d--hs---- C:\WINDOWS\QW1iZXI
2008-03-16 14:06:36 0 d-------- C:\WINDOWS\system32\IDME
2008-03-16 14:06:36 0 d-------- C:\WINDOWS\system32\FxTmp
2008-03-16 14:06:04 0 d-------- C:\WINDOWS\system32\aqVreo19
2008-03-14 18:23:06 0 d-------- C:\WINDOWS\system32\PreInstall
2008-03-14 18:22:59 0 d--h----- C:\WINDOWS\$hf_mig$
2008-03-13 20:02:18 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-03-13 19:58:04 0 d-------- C:\WINDOWS\Prefetch
2008-03-13 19:30:40 0 d-------- C:\WINDOWS\peernet
2008-03-13 19:30:33 0 d-------- C:\WINDOWS\provisioning
2008-03-13 19:16:16 0 d-------- C:\WINDOWS\ServicePackFiles
2008-03-13 19:00:20 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-03-13 07:32:28 0 d-------- C:\WINDOWS\EHome
2008-03-11 07:23:53 0 d-------- C:\WINDOWS\system32\appmgmt
2008-03-09 15:56:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-03-09 15:54:01 26112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-09 15:54:01 0 d--h---c- C:\WINDOWS\$xpsp1hfm$
2008-03-08 19:35:19 0 d-------- C:\WINDOWS\ShellNew
2008-03-08 19:21:20 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Identities
2008-03-08 19:06:38 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-03-08 19:06:06 282624 -ra------ C:\WINDOWS\system32\drivers\WG311v3XP.sys <Not Verified; Marvell Semiconductor, Inc; Device driver for Marvell 802.11 NIC>
2008-03-08 18:20:01 0 d-------- C:\WINDOWS\system32\bits
2008-03-08 18:11:50 0 d-------- C:\OEMSettings
2008-03-08 18:08:53 0 d-------- C:\WINDOWS\Downloaded Installations
2008-03-08 18:05:17 0 d-------- C:\Documents and Settings\Amber\Application Data\Macromedia
2008-03-08 18:05:16 0 d-------- C:\Documents and Settings\Amber\Application Data\Adobe
2008-03-08 18:04:44 23600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>
2008-03-08 13:07:36 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-03-08 12:59:35 0 d---s---- C:\Documents and Settings\Amber\UserData
2008-03-08 09:37:13 0 d--hs---- C:\WINDOWS\Installer
2008-03-08 09:37:06 0 d-------- C:\Documents and Settings\Amber\Application Data\Identities
2008-03-08 09:36:22 0 dr------- C:\Documents and Settings\Amber\Favorites
2008-03-08 09:36:22 0 d-------- C:\Documents and Settings\Amber\Desktop
2008-03-08 09:36:22 0 d---s---- C:\Documents and Settings\Amber\Cookies
2008-03-08 09:36:22 0 dr-h----- C:\Documents and Settings\Amber\Application Data
2008-03-08 09:36:22 0 d---s---- C:\Documents and Settings\Amber\Application Data\Microsoft
2008-03-08 09:36:21 0 d--h----- C:\Documents and Settings\Amber\Templates
2008-03-08 09:36:21 0 dr------- C:\Documents and Settings\Amber\Start Menu
2008-03-08 09:36:21 0 dr-h----- C:\Documents and Settings\Amber\SendTo
2008-03-08 09:36:21 0 dr-h----- C:\Documents and Settings\Amber\Recent
2008-03-08 09:36:21 0 d--h----- C:\Documents and Settings\Amber\PrintHood
2008-03-08 09:36:21 1437696 --a------ C:\Documents and Settings\Amber\NTUSER.DAT
2008-03-08 09:36:21 0 d--h----- C:\Documents and Settings\Amber\NetHood
2008-03-08 09:36:21 0 dr------- C:\Documents and Settings\Amber\My Documents
2008-03-08 09:36:21 0 d--h----- C:\Documents and Settings\Amber\Local Settings
2008-03-08 01:03:14 0 d--hs---- C:\System Volume Information
2008-03-08 01:03:09 237568 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-03-08 01:03:09 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-03-08 01:03:09 0 d---s---- C:\Documents and Settings\LocalService\Cookies
2008-03-08 01:03:09 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-03-08 01:03:09 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-03-08 01:03:07 1572864 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-03-08 01:03:07 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-03-08 01:03:07 0 d---s---- C:\Documents and Settings\NetworkService\Cookies
2008-03-08 01:03:07 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-03-08 01:03:07 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-03-08 00:52:19 0 d-------- C:\WINDOWS\system32\xircom
2008-03-08 00:52:18 0 d-------- C:\Program Files\microsoft frontpage
2008-03-08 00:50:26 237568 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-03-08 00:44:50 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-03-08 00:44:05 0 dr------- C:\WINDOWS\Offline Web Pages
2008-03-08 00:44:05 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-03-08 00:42:27 0 d-------- C:\WINDOWS\srchasst
2008-03-08 00:42:03 0 d-------- C:\WINDOWS\system32\DirectX
2008-03-08 00:42:02 0 d-------- C:\WINDOWS\system32\Macromed
2008-03-08 00:40:41 0 d-------- C:\WINDOWS\system32\Restore
2008-03-08 00:40:29 0 d-------- C:\WINDOWS\PCHEALTH
2008-03-08 00:40:23 0 d---s---- C:\WINDOWS\Tasks
2008-03-08 00:40:16 0 d-------- C:\Program Files\Common Files\MSSoap
2008-03-08 00:38:00 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-03-08 00:37:14 0 d-------- C:\WINDOWS\Registration
2008-03-08 00:35:30 0 d-------- C:\Program Files\Windows NT
2008-03-08 00:35:01 0 d-------- C:\WINDOWS\system32\MsDtc
2008-03-08 00:34:57 0 d-------- C:\WINDOWS\system32\Com
2008-03-07 16:19:30 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-03-07 16:18:35 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-03-07 16:18:35 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-03-07 16:18:35 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-03-07 16:18:35 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-03-07 16:18:35 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-03-07 16:18:35 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-03-07 16:18:35 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-03-07 16:18:35 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-03-07 16:18:35 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-03-07 16:18:35 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-03-07 16:18:35 0 d---s---- C:\Documents and Settings\Default User\Cookies
2008-03-07 16:18:35 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-03-07 16:18:35 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-03-07 16:18:35 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-03-07 16:18:35 0 dr------- C:\Documents and Settings\All Users\Documents
2008-03-07 16:18:35 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-03-07 16:18:02 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-03-07 16:18:02 0 d-------- C:\WINDOWS\system32\CatRoot
2008-03-07 16:17:56 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-03-07 16:17:56 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-03-07 16:17:55 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-03-07 16:17:55 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-03-07 16:17:26 0 d-------- C:\Documents and Settings
2008-03-07 16:06:24 0 d-------- C:\WINDOWS
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\WinSxS
2008-03-07 16:06:24 0 dr------- C:\WINDOWS\Web
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\twain_32
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\wins
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\wbem
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\usmt
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\spool
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\ShellExt
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\Setup
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\ras
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\oobe
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\npp
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\mui
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\inetsrv
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\IME
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\icsxml
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\ias
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\export
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\drivers
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-03-07 16:06:24 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\dhcp
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\config
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\3076
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\2052
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\1054
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\1042
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\1041
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\1037
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\1033
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\1031
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\1028
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system32\1025
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\system
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\security
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\Resources
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\repair
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\mui
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\msapps
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\msagent
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\Media
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\java
2008-03-07 16:06:24 0 d--h----- C:\WINDOWS\inf
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\ime
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\Help
2008-03-07 16:06:24 0 dr--s---- C:\WINDOWS\Fonts
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\Driver Cache
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\Debug
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\Cursors
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\Connection Wizard
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\Config
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\AppPatch
2008-03-07 16:06:24 0 d-------- C:\WINDOWS\addins


-- Find3M Report ---------------------------------------------------------------

2008-03-22 18:30:31 0 dr------- C:\Program Files\Common Files
2008-03-18 19:05:35 0 dr------- C:\Program Files\Movie Maker
2008-03-13 19:57:02 0 dr------- C:\Program Files\Messenger
2008-03-08 18:10:35 0 d-------- C:\Program Files\NETGEAR
2008-03-08 13:14:27 0 d--h----- C:\Program Files\WindowsUpdate
2008-03-08 00:43:08 0 d-------- C:\Program Files\Online Services
2008-03-07 16:18:35 62 --ahs---- C:\Documents and Settings\Administrator\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [03/18/2008 06:17 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/29/2008 04:03 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/12/2001 5:01:04 PM]
NETGEAR WG311v3 Smart Wizard.lnk - C:\Program Files\NETGEAR\WG311v3\WG311v3.exe [11/21/2007 5:51:20 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e6d1820-f51b-11dc-8c62-00146c84a4ad}]
AutoRun\command- E:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-03-22 20:48:37 ------------

extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel Celeron processor
Percentage of Memory in Use: 80%
Physical Memory (total/avail): 127.42 MiB / 25.2 MiB
Pagefile Memory (total/avail): 307.1 MiB / 152.7 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1928.41 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 5.59 GiB total, 0.59 GiB free.
D: is CDROM (No Media)
E: is CDROM (CDFS)
F: is Removable (FAT)

\\.\PHYSICALDRIVE0 - TOSHIBA MK6015MAP - 5.59 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 5.59 GiB - C:

\\.\PHYSICALDRIVE1 - SanDisk U3 Cruzer Micro USB Device - 1953.22 MiB - 1 partition
\PARTITION0 - MS-DOS V4 Huge - 1952.88 MiB - F:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

AV: AVG 7.5.503 v7.5.503 (Grisoft) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=AMBER-BW9KC1SN8
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\AMBER-BW9KC1SN8
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS;C:\WINDOWS\COMMAND
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0803
ProgramFiles=C:\Program Files
PROMPT=$p$g
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=AMBER-BW9KC1SN8
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
winbootdir=C:\WINDOWS
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Amber (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
HijackThis 2.0.2 --> "C:\Documents and Settings\Administrator\Desktop\HijackThis.exe" /uninstall
Microsoft Office XP Standard --> MsiExec.exe /I{90120409-6000-11D3-8CFE-0050048383C9}
NETGEAR WG311v3 PCI Adapter --> C:\Program Files\InstallShield Installation Information\{70014586-7BBA-4A92-A610-CDC896C48F8F}\setup.exe -runfromtemp -l0x0409
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}


-- Application Event Log -------------------------------------------------------

Event Record #/Type201 / Warning
Event Submitted/Written: 03/22/2008 03:53:04 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{90120409-6000-11D3-8CFE-0050048383C9}', feature 'WordUserData', component '{8ADD2C93-C8B7-11D1-9C67-0000F81F1B38}' failed. The resource 'HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\UserData' does not exist.

Event Record #/Type199 / Warning
Event Submitted/Written: 03/22/2008 03:52:51 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{90120409-6000-11D3-8CFE-0050048383C9}', feature 'OfficeUserData', component '{4A31E933-6F67-11D2-AAA2-00A0C90F57B0}' failed. The resource 'HKEY_CURRENT_USER\Software\ODBC\ODBC.INI\MS Access Database\' does not exist.

Event Record #/Type191 / Error
Event Submitted/Written: 03/22/2008 01:24:01 PM
Event ID/Source: 100 / AVG7
Event Description:
2008-03-22 21:24:01,226 AMBER-BW9KC1SN8 [001384:001416] ERROR 000 AVG7.WTS.CAvgAmWts ProcessIdToSessionId(508) call failed with WIN32 error 87, returning session id is 0

Event Record #/Type190 / Error
Event Submitted/Written: 03/22/2008 01:23:57 PM
Event ID/Source: 100 / AVG7
Event Description:
2008-03-22 21:23:57,341 AMBER-BW9KC1SN8 [001384:001416] ERROR 000 AVG7.WTS.CAvgAmWts ProcessIdToSessionId(1772) call failed with WIN32 error 87, returning session id is 0

Event Record #/Type189 / Error
Event Submitted/Written: 03/22/2008 01:23:56 PM
Event ID/Source: 100 / AVG7
Event Description:
2008-03-22 21:23:56,199 AMBER-BW9KC1SN8 [001384:001416] ERROR 000 AVG7.WTS.CAvgAmWts ProcessIdToSessionId(1708) call failed with WIN32 error 87, returning session id is 0



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type1365 / Error
Event Submitted/Written: 03/22/2008 07:54:04 PM / 03/22/2008 07:55:27 PM
Event ID/Source: 4 / E100B
Event Description:
Adapter Intel® PRO/100+ MiniPCI: Adapter Link Down

Event Record #/Type1363 / Error
Event Submitted/Written: 03/22/2008 07:53:34 PM / 03/22/2008 07:55:27 PM
Event ID/Source: 5 / ACPI
Event Description:
AMLI: ACPI BIOS is attempting to write to an illegal IO port address (0x4d0), which lies in the 0x4d0 - 0x4d1 protected
address range. This could lead to system instability. Please contact your system vendor for technical assistance.

Event Record #/Type1362 / Error
Event Submitted/Written: 03/22/2008 07:53:34 PM / 03/22/2008 07:55:27 PM
Event ID/Source: 4 / ACPI
Event Description:
AMLI: ACPI BIOS is attempting to read from an illegal IO port address (0x4d0), which lies in the 0x4d0 - 0x4d1 protected
address range. This could lead to system instability. Please contact your system vendor for technical assistance.

Event Record #/Type1332 / Error
Event Submitted/Written: 03/22/2008 05:45:30 PM / 03/22/2008 05:46:35 PM
Event ID/Source: 4 / E100B
Event Description:
Adapter Intel® PRO/100+ MiniPCI: Adapter Link Down

Event Record #/Type1330 / Error
Event Submitted/Written: 03/22/2008 05:44:59 PM / 03/22/2008 05:46:35 PM
Event ID/Source: 5 / ACPI
Event Description:
AMLI: ACPI BIOS is attempting to write to an illegal IO port address (0x4d0), which lies in the 0x4d0 - 0x4d1 protected
address range. This could lead to system instability. Please contact your system vendor for technical assistance.



-- End of Deckard's System Scanner: finished at 2008-03-22 20:48:37 ------------

#14
andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
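The "Files created" section of the DSS log above is the part a helper reads line by line. As an added example (my own code, not part of DSS or of this thread), here is a small Python parser for those lines plus a triage pass that flags two kinds of entry worth a manual look: hidden+system objects outside a few stock XP locations, and extension-less files created directly in a Windows system folder. The allowlist and both rules are my assumptions, and a hit means "review this", not "this is malware".

```python
"""Triage helper for Deckard's System Scanner "Files created" lines.

Added example (my code, not DSS's and not from this thread). Input lines look like:
    2008-03-16 14:07:26 0 d--hs---- C:\\WINDOWS\\QW1iZXI
i.e. date, time, size in bytes, a 9-column attribute field, the path, and an
optional "<...>" version-info tail. Only the letters present in the attribute
field are used (d=directory, r=read-only, a=archive, h=hidden, s=system, c=compressed).
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>[-a-z]{9}) (?P<path>.+?)(?: <(?P<ver>[^>]*)>)?$"
)

# Assumed allowlist: stock Windows XP objects that are hidden+system by design.
STOCK_HIDDEN_SYSTEM = {
    r"c:\system volume information",
    r"c:\windows\installer",
    r"c:\windows\system32\dllcache",
    r"c:\documents and settings\all users\drm",
}
# Folders where a freshly created, extension-less file deserves a look (assumption).
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\system32\drivers"}


@dataclass
class Entry:
    when: datetime
    size: int
    flags: frozenset          # attribute letters present, e.g. {'d', 'h', 's'}
    path: str
    verinfo: Optional[str]    # text inside "<...>" if the line had one

    @property
    def is_dir(self) -> bool:
        return "d" in self.flags


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for one DSS file line, or None for headers/blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(
        when=datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S"),
        size=int(m["size"]),
        flags=frozenset(c for c in m["attrs"] if c != "-"),
        path=m["path"],
        verinfo=m["ver"],
    )


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Flag entries for manual review. A hit means 'look at it', not 'malware'."""
    findings = []
    for e in entries:
        low = e.path.lower()
        parent, _, name = low.rpartition("\\")
        if {"h", "s"} <= e.flags and low not in STOCK_HIDDEN_SYSTEM:
            findings.append((e.path, "hidden+system outside stock XP locations"))
        elif not e.is_dir and parent in SYSTEM_DIRS and "." not in name:
            findings.append((e.path, "extension-less file in a system folder"))
    return findings


# Constructed sample: a handful of lines adapted from the DSS log in this thread.
SAMPLE_LOG = r"""
2008-03-22 18:31:39 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-03-20 19:10:39 1600 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-18 19:05:31 0 dr-h----- C:\$VAULT$.AVG
2008-03-16 14:11:37 63 --a------ C:\WINDOWS\system32\448b9bf6
2008-03-16 14:07:26 0 d--hs---- C:\WINDOWS\QW1iZXI
2008-03-09 15:54:01 26112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe <Not Verified; Microsoft Corporation; Microsoft Windows Operating System>
2008-03-08 09:36:22 0 d---s---- C:\Documents and Settings\Amber\Cookies
2008-03-08 01:03:14 0 d--hs---- C:\System Volume Information
2008-03-07 16:06:24 0 dr-hs--c- C:\WINDOWS\system32\dllcache
"""

if __name__ == "__main__":
    for path, reason in triage(parse_log(SAMPLE_LOG)):
        print(f"REVIEW  {path}  ({reason})")
```

Run against the full "Files created" section, the two hits on the sample are the hidden system folder C:\WINDOWS\QW1iZXI and the 63-byte extension-less C:\WINDOWS\system32\448b9bf6, which are exactly the kind of leftovers a helper would inspect by hand before calling a log clean.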
The logs look clean :)

If we had an internet connection on the machine we could have done an online scan and updated the AVG anti-virus program. Once the machine gets back its internet connection then you should certainly update AVG and do a full system scan.

It may be a good idea to do a "Perform Full Scan" with the Malwarebytes program.

In this post we will clear away the fix tools, reset your restore points (there will be infections lurking in there) and I will leave you with some ideas on how to enhance the protection of your machine against future infection.


====STEP 1====
Clearing away the fix tools...

Without an internet connection we are going to have to do this the manual way. Could you delete the ComboFix program, folder and text files, the SmitfraudFix program and folder, and the HostsXpert program?


====STEP 2====
To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

Instructions with screenshots to help are at http://www.f-secure..../sfc_dis1.shtml

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/kb/310405


====AND FINALLY====
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.
  • Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

andrewuk

#15
Overclocked
    New Member
  • Topic Starter
  • 8 posts
Thank you for all your hard work and labor. My friend will be very, very happy that all is well with her computer once again!
Now I can get to my original task of tidying up the computer.

Overclocked :)
(a very happy customer)