Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Wall paper reads Warning: Spyware has been detected on your PC

Started by atwitsend32 , Apr 06 2008 11:26 PM

  • Please log in to reply

#1
atwitsend32
Posted 06 April 2008 - 11:26 PM

atwitsend32

    Member

  • Member
  • PipPip
  • 15 posts
I have tried a scan with Spy Sweeper, AVG Anti-Spyware and SUPERAntiSpyware and the wall paper is still present. I am getting pops ups and a little yellow yield sign. Every now and then the monitor flickers. Please help. Below are the results from Hijackthis and SUPERAntiSpyware

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:20:50 AM, on 4/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Documents and Settings\Home\My Documents\AVG\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Documents and Settings\Home\My Documents\AVG\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.syracuse.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Documents and Settings\Home\My Documents\AVG\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Saoh] "C:\PROGRA~1\ICROSO~1.NET\mshta.exe" -vt yazb
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com...OnlineGames.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://syr.mlxchange...ectComboBox.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.h...nosticsxp2k.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1175613378046
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://syr.mlxchange...ClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://syr.mlxchange...ol/IRCSharc.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driverage...driveragent.cab
O17 - HKLM\System\CS2\Services\Tcpip\..\{0B020943-B49D-4858-AAF6-E0BFBB595ECB}: NameServer = 192.168.0.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: byxvwwv - byxvwwv.dll (file missing)
O20 - Winlogon Notify: byxyayx - byxyayx.dll (file missing)
O20 - Winlogon Notify: xxywwvs - xxywwvs.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Documents and Settings\Home\My Documents\AVG\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9792 bytes





SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/07/2008 at 00:54 AM

Application Version : 4.0.1154

Core Rules Database Version : 3432
Trace Rules Database Version: 1424

Scan type : Complete Scan
Total Scan Time : 03:36:57

Memory items scanned : 438
Memory threats detected : 0
Registry items scanned : 4830
Registry threats detected : 67
File items scanned : 81024
File threats detected : 122

Adware.Vundo-Variant/Small-A
HKLM\Software\Classes\CLSID\{214dd2c5-4721-4e82-9b4a-93ca624bfb26}
HKCR\CLSID\{214DD2C5-4721-4E82-9B4A-93CA624BFB26}
HKCR\CLSID\{214DD2C5-4721-4E82-9B4A-93CA624BFB26}\InprocServer32
HKCR\CLSID\{214DD2C5-4721-4E82-9B4A-93CA624BFB26}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\ONOSDDNB.DLL
HKLM\Software\Classes\CLSID\{49fb568a-06be-4e74-bdbe-9a16503902f5}
HKCR\CLSID\{49FB568A-06BE-4E74-BDBE-9A16503902F5}
HKCR\CLSID\{49FB568A-06BE-4E74-BDBE-9A16503902F5}\InprocServer32
HKCR\CLSID\{49FB568A-06BE-4E74-BDBE-9A16503902F5}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\HSOSSPYW.DLL
HKLM\Software\Classes\CLSID\{4fe2db00-e6f1-4ccb-97a6-d34b5886d64a}
HKCR\CLSID\{4FE2DB00-E6F1-4CCB-97A6-D34B5886D64A}
HKCR\CLSID\{4FE2DB00-E6F1-4CCB-97A6-D34B5886D64A}\InprocServer32
HKCR\CLSID\{4FE2DB00-E6F1-4CCB-97A6-D34B5886D64A}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\ATALDAYQ.DLL
HKLM\Software\Classes\CLSID\{83a05df0-4ccb-461d-852b-c51ce880ff7b}
HKCR\CLSID\{83A05DF0-4CCB-461D-852B-C51CE880FF7B}
HKCR\CLSID\{83A05DF0-4CCB-461D-852B-C51CE880FF7B}\InprocServer32
HKCR\CLSID\{83A05DF0-4CCB-461D-852B-C51CE880FF7B}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\QTHBEXDG.DLL
HKLM\Software\Classes\CLSID\{8959b8cb-4c42-48bd-8b97-1aa0c0b2aff4}
HKCR\CLSID\{8959B8CB-4C42-48BD-8B97-1AA0C0B2AFF4}
HKCR\CLSID\{8959B8CB-4C42-48BD-8B97-1AA0C0B2AFF4}\InprocServer32
HKCR\CLSID\{8959B8CB-4C42-48BD-8B97-1AA0C0B2AFF4}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\VBQEOAVI.DLL
HKLM\Software\Classes\CLSID\{8b34ed6e-01a8-430b-9348-a44ca868626a}
HKCR\CLSID\{8B34ED6E-01A8-430B-9348-A44CA868626A}
HKCR\CLSID\{8B34ED6E-01A8-430B-9348-A44CA868626A}\InprocServer32
HKCR\CLSID\{8B34ED6E-01A8-430B-9348-A44CA868626A}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\RVFUKOUE.DLL
HKLM\Software\Classes\CLSID\{ffd2f15b-b5f1-46fe-96b0-91a91d88f804}
HKCR\CLSID\{FFD2F15B-B5F1-46FE-96B0-91A91D88F804}
HKCR\CLSID\{FFD2F15B-B5F1-46FE-96B0-91A91D88F804}\InprocServer32
HKCR\CLSID\{FFD2F15B-B5F1-46FE-96B0-91A91D88F804}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\HNFJAFQE.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{45F331F7-3889-4584-8184-B61259B10987}\RP505\A0199579.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{45F331F7-3889-4584-8184-B61259B10987}\RP505\A0199581.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{45F331F7-3889-4584-8184-B61259B10987}\RP505\A0199582.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{45F331F7-3889-4584-8184-B61259B10987}\RP505\A0199584.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{45F331F7-3889-4584-8184-B61259B10987}\RP505\A0199585.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{45F331F7-3889-4584-8184-B61259B10987}\RP505\A0199586.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{45F331F7-3889-4584-8184-B61259B10987}\RP505\A0199587.DLL
C:\WINDOWS\SYSTEM32\AIVSJOKB.DLL
C:\WINDOWS\SYSTEM32\BJTFLVYA.DLL
C:\WINDOWS\SYSTEM32\CQQYTRFK.DLL
C:\WINDOWS\SYSTEM32\ENLOFOGY.DLL
C:\WINDOWS\SYSTEM32\EXXOPPJQ.DLL
C:\WINDOWS\SYSTEM32\FPTTDSIB.DLL
C:\WINDOWS\SYSTEM32\FXCJDCAR.DLL
C:\WINDOWS\SYSTEM32\GCFVENOR.DLL
C:\WINDOWS\SYSTEM32\GEUUMRKV.DLL
C:\WINDOWS\SYSTEM32\GOJGGPXD.DLL
C:\WINDOWS\SYSTEM32\GPDYOLQI.DLL
C:\WINDOWS\SYSTEM32\HACLBMJQ.DLL
C:\WINDOWS\SYSTEM32\HKJFWBQA.DLL
C:\WINDOWS\SYSTEM32\IIWWUTCX.DLL
C:\WINDOWS\SYSTEM32\INLOQYME.DLL
C:\WINDOWS\SYSTEM32\JCLBWYOB.DLL
C:\WINDOWS\SYSTEM32\JKYSXVOE.DLL
C:\WINDOWS\SYSTEM32\KTEGPJUG.DLL
C:\WINDOWS\SYSTEM32\KURHPPVW.DLL
C:\WINDOWS\SYSTEM32\LCMQAKWS.DLL
C:\WINDOWS\SYSTEM32\OJTVWETB.DLL
C:\WINDOWS\SYSTEM32\QGYAYJJN.DLL
C:\WINDOWS\SYSTEM32\QXXIEQFB.DLL
C:\WINDOWS\SYSTEM32\RRIATGBV.DLL
C:\WINDOWS\SYSTEM32\RRKBMAGW.DLL
C:\WINDOWS\SYSTEM32\SIECOKKD.DLL
C:\WINDOWS\SYSTEM32\TXWEMJGV.DLL
C:\WINDOWS\SYSTEM32\VBCUVYBK.DLL
C:\WINDOWS\SYSTEM32\WEUWRCQG.DLL
C:\WINDOWS\SYSTEM32\YALOFMKC.DLL
C:\WINDOWS\SYSTEM32\YBFEPTYC.DLL
C:\WINDOWS\SYSTEM32\YCEXJDGC.DLL
C:\WINDOWS\SYSTEM32\YJCGBPNS.DLL

Trojan.WinFixer
HKLM\Software\Classes\CLSID\{56E1F8C3-C2D1-4B7D-86D8-4B0603BD59E2}
HKCR\CLSID\{56E1F8C3-C2D1-4B7D-86D8-4B0603BD59E2}
HKCR\CLSID\{56E1F8C3-C2D1-4B7D-86D8-4B0603BD59E2}\InprocServer32
HKCR\CLSID\{56E1F8C3-C2D1-4B7D-86D8-4B0603BD59E2}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\PMKJH.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56E1F8C3-C2D1-4B7D-86D8-4B0603BD59E2}

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}
HKCR\CLSID\{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}
HKCR\CLSID\{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}\InprocServer32
HKCR\CLSID\{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\BYXYAYX.DLL
HKLM\Software\Classes\CLSID\{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{D7FD6C15-4927-4AAE-BF12-FBDABD287EB1}
HKCR\CLSID\{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}
HKCR\CLSID\{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}
HKCR\CLSID\{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}\InprocServer32
HKCR\CLSID\{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}\InprocServer32#ThreadingModel

Transponder Variant BHO
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}

Unclassified.Unknown Origin
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}

Adware.2020Search
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}

Adware.180solutions/SurfAssistant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}

Adware.Second Thought
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}
C:\WINDOWS\BOKJA.EXE
C:\WINDOWS\STCLOADER.EXE

Adware.Tracking Cookie
C:\Documents and Settings\Home\Cookies\[email protected][1].txt
C:\Documents and Settings\Home\Cookies\home@adinterax[2].txt
C:\Documents and Settings\Home\Cookies\home@centralmediaserver[2].txt
C:\Documents and Settings\Home\Cookies\[email protected][4].txt
C:\Documents and Settings\Home\Cookies\home@revsci[2].txt
C:\Documents and Settings\Home\Cookies\[email protected][2].txt
C:\Documents and Settings\Home\Cookies\home@insightexpressai[10].txt
C:\Documents and Settings\Home\Cookies\home@insightexpressai[11].txt
C:\Documents and Settings\Home\Cookies\home@insightexpressai[12].txt
C:\Documents and Settings\Home\Cookies\home@insightexpressai[13].txt
C:\Documents and Settings\Home\Cookies\home@insightexpressai[14].txt
C:\Documents and Settings\Home\Cookies\home@insightexpressai[15].txt
C:\Documents and Settings\Home\Cookies\home@insightexpressai[16].txt
C:\Documents and Settings\Home\Cookies\home@insightexpressai[17].txt
C:\Documents and Settings\Home\Cookies\home@insightexpressai[18].txt
C:\Documents and Settings\Home\Cookies\home@insightexpressai[19].txt
C:\Documents and Settings\Home\Cookies\home@insightexpressai[1].txt
C:\Documents and Settings\Home\Cookies\home@insightexpressai[20].txt
C:\Documents and Settings\Home\Cookies\home@insightexpressai[21].txt
C:\Documents and Settings\Home\Cookies\home@insightexpressai[2].txt
C:\Documents and Settings\Home\Cookies\home@insightexpressai[3].txt
C:\Documents and Settings\Home\Cookies\home@insightexpressai[4].txt
C:\Documents and Settings\Home\Cookies\home@insightexpressai[5].txt
C:\Documents and Settings\Home\Cookies\home@insightexpressai[6].txt
C:\Documents and Settings\Home\Cookies\home@insightexpressai[7].txt
C:\Documents and Settings\Home\Cookies\home@insightexpressai[8].txt
C:\Documents and Settings\Home\Cookies\home@insightexpressai[9].txt
C:\Documents and Settings\Home\Cookies\home@media6degrees[2].txt
C:\Documents and Settings\Home\Cookies\[email protected][1].txt
C:\Documents and Settings\Home\Local Settings\Temp\Cookies\home@adinterax[2].txt
C:\Documents and Settings\Home\Local Settings\Temp\Cookies\home@adlegend[2].txt
C:\Documents and Settings\Home\Local Settings\Temp\Cookies\home@adnetserver[2].txt
C:\Documents and Settings\Home\Local Settings\Temp\Cookies\home@adultfriendfinder[2].txt
C:\Documents and Settings\Home\Local Settings\Temp\Cookies\home@atwola[1].txt
C:\Documents and Settings\Home\Local Settings\Temp\Cookies\home@insightexpressai[1].txt
C:\Documents and Settings\Home\Local Settings\Temp\Cookies\home@interclick[2].txt
C:\Documents and Settings\Home\Local Settings\Temp\Cookies\home@media6degrees[2].txt
C:\Documents and Settings\Home\Local Settings\Temp\Cookies\[email protected][1].txt
C:\Documents and Settings\Home\Local Settings\Temp\Cookies\home@sexmedo[1].txt
C:\Documents and Settings\Home\Local Settings\Temp\Cookies\home@socialmedia[1].txt
C:\Documents and Settings\Home\Local Settings\Temp\Cookies\[email protected][2].txt

Adware.180solutions/ZangoSearch
C:\Program Files\Zango\zango.exe
C:\Program Files\Zango

Adware.180solutions/Seekmo
C:\Program Files\Seekmo\seekmohook.dll
  • 0

Advertisements

#2
RatHat
Posted 07 April 2008 - 07:35 PM

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Hi there,

Welcome to GeeksToGo. My name is RatHat, and I will help you get through the process of cleaning the malware from your computer.


OK firstly, I need you to print out each post I make so that you can refer to it while we fix your computer. This is because there will be times when you are unable to be online to read my instructions, and I will want you to do everything very carefully. I also need you to follow my instructions in the order that they are given. If however, you cannot carry out one of them, please continue on with the next and let me know what you were unsuccessful with. Please ensure you turn off word wrap in Notepad. To do this, open Notepad, choose Format, then Un-check Word Wrap. (Word Wrap makes reading your log difficult).


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O20 - Winlogon Notify: byxvwwv - byxvwwv.dll (file missing)
O20 - Winlogon Notify: byxyayx - byxyayx.dll (file missing)
O20 - Winlogon Notify: xxywwvs - xxywwvs.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad files: main.txt and extra.txt
  • Use Save As to save both Notepad files to your Desktop and post them in your next reply.
Note: A copy of these files can be found in you root drive, usually C:\Deckard\System Scanner\

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


So in your next reply, please include the contents of:
  • The MBAM log
  • Combofix.txt
  • The two DSS logs
Regards,
RatHat
  • 0

#3
atwitsend32
Posted 08 April 2008 - 07:41 AM

atwitsend32

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
When I did a rescan all of the boxes that I am supposed to check are not present in the rescan...should I go ahead a check the boxes that do match?
  • 0

#4
atwitsend32
Posted 08 April 2008 - 07:42 AM

atwitsend32

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Sorry, I should have added this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:50 AM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Home\My Documents\AVG\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Home\My Documents\AVG\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.syracuse.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Documents and Settings\Home\My Documents\AVG\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Saoh] "C:\PROGRA~1\ICROSO~1.NET\mshta.exe" -vt yazb
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com...OnlineGames.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://syr.mlxchange...ectComboBox.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.h...nosticsxp2k.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1175613378046
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://syr.mlxchange...ClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://syr.mlxchange...ol/IRCSharc.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driverage...driveragent.cab
O17 - HKLM\System\CS2\Services\Tcpip\..\{0B020943-B49D-4858-AAF6-E0BFBB595ECB}: NameServer = 192.168.0.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: byxvwwv - byxvwwv.dll (file missing)
O20 - Winlogon Notify: byxyayx - byxyayx.dll (file missing)
O20 - Winlogon Notify: xxywwvs - xxywwvs.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Documents and Settings\Home\My Documents\AVG\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9384 bytes
  • 0

#5
RatHat
Posted 08 April 2008 - 07:46 AM

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Hi there,

Check the boxes that do match, then carry on with MBAM and Combofix. We can clean up any outstanding HijackThis entries later.

Regards,
RatHat
  • 0

#6
atwitsend32
Posted 08 April 2008 - 08:39 AM

atwitsend32

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
This is completed, now I have to download Combofix... I will post after results, thanks RatHat

Malwarebytes' Anti-Malware 1.11
Database version: 599

Scan type: Quick Scan
Objects scanned: 58664
Time elapsed: 20 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 17
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 8
Files Infected: 63

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d} (Adware.123Mania) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a} (Adware.123Mania) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndblock4.band.1 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{1fe2ebe5-42ff-4586-a144-ca420c84ff6a} (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d4a714f6-af40-4425-b708-ff03cbbc0a84} (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BndBlock4.Band.1 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07aa283a-43d7-4cbe-a064-32a21112d94d} (Adware.Zango) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\180searchassistant (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180solutions (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\zango (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\seekmo (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180search assistant (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\stc (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\Sysmnt (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\FLEOK (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\180searchassistant\saap.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180searchassistant\sac.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180solutions\sais.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\seekmo\seekmohook.dll (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180search assistant\180sa.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180search assistant\sau.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\stc\csv5p070.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\Sysmnt\Ssmgr.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\FLEOK\180ax.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\000080.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\000090.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\a.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\x.dat (Worm.Alcra) -> Quarantined and deleted successfully.
C:\WINDOWS\avifile32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\avisynthex32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\aviwrap32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\bokja.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\browserad.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\cdsm32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\changeurl_30.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\didduid.ini (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msa64chk.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msapasrc.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mspphe.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\123messenger.per (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mssvr.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ntnut.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\saiemod.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\salm.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\shdocpe.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\shdocpl.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\swin32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\updatetc.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\voiceip.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\winsb.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSIXU.DLL (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSNSA32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntnut32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\shdocpe.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SIPSPI32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WER8274.DLL (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\Installer\id53.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\180ax.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\2020search.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\2020search2.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\apphelp32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\asferror32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\asycfilt32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\athprxy32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ati2dvaa32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ati2dvag32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\audiosrv32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\autodisc32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\licencia.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\telefonos.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\textos.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\n.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\z.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winfrun32.bin (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Home\services.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
  • 0

#7
atwitsend32
Posted 08 April 2008 - 09:34 AM

atwitsend32

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
ComboFix 08-04-07.5 - Home 2008-04-08 11:19:47.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.122 [GMT -4:00]
Running from: C:\Documents and Settings\Home\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-08 to 2008-04-08 )))))))))))))))))))))))))))))))
.

2008-04-08 09:58 . 2008-04-08 09:58 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-08 09:58 . 2008-04-08 09:58 <DIR> d-------- C:\Documents and Settings\Home\Application Data\Malwarebytes
2008-04-08 09:58 . 2008-04-08 09:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-07 01:09 . 2008-04-07 01:09 <DIR> d-------- C:\Program Files\Panda Security
2008-04-06 21:11 . 2008-04-07 01:01 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-06 21:11 . 2008-04-06 21:11 <DIR> d-------- C:\Documents and Settings\Home\Application Data\SUPERAntiSpyware.com
2008-04-06 21:11 . 2008-04-06 21:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-06 21:10 . 2008-04-06 21:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-06 16:26 . 2008-04-06 16:26 <DIR> d-------- C:\Documents and Settings\Home\Application Data\Grisoft
2008-04-06 16:24 . 2008-04-06 16:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-06 16:24 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-05 10:01 . 2003-03-31 08:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-04-05 09:59 . 2008-04-05 10:00 91,561 --a------ C:\WINDOWS\system32\wmsdkns.exe
2008-04-01 19:59 . 2008-04-01 19:59 <DIR> d-------- C:\Program Files\Take2 Interactive
2008-03-10 10:42 . 2008-03-10 10:42 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2008-03-10 10:39 . 2008-03-10 10:44 <DIR> d-------- C:\Program Files\Free Internet Window Washer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 15:12 --------- d-----w C:\Documents and Settings\Home\Application Data\OpenOffice.org2
2008-04-06 23:58 2,955,776 ----a-w C:\WINDOWS\Internet Logs\xDB15.tmp
2008-03-30 18:30 2,186,240 ----a-w C:\WINDOWS\Internet Logs\xDB14.tmp
2008-03-30 17:00 2,821,632 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2008-03-30 17:00 2,185,216 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2008-03-28 16:07 --------- d-----w C:\Program Files\AIM
2008-03-26 14:10 --------- d-----w C:\Program Files\Yahoo!
2008-03-21 19:34 --------- d-----w C:\Documents and Settings\Home\Application Data\FrostWire
2008-03-08 03:51 --------- d-----w C:\Documents and Settings\Home\Application Data\Canon
2008-03-08 03:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-08 03:50 --------- d-----w C:\Program Files\Canon
2008-03-01 13:14 2,191,360 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2008-03-01 01:12 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-28 23:35 --------- d-----w C:\Program Files\Maxis
2008-02-24 17:31 3,521,536 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2008-02-13 11:52 7,096,111 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-02-08 23:17 --------- d-----w C:\Program Files\FrostWire
2008-02-03 01:29 1,413,120 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2008-01-29 11:19 2,675,712 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2008-01-29 11:19 2,156,544 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2008-01-08 22:55 843,776 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2008-01-08 22:55 2,138,624 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2008-01-08 22:52 164 ----a-w C:\install.dat
2008-01-05 22:45 391,680 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2008-01-05 22:45 2,136,064 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2008-01-04 16:40 2,883,584 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-01-04 16:40 2,133,504 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2007-09-08 17:01 2,017,792 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2007-07-05 18:07 1,853,952 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2007-06-16 11:45 1,773,568 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2007-05-15 23:02 1,659,904 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2007-05-09 16:01 1,637,376 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2007-04-13 21:40 1,486,848 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2007-04-03 19:10 236,704 ----a-w C:\Program Files\RS2007.exe
2007-04-03 19:10 2,807,202 ----a-w C:\Program Files\Sound card.zip
2007-04-03 19:00 25,668,710 ----a-w C:\Program Files\WDM_R164.zip
2007-04-02 00:52 661,367 ----a-w C:\Program Files\mpsetup.exe
2007-04-02 00:44 3,467,872 ----a-w C:\Program Files\registryboosteraff.exe
2007-04-01 23:07 40,738,456 ----a-w C:\Program Files\zlsSetup_70_337_000_en.exe
2007-04-01 22:01 1,085,960 ----a-w C:\Program Files\advisor.exe
2007-04-01 21:54 132,528 ----a-w C:\Program Files\SP1764.EXE
2007-03-31 14:41 113,849,647 ----a-w C:\Program Files\OOo_2.2.0_Win32Intel_install_wJRE_en-US.exe
2007-03-31 13:51 2,566,736 ----a-w C:\Program Files\spywareblastersetup351.exe
2007-03-31 13:46 18,265,688 ----a-w C:\Program Files\avinstall.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 18:45 68856]
"Saoh"="C:\PROGRA~1\ICROSO~1.NET\mshta.exe" [ ]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 10:37 2321600]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02 919280]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 09:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-13 21:05 344064]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44 61440]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 11:25 257088]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-07-08 02:33 185896]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 09:00 79224]
"!AVG Anti-Spyware"="C:\Documents and Settings\Home\My Documents\AVG\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-07-19 23:54 5361464]

C:\Documents and Settings\Home\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 17:54:56 393216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-09 18:41:38 323646]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 19:11:12 28672]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.alf2cd"= alf2cd.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\FrostWire\\FrostWire.exe"=

R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS [2007-07-19 23:42]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c15d56de-b3f6-11dc-8b1a-0013d3b9bbb6}]
\Shell\AutoRun\command - E:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e4b5822a-bccf-11dc-8b30-0013d3b9bbb6}]
\Shell\AutoRun\command - E:\autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-01 19:38:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-07 02:37:12 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1194394909.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-04-08 08:00:06 C:\WINDOWS\Tasks\wrSpySweeper_L943E8E71F14E4E678263787BB7600B06.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe>/ScheduleSweep=wrSpySweeper_L943E8E71F14E4E678263787BB7600B06
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-08 11:23:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\clb.dll 10752 bytes executable
C:\WINDOWS\system32\clbcatex.dll 110080 bytes executable
C:\WINDOWS\system32\clbcatq.dll 498688 bytes executable
C:\WINDOWS\system32\clbcfg.dat 1775 bytes
C:\WINDOWS\system32\clbdll.dll 28672 bytes executable
C:\WINDOWS\system32\drivers\clbdriver.sys 7168 bytes executable

scan completed successfully
hidden files: 6

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
.
Completion time: 2008-04-08 11:25:35
ComboFix-quarantined-files.txt 2008-04-08 15:25:24
ComboFix2.txt 2008-04-08 15:16:49
Pre-Run: 127,341,355,008 bytes free
Post-Run: 127,327,338,496 bytes free
.
2008-03-12 07:01:54 --- E O F ---


All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SM Bus Controller
Device ID: PCI\VEN_1002&DEV_4372&SUBSYS_2A24103C&REV_11\3&61AAA01&0&A0
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_1002&DEV_4372&SUBSYS_2A24103C&REV_11\3&61AAA01&0&A0
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-04-08 04:00:06 1670 --a------ C:\WINDOWS\Tasks\wrSpySweeper_L943E8E71F14E4E678263787BB7600B06.job
2008-04-01 15:38:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-02-06 22:37:12 340 --a------ C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1194394909.job


-- Files created between 2008-03-08 and 2008-04-08 -----------------------------

2008-04-08 11:25:38 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-08 10:41:27 68096 --a------ C:\WINDOWS\zip.exe
2008-04-08 10:41:27 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-08 10:41:27 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-08 10:41:27 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-08 10:41:27 98816 --a------ C:\WINDOWS\sed.exe
2008-04-08 10:41:27 80412 --a------ C:\WINDOWS\grep.exe
2008-04-08 10:41:27 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-08 10:41:26 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-08 09:58:28 0 d-------- C:\Documents and Settings\Home\Application Data\Malwarebytes
2008-04-08 09:58:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-08 09:58:00 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-07 01:09:44 0 d-------- C:\Program Files\Panda Security
2008-04-06 21:11:50 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-06 21:11:38 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-06 21:11:38 0 d-------- C:\Documents and Settings\Home\Application Data\SUPERAntiSpyware.com
2008-04-06 21:10:58 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-06 16:26:27 0 d-------- C:\Documents and Settings\Home\Application Data\Grisoft
2008-04-06 16:24:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-05 09:59:58 91561 --a------ C:\WINDOWS\system32\wmsdkns.exe <Not Verified; Microsoft; XML Media>
2008-04-01 19:59:06 0 d-------- C:\Program Files\Take2 Interactive
2008-03-10 10:42:31 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2008-03-10 10:39:24 0 d-------- C:\Program Files\Free Internet Window Washer


-- Find3M Report ---------------------------------------------------------------

2008-04-08 11:12:31 0 d-------- C:\Documents and Settings\Home\Application Data\OpenOffice.org2
2008-04-07 00:54:56 0 d-------- C:\Program Files\Common Files
2008-03-28 12:07:17 0 d-------- C:\Program Files\AIM
2008-03-26 10:10:54 0 d-------- C:\Program Files\Yahoo!
2008-03-21 15:34:14 0 d-------- C:\Documents and Settings\Home\Application Data\FrostWire
2008-03-07 23:51:55 0 d-------- C:\Documents and Settings\Home\Application Data\Canon
2008-03-07 23:50:14 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-07 23:50:06 0 d-------- C:\Program Files\Canon
2008-02-28 19:42:15 535 --a------ C:\WINDOWS\eReg.dat
2008-02-28 19:35:30 0 d-------- C:\Program Files\Maxis
2008-02-08 19:17:09 0 d-------- C:\Program Files\FrostWire
2008-01-08 18:52:23 164 --a------ C:\install.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [03/14/2007 03:43 AM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/09/2007 12:02 AM]
"AGRSMMSG"="AGRSMMSG.exe" [06/29/2004 09:06 AM C:\WINDOWS\AGRSMMSG.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/13/2005 09:05 PM]
"KBD"="C:\HP\KBD\KBD.EXE" [02/02/2005 04:44 PM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/06/2005 11:46 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/27/2007 09:41 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [04/27/2007 11:25 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 08:51 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [07/08/2007 02:33 AM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/2007 09:00 AM]
"!AVG Anti-Spyware"="C:\Documents and Settings\Home\My Documents\AVG\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 05:25 AM]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [07/19/2007 11:54 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/20/2007 06:45 PM]
"Saoh"="C:\PROGRA~1\ICROSO~1.NET\mshta.exe" []
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [03/01/2007 10:37 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/29/2008 04:03 PM]

C:\Documents and Settings\Home\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2/2/2007 5:54:56 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [4/9/2003 6:41:38 PM]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [4/9/2003 7:11:12 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c15d56de-b3f6-11dc-8b1a-0013d3b9bbb6}]
AutoRun\command- E:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e4b5822a-bccf-11dc-8b30-0013d3b9bbb6}]
AutoRun\command- E:\autorun.exe




-- End of Deckard's System Scanner: finished at 2008-04-08 11:29:52 ------------





-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type9363 / Warning
Event Submitted/Written: 04/08/2008 10:46:41 AM
Event ID/Source: 11050 / dnscache
Event Description:
The DNS Client service could not contact any DNS servers for
a repeated number of attempts. For the next 30 seconds the
DNS Client service will not use the network to avoid further
network performance problems. It will resume its normal behavior
after that. If this problem persists, verify your TCP/IP
configuration, specifically check that you have a preferred
(and possibly an alternate) DNS server configured. If the problem
continues, verify network conditions to these DNS servers or contact
your network administrator.

Event Record #/Type9352 / Warning
Event Submitted/Written: 04/08/2008 04:05:37 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0013D3B9BBB6. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type9351 / Warning
Event Submitted/Written: 04/07/2008 08:50:03 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type9350 / Warning
Event Submitted/Written: 04/07/2008 04:28:08 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type9349 / Warning
Event Submitted/Written: 04/07/2008 03:15:38 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.



-- End of Deckard's System Scanner: finished at 2008-04-08 11:29:52 ------------
  • 0

#8
RatHat
Posted 08 April 2008 - 12:26 PM

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Please uninstall the following programs:


FrostWire

  • Go to Start then Settings, then Control Panel
  • Choose Add or Remove Programs
  • Remove all of the above
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\Internet Logs\xDB15.tmp
C:\WINDOWS\Internet Logs\xDB14.tmp
C:\WINDOWS\Internet Logs\xDB12.tmp
C:\WINDOWS\Internet Logs\xDB13.tmp
C:\WINDOWS\Internet Logs\xDB11.tmp
C:\WINDOWS\Internet Logs\xDB10.tmp
C:\WINDOWS\Internet Logs\xDB9.tmp
C:\WINDOWS\Internet Logs\xDB8.tmp
C:\WINDOWS\Internet Logs\xDB7.tmp
C:\WINDOWS\Internet Logs\xDB6.tmp
C:\WINDOWS\Internet Logs\xDB5.tmp
C:\WINDOWS\Internet Logs\xDB4.tmp
C:\WINDOWS\Internet Logs\xDB3.tmp
C:\WINDOWS\Internet Logs\xDB2.tmp
C:\WINDOWS\Internet Logs\xDB1.tmp
C:\WINDOWS\Internet Logs\xDBA.tmp
C:\WINDOWS\Internet Logs\xDBB.tmp
C:\WINDOWS\Internet Logs\xDBC.tmp
C:\WINDOWS\Internet Logs\xDBD.tmp
C:\WINDOWS\Internet Logs\xDBE.tmp
C:\WINDOWS\Internet Logs\xDBF.tmp

Folder::
C:\Program Files\FrostWire

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Saoh"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
And let me know how your computer is behaving now.

Regards,
RatHat
  • 0

#9
atwitsend32
Posted 08 April 2008 - 06:17 PM

atwitsend32

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Computer seems to be a bit better, however we can not sign on to secure websites that need passwords, it says to enable cookies and they are already enabled.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:11:21 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Home\My Documents\AVG\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Home\My Documents\AVG\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.syracuse.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Documents and Settings\Home\My Documents\AVG\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com...OnlineGames.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://syr.mlxchange...ectComboBox.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.h...nosticsxp2k.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1175613378046
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://syr.mlxchange...ClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://syr.mlxchange...ol/IRCSharc.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driverage...driveragent.cab
O17 - HKLM\System\CS2\Services\Tcpip\..\{0B020943-B49D-4858-AAF6-E0BFBB595ECB}: NameServer = 192.168.0.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Documents and Settings\Home\My Documents\AVG\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8254 bytes



ComboFix 08-04-07.5 - Home 2008-04-08 17:39:25.3 - NTFSx86
Running from: C:\Documents and Settings\Home\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Home\My Documents\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\Internet Logs\xDB1.tmp
C:\WINDOWS\Internet Logs\xDB10.tmp
C:\WINDOWS\Internet Logs\xDB11.tmp
C:\WINDOWS\Internet Logs\xDB12.tmp
C:\WINDOWS\Internet Logs\xDB13.tmp
C:\WINDOWS\Internet Logs\xDB14.tmp
C:\WINDOWS\Internet Logs\xDB15.tmp
C:\WINDOWS\Internet Logs\xDB2.tmp
C:\WINDOWS\Internet Logs\xDB3.tmp
C:\WINDOWS\Internet Logs\xDB4.tmp
C:\WINDOWS\Internet Logs\xDB5.tmp
C:\WINDOWS\Internet Logs\xDB6.tmp
C:\WINDOWS\Internet Logs\xDB7.tmp
C:\WINDOWS\Internet Logs\xDB8.tmp
C:\WINDOWS\Internet Logs\xDB9.tmp
C:\WINDOWS\Internet Logs\xDBA.tmp
C:\WINDOWS\Internet Logs\xDBB.tmp
C:\WINDOWS\Internet Logs\xDBC.tmp
C:\WINDOWS\Internet Logs\xDBD.tmp
C:\WINDOWS\Internet Logs\xDBE.tmp
C:\WINDOWS\Internet Logs\xDBF.tmp
C:\WINDOWS\system32\wmsdkns.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\FrostWire
C:\Program Files\FrostWire\clink.jar
C:\Program Files\FrostWire\commons-httpclient.jar
C:\Program Files\FrostWire\commons-logging.jar
C:\Program Files\FrostWire\commons-net.jar
C:\Program Files\FrostWire\commons-pool.jar
C:\Program Files\FrostWire\daap.jar
C:\Program Files\FrostWire\FrostWire.exe
C:\Program Files\FrostWire\FrostWire.jar
C:\Program Files\FrostWire\i18n.jar
C:\Program Files\FrostWire\icu4j.jar
C:\Program Files\FrostWire\id3v2.jar
C:\Program Files\FrostWire\irc.jar
C:\Program Files\FrostWire\jcraft.jar
C:\Program Files\FrostWire\jdic.dll
C:\Program Files\FrostWire\jdic.jar
C:\Program Files\FrostWire\jdic_stub.jar
C:\Program Files\FrostWire\jl011.jar
C:\Program Files\FrostWire\jmdns.jar
C:\Program Files\FrostWire\jython.jar
C:\Program Files\FrostWire\log.txt
C:\Program Files\FrostWire\log4j.jar
C:\Program Files\FrostWire\looks.jar
C:\Program Files\FrostWire\MessagesBundles.jar
C:\Program Files\FrostWire\mp3sp14.jar
C:\Program Files\FrostWire\ProgressTabs.jar
C:\Program Files\FrostWire\SystemUtilities.dll
C:\Program Files\FrostWire\themes.jar
C:\Program Files\FrostWire\tray.dll
C:\Program Files\FrostWire\tritonus.jar
C:\Program Files\FrostWire\vorbis.jar
C:\Program Files\FrostWire\xml-apis.jar
C:\WINDOWS\Internet Logs\xDB1.tmp
C:\WINDOWS\Internet Logs\xDB10.tmp
C:\WINDOWS\Internet Logs\xDB11.tmp
C:\WINDOWS\Internet Logs\xDB12.tmp
C:\WINDOWS\Internet Logs\xDB13.tmp
C:\WINDOWS\Internet Logs\xDB14.tmp
C:\WINDOWS\Internet Logs\xDB15.tmp
C:\WINDOWS\Internet Logs\xDB2.tmp
C:\WINDOWS\Internet Logs\xDB3.tmp
C:\WINDOWS\Internet Logs\xDB4.tmp
C:\WINDOWS\Internet Logs\xDB5.tmp
C:\WINDOWS\Internet Logs\xDB6.tmp
C:\WINDOWS\Internet Logs\xDB7.tmp
C:\WINDOWS\Internet Logs\xDB8.tmp
C:\WINDOWS\Internet Logs\xDB9.tmp
C:\WINDOWS\Internet Logs\xDBA.tmp
C:\WINDOWS\Internet Logs\xDBB.tmp
C:\WINDOWS\Internet Logs\xDBC.tmp
C:\WINDOWS\Internet Logs\xDBD.tmp
C:\WINDOWS\Internet Logs\xDBE.tmp
C:\WINDOWS\Internet Logs\xDBF.tmp
C:\WINDOWS\system32\wmsdkns.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-08 to 2008-04-08 )))))))))))))))))))))))))))))))
.

2008-04-08 11:26 . 2008-04-08 11:26 <DIR> d-------- C:\Deckard
2008-04-08 09:58 . 2008-04-08 11:50 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-08 09:58 . 2008-04-08 09:58 <DIR> d-------- C:\Documents and Settings\Home\Application Data\Malwarebytes
2008-04-08 09:58 . 2008-04-08 09:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-07 01:09 . 2008-04-07 01:09 <DIR> d-------- C:\Program Files\Panda Security
2008-04-06 21:11 . 2008-04-07 01:01 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-06 21:11 . 2008-04-06 21:11 <DIR> d-------- C:\Documents and Settings\Home\Application Data\SUPERAntiSpyware.com
2008-04-06 21:11 . 2008-04-06 21:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-06 21:10 . 2008-04-06 21:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-06 16:26 . 2008-04-06 16:26 <DIR> d-------- C:\Documents and Settings\Home\Application Data\Grisoft
2008-04-06 16:24 . 2008-04-06 16:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-06 16:24 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-05 10:01 . 2003-03-31 08:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-04-01 19:59 . 2008-04-01 19:59 <DIR> d-------- C:\Program Files\Take2 Interactive
2008-03-10 10:42 . 2008-03-10 10:42 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2008-03-10 10:39 . 2008-03-10 10:44 <DIR> d-------- C:\Program Files\Free Internet Window Washer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 15:41 --------- d-----w C:\Documents and Settings\Home\Application Data\OpenOffice.org2
2008-03-28 16:07 --------- d-----w C:\Program Files\AIM
2008-03-26 14:10 --------- d-----w C:\Program Files\Yahoo!
2008-03-21 19:34 --------- d-----w C:\Documents and Settings\Home\Application Data\FrostWire
2008-03-08 03:51 --------- d-----w C:\Documents and Settings\Home\Application Data\Canon
2008-03-08 03:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-08 03:50 --------- d-----w C:\Program Files\Canon
2008-03-01 01:12 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-28 23:35 --------- d-----w C:\Program Files\Maxis
2008-02-13 11:52 7,096,111 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-01-08 22:52 164 ----a-w C:\install.dat
2007-04-03 19:10 236,704 ----a-w C:\Program Files\RS2007.exe
2007-04-03 19:10 2,807,202 ----a-w C:\Program Files\Sound card.zip
2007-04-03 19:00 25,668,710 ----a-w C:\Program Files\WDM_R164.zip
2007-04-02 00:52 661,367 ----a-w C:\Program Files\mpsetup.exe
2007-04-02 00:44 3,467,872 ----a-w C:\Program Files\registryboosteraff.exe
2007-04-01 23:07 40,738,456 ----a-w C:\Program Files\zlsSetup_70_337_000_en.exe
2007-04-01 22:01 1,085,960 ----a-w C:\Program Files\advisor.exe
2007-04-01 21:54 132,528 ----a-w C:\Program Files\SP1764.EXE
2007-03-31 14:41 113,849,647 ----a-w C:\Program Files\OOo_2.2.0_Win32Intel_install_wJRE_en-US.exe
2007-03-31 13:51 2,566,736 ----a-w C:\Program Files\spywareblastersetup351.exe
2007-03-31 13:46 18,265,688 ----a-w C:\Program Files\avinstall.exe
.

((((((((((((((((((((((((((((( snapshot@2008-04-08_11.15.47.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-08 15:04:34 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-08 15:37:23 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-08 15:04:34 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-08 15:37:23 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-04-08 15:04:34 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-08 15:37:23 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-08 15:37:32 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5a8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 18:45 68856]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 10:37 2321600]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02 919280]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 09:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-13 21:05 344064]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44 61440]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 11:25 257088]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-07-08 02:33 185896]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 09:00 79224]
"!AVG Anti-Spyware"="C:\Documents and Settings\Home\My Documents\AVG\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-07-19 23:54 5361464]

C:\Documents and Settings\Home\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 17:54:56 393216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-09 18:41:38 323646]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 19:11:12 28672]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.alf2cd"= alf2cd.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS [2007-07-19 23:42]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c15d56de-b3f6-11dc-8b1a-0013d3b9bbb6}]
\Shell\AutoRun\command - E:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e4b5822a-bccf-11dc-8b30-0013d3b9bbb6}]
\Shell\AutoRun\command - E:\autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-08 19:38:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-07 02:37:12 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1194394909.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
"2008-04-08 08:00:06 C:\WINDOWS\Tasks\wrSpySweeper_L943E8E71F14E4E678263787BB7600B06.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
- C:\
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-08 17:46:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\clb.dll 10752 bytes executable
C:\WINDOWS\system32\clbcatex.dll 110080 bytes executable
C:\WINDOWS\system32\clbcatq.dll 498688 bytes executable
C:\WINDOWS\system32\clbcfg.dat 1775 bytes
C:\WINDOWS\system32\clbdll.dll 28672 bytes executable
C:\WINDOWS\system32\drivers\clbdriver.sys 7168 bytes executable

scan completed successfully
hidden files: 6

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
.
Completion time: 2008-04-08 17:49:39
ComboFix-quarantined-files.txt 2008-04-08 21:49:25
ComboFix2.txt 2008-04-08 15:25:36
ComboFix3.txt 2008-04-08 15:16:49
Pre-Run: 127,467,921,408 bytes free
Post-Run: 127,451,668,480 bytes free
.
2008-03-12 07:01:54 --- E O F ---
  • 0

#10
RatHat
Posted 08 April 2008 - 08:00 PM

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Hi there,


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please save that report to your desktop as Smitfraud.txt, and copy/paste the content into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please run an online scan with Kaspersky WebScanner. Note: You must use Internet Explorer to run this scan.

Click the Accept button.

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display the results if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop as Kaspersky.txt.
  • Copy and paste that information in your next post.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


So in your next reply, please include:
  • The contents of the DrWeb-CureIt report
  • The contents of Smitfraud.txt
  • The contents of Kaspersky.txt
Regards,
RatHat
  • 0

Advertisements

#11
atwitsend32
Posted 08 April 2008 - 08:19 PM

atwitsend32

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
The hyperlink for ATF Clean will not allow me to download it, messages states try later.
  • 0

#12
RatHat
Posted 08 April 2008 - 08:27 PM

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Try this: Attachment removed

Note: I will remove this file after you have told me you have successfully downloaded it.
  • 0

#13
atwitsend32
Posted 09 April 2008 - 06:20 AM

atwitsend32

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Thank you RatHat, I couldnt get yours to download either so I went ahead last night with the other tasks. I did get it to download today, a bit late but still done.

here are the reports:
wmsdkns.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Fakealert.496;Deleted.;
A0181262.DLL;C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP482;Adware.Msearch.origin;Moved.;
A0199613.dll;C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505;Trojan.Virtumod.340;Deleted.;
A0199614.dll;C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505;Trojan.Juan.29;Deleted.;
A0199615.dll;C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505;Trojan.Virtumod.232;Deleted.;
A0199616.dll;C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505;Trojan.Virtumod.232;Deleted.;
A0199617.dll;C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505;Trojan.Juan.29;Deleted.;
A0199618.dll;C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505;Trojan.Juan.29;Deleted.;
A0199619.dll;C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505;Trojan.Juan.29;Deleted.;
A0199620.dll;C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505;Trojan.Juan.29;Deleted.;
A0199622.dll;C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505;Trojan.Virtumod.240;Deleted.;
A0199625.dll;C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505;Trojan.Virtumod.232;Deleted.;
A0199626.dll;C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505;Trojan.Virtumod.232;Deleted.;
A0199628.dll;C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505;Trojan.Virtumod.232;Deleted.;
A0199629.dll;C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505;Trojan.Virtumod.232;Deleted.;
A0199630.dll;C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505;Trojan.Virtumod.232;Deleted.;
A0199632.dll;C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505;Trojan.Juan.29;Deleted.;
A0199634.dll;C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505;Trojan.Virtumod.232;Deleted.;
A0199636.dll;C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505;Trojan.Juan.29;Deleted.;
A0199640.dll;C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505;Trojan.Juan.29;Deleted.;
A0199643.dll;C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505;Trojan.Juan.29;Deleted.;
A0199645.dll;C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505;Trojan.Virtumod.232;Deleted.;
A0199649.dll;C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505;Trojan.Virtumod.232;Deleted.;
A0199650.dll;C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505;Trojan.Juan.29;Deleted.;
A0199654.dll;C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505;Trojan.Juan.29;Deleted.;
A0199658.dll;C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505;Trojan.Virtumod.232;Deleted.;
A0201213.EXE;C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP507;Program.PsExec.170;Moved.;
A0201430.exe;C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP509;Trojan.Fakealert.496;Deleted.;
A0201433.EXE;C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP509;Program.PsExec.170;Moved.;
PSEXESVC.EXE;C:\WINDOWS;Program.PsExec.170;Moved.;

SmitFraudFix v2.310

Scan done at 2:10:26.12, Wed 04/09/2008
Run from C:\Documents and Settings\Home\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Home\My Documents\AVG\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Home\My Documents\AVG\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Home


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Home\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Home\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 24.92.226.40
DNS Server Search Order: 24.92.226.41

HKLM\SYSTEM\CCS\Services\Tcpip\..\{0B020943-B49D-4858-AAF6-E0BFBB595ECB}: DhcpNameServer=24.92.226.40 24.92.226.41
HKLM\SYSTEM\CS1\Services\Tcpip\..\{0B020943-B49D-4858-AAF6-E0BFBB595ECB}: DhcpNameServer=24.92.226.40 24.92.226.41
HKLM\SYSTEM\CS3\Services\Tcpip\..\{0B020943-B49D-4858-AAF6-E0BFBB595ECB}: DhcpNameServer=24.92.226.40 24.92.226.41
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.92.226.40 24.92.226.41
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.92.226.40 24.92.226.41
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=24.92.226.40 24.92.226.41


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 09, 2008 8:13:22 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/04/2008
Kaspersky Anti-Virus database records: 691719


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
F:\
G:\
H:\
I:\

Scan Statistics
Total number of scanned objects 66967
Number of viruses found 14
Number of infected objects 40
Number of suspicious objects 0
Duration of the scan process 01:00:50

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\Home\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-9-2008( 2-7-19 ).LOG Object is locked skipped

C:\Documents and Settings\Home\Application Data\Webroot\Spy Sweeper\Logs\080409020700.ses Object is locked skipped

C:\Documents and Settings\Home\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Home\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Home\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Home\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Home\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped

C:\Documents and Settings\Home\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped

C:\Documents and Settings\Home\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped

C:\Documents and Settings\Home\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Home\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Home\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Home\Local Settings\History\History.IE5\MSHist012008040920080410\index.dat Object is locked skipped

C:\Documents and Settings\Home\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Home\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Home\NTUSER.DAT.LOG Object is locked skipped

C:\Documents and Settings\Home\Shared\apoligze one republic.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped

C:\Documents and Settings\Home\Shared\shawn michales.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS02CEB15F-44B5-4B56-9A4C-032ED2385F20.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS05878991-22DF-42F4-9ABC-EF91D4806E1C.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS0928AB27-05ED-4872-9D1B-F803453BAC83.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS09CE5DB5-F76F-4799-ADC5-068FAA5B98F0.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS0B19C2CA-9F1D-4AF8-BDA9-F273A096FF4F.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS0B759529-108A-4D3A-B4B7-F5D16699C576.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS0C404188-5DC4-4297-B030-762CB65C830D.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS0E206439-258F-41CB-835C-445D52BE5732.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS15F96A40-56C5-430C-95E2-DAE0572D9750.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS16FABF9B-1B27-4752-A361-1FF4B1D6606A.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS1786E7A3-F16D-43F3-89B7-0926859E732A.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS18480CC2-9CDB-4F58-A35F-A95FAEA047CF.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS1A84DDCA-5D02-4587-9210-85DE157A8E48.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS1AFCA711-BE22-4A73-A3E8-A6D70F604393.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS1B9D39F4-F1E8-44A6-B603-61E007042FBC.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS1D57E264-EE47-449A-9DCC-B232B99BB79C.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS22C3F53F-3DCF-4EA8-A9C2-2393DFF751BF.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS2426AD61-9106-460E-82A9-B22712D71E34.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS253141FB-5067-406B-91AD-1E7E4CC07F9B.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS25DF74AC-3C8B-42B9-98D7-875AD36C6BF7.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS27F2E750-11E8-490B-ADE8-85A244F1BEB4.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS2BB8673F-845E-495E-8F23-6187B9D8F06C.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS314D4DEB-558F-410A-8669-956C69AFD8F2.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS31B1F771-D877-4CE6-8BC8-7CA74BDE45A1.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS32545E96-B36B-4A2B-83D0-0FA30CFFE25C.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS32BB5D2D-8F87-4479-8D41-F2E08E830F79.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS35C3093D-517E-44B0-8672-E07F7DDD12A2.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS3D12BCD8-48E4-4B2C-8576-45AC7E9157F7.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS3D6782BA-768D-4928-826D-7033FEDF3B15.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS3DC314D4-BF80-4FFD-868E-DD5AEEB24D3D.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS41AECE92-438B-4499-BE26-6B5E1A32C5A8.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS45481B73-05B8-42CF-9201-ED41740D9CE3.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS47E913A5-64FF-4365-B4C6-A3D87E4FCE51.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS4A988325-F3C9-42F9-8BAF-D13A17002398.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS4B54E182-103A-47F2-923F-9A14A0B7538C.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS4BBB08AA-6D46-4E1D-8A03-90B2E9051233.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS50460316-37FD-406E-8646-989232D7DA21.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS53D646BB-A682-4363-BB65-9D4EBF18D39B.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS5729C18F-F432-4783-BF23-C049C82DD23F.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS57DD38E9-8CF6-41FF-91A6-98D50601D7F5.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS58180E4A-82A6-4F61-B599-CEEC7B41354F.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS6DAA0FF6-F453-432A-9978-625946B98009.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS72382351-9984-47E1-8EB3-5DDA05309C6F.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS7392D5B2-49EF-4D36-ACFD-A50C6CE3C2ED.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS7BAAF617-FBC4-44F1-AAC3-BFFC3EDE790C.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS7E6AA781-D6AA-4A12-90C4-90E2ED7FD9D2.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS7F4C9415-D52A-47A4-BBF1-ED23C36D8320.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS80D066BE-B97E-432C-BF0B-22E0B257A255.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS830EA27B-30D4-43CA-B5D2-A4223F506A74.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS846C1A8C-1A5F-4A51-A914-3DED8877A4EC.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS84ADD845-A72A-4823-BCC9-0E266E4DBF4F.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS84F2A576-28E9-4D24-93AD-593CFD94C4EF.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS8651C2F8-5154-4207-85C8-69FCE5378789.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS8A943AAA-5885-40D8-8326-9AAEB50873D0.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS8DE395DC-C6FA-454B-92D5-410AC4AB8621.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS90766F95-8BB3-4C24-987D-BBE66D53F8F6.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS90F39366-D91A-4365-BFED-97B7C8B1A8ED.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS930C8505-6D4F-4EC9-88A5-B4AFF9F21B02.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS935D118C-C209-42D1-BC8A-4D986A1E293A.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS93C94F5D-02C2-4D79-9694-0D521DC632A6.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSA278CAEB-5CB4-4C85-A351-36C078591C26.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSA2CDCDB6-C809-4840-9F9D-FD902A7E264E.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSA7262D0D-3A69-4D15-BC7A-A31CA53A9A78.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSB6708A91-E017-4EE8-8714-43C32B862707.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSB88B4B52-5F3C-4471-A53A-AF54C9013898.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSB99F095E-69D4-42C8-84D2-49CFD7737673.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSBFD6EFBC-524A-4313-8C35-B22372A7D42E.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSC0AD2D68-46A4-4EC6-A3AC-19AB3EEDBB35.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSC16AC43D-A8FD-428E-B954-6F304DFDE19F.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSC657FCF2-24C4-43A0-B979-9872339FC06F.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSC6C18378-E563-419A-9900-D3B6B27B974E.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSC6EF0E97-CE99-4E72-8CC9-23C18391B079.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSC949C11C-6BF3-4AD9-B750-B30D62D8D036.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSC959BE48-BCAC-404F-8125-E68200AD402C.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSC99BF7B2-4892-450D-B49B-4AE06FAB25B2.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSCC512546-8CF2-446A-BDD7-20ECBF3F7012.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSCE9B0F03-8E42-433B-8CB9-98BD651D6BA2.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSCF1DBCEA-11C2-4710-8499-2B88C5925A62.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSCF355306-895B-43A6-8AFA-1665BA47A6F2.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSD168893D-8321-4904-83AC-955F6FB4D42A.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSD2250A08-EDE9-4422-82A8-B90BBFBBB33C.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSD3FBE280-FE0C-45C4-999F-712517D143A7.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSDB1A426A-507C-4734-B197-5D8A5107A801.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSDCEA23E6-A29D-40A6-8594-B2B5E1A55A2B.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSDCEEB676-6DB3-4BCA-B6E2-E6BDE7E74EF0.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSE78154E5-E54A-431A-A429-3BA6F108F00F.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSF03A67BE-F75C-427E-80E8-8BE7AFCC7D18.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSF2899992-54B3-4208-BE1B-DB789171D0B8.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSFB84ACD2-ACEA-49FA-9D97-E226D3DF133E.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped

C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak Object is locked skipped

C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped

C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped

C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\default.htm.vir Infected: not-virus:Hoax.HTML.Secureinvites.b skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP502\A0191778.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.AdBand.q skipped

C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP502\A0191778.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.bgv skipped

C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP502\A0191778.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Agent.aev skipped

C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP502\A0191778.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.aev skipped

C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP502\A0191778.exe NSIS: infected - 4 skipped

C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505\A0199621.dll Infected: Packed.Win32.Monder.gen skipped

C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505\A0199623.dll Infected: Packed.Win32.Monder.gen skipped

C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505\A0199624.dll Infected: Packed.Win32.Monder.gen skipped

C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505\A0199627.dll Infected: Backdoor.Win32.Agent.dlj skipped

C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505\A0199631.dll Infected: Packed.Win32.Monder.gen skipped

C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505\A0199633.dll Infected: Packed.Win32.Monder.gen skipped

C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505\A0199635.dll Infected: Packed.Win32.Monder.gen skipped

C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505\A0199637.dll Infected: Packed.Win32.Monder.gen skipped

C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505\A0199639.dll Infected: Packed.Win32.Monder.gen skipped

C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505\A0199641.dll Infected: Packed.Win32.Monder.gen skipped

C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505\A0199642.dll Infected: Trojan.Win32.Pakes.bwd skipped

C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505\A0199644.dll Infected: Backdoor.Win32.Agent.dlj skipped

C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505\A0199646.dll Infected: Backdoor.Win32.Agent.dlj skipped

C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505\A0199647.dll Infected: Packed.Win32.Monder.gen skipped

C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505\A0199648.dll Infected: Packed.Win32.Monder.gen skipped

C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505\A0199651.dll Infected: Packed.Win32.Monder.gen skipped

C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505\A0199652.dll Infected: Packed.Win32.Monder.gen skipped

C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505\A0199653.dll Infected: Packed.Win32.Monder.gen skipped

C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505\A0199655.dll Infected: Packed.Win32.Monder.gen skipped

C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505\A0199656.dll Infected: Packed.Win32.Monder.gen skipped

C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP505\A0199657.dll Infected: Backdoor.Win32.Agent.dlj skipped

C:\System Volume Information\_restore{45F331F7-3889-4584-8184-B61259B10987}\RP509\change.log Object is locked skipped

C:\temp\OHOWu1125.exe/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped

C:\temp\OHOWu1125.exe/data0003 Infected: not-a-virus:AdWare.Win32.Agent.co skipped

C:\temp\OHOWu1125.exe/data0004 Infected: Trojan-Downloader.Win32.Small.gwf skipped

C:\temp\OHOWu1125.exe/data0005/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped

C:\temp\OHOWu1125.exe/data0005 Infected: not-a-virus:AdWare.Win32.TTC.a skipped

C:\temp\OHOWu1125.exe/data0006 Infected: Trojan.Win32.Pakes.bvs skipped

C:\temp\OHOWu1125.exe NSIS: infected - 6 skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped

C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped

C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped

C:\WINDOWS\Internet Logs\MINE.ldb Object is locked skipped

C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped

C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_5b0.dat Object is locked skipped

C:\WINDOWS\Temp\ZLT045f8.TMP Object is locked skipped

C:\WINDOWS\Temp\ZLT073ed.TMP Object is locked skipped

C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
  • 0

#14
RatHat
Posted 09 April 2008 - 07:03 AM

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Documents and Settings\Home\Shared\apoligze one republic.mp3
C:\Documents and Settings\Home\Shared\shawn michales.mp3
C:\temp\OHOWu1125.exe


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Open Notepad, and copy everything in the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy).
  • Save the Notepad file to your Desktop as OTM.txt.
  • Close OTMoveIt
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please include the contents of OTM.txt in your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


OK, lets do a bit of a tune up of your machine.

Firstly, lets get rid of all the old prefetch files, that could be slowing things down a bit:

Click Start then Run, type prefetch then press enter. Click Edit then Select All, (all files will highlight), right click any file, click delete, confirm. This will empty all the old prefetch files, and Windows will rebuild the new ones that it needs. If you want to find out more about what Prefetch does, click here.

Now, lets run Disk Cleanup:

Click Start then All Programmes, then Accessories, then system tools. Locate Disk Cleanup and click to run it. Clean all your drives, then reboot your computer.

Next run a defrag: Start then All Programmes, then Accessories, then system tools. Locate Disk Defragmenter and click to run it. Highlight a drive, and click Defragment. Repeat for each of your drives.

Another good way to improve the speed of your computer is by downloading and installing Tune-Up Utilities.

Run Tune Up disc clean up

Run Tune Up registry clean up

Disable the anti virus programme then click Optimize and Improve to run Reg Defrag, the screen will lose colour during the process which can take a few minutes and then needs a reboot

Check the anti virus programme is running

Those will have cleared the drive of obsolete software errors

These are suggestions for making the most of the free trial

Click optimize and improve then system optimizer to optimize the computer, select computer with an internet connection from the drop down menu, this also requires a reboot

After the reboot, click optimize then system optimizer to accelerate downloads, select the speed just above your actual connection speed, this requires a reboot.

After the reboot, click optimize then system optimizer to run system advisor.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


So in your next reply, please post me the contents of OTM.txt, a fresh HijackThis log, and let me know how your computer is performing now.


Regards,
RatHat
  • 0

#15
atwitsend32
Posted 09 April 2008 - 07:45 AM

atwitsend32

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hello RedHat, here is the OTM text
C:\Documents and Settings\Home\Shared\apoligze one republic.mp3 moved successfully.
C:\Documents and Settings\Home\Shared\shawn michales.mp3 moved successfully.
C:\temp\OHOWu1125.exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04092008_094228
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP