" Warning: Spyware threat has been detected on your pc" [RES


This topic is locked

#1
learning fast
New Member
6 posts
Hi,

I would be grateful for any help offered on the problem described below. I have spent a number of days working to resolve this continuing problem following the advice and solutions that appeared relevant on your forum, and in the process I believe eradicated a number of other problems such as browser hijacking, popups, viruses, trojans, and keystroke loggers. I also managed to resolve my Task Manager being hijacked using a very handy utility from your forum if memory serves me correctly.

The Current Unresolved Problem: The following message in yellow and white text has forced itself onto my desktop, and has also turned my desktop background plain sky blue (which is different from the default XP background).

" Warning: Spyware threat has been detected on your pc

Your computer has several fatal errors due to spyware activity.
It is strongly recommended to install an antispyware software to close all security vulnerabilities
Anttispyware software helps protect your PC against spyware and other security threats.

click here to scan your pc for spyware..."

Incidentally it appears similar to the problem recounted by jsharrison Mar 24 2008, 12:58 PM, on this forum, but has not been resolved by my running SDFix, nor Kaspersky (I used a locally installed version of Kaspersky Anti-Virus Ver. 7.0.1.325), nor Deckard's System Scanner downloaded and run today.

Actions taken so far.
Read your forum instructions and pre-posting advice, and have done my level best to follow them and action them.

Data fully backed up.
XP recovery console installed.
ATF Cleaner run
CCleaner run
System Restore point created using XP system tools & older ones flushed.
Zone Alarm installed and running
AVG Anti-Spyware for XP installed locally and running, and a scan also run in safe mode, then rebooted to normal mode.
Kaspersky Antivirus installed locally and running
SuperAntispyware Home Edition and complete scan done.
Panda Software's ActiveScan Pro run
Windows Update and all security patches installed for SP2
Latest version of Java installed, old versions uninstalled.
SDFix run.
Reboot tests...quite a lot after all the above.
HijackThis installed
Deckard's System Scanner v20071014.68 (The partial log is shown at the bottom of this post, but is truncated, as whilst I can paste it in full, it does not appear in full once I have pressed 'complete edit' in this post. I tried a number of times without getting the full paste to stick)

Downloaded ComboFix and installed it on the desktop, and it appears as a red button with an X. Before double clicking it to run, I disabled Kaspersky, ZoneAlarm, and AVG from running. ComboFix ran only for a brief second, putting up a small command style screen for a few seconds. It then did not appear to do much. My PC did not go off or reboot itself. Tried running it from safe mode, and again a brief command screen appeared, and disappeared in about 2 seconds. As nothing appeared to be happening, I restarted in normal mode.

I hope the foregoing helps you help me resolve the issue, and I apologise in advance for any variance from your recommended procedure. I notice that conflicts can occur with different antivirus protections, and I point out that I have AVG, Kaspersky, and ZoneAlarm currently installed and running alongside each other, as well as SuperAntispyware. I guess you might soon be needing me to disable or uninstall at least one or two of these.

Finally I should point out that the following directories C:XPCD and C:XPSP2 contain XP 'install' files downloaded AFTER the current infection, so as to allow me to create an XP Recovery Console, and as such I do not know if they can yet be deleted, but unfortunately they have added considerably to my malware scanning times since their creation.

Thanks in advance.

So here is the Hijack log (updated using forum edit 08/04/2008 09:56:00)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:51:10, on 08/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\mgabg.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\WINDOWS\system32\PDesk\PDesk.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\SPEEDB~1\VideoAccelerator.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.moneyam.com/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - (no file)
O2 - BHO: Ask Search Assistant BHO - {0A94B111-4504-4e26-AB05-E61E474AA38B} - (no file)
O2 - BHO: (no name) - {72C7F75B-B10B-4477-A687-EF10300DE5DD} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {F4D76F09-7896-458a-890F-E1F05C46069F} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\system32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase2895.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1140454521275
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoft...5/asproinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup163.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...203/mcfscan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O21 - SSODL: AlrtCD - {c1ffb664-3e69-4682-86b5-d3b58c3a6b35} - C:\WINDOWS\Installer\{c1ffb664-3e69-4682-86b5-d3b58c3a6b35}\AlrtCD.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\system32\mgabg.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: VideoAcceleratorEngine - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 9514 bytes


********************************************************************************
Hijack Uninstall List

4oD
Adobe Reader 8.1.2
Adobe® Photoshop® Album Starter Edition 3.2
AVG Anti-Spyware 7.5
Capture Express
CCleaner (remove only)
Cimaware OfficeFIX 6
C-Media WDM Audio Driver
Download Accelerator Plus (DAP)
E*TRADE Professional V2
FinePixViewer Ver.3.2
FUJIFILM USB Driver
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows XP (KB915865)
Intel® 536EP Modem
Intel® Extreme Graphics 2 Driver
IObit SmartDefrag Beta4.03
Java™ 6 Update 5
Kaspersky Anti-Virus 7.0
Kaspersky Anti-Virus 7.0
Kaspersky Online Scanner
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Flash Player
Malwarebytes' Anti-Malware
Marketmaker CFD-FX Client
Matrox Graphics Software (remove only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
Nikon Message Center
Panda ActiveScan
Panda ActiveScan 2.0
Panda ActiveScan Pro
PE Builder 3.1.10a
Picture Package
PictureProject
PictureProject In Touch Downloader 1.0
Realtek AC'97 Audio
RegistryCleanFixer2008
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Sony USB Driver
SpeedBit Video Accelerator
SUPERAntiSpyware Free Edition
Temperature Converter
TuneUp Utilities 2008
Updata Application Suite
Update for Windows XP (KB894391)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
ZoneAlarm Pro

********************************************************************************
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/07/2008 at 00:46 AM

Application Version : 4.0.1154

Core Rules Database Version : 3432
Trace Rules Database Version: 1424

Scan type : Complete Scan
Total Scan Time : 01:06:21

Memory items scanned : 353
Memory threats detected : 1
Registry items scanned : 5228
Registry threats detected : 1
File items scanned : 91099
File threats detected : 21

Trojan.Unclassified/Multi-Dropper (Packed)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\HOZGHKTE\BOXYZORI.EXE
[tWLWGwTiEi] C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\HOZGHKTE\BOXYZORI.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\HOZGHKTE\BOXYZORI.EXE

Adware.Tracking Cookie
C:\Documents and Settings\New User\Cookies\[email protected][1].txt
C:\Documents and Settings\New User\Cookies\[email protected][2].txt
C:\Documents and Settings\New User\Cookies\[email protected][2].txt
C:\Documents and Settings\New User\Cookies\[email protected][2].txt
C:\Documents and Settings\New User\Cookies\[email protected][2].txt
C:\Documents and Settings\New User\Cookies\[email protected][2].txt
C:\Documents and Settings\New User\Cookies\[email protected][1].txt
C:\Documents and Settings\New User\Cookies\[email protected][2].txt
C:\Documents and Settings\New User\Cookies\[email protected][1].txt
C:\Documents and Settings\New User\Cookies\[email protected][1].txt
C:\Documents and Settings\New User\Cookies\[email protected][1].txt
C:\Documents and Settings\New User\Cookies\[email protected][1].txt
C:\Documents and Settings\New User\Cookies\[email protected][1].txt
C:\Documents and Settings\New User\Cookies\[email protected][1].txt
C:\Documents and Settings\New User\Cookies\[email protected][1].txt
C:\Documents and Settings\New User\Cookies\[email protected][1].txt
C:\Documents and Settings\New User\Cookies\[email protected][1].txt
C:\Documents and Settings\New User\Cookies\[email protected][1].txt
C:\Documents and Settings\New User\Cookies\[email protected][1].txt

Trojan.Unclassified/Multi-Dropper
C:\SYSTEM VOLUME INFORMATION\_RESTORE{882E65C6-9F8F-4959-8664-44854799AA57}\RP13\A0007047.EXE
********************************************************************************
AVG Anti-Spyware (strangely, no reports are available under their 'reports' menu). This does not seem right, although the status shows 14 detected malware, with 0 in quarantine, and the message 'Everything OK'.
********************************************************************************

Panda ActiveScan infection report. The last scan took around 4 hours, and involved more than 600K items. I am using the Pro version, and am awaiting help from Panda support with logging back in.

[Sorry the formatting of the Panda text below is not very good or that easy to read... hope that is not a problem for you]

ANALYSIS: 2008-04-07 15:42:47
PROTECTIONS: 1
MALWARE: 1
SUSPECTS: 0
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
Kaspersky Anti-Virus 7.0.1.325 Yes Yes
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\New User\Cookies\[email protected][1].txt
;===============================================================================
SUSPECTS
Sent Location

VULNERABILITIES
Id Severity Description
182048 HIGH MS07-69 qw
176382 HIGH MS07-057 qw
170906 HIGH MS07-045 qw
170904 HIGH MS07-043 qw
164913 HIGH MS07-033 qw
160623 HIGH MS07-027 qw
150253 HIGH MS07-016



********************************************************************************

SDFix: Version 1.167
Run by New User on 07/04/2008 at 19:37

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Program Files\akl\akl.dll - Deleted
C:\Program Files\akl\akl.exe - Deleted
C:\Program Files\akl\uninstall.exe - Deleted
C:\Program Files\akl\unsetup.exe - Deleted
C:\WINDOWS\iTunesMusic.exe - Deleted
C:\WINDOWS\rs.txt - Deleted



Folder C:\Program Files\akl - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-07 19:52:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\DAP\\DAP.exe"="C:\\Program Files\\DAP\\DAP.exe:*:Enabled:Download Accelerator Plus (DAP)"
"C:\\Program Files\\Abacast\\Abaclient.exe"="C:\\Program Files\\Abacast\\Abaclient.exe:*:Enabled:Abaclient"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\SpeedBit Video Accelerator\\VideoAcceleratorEngine.exe"="C:\\Program Files\\SpeedBit Video Accelerator\\VideoAcceleratorEngine.exe:*:Enabled:VideoAcceleratorEngine"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe"="C:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe:*:Enabled:VideoAccelerator"
"C:\\kav\\kav7.0\\english\\setup.exe"="C:\\kav\\kav7.0\\english\\setup.exe:*:Disabled:Kaspersky Anti-Virus 7.0 Setup"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 27 Mar 2008 211 A.SH. --- "C:\BOOT.BAK"

[Added note by 'fast learner': there are a number of very old data files (around 50), which precede this infection by many months, that were reported as files with hidden attributes, but they have been excluded from this report for privacy reasons as they have identifying file names]
********************************************************************************
Deckard's System Scanner v20071014.68
Run by New User on 2008-04-07 19:11:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-04-07 18:11:38 UTC - RP20 - Deckard's System Scanner Restore Point
1: 2008-04-07 06:50:27 UTC - RP19 - System Restore Point 7th April 2008


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as New User.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:12:32, on 07/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\mgabg.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\WINDOWS\system32\PDesk\PDesk.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\SPEEDB~1\VideoAccelerator.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\DAP\DAP.EXE
C:\Documents and Settings\New User\My Documents\My Completed Downloads\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\New User.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.moneyam.com/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - (no file)
O2 - BHO: Ask Search Assistant BHO - {0A94B111-4504-4e26-AB05-E61E474AA38B} - (no file)
O2 - BHO: (no name) - {72C7F75B-B10B-4477-A687-EF10300DE5DD} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {F4D76F09-7896-458a-890F-E1F05C46069F} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\system32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase2895.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1140454521275
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoft...5/asproinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup163.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...203/mcfscan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O21 - SSODL: AlrtCD - {c1ffb664-3e69-4682-86b5-d3b58c3a6b35} - C:\WINDOWS\Installer\{c1ffb664-3e69-4682-86b5-d3b58c3a6b35}\AlrtCD.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\system32\mgabg.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: VideoAcceleratorEngine - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 9577 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 cdrbsvsd - c:\windows\system32\drivers\cdrbsvsd.sys <Not Verified; B.H.A Corporation; B's Recorder GOLD7>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R2 sbbotdi - c:\program files\speedbit video accelerator\sbbotdi.sys <Not Verified; SpeedBit Ltd.; Speedbit TDI Driver>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 AC2003 - c:\windows\system32\drivers\ac2003.sys <Not Verified; ABIT Computer Corp.; AC2003 Device Driver>
S3 AmeAtmPc - c:\windows\system32\drivers\ameatmpc.sys (file missing)
S3 CnxTrLan (Zoom USB Network Adapter Driver) - c:\windows\system32\drivers\cnxtrlan.sys (file missing)
S3 CnxTrUsb (Zoom USB Network Interface Device Driver) - c:\windows\system32\drivers\cnxtrusb.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E968-E325-11CE-BFC1-08002BE10318}
Description: Intel® 82865G Graphics Controller
Device ID: PCI\VEN_8086&DEV_2572&SUBSYS_25721849&REV_02\3&267A616A&0&10
Manufacturer: Intel Corporation
Name: Intel® 82865G Graphics Controller
PNP Device ID: PCI\VEN_8086&DEV_2572&SUBSYS_25721849&REV_02\3&267A616A&0&10
Service: ialm


-- Scheduled Tasks -------------------------------------------------------------

2008-04-07 18:00:09 448 --a------ C:\WINDOWS\Tasks\ParetoLogic Registration.job
2008-04-07 15:38:16 370 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2008-04-07 03:30:00 416 --a------ C:\WINDOWS\Tasks\ErrorKiller Scheduled Scan.job
2008-03-30 22:00:02 352 --a------ C:\WINDOWS\Tasks\SmartDefrag.job
2008-03-07 18:58:02 382 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job


-- Files created between 2008-03-07 and 2008-04-07 -----------------------------

2008-04-07 11:49:36 0 d-------- C:\Program Files\Panda Security
2008-04-07 07:35:01 0 dr-h----- C:\Documents and Settings\New User\Recent
2008-03-30 01:36:19 69632 --a------ C:\WINDOWS\system32\asprouni.exe <Not Verified; Panda Software; Panda Software ASPRODesinstalador>
2008-03-30 01:35:38 0 d-------- C:\WINDOWS\system32\ASPRO
2008-03-29 12:31:42 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-03-28 21:43:37 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-28 21:43:25 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-03-28 21:43:25 0 d-------- C:\Documents and Settings\New User\Application Data\SUPERAntiSpyware.com
2008-03-28 18:02:50 0 d-------- C:\Documents and Settings\New User\Application Data\Grisoft
2008-03-28 16:31:59 0 d-------- C:\Program Files\Java
2008-03-28 16:31:57 0 d-------- C:\Program Files\Common Files\Java
2008-03-28 11:22:26 0 d-------- C:\Program Files\Trend Micro
2008-03-28 02:11:35 0 d-------- C:\Documents and Settings\New User\Application Data\Malwarebytes
2008-03-28 02:11:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-28 02:11:09 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-28 01:40:08 0 dr-hs---- C:\cmdcons
2008-03-28 01:39:45 0 d-------- C:\WINDOWS\setupupd
2008-03-27 20:30:52 0 d-------- C:\WINDOWS\Prefetch
2008-03-27 19:48:12 0 d-------- C:\WINDOWS\setup.pss
2008-03-27 16:53:23 0 d-------- C:\XPCD
2008-03-27 15:22:24 0 d-------- C:\XPSP2
2008-03-27 12:45:03 0 d-------- C:\Program Files\IObit
2008-03-27 12:12:06 0 d-------- C:\Program Files\CCleaner
2008-03-26 21:49:48 0 d-------- C:\pebuilder3110a
2008-03-26 01:40:04 91700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-03-26 01:40:04 85860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-03-26 01:39:12 421920 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-03-26 01:39:12 10502944 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-26 01:39:12 0 d-------- C:\Program Files\Kaspersky Lab
2008-03-26 01:28:57 0 d-------- C:\kav
2008-03-26 00:15:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-26 00:15:31 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-25 23:26:07 0 d-------- C:\Program Files\RegistryCleanFixer2008
2008-03-25 21:26:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-25 17:19:15 4096 --a------ C:\WINDOWS\system32winlogonpc.exe
2008-03-25 17:19:14 4096 --a------ C:\WINDOWS\userconfig9x.dll
2008-03-25 17:19:14 4096 --a------ C:\WINDOWS\system32hoproxy.dll
2008-03-25 17:19:14 4096 --a------ C:\WINDOWS\FVProtect.exe
2008-03-25 17:19:13 4096 --a------ C:\WINDOWS\system32taack.exe
2008-03-25 17:19:13 4096 --a------ C:\WINDOWS\system32taack.dat
2008-03-25 17:19:13 4096 --a------ C:\WINDOWS\system32sncntr.exe
2008-03-25 17:19:13 4096 --a------ C:\WINDOWS\system32mwin32.exe
2008-03-25 17:19:13 4096 --a------ C:\WINDOWS\system32hxiwlgpm.exe
2008-03-25 17:19:13 4096 --a------ C:\WINDOWS\system32hxiwlgpm.dat
2008-03-25 17:19:13 4096 --a------ C:\WINDOWS\a.bat
2008-03-25 17:19:12 4096 --a------ C:\WINDOWS\iTunesMusic.exe
2008-03-25 17:19:12 0 d-------- C:\Documents and Settings\New User\Desktopvirii
2008-03-25 17:19:11 4096 --a------ C:\WINDOWS\system32psoft1.exe
2008-03-25 17:19:11 4096 --a------ C:\WINDOWS\system32psof1.exe
2008-03-25 17:19:11 4096 --a------ C:\WINDOWS\system32ps1.exe
2008-03-25 17:19:11 4096 --a------ C:\WINDOWS\system32msnbho.dll
2008-03-25 17:19:11 4096 --a------ C:\WINDOWS\system32bsva-egihsg52.exe
2008-03-25 17:19:10 4096 --a------ C:\WINDOWS\system32ssurf022.dll
2008-03-25 17:19:10 0 d-------- C:\WINDOWS\system32smp
2008-03-25 17:19:10 4096 --a------ C:\WINDOWS\system32netode.exe
2008-03-25 17:19:10 4096 --a------ C:\WINDOWS\system32medup020.dll
2008-03-25 17:19:10 4096 --a------ C:\WINDOWS\system32medup012.dll
2008-03-25 17:19:09 4096 --a------ C:\WINDOWS\system32temp#01.exe
2008-03-25 17:19:09 4096 --a------ C:\WINDOWS\system32mtr2.exe
2008-03-25 17:19:09 4096 --a------ C:\WINDOWS\system32msgp.exe
2008-03-25 17:19:08 4096 --a------ C:\WINDOWS\[email protected]@@k.dll
2008-03-25 17:19:08 4096 --a------ C:\WINDOWS\system32dpcproxy.exe
2008-03-25 17:19:07 4096 --a------ C:\WINDOWS\system32ssvchost.exe
2008-03-25 17:19:07 4096 --a------ C:\WINDOWS\system32ssvchost.com
2008-03-25 17:19:07 4096 --a------ C:\WINDOWS\system32regm64.dll
2008-03-25 17:19:07 4096 --a------ C:\WINDOWS\system32regc64.dll
2008-03-25 17:19:07 4096 --a------ C:\WINDOWS\system32msvchost.exe
2008-03-25 17:19:07 4096 --a------ C:\Documents and Settings\New User\Desktopfilemanagerclient.exe
2008-03-25 17:19:06 4096 --a------ C:\WINDOWS\system32thun32.dll
2008-03-25 17:19:06 4096 --a------ C:\WINDOWS\system32thun.dll
2008-03-25 17:19:06 4096 --a------ C:\WINDOWS\system32Rundl1.exe
2008-03-25 17:19:06 4096 --a------ C:\Documents and Settings\New User\DesktopFWebdEditor.exe
2008-03-25 17:19:06 4096 --a------ C:\Documents and Settings\New User\Desktopfwebd.exe
2008-03-25 17:19:05 4096 --a------ C:\WINDOWS\system32vcatchpi.dll
2008-03-25 17:19:05 4096 --a------ C:\WINDOWS\system32newsd32.exe
2008-03-25 17:19:05 4096 --a------ C:\WINDOWS\system32emesx.dll
2008-03-25 17:19:05 4096 --a------ C:\WINDOWS\system32anticipator.dll
2008-03-25 17:19:05 4096 --a------ C:\WINDOWS\system32akttzn.exe
2008-03-25 17:19:04 4096 --a------ C:\WINDOWS\winsystem.exe
2008-03-25 17:19:04 4096 --a------ C:\WINDOWS\system32WINWGPX.EXE
2008-03-25 17:19:04 4096 --a------ C:\WINDOWS\system32winsystem.exe
2008-03-25 17:19:04 4096 --a------ C:\WINDOWS\system32sysreq.exe
2008-03-25 17:19:04 4096 --a------ C:\WINDOWS\system32mssecu.exe
2008-03-25 17:19:04 4096 --a------ C:\WINDOWS\system32bdn.com
2008-03-25 17:19:04 4096 --a------ C:\WINDOWS\system32awtoolb.dll
2008-03-25 17:19:04 4096 --a------ C:\WINDOWS\mssecu.exe
2008-03-25 17:19:04 4096 --a------ C:\WINDOWS\bdn.com
2008-03-25 17:19:03 4096 --a------ C:\WINDOWS\system32vbsys2.dll
2008-03-25 17:19:03 0 d-------- C:\Program Files\akl
2008-03-25 17:17:23 0 d-------- C:\Documents and Settings\All Users\Application Data\hozghkte


-- Find3M Report ---------------------------------------------------------------

2008-03-30 09:55:13 0 d-------- C:\Program Files\SpeedBit Video Accelerator
2008-03-30 09:50:38 0 d-------- C:\Program Files\Kontiki
2008-03-30 09:48:51 0 d-------- C:\Program Files\Google
2008-03-30 09:48:40 0 d-------- C:\Program Files\DAP
2008-03-30 02:01:59 0 d-------- C:\Program Files\MSN Messenger
2008-03-28 21:42:18 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-28 16:31:57 0 d-------- C:\Program Files\Common Files
2008-03-28 14:34:38 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-03-27 20:19:05 23348 --a------ C:\WINDOWS\sy

Edited by learning fast, 08 April 2008 - 06:34 AM.

  • 0


#2
JSntgRvr

    Global Moderator

  • 10,961 posts
Hi, learning fast :)

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - (no file)
O2 - BHO: Ask Search Assistant BHO - {0A94B111-4504-4e26-AB05-E61E474AA38B} - (no file)
O2 - BHO: (no name) - {72C7F75B-B10B-4477-A687-EF10300DE5DD} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - (no file)
O21 - SSODL: AlrtCD - {c1ffb664-3e69-4682-86b5-d3b58c3a6b35} - C:\WINDOWS\Installer\{c1ffb664-3e69-4682-86b5-d3b58c3a6b35}\AlrtCD.dll (file missing)
Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

Close HiJackThis.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32winlogonpc.exe
    C:\WINDOWS\userconfig9x.dll
    C:\WINDOWS\system32hoproxy.dll
    C:\WINDOWS\FVProtect.exe
    C:\WINDOWS\system32taack.exe
    C:\WINDOWS\system32taack.dat
    C:\WINDOWS\system32sncntr.exe
    C:\WINDOWS\system32mwin32.exe
    C:\WINDOWS\system32hxiwlgpm.exe
    C:\WINDOWS\system32hxiwlgpm.dat
    C:\WINDOWS\a.bat
    C:\WINDOWS\iTunesMusic.exe
    C:\WINDOWS\system32psoft1.exe
    C:\WINDOWS\system32psof1.exe
    C:\WINDOWS\system32ps1.exe
    C:\WINDOWS\system32msnbho.dll
    C:\WINDOWS\system32bsva-egihsg52.exe
    C:\WINDOWS\system32ssurf022.dll
    C:\WINDOWS\system32netode.exe
    C:\WINDOWS\system32medup020.dll
    C:\WINDOWS\system32medup012.dll
    C:\WINDOWS\system32temp#01.exe
    C:\WINDOWS\system32mtr2.exe
    C:\WINDOWS\system32msgp.exe
    C:\WINDOWS\[email protected]@@k.dll
    C:\WINDOWS\system32dpcproxy.exe
    C:\WINDOWS\system32ssvchost.exe
    C:\WINDOWS\system32ssvchost.com
    C:\WINDOWS\system32regm64.dll
    C:\WINDOWS\system32regc64.dll
    C:\WINDOWS\system32msvchost.exe
    C:\Documents and Settings\New User\Desktopfilemanagerclient.exe
    C:\WINDOWS\system32thun32.dll
    C:\WINDOWS\system32thun.dll
    C:\WINDOWS\system32Rundl1.exe
    C:\Documents and Settings\New User\DesktopFWebdEditor.exe
    C:\Documents and Settings\New User\Desktopfwebd.exe
    C:\WINDOWS\system32vcatchpi.dll
    C:\WINDOWS\system32newsd32.exe
    C:\WINDOWS\system32emesx.dll
    C:\WINDOWS\system32anticipator.dll
    C:\WINDOWS\system32akttzn.exe
    C:\WINDOWS\winsystem.exe
    C:\WINDOWS\system32WINWGPX.EXE
    C:\WINDOWS\system32winsystem.exe
    C:\WINDOWS\system32sysreq.exe
    C:\WINDOWS\system32mssecu.exe
    C:\WINDOWS\system32bdn.com
    C:\WINDOWS\system32awtoolb.dll
    C:\WINDOWS\mssecu.exe
    C:\WINDOWS\bdn.com
    C:\WINDOWS\system32vbsys2.dll
    C:\Program Files\akl
    C:\Documents and Settings\All Users\Application Data\hozghkte
    C:\WINDOWS\sy
    C:\WINDOWS\system32smp

  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please re-scan with DSS and post the contents of a fresh main.txt.
  • 0

#3
learning fast

    New Member

  • Topic Starter
  • 6 posts
Hi JSntgRvr,

Thanks for the advice, which I have now followed.

I noticed during the MoveIT process that approximately 20 messages of the same type popped up, and I simply acknowledged by clicking ok.

MoveIt logfile 110408 1710

C:\WINDOWS\system32winlogonpc.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\userconfig9x.dll NOT unregistered.
C:\WINDOWS\userconfig9x.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32hoproxy.dll
C:\WINDOWS\system32hoproxy.dll NOT unregistered.
C:\WINDOWS\system32hoproxy.dll moved successfully.
C:\WINDOWS\FVProtect.exe moved successfully.
C:\WINDOWS\system32taack.exe moved successfully.
C:\WINDOWS\system32taack.dat moved successfully.
C:\WINDOWS\system32sncntr.exe moved successfully.
C:\WINDOWS\system32mwin32.exe moved successfully.
C:\WINDOWS\system32hxiwlgpm.exe moved successfully.
C:\WINDOWS\system32hxiwlgpm.dat moved successfully.
C:\WINDOWS\a.bat moved successfully.
File/Folder C:\WINDOWS\iTunesMusic.exe not found.
C:\WINDOWS\system32psoft1.exe moved successfully.
C:\WINDOWS\system32psof1.exe moved successfully.
C:\WINDOWS\system32ps1.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32msnbho.dll
C:\WINDOWS\system32msnbho.dll NOT unregistered.
C:\WINDOWS\system32msnbho.dll moved successfully.
C:\WINDOWS\system32bsva-egihsg52.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32ssurf022.dll
C:\WINDOWS\system32ssurf022.dll NOT unregistered.
C:\WINDOWS\system32ssurf022.dll moved successfully.
C:\WINDOWS\system32netode.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32medup020.dll
C:\WINDOWS\system32medup020.dll NOT unregistered.
C:\WINDOWS\system32medup020.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32medup012.dll
C:\WINDOWS\system32medup012.dll NOT unregistered.
C:\WINDOWS\system32medup012.dll moved successfully.
C:\WINDOWS\system32temp#01.exe moved successfully.
C:\WINDOWS\system32mtr2.exe moved successfully.
C:\WINDOWS\system32msgp.exe moved successfully.
< C:\WINDOWS\[email protected]@@k.dll >
LoadLibrary failed for C:\WINDOWS\[email protected]@@k.dll
C:\WINDOWS\[email protected]@@k.dll NOT unregistered.
C:\WINDOWS\[email protected]@@k.dll moved successfully.
C:\WINDOWS\system32dpcproxy.exe moved successfully.
C:\WINDOWS\system32ssvchost.exe moved successfully.
C:\WINDOWS\system32ssvchost.com moved successfully.
LoadLibrary failed for C:\WINDOWS\system32regm64.dll
C:\WINDOWS\system32regm64.dll NOT unregistered.
C:\WINDOWS\system32regm64.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32regc64.dll
C:\WINDOWS\system32regc64.dll NOT unregistered.
C:\WINDOWS\system32regc64.dll moved successfully.
C:\WINDOWS\system32msvchost.exe moved successfully.
C:\Documents and Settings\New User\Desktopfilemanagerclient.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32thun32.dll
C:\WINDOWS\system32thun32.dll NOT unregistered.
C:\WINDOWS\system32thun32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32thun.dll
C:\WINDOWS\system32thun.dll NOT unregistered.
C:\WINDOWS\system32thun.dll moved successfully.
C:\WINDOWS\system32Rundl1.exe moved successfully.
C:\Documents and Settings\New User\DesktopFWebdEditor.exe moved successfully.
C:\Documents and Settings\New User\Desktopfwebd.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32vcatchpi.dll
C:\WINDOWS\system32vcatchpi.dll NOT unregistered.
C:\WINDOWS\system32vcatchpi.dll moved successfully.
C:\WINDOWS\system32newsd32.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32emesx.dll
C:\WINDOWS\system32emesx.dll NOT unregistered.
C:\WINDOWS\system32emesx.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32anticipator.dll
C:\WINDOWS\system32anticipator.dll NOT unregistered.
C:\WINDOWS\system32anticipator.dll moved successfully.
C:\WINDOWS\system32akttzn.exe moved successfully.
C:\WINDOWS\winsystem.exe moved successfully.
C:\WINDOWS\system32WINWGPX.EXE moved successfully.
C:\WINDOWS\system32winsystem.exe moved successfully.
C:\WINDOWS\system32sysreq.exe moved successfully.
C:\WINDOWS\system32mssecu.exe moved successfully.
C:\WINDOWS\system32bdn.com moved successfully.
LoadLibrary failed for C:\WINDOWS\system32awtoolb.dll
C:\WINDOWS\system32awtoolb.dll NOT unregistered.
C:\WINDOWS\system32awtoolb.dll moved successfully.
C:\WINDOWS\mssecu.exe moved successfully.
C:\WINDOWS\bdn.com moved successfully.
LoadLibrary failed for C:\WINDOWS\system32vbsys2.dll
C:\WINDOWS\system32vbsys2.dll NOT unregistered.
C:\WINDOWS\system32vbsys2.dll moved successfully.
File/Folder C:\Program Files\akl not found.
C:\Documents and Settings\All Users\Application Data\hozghkte moved successfully.
File/Folder C:\WINDOWS\sy not found.
C:\WINDOWS\system32smp moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04112008_165603
********************************************************************************
***************************

Deckard's System Scanner v20071014.68
Run by New User on 2008-04-11 17:23:50
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as New User.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:23:53, on 11/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\WINDOWS\system32\PDesk\PDesk.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\system32\mgabg.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\SPEEDB~1\VideoAccelerator.exe
C:\Program Files\DAP\DAP.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\TuneUp Utilities 2008\RegistryCleaner.exe
C:\WINDOWS\System32\TuneUpDefragService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\New User\My Documents\My Completed Downloads\dss.exe
C:\Documents and Settings\New User\My Documents\My Completed Downloads\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\NEWUSE~1.EXE
C:\PROGRA~1\TRENDM~1\HIJACK~1\NEWUSE~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.moneyam.com/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {F4D76F09-7896-458a-890F-E1F05C46069F} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\system32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase2895.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1140454521275
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoft...5/asproinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup163.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...203/mcfscan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\system32\mgabg.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: VideoAcceleratorEngine - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 9350 bytes

-- Files created between 2008-03-11 and 2008-04-11 -----------------------------

2008-04-10 18:02:29 0 d-------- C:\Program Files\Windows Defender
2008-04-07 19:32:18 0 d-------- C:\WINDOWS\ERUNT
2008-04-07 11:49:36 0 d-------- C:\Program Files\Panda Security
2008-04-07 07:35:01 0 dr-h----- C:\Documents and Settings\New User\Recent
2008-03-30 01:36:19 69632 --a------ C:\WINDOWS\system32\asprouni.exe <Not Verified; Panda Software; Panda Software ASPRODesinstalador>
2008-03-30 01:35:38 0 d-------- C:\WINDOWS\system32\ASPRO
2008-03-29 12:31:42 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-03-28 21:43:37 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-28 21:43:25 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-03-28 21:43:25 0 d-------- C:\Documents and Settings\New User\Application Data\SUPERAntiSpyware.com
2008-03-28 18:02:50 0 d-------- C:\Documents and Settings\New User\Application Data\Grisoft
2008-03-28 16:31:59 0 d-------- C:\Program Files\Java
2008-03-28 16:31:57 0 d-------- C:\Program Files\Common Files\Java
2008-03-28 11:22:26 0 d-------- C:\Program Files\Trend Micro
2008-03-28 02:11:35 0 d-------- C:\Documents and Settings\New User\Application Data\Malwarebytes
2008-03-28 02:11:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-28 02:11:09 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-28 01:40:08 0 dr-hs---- C:\cmdcons
2008-03-28 01:39:45 0 d-------- C:\WINDOWS\setupupd
2008-03-27 20:30:52 0 d-------- C:\WINDOWS\Prefetch
2008-03-27 19:48:12 0 d-------- C:\WINDOWS\setup.pss
2008-03-27 16:53:23 0 d-------- C:\XPCD
2008-03-27 15:22:24 0 d-------- C:\XPSP2
2008-03-27 12:45:03 0 d-------- C:\Program Files\IObit
2008-03-27 12:12:06 0 d-------- C:\Program Files\CCleaner
2008-03-26 21:49:48 0 d-------- C:\pebuilder3110a
2008-03-26 01:40:04 91700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-03-26 01:40:04 85860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-03-26 01:39:12 492320 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-03-26 01:39:12 11449120 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-26 01:39:12 0 d-------- C:\Program Files\Kaspersky Lab
2008-03-26 01:28:57 0 d-------- C:\kav
2008-03-26 00:15:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-26 00:15:31 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-25 23:26:07 0 d-------- C:\Program Files\RegistryCleanFixer2008
2008-03-25 21:26:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-25 17:19:12 0 d-------- C:\Documents and Settings\New User\Desktopvirii


-- Find3M Report ---------------------------------------------------------------

2008-04-10 07:28:44 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-03-30 09:55:13 0 d-------- C:\Program Files\SpeedBit Video Accelerator
2008-03-30 09:50:38 0 d-------- C:\Program Files\Kontiki
2008-03-30 09:48:51 0 d-------- C:\Program Files\Google
2008-03-30 09:48:40 0 d-------- C:\Program Files\DAP
2008-03-30 02:01:59 0 d-------- C:\Program Files\MSN Messenger
2008-03-28 21:42:18 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-28 16:31:57 0 d-------- C:\Program Files\Common Files
2008-03-27 20:19:05 23348 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-03-27 12:07:15 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-27 11:46:13 0 d-------- C:\Program Files\Ahead
2008-03-27 11:44:25 0 d-------- C:\Program Files\Common Files\Ahead
2008-03-27 11:35:23 0 d-------- C:\Program Files\Recovery for Excel
2008-03-27 11:04:12 0 d-------- C:\Program Files\McAfee
2008-03-27 10:59:01 0 d-------- C:\Program Files\Microsoft AntiSpyware
2008-03-26 19:28:50 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-13 18:26:18 26296 --a------ C:\Documents and Settings\New User\Application Data\GDIPFONTCACHEV1.DAT
2008-03-09 10:01:18 0 d-------- C:\Documents and Settings\New User\Application Data\ErrorKiller
2008-03-01 01:20:21 3700 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-03-01 01:14:40 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-01 01:13:00 0 d-------- C:\Documents and Settings\New User\Application Data\Adobe
2008-02-28 19:11:36 0 d-------- C:\Documents and Settings\New User\Application Data\Cimaware
2008-02-28 19:07:12 0 d-------- C:\Program Files\Cimaware
2008-02-21 12:00:19 0 d-------- C:\Program Files\TuneUp Utilities 2008
2008-02-18 22:06:24 0 d-------- C:\Program Files\Channel4


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [08/02/2008 19:36]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [14/03/2008 00:11]

[HKEY_CLASSES_ROOT\CLSID\AVP]

[HKEY_CLASSES_ROOT\CLSID\ZoneAlarm Client]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 01:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/12/2007 18:29]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [23/04/2007 12:23]

[-HKEY_CLASSES_ROOT\CLSID\ctfmon.exe]

[-HKEY_CLASSES_ROOT\CLSID\swg]

[-HKEY_CLASSES_ROOT\CLSID\kdx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [08/02/2008 19:36]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [14/03/2008 00:11]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/11/2007 12:43]
"SoundMan"="SOUNDMAN.EXE" [14/05/2004 08:47 C:\WINDOWS\SOUNDMAN.EXE]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [04/02/2002 22:32]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [07/11/2006 15:49]
"MaxtorCombo"="C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe" [16/07/2002 03:23]
"Matrox Powerdesk"="C:\WINDOWS\system32\PDesk\PDesk.exe" [14/09/2004 10:13]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [20/09/2005 03:35]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [20/09/2005 03:36]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [20/09/2005 03:32]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 05:25]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [11/06/2007 10:25]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 01:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/12/2007 18:29]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [23/04/2007 12:23]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [30/03/2008 08:53]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 01:01:04]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [27/08/2007 14:35:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 30/03/2008 08:53 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe
"igfxpers"=C:\WINDOWS\system32\igfxpers.exe




-- End of Deckard's System Scanner: finished at 2008-04-11 17:33:26 ------------


Hopefully nothing too serious??

Kind regards

'learning fast'

#4 JSntgRvr (Global Moderator, 10,961 posts)
Hi, learning fast :)

Everything looks clear except your background.

Right-click on your desktop and select Properties (you can also do this by clicking Start -> Control Panel -> Display). Select the Desktop tab. Click on Customize Desktop. Select the Web tab. Delete all lines therein except for My Current Web Page. Click OK out of the Properties window and restart the computer.

Post a fresh HijackThis log and let me know how the computer is doing.
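As an added example (not code from the thread, from HijackThis or from Deckard's System Scanner), the check below applies JSntgRvr's reading of the log in script form: it parses HijackThis O24 "Desktop Component" lines, flags any that serve a local file:// HTML page (the "Privacy Protection" item in the log above), maps the component index to the HKCU registry key that appeared in the Deckard registry dump, and also flags orphaned O3 toolbars marked "(no file)". The sample lines are copied from the log posted above; the function and class names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: HijackThis lines copied from the log posted in this thread
# (raw string, so the Windows backslashes are literal).
SAMPLE_LOG = r"""
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {F4D76F09-7896-458a-890F-E1F05C46069F} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O24"
    reason: str    # why the line deserves a look
    line: str      # the original log line


# O24 - Desktop Component <n>: <friendly name> - <source URL>
O24_RE = re.compile(r"^O24 - Desktop Component (\d+): (.*?) - (\S+)$")
# O3 - Toolbar: <name> - {<CLSID>} - <dll path or "(no file)">
O3_RE = re.compile(r"^O3 - Toolbar: (.*?) - \{([0-9A-Fa-f-]+)\} - (.*)$")


def parse_o24(line):
    """Return (index, friendly_name, source) for an O24 line, or None."""
    m = O24_RE.match(line)
    if m is None:
        return None
    return int(m.group(1)), m.group(2), m.group(3)


def is_local_html_component(source):
    """True when an Active Desktop item is served from a local file:// HTML page.

    Genuine web components point at a remote URL. The rogue "spyware warning"
    wallpaper in this thread instead registers an .htm dropped under %WINDIR%,
    which is why the desktop turned into a warning page.
    """
    s = source.lower()
    return s.startswith("file:///") and s.endswith((".htm", ".html"))


def component_registry_key(index):
    """Per-user registry key backing Active Desktop component <index>.

    This is the key shown in the thread's Deckard registry dump; the
    Display Properties > Desktop > Customize Desktop > Web tab edits it.
    """
    return (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer"
            r"\Desktop\Components\%d" % index)


def triage(log_text):
    """Scan a HijackThis log and return the entries a responder should review."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        o24 = parse_o24(line)
        if o24 is not None:
            index, name, source = o24
            if is_local_html_component(source):
                findings.append(Finding(
                    "O24",
                    f"local HTML Active Desktop component '{name}' -> {source}; "
                    f"see {component_registry_key(index)}",
                    line))
            continue
        m = O3_RE.match(line)
        if m is not None and m.group(3).strip() == "(no file)":
            # Orphaned toolbar: CLSID still registered but its DLL is gone.
            # Harmless by itself, but a leftover worth clearing so the next
            # log is clean.
            findings.append(Finding(
                "O3", f"toolbar CLSID {{{m.group(2)}}} registered but (no file)",
                line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}")
```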

#5 learning fast (Topic Starter, New Member, 6 posts)
Hi JSntgRvr,

Happily the desktop is restored to its status before the infection. Thank you for your advice and assistance.

May I just enquire of your brief opinion on a couple of concerns that arose during the early stage of disinfection, where I cleaned around 5 keyloggers. Is it sufficient to have cleaned them off, or would you feel that it's imperative to additionally change passwords to any online banking sites and other similar classes of site?

ActiveScanPro flagged 7 vulnerabilities, and pointed me at the fixes on Microsoft's own site. I can't figure out if simply doing the Microsoft overall update creates the fixes, or if it requires individual fixes for each one. Would you happen to know offhand, before I do a deeper investigation myself?
The flagged vulnerabilities are:
  • MS07-033
  • MS07-069
  • MS07-057
  • MS07-027
  • MS07-016
  • MS07-045
  • MS07-043

Well thanks for everything. Seeing the extent and importance of the work your team carry out against the forces of 'evil' I am more than happy to make a donation to contribute towards the continuation of this fine service.

Kind regards

learning fast!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:15:25, on 11/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\mgabg.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\WINDOWS\system32\PDesk\PDesk.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\PROGRA~1\SPEEDB~1\VideoAccelerator.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.moneyam.com/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {F4D76F09-7896-458a-890F-E1F05C46069F} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\system32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase2895.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1140454521275
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoft...5/asproinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup163.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...203/mcfscan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\system32\mgabg.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: VideoAcceleratorEngine - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9149 bytes

Edited by learning fast, 11 April 2008 - 03:18 PM.


#6 JSntgRvr (Global Moderator, 10,961 posts)
Hi, learning fast :)

Here are the security updates for those vulnerabilities:

(KB928090)
http://www.microsoft...;displaylang=en
(KB939653)
http://www.microsoft...;displaylang=en
(KB933566)
http://www.microsoft...;displaylang=en
(KB931768)
http://www.microsoft...;displaylang=en
(KB921503)
http://www.microsoft...;displaylang=en
(KB937143)
http://www.microsoft...;displaylang=en

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process, choose Yes.
Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Create a Restore point:
  • Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  • In the System Restore dialog box, click Create a restore point, and then click Next.
  • Type a description for your restore point, such as "After Cleanup", then click Create.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • ZonedOut + IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.
  • Read and follow the suggestions given at this web site by Miekiemoes http://users.telenet...prevention.html .
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

Best wishes!

#7 learning fast (Topic Starter, New Member, 6 posts)
Hi JSntgRvr,

MoveIt cleanup ran successfully.

I ran all the vulnerability fixes from the links you supplied in your last post. They all ran successfully, with the exception of the last one, which reported an error.

'KB937143 setup error. The version of Internet Explorer you have installed does not match the update you are trying to install'

Prior to the malware removal I recently ran an XP security update and an IE update (I am running IE V7.005730.13). Can I assume this setup error is not significant?

I have now run the system restore clean up, and created a new restore point according to your advice.

I was just wondering if you had any thoughts regarding the possible impact of a threat arising from the removed keyloggers referred to in my last post?

Thanks for your advice list; I have implemented some of these already, and am working my way through the rest.

Kind regards

learning fast

#8 JSntgRvr (Global Moderator, 10,961 posts)
I don't see a problem with that update.

If you feel your identity has been compromised, you definitely should change your password. There are programs that can help you establish a hard-to-crack password, such as PC Tools Password Utilities and others. As long as you keep those passwords in a safe place, and remember where they were kept, as they cannot be re-created, you should not have a problem.

For information read these articles:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

#9 learning fast (Topic Starter, New Member, 6 posts)
Hi JSntgRvr,

Thanks for all the help and advice throughout. It looks as if this topic can now be closed.

All the best
learning fast

#10 JSntgRvr (Global Moderator, 10,961 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.