
ADWARE problem! Smitfraud & other malware..HELP! [RESOLVED]



#1 frosty99 (New Member, 3 posts)
:) Hi, I am new to this but need help badly.

The spyware on my computer is some fake anti-spyware called Spy Maxx, and one other. It has changed my desktop background and keeps popping up with fake alerts. We have tried to get it off with zero luck. I sure hope you guys can help!

I followed the instructions on the "before you post" page. I am still waiting for Panda to send my user info (since yesterday), but I have done everything else.

I just got Panda going... finally, lol.

I have the Panda report now.

I ran smitRem but don't know how to get the report. I think it's saved somewhere?




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:09:45 AM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\winself.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: CafeMom Toolbar - {8151A608-00FB-4D5C-8B8D-40E239E32A42} - C:\Program Files\CafeMom Toolbar\cmtb.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: CafeMom Toolbar - {8151A608-00FB-4D5C-8B8D-40E239E32A42} - C:\Program Files\CafeMom Toolbar\cmtb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {07DB8C18-9FD9-4e43-AF16-043E44D89768} - C:\Program Files\CafeMom Toolbar\cmtb.dll
O9 - Extra 'Tools' menuitem: CafeMom Toolbar - {07DB8C18-9FD9-4e43-AF16-043E44D89768} - C:\Program Files\CafeMom Toolbar\cmtb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MSSysInterv (MSSysInterv1) - Unknown owner - C:\WINDOWS\winself.exe

--
End of file - 7702 bytes



---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:07:14 PM 4/14/2008

+ Scan result:



C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP306\A0066804.exe -> Adware.Agent : Ignored.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP306\A0066802.dll -> Adware.BHO : Ignored.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38} -> Adware.Generic : Ignored.
HKU\S-1-5-21-724375985-3469145084-368789899-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38} -> Adware.Generic : Ignored.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP306\A0066803.exe -> Adware.NewDotNet : Ignored.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP310\A0066975.exe -> Adware.NewDotNet : Ignored.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP310\A0066976.exe -> Adware.NewDotNet : Ignored.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP292\A0064006.dll -> Adware.Solution : Ignored.
C:\Program Files\Online Services\PeoplePC\ISP5900\Branding\ppal3ppc.exe -> Not-A-Virus.Adware.Agent : Ignored.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP295\A0065806.exe -> Not-A-Virus.Adware.WebHancer : Ignored.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP299\A0065846.dll -> Not-A-Virus.Adware.WebHancer : Ignored.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP299\A0065850.dll -> Not-A-Virus.Adware.WebHancer : Ignored.


::Report end



ANALYSIS: 2008-04-15 08:25:44
PROTECTIONS: 1
MALWARE: 19
SUSPECTS: 1
================================================================================
PROTECTIONS
Description Version Active Updated
================================================================================
AVG 7.5.519 7.5.519 Yes Yes
================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
================================================================================
00020302 adware/ncase Adware No 0 Yes No c:\windows\didduid.ini
00048239 adware/adlogix Adware No 0 Yes No HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5FA6752A-C4A0-4222-88C2-928AE5AB4966}
00096188 spyware/searchcentrix Spyware No 1 Yes No HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4E1075F4-EEC4-4a86-ADD7-CD5F52858C31}
00106761 adware/123mania Adware No 0 Yes No HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9C5B2F29-1F46-4639-A6B4-828942301D3E}
00106761 adware/123mania Adware No 0 Yes No HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15651C7C-E812-44A2-A9AC-B467A2233E7D}
00106761 adware/123mania Adware No 0 Yes No HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{622CC208-B014-4FE0-801B-874A5E5E403A}
00135099 adware/powerstrip Adware No 0 Yes No HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{965A592F-8EFA-4250-8630-7960230792F1}
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\kendra mcclure\Desktop\smitRem\Process.exe
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\kendra mcclure\Desktop\SmitfraudFix\Process.exe
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\kendra mcclure\Desktop\smitRem.exe[smitRem/Process.exe]
00139535 Application/Processor HackTools No 0 Yes No C:\WINDOWS\system32\Process.exe
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\kendra mcclure\Cookies\kendra mcclure@go[1].txt
00217430 adware/surfassistant Adware No 0 Yes No HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}
00335152 Adware/Zango Adware No 0 Yes No C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP292\A0064005.exe
00367121 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\kendra mcclure\Cookies\kendra mcclure@90594700[2].txt
00377802 Spyware/PeoplePC Spyware No 0 Yes No C:\Program Files\Online Services\PeoplePC\ISP5900\Dll\RAS.DLL
00517584 Application/SuperFast HackTools No 0 Yes No C:\Documents and Settings\kendra mcclure\Desktop\SmitfraudFix\restart.exe
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\Documents and Settings\kendra mcclure\Desktop\SmitfraudFix\Reboot.exe
02207436 Adware/Zango Adware No 0 No No C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP292\A0064012.exe[²ÖÇ\ZangoTBUninstaller.exe]
02812088 Adware/WebHancer Adware No 0 Yes No C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP299\A0065841.exe
02893775 Spyware/Iehelp Spyware No 1 Yes No C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP312\A0068144.exe
02901878 Adware/OneStep Adware No 0 Yes No C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP293\A0064352.exe
02910011 Adware/UltimateDefender Adware No 0 Yes No C:\WINDOWS\strictions.dll
02910011 Adware/UltimateDefender Adware No 0 Yes No C:\Documents and Settings\kendra mcclure\~.exe
02910981 Adware/iWinArcade Adware No 0 Yes No C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe
================================================================================
SUSPECTS
Sent Location
================================================================================
No C:\WINDOWS\SYSTEM32\WMSDKNS.EXE
================================================================================
VULNERABILITIES
Id Severity Description
================================================================================



:) UPDATE: I ran Malwarebytes and SmitfraudFix, and it seems to have worked, or I hope so. Here's the latest HijackThis log to make sure I have done all I can. Any help would be great.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:18:30 PM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\winself.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: CafeMom Toolbar - {8151A608-00FB-4D5C-8B8D-40E239E32A42} - C:\Program Files\CafeMom Toolbar\cmtb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: CafeMom Toolbar - {8151A608-00FB-4D5C-8B8D-40E239E32A42} - C:\Program Files\CafeMom Toolbar\cmtb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {07DB8C18-9FD9-4e43-AF16-043E44D89768} - C:\Program Files\CafeMom Toolbar\cmtb.dll
O9 - Extra 'Tools' menuitem: CafeMom Toolbar - {07DB8C18-9FD9-4e43-AF16-043E44D89768} - C:\Program Files\CafeMom Toolbar\cmtb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MSSysInterv (MSSysInterv1) - Unknown owner - C:\WINDOWS\winself.exe

--
End of file - 6420 bytes

Edited by frosty99, 16 April 2008 - 08:01 AM.


#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Welcome to GTG.

You still have some baddies left over there :)

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you have checked the last one:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O23 - Service: MSSysInterv (MSSysInterv1) - Unknown owner - C:\WINDOWS\winself.exe


Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\winself.exe
c:\windows\didduid.ini
C:\WINDOWS\strictions.dll
C:\Documents and Settings\kendra mcclure\~.exe


Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.
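The two entries greyknight17 singles out above are the classic persistence points in this log: Winlogon runs every comma-separated executable in the UserInit value at logon (the trailing comma is the normal format, the second path is not), and a service with "Unknown owner" whose binary sits directly in C:\WINDOWS\ rather than under system32 or Program Files is almost never legitimate. As an added example, not part of the thread and not HijackThis output, here is a small Python triage script that applies those rules to HijackThis log lines. The sample lines are copied from the logs posted above; the severity levels, the known-good process list and the heuristics themselves are assumptions for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample: entries copied from the HijackThis logs posted in this
# thread (process paths, the F2 line, two O2 BHOs and two O23 services), with
# benign lines left in so the checks have something to pass as well as fail.
SAMPLE_LOG = [
    r"C:\WINDOWS\system32\winlogon.exe",
    r"C:\WINDOWS\system32\wmsdkns.exe",
    r"C:\WINDOWS\winself.exe",
    r"C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,",
    r"O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)",
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe",
    r"O23 - Service: MSSysInterv (MSSysInterv1) - Unknown owner - C:\WINDOWS\winself.exe",
]

# The only executable that belongs in UserInit on a stock Windows XP install
# (winlogon runs every comma-separated entry at logon, before the shell).
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"

# Assumed known-good list: the stock XP processes that appear in the posted log.
# A real triage would use a much larger list; this is enough for the sample.
KNOWN_SYSTEM32_EXES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                       "svchost.exe", "spoolsv.exe", "userinit.exe"}

Finding = Tuple[str, str, str]  # (severity, reason, offending entry)


def _is_windows_root(path: str) -> bool:
    """True for an .exe/.dll dropped directly in the Windows directory with no
    subfolder, which is where winself.exe in this thread lives."""
    return re.fullmatch(r"c:\\windows\\[^\\]+\.(exe|dll)", path.lower()) is not None


def check_userinit(line: str) -> List[Finding]:
    """F2 UserInit: any executable beyond the stock userinit.exe is a logon
    persistence hook, not a configuration choice."""
    m = re.match(r"F2 - REG:system\.ini: UserInit=(.*)$", line)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    return [("high", "extra UserInit executable (logon persistence)", e)
            for e in entries if e.lower() != STOCK_USERINIT]


def check_bho(line: str) -> List[Finding]:
    """O2 BHO: a CLSID with '(no file)' is a leftover registration from a
    removed adware component; an unnamed BHO that still has a file is worse."""
    m = re.match(r"O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$", line)
    if not m:
        return []
    name, _clsid, path = m.groups()
    if path == "(no file)":
        return [("low", "orphaned BHO registration", line)]
    if name == "(no name)":
        return [("medium", "unnamed BHO with a file on disk", line)]
    return []


def check_service(line: str) -> List[Finding]:
    """O23 Service: legitimate services carry a vendor name and live under
    Program Files or system32; 'Unknown owner' or a binary at the top of the
    Windows directory is the pattern of the MSSysInterv entry above."""
    m = re.match(r"O23 - Service: (.*?) \((.*?)\) - (.*?) - (.*)$", line)
    if not m:
        return []
    _display, _name, owner, path = m.groups()
    if owner == "Unknown owner" or _is_windows_root(path):
        return [("high", "service with unknown owner or unusual path", line)]
    return []


def check_process(line: str) -> List[Finding]:
    """Running-process lines: flag executables at the top of the Windows
    directory and system32 names that are not on the known-good list."""
    if not re.match(r"[a-z]:\\", line, re.IGNORECASE):
        return []
    low = line.lower()
    if _is_windows_root(line):
        return [("medium", "process running from the Windows directory root", line)]
    if low.startswith("c:\\windows\\system32\\"):
        name = low.rsplit("\\", 1)[-1]
        if name not in KNOWN_SYSTEM32_EXES:
            return [("medium", "unfamiliar executable in system32", line)]
    return []


def triage(lines: List[str]) -> List[Finding]:
    """Run every check over a HijackThis log (one entry per line) and return
    findings ordered high -> low so persistence entries come first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    findings: List[Finding] = []
    for line in lines:
        for check in (check_userinit, check_bho, check_service, check_process):
            findings.extend(check(line))
    return sorted(findings, key=lambda f: rank[f[0]])


if __name__ == "__main__":
    for sev, reason, what in triage(SAMPLE_LOG):
        print(f"[{sev:<6}] {reason}: {what}")
```

On the sample above the script reports the wmsdkns.exe UserInit entry and the winself.exe service as high, the two odd process paths as medium, and the orphaned BHO as low, which matches the order in which the helper addresses them: the persistence entries are fixed in HijackThis first, then the files are deleted, then the orphaned registrations are cleaned up.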

#3 frosty99 (Topic Starter, New Member)
:) Hi,
Thanks for your help!!
Here's the ComboFix log.

ComboFix 08-04-18.3 - kendra mcclure 2008-04-20 8:42:10.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.196 [GMT -6:00]
Running from: C:\Documents and Settings\kendra mcclure\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\kendra mcclure\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\kendra mcclure\Application Data\macromedia\Flash Player\#SharedObjects\SEGXU3CZ\www.broadcaster.com
C:\Documents and Settings\kendra mcclure\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\kendra mcclure\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\conf.inf
C:\WINDOWS\ky.sxc
C:\WINDOWS\mscon.sio
C:\WINDOWS\system32\_000110_.tmp.dll
C:\WINDOWS\winself.exe
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NNSERV
-------\Legacy_SZKG5
-------\Service_NNServ
-------\Legacy_MSSysInterv1
-------\MSSysInterv1


((((((((((((((((((((((((( Files Created from 2008-03-20 to 2008-04-20 )))))))))))))))))))))))))))))))
.

2008-04-19 20:00 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-04-19 20:00 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\dllcache\mouhid.sys
2008-04-19 20:00 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-04-19 20:00 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\dllcache\hidusb.sys
2008-04-19 16:58 . 2008-04-19 16:58 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-04-19 08:31 . 2008-04-19 08:31 <DIR> d-------- C:\Documents and Settings\kendra mcclure\Application Data\MysteryStudio
2008-04-19 07:03 . 2008-04-19 07:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iWin
2008-04-18 10:07 . 2008-04-18 10:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Aliasworlds
2008-04-18 08:23 . 2008-04-18 08:23 <DIR> d-------- C:\Documents and Settings\kendra mcclure\Application Data\Ohana Games
2008-04-17 18:41 . 2008-04-17 18:41 <DIR> d-------- C:\Documents and Settings\kendra mcclure\Application Data\Fever Frenzy
2008-04-17 17:07 . 2008-04-17 17:07 <DIR> d-------- C:\Program Files\bfgclient
2008-04-17 17:06 . 2008-04-17 17:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2008-04-17 08:01 . 2008-04-17 08:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Legacy Interactive
2008-04-16 06:46 . 2008-04-16 06:46 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-04-15 21:37 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-15 21:37 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-04-15 21:37 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-15 20:53 . 2008-04-15 20:54 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2008-04-15 20:53 . 2008-04-15 20:53 <DIR> d-------- C:\Program Files\Windows Live Favorites
2008-04-15 20:46 . 2008-04-15 20:46 <DIR> d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-04-15 20:31 . 2008-04-15 20:51 <DIR> d-------- C:\Program Files\Windows Live
2008-04-15 20:31 . 2008-04-15 20:39 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-15 20:30 . 2008-04-15 20:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-15 18:53 . 2008-04-19 13:41 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-15 18:53 . 2008-04-15 18:53 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-15 15:46 . 2008-04-15 15:46 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-15 15:46 . 2008-04-15 15:46 <DIR> d-------- C:\Documents and Settings\kendra mcclure\Application Data\Malwarebytes
2008-04-15 15:46 . 2008-04-15 15:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-15 15:45 . 2008-04-15 15:45 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-15 04:32 . 2008-04-15 04:52 1,288 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-15 04:29 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-15 04:29 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-15 04:29 . 2008-04-14 19:28 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-15 04:29 . 2008-04-12 13:49 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-15 04:29 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-15 04:29 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-15 04:29 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-14 19:53 . 2008-04-14 19:53 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-14 15:24 . 2008-04-14 15:24 <DIR> d-------- C:\Program Files\Panda Security
2008-04-14 13:48 . 2008-04-14 13:48 <DIR> d-------- C:\Documents and Settings\kendra mcclure\Application Data\Grisoft
2008-04-14 13:48 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-14 10:06 . 2008-04-14 10:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-14 06:37 . 2008-04-14 06:37 <DIR> d-------- C:\Documents and Settings\kendra mcclure\Application Data\Uniblue
2008-04-13 17:15 . 2008-04-13 17:15 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-13 17:15 . 2008-04-13 17:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-13 16:56 . 2006-04-10 10:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2008-04-13 16:56 . 2008-04-13 16:56 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-13 16:56 . 2008-04-20 08:41 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-13 05:36 . 2008-04-13 06:54 <DIR> d-------- C:\Documents and Settings\kendra mcclure\Application Data\HouseCall 6.6
2008-04-12 21:45 . 2008-04-12 21:42 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-12 21:42 . 2008-04-12 23:19 <DIR> d-------- C:\Documents and Settings\kendra mcclure\.housecall6.6
2008-04-12 20:53 . 2008-04-12 21:36 <DIR> d-------- C:\Documents and Settings\kendra mcclure\Application Data\RegClean
2008-04-12 10:39 . 2008-04-19 05:47 <DIR> d-------- C:\Documents and Settings\kendra mcclure\Application Data\Gamelab
2008-04-12 10:18 . 2008-04-12 10:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-04-12 10:17 . 2008-04-12 10:17 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-04-12 10:17 . 2008-04-12 11:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-04-12 10:08 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-04-12 09:56 . 2008-04-13 17:41 <DIR> d-------- C:\Documents and Settings\kendra mcclure\Application Data\SpywareStop
2008-04-12 08:20 . 2008-04-12 21:15 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-04-12 07:40 . 2008-04-12 07:40 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-04-11 14:34 . 2008-04-11 14:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-10 08:25 . 2008-04-10 08:25 <DIR> d-------- C:\Documents and Settings\kendra mcclure\Application Data\GTek
2008-04-09 11:59 . 2008-04-10 08:11 <DIR> d-------- C:\GameFools
2008-04-08 17:54 . 2008-04-08 17:54 <DIR> d-------- C:\Documents and Settings\kendra mcclure\Application Data\funkitron
2008-04-08 15:46 . 2008-04-08 15:46 <DIR> d-------- C:\Documents and Settings\kendra mcclure\Application Data\Pogo Games
2008-04-08 15:29 . 2008-04-08 15:31 <DIR> d-------- C:\Documents and Settings\kendra mcclure\Application Data\SprillBermudeEng
2008-04-08 12:29 . 2008-04-08 12:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MonteCristo
2008-04-08 10:37 . 2008-04-19 15:13 <DIR> d-------- C:\Documents and Settings\kendra mcclure\Application Data\PlayFirst
2008-04-07 13:01 . 2008-04-07 13:01 <DIR> d-------- C:\Documents and Settings\kendra mcclure\Application Data\Jane s Hotel
2008-04-07 12:40 . 2008-04-07 12:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayPond
2008-04-07 12:35 . 2008-04-07 12:35 <DIR> d-------- C:\Documents and Settings\kendra mcclure\Application Data\SpinTop
2008-04-07 12:06 . 2008-04-07 12:11 <DIR> d-------- C:\Documents and Settings\kendra mcclure\Application Data\Super-Cow
2008-04-06 22:10 . 2008-04-06 22:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-06 22:09 . 2008-04-06 22:09 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-06 20:21 . 2008-04-06 20:21 <DIR> d-------- C:\My Games
2008-04-06 20:21 . 2008-04-06 20:21 <DIR> d-------- C:\My Download Files
2008-04-06 20:19 . 2008-04-06 20:19 774,144 --a------ C:\Program Files\RngInterstitial.dll
2008-04-06 10:47 . 2008-04-06 10:47 <DIR> d-------- C:\Documents and Settings\kendra mcclure\Application Data\iWinArcade
2008-04-06 10:47 . 2008-04-06 10:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iWin Games
2008-04-06 09:07 . 2008-04-06 09:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Astar Games
2008-04-06 08:03 . 2008-04-06 08:03 <DIR> d-------- C:\Documents and Settings\kendra mcclure\Application Data\Meridian93
2008-04-05 13:44 . 2008-04-05 13:44 <DIR> d-------- C:\Documents and Settings\kendra mcclure\Application Data\Ludia
2008-04-05 13:44 . 2008-04-05 13:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ludia
2008-04-04 17:53 . 2008-04-04 17:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\EscapeTheMuseum
2008-04-04 16:33 . 2008-04-04 16:33 <DIR> d-------- C:\Documents and Settings\kendra mcclure\Application Data\Friday's games
2008-04-04 14:56 . 2008-04-04 15:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Fashion Solitaire 1.2
2008-04-04 14:14 . 2008-04-04 14:14 <DIR> d-------- C:\Documents and Settings\kendra mcclure\Application Data\Home Sweet Home
2008-04-04 13:20 . 2008-04-04 13:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Fugazo
2008-04-04 08:31 . 2008-04-04 08:31 <DIR> d-------- C:\Documents and Settings\kendra mcclure\Application Data\Oberon Games
2008-04-03 23:23 . 2008-04-03 23:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Escape From Paradise
2008-04-03 21:05 . 2008-04-07 12:39 <DIR> d-------- C:\Documents and Settings\kendra mcclure\Application Data\CaribbeanHideaway
2008-04-03 19:53 . 2008-04-03 19:53 4,096 --a------ C:\WINDOWS\d3dx.dat
2008-04-03 17:49 . 2008-04-03 17:49 <DIR> d-------- C:\Documents and Settings\kendra mcclure\Application Data\Jane s Hotel Family Hero
2008-04-03 11:08 . 2008-04-07 15:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-04-03 11:07 . 2008-04-03 11:07 <DIR> d-------- C:\Documents and Settings\kendra mcclure\Application Data\Sandlot Games
2008-04-03 10:22 . 2008-04-18 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HipSoft
2008-04-02 17:58 . 2008-04-02 17:58 218 --a------ C:\WINDOWS\bbbconfig.dat
2008-04-02 09:46 . 2008-04-02 09:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Gogii
2008-04-02 09:06 . 2008-03-05 15:56 3,786,760 --a------ C:\WINDOWS\system32\D3DX9_37.dll
2008-04-02 09:06 . 2008-03-05 15:56 1,420,824 --a------ C:\WINDOWS\system32\D3DCompiler_37.dll
2008-04-02 09:06 . 2008-03-05 16:03 479,752 --a------ C:\WINDOWS\system32\XAudio2_0.dll
2008-04-02 09:06 . 2008-02-05 23:07 462,864 --a------ C:\WINDOWS\system32\d3dx10_37.dll
2008-04-02 09:06 . 2008-03-05 16:03 238,088 --a------ C:\WINDOWS\system32\xactengine3_0.dll
2008-04-02 09:06 . 2008-03-05 16:00 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_3.dll
2008-04-02 09:00 . 2008-04-02 09:03 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-04-02 07:27 . 2008-04-02 07:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Go Go Gourmet
2008-04-01 12:02 . 2008-04-19 15:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-03-31 15:18 . 2008-03-31 15:18 <DIR> d-------- C:\Documents and Settings\kendra mcclure\Application Data\Skype
2008-03-20 17:45 . 2008-04-19 08:37 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-20 14:26 . 2008-04-19 07:03 <DIR> d-------- C:\Documents and Settings\kendra mcclure\Application Data\iWin
2008-03-20 08:26 . 2008-04-12 07:40 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\CafeMomToolbar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-20 14:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-19 21:14 --------- d-----w C:\Program Files\Yahoo! Games
2008-04-16 14:38 --------- d-----w C:\Documents and Settings\kendra mcclure\Application Data\AVG7
2008-04-15 16:07 --------- d-----w C:\Program Files\LimeWire
2008-04-14 19:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-12 19:36 --------- d-----w C:\Program Files\Real
2008-04-12 19:36 --------- d-----w C:\Program Files\Common Files\Real
2008-04-12 19:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-11 20:34 --------- d-----w C:\Program Files\Yahoo!
2008-04-11 20:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-04-07 05:03 5,276 -c--a-w C:\Documents and Settings\kendra mcclure\Application Data\wklnhst.dat
2008-04-07 04:10 --------- d-----w C:\Program Files\Lavasoft
2008-03-31 21:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-31 21:53 --------- d-----w C:\Program Files\HPQ
2008-03-27 03:44 --------- d-----w C:\Program Files\QuickTime
2008-03-20 23:44 0 ----a-w C:\Program Files\temp01
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-16 19:08 --------- d-----w C:\Documents and Settings\kendra mcclure\Application Data\Snapfish
2008-03-15 16:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo
2008-03-15 15:43 --------- d-----w C:\Documents and Settings\kendra mcclure\Application Data\Yahoo
2008-03-13 03:07 --------- d-----w C:\Program Files\CONEXANT
2008-03-13 03:05 --------- d-----w C:\Program Files\Serif
2008-03-13 03:04 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-03-13 03:01 --------- d-----w C:\Program Files\Sonic
2008-03-13 02:57 --------- d-----w C:\Program Files\Quicken
2008-03-11 04:00 --------- d--h--r C:\Documents and Settings\kendra mcclure\Application Data\yahoo!
2008-03-08 02:10 --------- d-----w C:\Program Files\CafeMom Toolbar
2008-03-08 02:10 --------- d-----w C:\Documents and Settings\kendra mcclure\Application Data\CafeMomToolbar
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 09:07 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-10-01 18:05 97,080 -c--a-w C:\Documents and Settings\kendra mcclure\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8151A608-00FB-4D5C-8B8D-40E239E32A42}]
2007-10-15 11:15 357824 --a------ C:\Program Files\CafeMom Toolbar\cmtb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{8151A608-00FB-4D5C-8B8D-40E239E32A42}"= "C:\Program Files\CafeMom Toolbar\cmtb.dll" [2007-10-15 11:15 357824]

[HKEY_CLASSES_ROOT\clsid\{8151a608-00fb-4d5c-8b8d-40e239e32a42}]
[HKEY_CLASSES_ROOT\cmtb.Band.1]
[HKEY_CLASSES_ROOT\TypeLib\{8D501C84-C98F-4AE0-88A3-44A5FA67E72A}]
[HKEY_CLASSES_ROOT\cmtb.Band]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-25 11:49 219136]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 14:32 8699904]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 19:17 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 05:44:06 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22 288472]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 08:56:20 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\HP\\QuickPlay\\QP.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

S4 iWinGamesInstaller;iWinGamesInstaller;C:\Program Files\iWin Games\iWinGamesInstaller.exe []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-20 14:35:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-20 08:48:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
.
**************************************************************************
.
Completion time: 2008-04-20 8:57:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-20 14:56:30

Pre-Run: 10,101,153,792 bytes free
Post-Run: 10,448,351,232 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

262 --- E O F --- 2008-04-18 15:31:19
  • 0

#4
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Delete this folder:

C:\Program Files\temp01

Download the Flash Disinfector at http://www.techsuppo...Disinfector.exe and save it to your desktop. Double-click on it to run it and follow the on-screen instructions.

Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run and type in combofix /u (notice the space) and hit OK to remove it. You should be set to go.
  • 0

#5
frosty99

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
:) Cool, thanks so much for your help!

Everything seems to be great now!

You have a great Sunday!
  • 0

#6
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
