Help - DesktopTrojan BlackBird etc [CLOSED]



#1
coachv
Member, 13 posts
Please help a novice rid my computer of infection(s). Below are logs after attempting to delete a known bad file (cannot delete, file in use), and my Task Manager has been disabled by an administrator (not!). Thanks in advance for any help you can provide.

Malwarebytes' Anti-Malware 1.11
Database version: 622

Scan type: Quick Scan
Objects scanned: 36414
Time elapsed: 7 minute(s), 43 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 6
Registry Keys Infected: 74
Registry Values Infected: 8
Registry Data Items Infected: 2
Folders Infected: 10
Files Infected: 41

Memory Processes Infected:
C:\WINDOWS\system32\dipqbyho.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\Documents and Settings\All Users\Application Data\xsfafolq\hunmnsbo.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
c:\WINDOWS\system32\geBssrOg.dll (Trojan.Vundo) -> Unloaded module successfully.
c:\WINDOWS\system32\rkvdr.dll (Trojan.Zlob) -> Unloaded module successfully.
C:\WINDOWS\system32\eacwhxaf.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\efcDUlkk.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\najfhent.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\rixxfruh.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{b82f29e4-8368-4b14-9c00-5138c0d94034} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b82f29e4-8368-4b14-9c00-5138c0d94034} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gebssrog (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{65bbf06c-ea06-4818-92a3-f3550d0e1004} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{92eb4930-7426-4f92-a88f-f3a96b4f69cc} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{92eb4930-7426-4f92-a88f-f3a96b4f69cc} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d1c4e81-a32a-416b-bcdb-33b3ef3617d3} (Adware.Need2Find) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{aaeff552-3e8b-48b3-9ba2-576073e3acb7} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{43e7b8b8-0c4a-45a9-b94c-5f5b078d68d8} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4340df8e-d7a3-4675-be74-80077b2b3e81} (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{51a0888c-9970-44de-8c2c-835ba870d06f} (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5acae4b8-62d9-4124-a58a-9b1258b77e99} (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d12fb216-99da-4eb3-9cc0-c0f760b174a0} (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d56c1af1-3fde-471c-9bc2-c52515f260c1} (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e656b867-992c-4462-a27d-ebe604ec3a48} (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e656b867-aa2c-4462-a27d-ebe604ec3a48} (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7c109800-a5d5-438f-9640-18d17e168b88} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7c109800-a5d5-438f-9640-18d17e168b88} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0656a137-b161-cadd-9777-e37a75727e78} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0b682cc1-fb40-4006-a5dd-99edd3c9095d} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{54645654-2225-4455-44a1-9f4543d34545} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{5c7f15e1-f31a-44fd-aa1a-2ec63aaffd3a} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{014da6c9-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\HOL5_VXIEWER.FULL.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Classes\HOL5_VXIEWER.FULL.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Classes\applications\accessdiver.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\fwbd (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\HolLol (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Inet Delivery (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Inet Delivery (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\mslagent (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Invictus (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorertoolbar (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\mwc (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Golden Palace Casino PT (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Golden Palace Casino NEW (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Delete on reboot.
HKEY_CURRENT_USER\Software\NetProject (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Service (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Secure Browsing (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{919b3c27-233d-444d-b0ac-922c27bef052} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webvideo (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\vnbptxlf.bfna (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\vnbptxlf.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\videoPl.chl (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\SpywareBot (Rogue.SpywareBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VideoPlugin (Trojan.Fakealert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{b82f29e4-8368-4b14-9c00-5138c0d94034} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{65bbf06c-ea06-4818-92a3-f3550d0e1004} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uyqjfkyw (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\TKa2ahUmi0 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{0656a137-b161-cadd-9777-e37a75727e78} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{919b3c27-233d-444d-b0ac-922c27bef052} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\some (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\start (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\efcdulkk -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\efcdulkk -> Delete on reboot.

Folders Infected:
C:\Program Files\SpywareBot (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Quarantine (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Registry Backups (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Settings (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Casino (Adware.Casino) -> Quarantined and deleted successfully.
C:\WINDOWS\mslagent (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\215651 (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32smp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dan\Desktopvirii (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\geBssrOg.dll (Trojan.Vundo) -> Delete on reboot.
c:\WINDOWS\system32\rkvdr.dll (Trojan.Zlob) -> Delete on reboot.
C:\WINDOWS\system32\eacwhxaf.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\faxhwcae.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\efcDUlkk.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\kklUDcfe.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kklUDcfe.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\najfhent.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\tnehfjan.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rixxfruh.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\hurfxxir.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dipqbyho.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\xsfafolq\hunmnsbo.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jkkHXrrs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\DataBaseNew.ref (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Log\log_2007_02_22_20_13_04.log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Log\log_2007_02_22_20_13_11.log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Settings\CustomScan.stg (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Settings\IgnoreList.stg (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Settings\ScanInfo.stg (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Settings\ScanResults.stg (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Settings\SelectedFolders.stg (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Settings\Settings.stg (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\WINDOWS\mslagent\2_mslagent.dll (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\mslagent\mslagent.exe (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\mslagent\uninstall.exe (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\system32smp\msrc.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dan\Desktopvirii\Trojan-Downloader.Win32.Agent.bl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dan\Desktopvirii\Trojan-Downloader.Win32.Agent.p.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dan\Desktopvirii\Trojan-Downloader.Win32.Agent.r.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dan\Desktopvirii\Trojan-Downloader.Win32.Agent.t.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dan\Desktopvirii\Trojan-Downloader.Win32.Agent.v.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\bdn.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\iTunesMusic.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\mssecu.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\acrsecB.fon (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\acrsecI.fon (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\vnbptxlf.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\qdnkewfa.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\apoxqwfv.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
CatalogDB: 3:01:35 AM 12/12/2007: Adding Catalog File: KB941568.cat
CatalogDB: 3:01:35 AM 12/12/2007: DONE Adding Catalog File: KB941568.cat
CatalogDB: 3:01:43 AM 12/12/2007: Adding Catalog File: oem32.CAT
CatalogDB: 3:01:44 AM 12/12/2007: DONE Adding Catalog File: oem32.CAT
CatalogDB: 3:02:05 AM 12/12/2007: Adding Catalog File: KB942615-IE7.cat
CatalogDB: 3:02:05 AM 12/12/2007: DONE Adding Catalog File: KB942615-IE7.cat
CatalogDB: 3:02:42 AM 12/12/2007: Adding Catalog File: oem32.CAT
CatalogDB: 3:02:42 AM 12/12/2007: DONE Adding Catalog File: oem32.CAT
CatalogDB: 3:03:17 AM 12/12/2007: Adding Catalog File: KB941569.cat
CatalogDB: 3:03:17 AM 12/12/2007: DONE Adding Catalog File: KB941569.cat
CatalogDB: 3:03:22 AM 12/12/2007: Adding Catalog File: oem32.CAT
CatalogDB: 3:03:22 AM 12/12/2007: DONE Adding Catalog File: oem32.CAT
CatalogDB: 3:03:27 AM 12/12/2007: Adding Catalog File: KB942763.cat
CatalogDB: 3:03:27 AM 12/12/2007: DONE Adding Catalog File: KB942763.cat
CatalogDB: 4:09:41 AM 1/9/2008: Adding Catalog File: oem32.CAT
CatalogDB: 4:09:41 AM 1/9/2008: DONE Adding Catalog File: oem32.CAT
CatalogDB: 4:09:53 AM 1/9/2008: Adding Catalog File: oem32.CAT
CatalogDB: 4:09:54 AM 1/9/2008: DONE Adding Catalog File: oem32.CAT
CatalogDB: 4:10:42 AM 1/9/2008: Adding Catalog File: oem32.CAT
CatalogDB: 4:10:42 AM 1/9/2008: DONE Adding Catalog File: oem32.CAT
CatalogDB: 4:10:48 AM 1/9/2008: Adding Catalog File: oem32.CAT
CatalogDB: 4:10:48 AM 1/9/2008: DONE Adding Catalog File: oem32.CAT
CatalogDB: 3:00:39 AM 1/10/2008: Adding Catalog File: oem32.CAT
CatalogDB: 3:00:39 AM 1/10/2008: DONE Adding Catalog File: oem32.CAT
CatalogDB: 3:01:15 AM 1/10/2008: Adding Catalog File: KB943485.cat
CatalogDB: 3:01:15 AM 1/10/2008: DONE Adding Catalog File: KB943485.cat
CatalogDB: 3:01:29 AM 1/10/2008: Adding Catalog File: oem32.CAT
CatalogDB: 3:01:29 AM 1/10/2008: DONE Adding Catalog File: oem32.CAT
CatalogDB: 3:01:33 AM 1/10/2008: Adding Catalog File: KB941644.cat
CatalogDB: 3:01:33 AM 1/10/2008: DONE Adding Catalog File: KB941644.cat
CatalogDB: 5:20:20 PM 2/11/2008: Adding Catalog File: oem32.CAT
CatalogDB: 5:20:20 PM 2/11/2008: DONE Adding Catalog File: oem32.CAT
CatalogDB: 5:22:36 AM 2/13/2008: Adding Catalog File: oem33.CAT
CatalogDB: 5:22:36 AM 2/13/2008: DONE Adding Catalog File: oem33.CAT
CatalogDB: 5:22:48 AM 2/13/2008: Adding Catalog File: oem33.CAT
CatalogDB: 5:22:49 AM 2/13/2008: DONE Adding Catalog File: oem33.CAT
CatalogDB: 5:23:20 AM 2/13/2008: Adding Catalog File: oem33.CAT
CatalogDB: 5:23:20 AM 2/13/2008: DONE Adding Catalog File: oem33.CAT
CatalogDB: 5:23:27 AM 2/13/2008: Adding Catalog File: oem33.CAT
CatalogDB: 5:23:27 AM 2/13/2008: DONE Adding Catalog File: oem33.CAT
CatalogDB: 5:24:25 AM 2/13/2008: Adding Catalog File: oem33.CAT
CatalogDB: 5:24:26 AM 2/13/2008: DONE Adding Catalog File: oem33.CAT
CatalogDB: 5:24:45 AM 2/13/2008: Adding Catalog File: oem33.CAT
CatalogDB: 5:24:45 AM 2/13/2008: DONE Adding Catalog File: oem33.CAT
CatalogDB: 3:00:40 AM 2/14/2008: Adding Catalog File: oem33.CAT
CatalogDB: 3:00:40 AM 2/14/2008: DONE Adding Catalog File: oem33.CAT
CatalogDB: 3:01:24 AM 2/14/2008: Adding Catalog File: KB943055.cat
CatalogDB: 3:01:24 AM 2/14/2008: DONE Adding Catalog File: KB943055.cat
CatalogDB: 3:01:37 AM 2/14/2008: Adding Catalog File: oem33.CAT
CatalogDB: 3:01:38 AM 2/14/2008: DONE Adding Catalog File: oem33.CAT
CatalogDB: 3:01:58 AM 2/14/2008: Adding Catalog File: KB944533-IE7.cat
CatalogDB: 3:01:58 AM 2/14/2008: DONE Adding Catalog File: KB944533-IE7.cat
CatalogDB: 3:02:42 AM 2/14/2008: Adding Catalog File: oem33.CAT
CatalogDB: 3:02:42 AM 2/14/2008: DONE Adding Catalog File: oem33.CAT
CatalogDB: 3:02:46 AM 2/14/2008: Adding Catalog File: KB946026.cat
CatalogDB: 3:02:46 AM 2/14/2008: DONE Adding Catalog File: KB946026.cat
CatalogDB: 12:09:44 AM 3/20/2008: Adding Catalog File: _000000_.cat
CatalogDB: 12:09:44 AM 3/20/2008: DONE Adding Catalog File: _000000_.cat
CatalogDB: 12:10:29 AM 3/20/2008: Adding Catalog File: KB892130.cat
CatalogDB: 12:10:29 AM 3/20/2008: DONE Adding Catalog File: KB892130.cat
CatalogDB: 1:01:12 AM 3/20/2008: Adding Catalog File: oem33.CAT
CatalogDB: 1:01:12 AM 3/20/2008: DONE Adding Catalog File: oem33.CAT
CatalogDB: 1:01:55 AM 3/20/2008: Adding Catalog File: Wudf01000.cat
CatalogDB: 1:01:55 AM 3/20/2008: DONE Adding Catalog File: Wudf01000.cat
CatalogDB: 1:02:24 AM 3/20/2008: Adding Catalog File: oem33.CAT
CatalogDB: 1:02:25 AM 3/20/2008: DONE Adding Catalog File: oem33.CAT
CatalogDB: 1:03:05 AM 3/20/2008: Adding Catalog File: WMFDist11.cat
CatalogDB: 1:03:06 AM 3/20/2008: DONE Adding Catalog File: WMFDist11.cat
CatalogDB: 1:04:07 AM 3/20/2008: Adding Catalog File: oem33.CAT
CatalogDB: 1:04:08 AM 3/20/2008: DONE Adding Catalog File: oem33.CAT
CatalogDB: 1:04:51 AM 3/20/2008: Adding Catalog File: wmp11.cat
CatalogDB: 1:04:51 AM 3/20/2008: DONE Adding Catalog File: wmp11.cat
CatalogDB: 1:05:56 AM 3/20/2008: Adding Catalog File: oem33.CAT
CatalogDB: 1:05:56 AM 3/20/2008: DONE Adding Catalog File: oem33.CAT
CatalogDB: 1:06:15 AM 3/20/2008: Adding Catalog File: MSCompPackV1.cat
CatalogDB: 1:06:15 AM 3/20/2008: DONE Adding Catalog File: MSCompPackV1.cat
CatalogDB: 1:06:28 AM 3/20/2008: Adding Catalog File: oem33.CAT
CatalogDB: 1:06:28 AM 3/20/2008: DONE Adding Catalog File: oem33.CAT
CatalogDB: 1:07:25 AM 3/20/2008: Adding Catalog File: KB926239.cat
CatalogDB: 1:07:25 AM 3/20/2008: DONE Adding Catalog File: KB926239.cat
CatalogDB: 1:19:13 AM 3/20/2008: Adding Catalog File: oem34.CAT
CatalogDB: 1:19:13 AM 3/20/2008: DONE Adding Catalog File: oem34.CAT
CatalogDB: 1:19:15 AM 3/20/2008: Adding Catalog File: oem36.CAT
CatalogDB: 1:19:15 AM 3/20/2008: DONE Adding Catalog File: oem36.CAT
CatalogDB: 1:19:24 AM 3/20/2008: Adding Catalog File: oem40.CAT
CatalogDB: 1:19:24 AM 3/20/2008: DONE Adding Catalog File: oem40.CAT
CatalogDB: 1:19:26 AM 3/20/2008: Adding Catalog File: oem42.CAT
CatalogDB: 1:19:26 AM 3/20/2008: DONE Adding Catalog File: oem42.CAT
CatalogDB: 1:19:26 AM 3/20/2008: Adding Catalog File: oem43.CAT
CatalogDB: 1:19:26 AM 3/20/2008: DONE Adding Catalog File: oem43.CAT
CatalogDB: 1:19:26 AM 3/20/2008: Adding Catalog File: oem44.CAT
CatalogDB: 1:19:27 AM 3/20/2008: DONE Adding Catalog File: oem44.CAT
CatalogDB: 3:00:37 AM 3/21/2008: Adding Catalog File: oem45.CAT
CatalogDB: 3:00:37 AM 3/21/2008: DONE Adding Catalog File: oem45.CAT
CatalogDB: 3:01:15 AM 3/21/2008: Adding Catalog File: Tmp.0.KB936782.cat
CatalogDB: 3:01:16 AM 3/21/2008: DONE Adding Catalog File: Tmp.0.KB936782.cat
CatalogDB: 3:01:22 AM 3/21/2008: Adding Catalog File: KB936782.cat
CatalogDB: 3:01:23 AM 3/21/2008: DONE Adding Catalog File: KB936782.cat
CatalogDB: 3:01:33 AM 3/21/2008: Adding Catalog File: oem45.CAT
CatalogDB: 3:01:33 AM 3/21/2008: DONE Adding Catalog File: oem45.CAT
CatalogDB: 3:02:00 AM 3/21/2008: Adding Catalog File: KB939683.cat
CatalogDB: 3:02:00 AM 3/21/2008: DONE Adding Catalog File: KB939683.cat
CatalogDB: 3:02:03 AM 3/21/2008: Adding Catalog File: oem45.CAT
CatalogDB: 3:02:03 AM 3/21/2008: DONE Adding Catalog File: oem45.CAT
CatalogDB: 3:02:29 AM 3/21/2008: Adding Catalog File: KB929399.cat
CatalogDB: 3:02:29 AM 3/21/2008: DONE Adding Catalog File: KB929399.cat
CatalogDB: 3:02:33 AM 3/21/2008: Adding Catalog File: oem45.CAT
CatalogDB: 3:02:33 AM 3/21/2008: DONE Adding Catalog File: oem45.CAT
CatalogDB: 3:02:59 AM 3/21/2008: Adding Catalog File: KB941569.cat
CatalogDB: 3:02:59 AM 3/21/2008: DONE Adding Catalog File: KB941569.cat
CatalogDB: 10:18:20 AM 4/8/2008: Adding Catalog File: oem45.CAT
CatalogDB: 10:18:21 AM 4/8/2008: DONE Adding Catalog File: oem45.CAT
CatalogDB: 10:18:43 AM 4/8/2008: Adding Catalog File: oem45.CAT
CatalogDB: 10:18:43 AM 4/8/2008: DONE Adding Catalog File: oem45.CAT
CatalogDB: 10:23:37 AM 4/8/2008: Adding Catalog File: oem45.CAT
CatalogDB: 10:23:37 AM 4/8/2008: DONE Adding Catalog File: oem45.CAT
CatalogDB: 10:23:48 AM 4/8/2008: Adding Catalog File: oem45.CAT
CatalogDB: 10:23:48 AM 4/8/2008: DONE Adding Catalog File: oem45.CAT
CatalogDB: 10:24:04 AM 4/8/2008: Adding Catalog File: oem45.CAT
CatalogDB: 10:24:04 AM 4/8/2008: DONE Adding Catalog File: oem45.CAT
CatalogDB: 10:24:17 AM 4/8/2008: Adding Catalog File: oem45.CAT
CatalogDB: 10:24:17 AM 4/8/2008: DONE Adding Catalog File: oem45.CAT
CatalogDB: 3:00:41 AM 4/9/2008: Adding Catalog File: oem45.CAT
CatalogDB: 3:00:41 AM 4/9/2008: DONE Adding Catalog File: oem45.CAT
CatalogDB: 3:01:25 AM 4/9/2008: Adding Catalog File: KB945553.cat
CatalogDB: 3:01:25 AM 4/9/2008: DONE Adding Catalog File: KB945553.cat
CatalogDB: 3:03:54 AM 4/9/2008: Adding Catalog File: oem45.CAT
CatalogDB: 3:03:54 AM 4/9/2008: DONE Adding Catalog File: oem45.CAT
CatalogDB: 3:03:58 AM 4/9/2008: Adding Catalog File: KB948590.cat
CatalogDB: 3:03:58 AM 4/9/2008: DONE Adding Catalog File: KB948590.cat
CatalogDB: 3:04:06 AM 4/9/2008: Adding Catalog File: oem45.CAT
CatalogDB: 3:04:06 AM 4/9/2008: DONE Adding Catalog File: oem45.CAT
CatalogDB: 3:04:30 AM 4/9/2008: Adding Catalog File: KB947864-IE7.cat
CatalogDB: 3:04:30 AM 4/9/2008: DONE Adding Catalog File: KB947864-IE7.cat
CatalogDB: 3:05:08 AM 4/9/2008: Adding Catalog File: oem45.CAT
CatalogDB: 3:05:08 AM 4/9/2008: DONE Adding Catalog File: oem45.CAT
CatalogDB: 3:05:13 AM 4/9/2008: Adding Catalog File: KB941693.cat
CatalogDB: 3:05:13 AM 4/9/2008: DONE Adding Catalog File: KB941693.cat
CatalogDB: 3:05:21 AM 4/9/2008: Adding Catalog File: oem45.CAT
CatalogDB: 3:05:21 AM 4/9/2008: DONE Adding Catalog File: oem45.CAT
CatalogDB: 3:05:26 AM 4/9/2008: Adding Catalog File: KB948881.cat
CatalogDB: 3:05:26 AM 4/9/2008: DONE Adding Catalog File: KB948881.cat
CatalogDB: 1:58:35 PM 4/13/2008: File #2 at line #1422 encountered error 0x00000057
CatalogDB: 1:58:35 PM 4/13/2008: File #2 at line #1422 encountered error 0x00000057
CatalogDB: 1:58:35 PM 4/13/2008: File #2 at line #1422 encountered error 0x00000057
CatalogDB: 1:58:36 PM 4/13/2008: File #2 at line #1422 encountered error 0x00000057
CatalogDB: 1:58:36 PM 4/13/2008: File #2 at line #1422 encountered error 0x00000057
CatalogDB: 1:58:36 PM 4/13/2008: File #2 at line #1422 encountered error 0x00000057
CatalogDB: 1:58:36 PM 4/13/2008: File #2 at line #1422 encountered error 0x00000057
CatalogDB: 1:58:36 PM 4/13/2008: File #2 at line #1422 encountered error 0x00000057
;*******************************************************************************************************************************************************************************************
ANALYSIS: 2008-04-13 21:26:17
PROTECTIONS: 1
MALWARE: 7
SUSPECTS: 0
;*******************************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===========================================================================================================================================================================================
avast! antivirus 4.8.1169 [VPS 080413-0] 4.8.1169 No Yes
;===========================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===========================================================================================================================================================================================
00029258 application/altnet HackTools No 0 Yes No c:\windows\smdat32a.sys
00029258 application/altnet HackTools No 0 Yes No HKEY_CLASSES_ROOT\Interface\{258A3625-183B-4477-AEE2-EA54DF6D878D}
00029258 application/altnet HackTools No 0 Yes No HKEY_CLASSES_ROOT\TypeLib\{5830698F-7FC0-40CD-A453-9A0CAFDF3A64}
00029258 application/altnet HackTools No 0 Yes No HKEY_CLASSES_ROOT\Interface\{AD5BC1F0-72D8-44B3-8E3D-8E8FECCE43FB}
00029258 application/altnet HackTools No 0 Yes No c:\program files\altnet
00029258 application/altnet HackTools No 0 Yes No HKEY_CLASSES_ROOT\Interface\{E813099D-5529-47F4-9B37-4AFAFCB00A43}
00029258 application/altnet HackTools No 0 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{B7156514-A76C-4545-9D5B-A4E1D02C7AEC}
00029258 application/altnet HackTools No 0 Yes No hkey_local_machine\software\classes\typelib\{676f6d1d-c559-42a9-860b-27c1477b7179}
00029258 application/altnet HackTools No 0 Yes No hkey_local_machine\software\classes\typelib\{bff4f684-677e-44f4-8c74-1d575c950e10}
00029258 application/altnet HackTools No 0 Yes No hkey_local_machine\software\altnet
00029258 application/altnet HackTools No 0 Yes No HKEY_CLASSES_ROOT\Interface\{582AB125-1403-42FB-9EFB-198690BA1496}
00029258 application/altnet HackTools No 0 Yes No hkey_classes_root\clsid\{1d3bce37-7834-4579-8169-e67681420a98}
00029258 application/altnet HackTools No 0 Yes No hkey_classes_root\clsid\{3646c2bd-3554-49ca-8125-44deefb881de}
00029258 application/altnet HackTools No 0 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{1D3BCE37-7834-4579-8169-E67681420A98}
00029258 application/altnet HackTools No 0 Yes No hkey_classes_root\clsid\{9bbcf06c-dcd7-495d-80df-cdd5399d0ff8}
00029258 application/altnet HackTools No 0 Yes No hkey_classes_root\clsid\{b7156514-a76c-4545-9d5b-a4e1d02c7aec}
00029258 application/altnet HackTools No 0 Yes No hkey_classes_root\clsid\{def37997-d9c9-4a4b-bf3c-88f99eaceec2}
00029258 application/altnet HackTools No 0 Yes No hkey_classes_root\clsid\{e813099d-5529-47f4-9b37-4afafcb00a43}
00029258 application/altnet HackTools No 0 Yes No hkey_local_machine\software\classes\appid\adm.exe
00029258 application/altnet HackTools No 0 Yes No hkey_local_machine\software\classes\appid\altnet signing module.exe
00029258 application/altnet HackTools No 0 Yes No hkey_local_machine\software\classes\appid\{99a8e2b2-3405-4c0d-9110-131c14caaf62}
00029258 application/altnet HackTools No 0 Yes No hkey_classes_root\appid\adm.exe
00029258 application/altnet HackTools No 0 Yes No hkey_classes_root\appid\{99a8e2b2-3405-4c0d-9110-131c14caaf62}
00029258 application/altnet HackTools No 0 Yes No hkey_local_machine\software\classes\adm.adm
00029258 application/altnet HackTools No 0 Yes No hkey_local_machine\software\classes\adm25.adm25
00029258 application/altnet HackTools No 0 Yes No hkey_local_machine\software\classes\adm25.adm25.1
00029258 application/altnet HackTools No 0 Yes No hkey_local_machine\software\classes\adm4.adm4
00029258 application/altnet HackTools No 0 Yes No hkey_local_machine\software\classes\signingmodule.signingmodule
00029258 application/altnet HackTools No 0 Yes No hkey_local_machine\software\classes\signingmodule.signingmodule.1
00029258 application/altnet HackTools No 0 Yes No hkey_local_machine\software\classes\topsearch.tslink
00029258 application/altnet HackTools No 0 Yes No hkey_local_machine\software\classes\topsearch.tslink.1
00029258 application/altnet HackTools No 0 Yes No hkey_classes_root\adm.adm
00029258 application/altnet HackTools No 0 Yes No hkey_classes_root\adm.adm.1
00029258 application/altnet HackTools No 0 Yes No hkey_classes_root\adm25.adm25
00029258 application/altnet HackTools No 0 Yes No hkey_classes_root\adm25.adm25.1
00029258 application/altnet HackTools No 0 Yes No hkey_classes_root\adm4.adm4
00029258 application/altnet HackTools No 0 Yes No hkey_classes_root\adm4.adm4.1
00029258 application/altnet HackTools No 0 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{3646C2BD-3554-49CA-8125-44DEEFB881DE}
00029258 application/altnet HackTools No 0 Yes No HKEY_CLASSES_ROOT\TypeLib\{676F6D1D-C559-42A9-860B-27C1477B7179}
00029258 application/altnet HackTools No 0 Yes No HKEY_CLASSES_ROOT\AppID\{8B0FEF15-54DC-49F5-8377-8172DE975F75}
00029258 application/altnet HackTools No 0 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{9BBCF06C-DCD7-495D-80DF-CDD5399D0FF8}
00029258 application/altnet HackTools No 0 Yes No hkey_classes_root\signingmodule.signingmodule
00029258 application/altnet HackTools No 0 Yes No hkey_classes_root\signingmodule.signingmodule.1
00029258 application/altnet HackTools No 0 Yes No hkey_classes_root\topsearch.tslink
00029258 application/altnet HackTools No 0 Yes No hkey_classes_root\topsearch.tslink.1
00029258 application/altnet HackTools No 0 Yes No HKEY_CLASSES_ROOT\Interface\{E79DADC6-18D0-4A2A-831F-D196D41F8438}
00029258 application/altnet HackTools No 0 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{DEF37997-D9C9-4A4B-BF3C-88F99EACEEC2}
00059895 adware/instafinder Adware No 0 Yes No c:\program files\instafink
00059895 adware/instafinder Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4E7BD74F-2B8D-469E-90F0-F66AB581A933}
00064489 adware/rxtoolbar Adware No 1 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{25D8BACF-3DE2-4B48-AE22-D659B8D835B0}
00169752 application/need2find HackTools No 0 Yes No hkey_classes_root\need2findbar.settingsplugin
00169752 application/need2find HackTools No 0 Yes No hkey_classes_root\clsid\{630d6140-04c5-4db0-b27a-020d766ff09b}
00169752 application/need2find HackTools No 0 Yes No hkey_local_machine\software\need2find
00169752 application/need2find HackTools No 0 Yes No hkey_classes_root\need2findbar.settingsplugin.1
00169752 application/need2find HackTools No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\uninstall\need2findbar uninstall
00169752 application/need2find HackTools No 0 Yes No c:\program files\need2find
00169752 application/need2find HackTools No 0 Yes No hkey_classes_root\need2findbar.toolbarplugin
00169752 application/need2find HackTools No 0 Yes No HKEY_CLASSES_ROOT\Interface\{4D1C4E8A-A32A-416B-BCDB-33B3EF3617D3}
00169752 application/need2find HackTools No 0 Yes No hkey_current_user\software\need2find
00169752 application/need2find HackTools No 0 Yes No hkey_classes_root\need2findbar.toolbarplugin.1
00169752 application/need2find HackTools No 0 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{630D6140-04C5-4db0-B27A-020D766FF09B}
00211158 application/bestoffer HackTools No 0 Yes No c:\windows\smdat32m.sys
00735083 Application/Altnet HackTools No 0 Yes No C:\Program Files\Altnet\Download Manager\admdata.dll
02654465 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\Dan\My Documents\bpssr.exe
;============================================================================================================================================================================
SUSPECTS
Sent Location
;============================================================================================================================================================================
;============================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;============================================================================================================================================================================
;============================================================================================================================================================================




UNINSTALL LIST
Adobe Acrobat 5.0
Adobe Download Manager 1.2 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Reader 6.0
Adobe Shockwave Player
Apple Software Update
Atlantic Lounge
avast! Antivirus
BetRoyal Casino
Breakaway Casino
Casino Classic
Cirrus Casino
Club Player Casino
Club World Casinos
Compaq Advisor
Compaq Wallpaper
Compaq WinDVD
CompuServe 2000
Cool Cat Casino
Crown Vegas Casino
Disney's Toontown Online
EnglishHarbourCasino
EnglishHarbourCasino
E-PlayersCard
ESPN Version 2.0.6.88
FTDI USB Serial Converter Drivers
Full Tilt Poker
Full Tilt Poker.Net
Golden Casino
GoldenCasino
HetmanCasino
HijackThis 2.0.2
Homescan Internet Transporter
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:06 PM, on 4/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe
C:\Program Files\First Principle Group\fpg.exe
C:\Documents and Settings\Dan\Local Settings\Application Data\VTShared\GCNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MegaPanel] C:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe
O4 - HKLM\..\Run: [First Principle Group] C:\Program Files\First Principle Group\fpg.exe /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcNotifier] C:\Documents and Settings\Dan\Local Settings\Application Data\VTShared\GCNotifier.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Search - http://kl.bar.need2f...earch.html?p=KL
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Support - {8D6BC837-B245-4828-9BB1-06092A487FE6} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: Yahoo! Backgammon - http://download.game...nts/y/at1_x.cab
O16 - DPF: Yahoo! Literati - http://download2.gam...nts/y/tt4_x.cab
O16 - DPF: Yahoo! Pinochle - http://download.game...nts/y/ut2_x.cab
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinn...rabblecubes.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {04063354-A10E-4427-A1EC-F3CC81587BC6} (Mines Control) - http://www.worldwinn...mines/mines.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab46479.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {18C3FD15-74F6-4280-9C98-3590C966B7B8} (SkillGam Control) - http://www.worldwinn...am/skillgam.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinn...GamesLoader.cab
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout Control) - http://www.worldwinn...ut/brickout.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinn...0/pool/pool.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/...dy.cab32846.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Jigsaw Genius Control) - http://www.worldwinn...gsaw/jigsaw.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://livesupport.h...g/ie/SecMgr.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab32846.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://www.worldwinn...jattack/bja.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinn...d/bejeweled.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://www.worldwinn...x/blockwerx.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://www.worldwinn...ll/freecell.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinn...jo/wordmojo.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://www.worldwinn...cubis/cubis.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinn...v46/sol/sol.cab
O16 - DPF: {A91FB93D-7561-4524-8484-5C27C8FA8D42} (WwLuxor Control) - http://www.worldwinn...luxor/luxor.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinn...apit/swapit.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.micro...n7/DLHelper.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinn...man/hangman.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - http://www.worldwinn...ty/tilecity.cab
O16 - DPF: {BB637307-92FA-47EC-B3F7-696907867
  • 0


#2
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi coachv ,

Welcome to Geeks to Go!
My name is sage5, and I will be helping you with this problem.

Please download the following & save to your Desktop:
ComboFix

The real time protection used by programs like Windows Defender can interfere with malware cleaning procedures.
Please follow the steps below to temporarily disable Windows Defender
  • Open Windows Defender
  • Click Tools
  • Click General Settings
  • Scroll down to Real Time Protection Options
  • Uncheck Turn on Real Time Protection (recommended)
  • After you uncheck this, click on the Save button
  • Close Windows Defender
Once your system has been deemed free from malware, you can re-enable Windows Defender's Real Time Protection.



Run HijackThis.
  • Click the Do a system scan only button.
  • Check the boxes for all the entries listed below:
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O4 - HKLM\..\Run: [gcNotifier] C:\Documents and Settings\Dan\Local Settings\Application Data\VTShared\GCNotifier.exe
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Support - {8D6BC837-B245-4828-9BB1-06092A487FE6} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinn...rabblecubes.cab
O16 - DPF: {04063354-A10E-4427-A1EC-F3CC81587BC6} (Mines Control) - http://www.worldwinn...mines/mines.cab
O16 - DPF: {18C3FD15-74F6-4280-9C98-3590C966B7B8} (SkillGam Control) - http://www.worldwinn...am/skillgam.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinn...GamesLoader.cab
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout Control) - http://www.worldwinn...ut/brickout.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Jigsaw Genius Control) - http://www.worldwinn...gsaw/jigsaw.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://www.worldwinn...jattack/bja.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://www.worldwinn...cubis/cubis.cab
O16 - DPF: {A91FB93D-7561-4524-8484-5C27C8FA8D42} (WwLuxor Control) - http://www.worldwinn...luxor/luxor.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.micro...n7/DLHelper.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinn...man/hangman.cab

  • Now close all windows other than HijackThis and click Fix Checked.
  • Close HijackThis.


Create a ComboFix Script:
  • Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.
  • Now copy/paste the entire content of the codebox below into the Notepad window:
File::
C:\Documents and Settings\Dan\Local Settings\Application Data\VTShared\GCNotifier.exe
C:\Program Files\PokerStars\PokerStarsUpdate.exe
C:\Program Files\UltimateBet\UltimateBet.exe
C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
C:\Program Files\Internet Explorer\SIGNUP\Presario.htm
c:\windows\smdat32a.sys
c:\windows\smdat32m.sys
C:\Program Files\Altnet\Download Manager\admdata.dll
C:\Documents and Settings\Dan\My Documents\bpssr.exe

Folder::
c:\program files\altnet
c:\program files\instafink
c:\program files\need2find

Registry::
[-hkey_local_machine\software\classes\typelib\{676f6d1d-c559-42a9-860b-27c1477b7179}]
[-hkey_local_machine\software\classes\typelib\{bff4f684-677e-44f4-8c74-1d575c950e10}]
[-hkey_local_machine\software\altnet]
[-hkey_classes_root\clsid\{3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF}]
[-hkey_classes_root\clsid\{94148DB5-B42D-4915-95DA-2CBB4F7095BF}]
[-hkey_classes_root\clsid\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}]
[-hkey_classes_root\clsid\{8D6BC837-B245-4828-9BB1-06092A487FE6}]
[-hkey_classes_root\clsid\{1d3bce37-7834-4579-8169-e67681420a98}]
[-hkey_classes_root\clsid\{3646c2bd-3554-49ca-8125-44deefb881de}]
[-hkey_classes_root\clsid\{9bbcf06c-dcd7-495d-80df-cdd5399d0ff8}]
[-hkey_classes_root\clsid\{b7156514-a76c-4545-9d5b-a4e1d02c7aec}]
[-hkey_classes_root\clsid\{def37997-d9c9-4a4b-bf3c-88f99eaceec2}]
[-hkey_classes_root\clsid\{e813099d-5529-47f4-9b37-4afafcb00a43}]
[-hkey_local_machine\software\classes\appid\adm.exe]
[-hkey_local_machine\software\classes\appid\altnet signing module.exe]
[-hkey_local_machine\software\classes\appid\{99a8e2b2-3405-4c0d-9110-131c14caaf62}]
[-hkey_classes_root\appid\adm.exe]
[-hkey_classes_root\appid\{99a8e2b2-3405-4c0d-9110-131c14caaf62}]
[-hkey_local_machine\software\classes\adm.adm]
[-hkey_local_machine\software\classes\adm25.adm25]
[-hkey_local_machine\software\classes\adm25.adm25.1]
[-hkey_local_machine\software\classes\adm4.adm4]
[-hkey_local_machine\software\classes\signingmodule.signingmodule]
[-hkey_local_machine\software\classes\signingmodule.signingmodule.1]
[-hkey_local_machine\software\classes\topsearch.tslink]
[-hkey_local_machine\software\classes\topsearch.tslink.1]
[-hkey_classes_root\adm.adm]
[-hkey_classes_root\adm.adm.1]
[-hkey_classes_root\adm25.adm25]
[-hkey_classes_root\adm25.adm25.1]
[-hkey_classes_root\adm4.adm4]
[-hkey_classes_root\adm4.adm4.1]
[-hkey_classes_root\signingmodule.signingmodule]
[-hkey_classes_root\signingmodule.signingmodule.1]
[-hkey_classes_root\topsearch.tslink]
[-hkey_classes_root\topsearch.tslink.1]
[-hkey_classes_root\need2findbar.settingsplugin]
[-hkey_classes_root\clsid\{630d6140-04c5-4db0-b27a-020d766ff09b}]
[-hkey_local_machine\software\need2find]
[-hkey_classes_root\need2findbar.settingsplugin.1]
[-hkey_local_machine\software\microsoft\windows\currentversion\uninstall\need2findbar uninstall]
[-hkey_classes_root\need2findbar.toolbarplugin]
[-hkey_current_user\software\need2find]
[-hkey_classes_root\need2findbar.toolbarplugin.1]
[-HKEY_CLASSES_ROOT\Interface\{258A3625-183B-4477-AEE2-EA54DF6D878D}]
[-HKEY_CLASSES_ROOT\TypeLib\{5830698F-7FC0-40CD-A453-9A0CAFDF3A64}]
[-HKEY_CLASSES_ROOT\Interface\{AD5BC1F0-72D8-44B3-8E3D-8E8FECCE43FB}]
[-HKEY_CLASSES_ROOT\Interface\{E813099D-5529-47F4-9B37-4AFAFCB00A43}]
[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{B7156514-A76C-4545-9D5B-A4E1D02C7AEC}]
[-HKEY_CLASSES_ROOT\Interface\{582AB125-1403-42FB-9EFB-198690BA1496}]
[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF}]
[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{94148DB5-B42D-4915-95DA-2CBB4F7095BF}]
[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}]
[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{8D6BC837-B245-4828-9BB1-06092A487FE6}]
[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{1D3BCE37-7834-4579-8169-E67681420A98}]
[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{3646C2BD-3554-49CA-8125-44DEEFB881DE}]
[-HKEY_CLASSES_ROOT\TypeLib\{676F6D1D-C559-42A9-860B-27C1477B7179}]
[-HKEY_CLASSES_ROOT\AppID\{8B0FEF15-54DC-49F5-8377-8172DE975F75}]
[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{9BBCF06C-DCD7-495D-80DF-CDD5399D0FF8}]
[-HKEY_CLASSES_ROOT\Interface\{E79DADC6-18D0-4A2A-831F-D196D41F8438}]
[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{DEF37997-D9C9-4A4B-BF3C-88F99EACEEC2}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4E7BD74F-2B8D-469E-90F0-F66AB581A933}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{25D8BACF-3DE2-4B48-AE22-D659B8D835B0}]
[-HKEY_CLASSES_ROOT\Interface\{4D1C4E8A-A32A-416B-BCDB-33B3EF3617D3}]
[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{630D6140-04C5-4db0-B27A-020D766FF09B}]

  • Save the above as CFScript.txt
  • Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
    Posted Image
  • After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

The text from these files may exceed the maximum post length for this forum, and may need to be sent over 2 or more posts. Please ensure all text is posted.


Cheers,

sage5

Edited by sage5, 25 April 2008 - 12:00 AM.

  • 0
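What the reply above does by hand, written out as an added example that is not part of the thread and not code from HijackThis, ComboFix or Geeks to Go: a small Python triage of HijackThis log lines that collects the kinds of entries the helper picked out (hosts-file redirects, registrations that point at a missing file, an autorun living under a user profile, an ActiveX control with no download source) and drafts the File:: / Registry:: layout of a CFScript from them. The sample lines are copied from the log in this thread; the flagging rules and the HKEY_CLASSES_ROOT\CLSID deletion form are this example's own assumptions, and the drafted script is a starting point for a helper to check line by line, not something to run unreviewed.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address

# Constructed sample: a handful of lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = yahoo.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 127.0.0.1 localhost
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [gcNotifier] C:\Documents and Settings\Dan\Local Settings\Application Data\VTShared\GCNotifier.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
AUTORUN_RE = re.compile(r'^O4 - [^:]+: \[[^\]]*\]\s+"?([A-Za-z]:\\.+?\.(?:exe|com|bat|scr))"?(?:\s|$)', re.I)
DPF_RE = re.compile(r"^O16 - DPF: (\{[^}]+\})(?: \([^)]*\))? -\s*(\S*)$")
# Assumption of this example: an autorun binary under a user profile deserves a look,
# since installed software normally lives under Program Files or Windows.
USER_PROFILE_RE = re.compile(r"^[A-Za-z]:\\(Documents and Settings|Users)\\", re.I)


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O1"
    line: str      # the log line as written
    reason: str    # why it was flagged


@dataclass
class Triage:
    findings: list = field(default_factory=list)
    files: list = field(default_factory=list)      # candidate File:: entries
    registry: list = field(default_factory=list)   # candidate Registry:: entries


def _is_redirect(ip_text: str) -> bool:
    """True when a hosts line points a name at a real address rather than loopback/null."""
    try:
        ip = ip_address(ip_text)
    except ValueError:
        return True  # an unparsable target is itself worth flagging
    return not (ip.is_loopback or ip.is_unspecified)


def triage_hjt_log(text: str) -> Triage:
    """Walk the log once; collect findings plus CFScript candidates."""
    out = Triage()
    seen_hosts = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]

        m = HOSTS_RE.match(line)
        if m and _is_redirect(m.group(1)):
            key = (m.group(1), m.group(2).lower())
            if key in seen_hosts:
                continue  # the posted log repeats identical hosts lines; report once
            seen_hosts.add(key)
            out.findings.append(Finding(section, line, f"hosts file sends {key[1]} to {key[0]}"))
            continue

        if section in ("O3", "O9") and line.endswith("(no file)"):
            out.findings.append(Finding(section, line, "registration points at a missing file"))
            clsid = CLSID_RE.search(line)
            if clsid:
                # Same [-key] deletion form as the thread's CFScript; HKCR\CLSID is an assumption.
                out.registry.append(f"[-HKEY_CLASSES_ROOT\\CLSID\\{clsid.group(0)}]")
            continue

        m = AUTORUN_RE.match(line)
        if m and USER_PROFILE_RE.match(m.group(1)):
            out.findings.append(Finding(section, line, "autorun binary lives under a user profile"))
            out.files.append(m.group(1))
            continue

        m = DPF_RE.match(line)
        if m and not m.group(2):
            out.findings.append(Finding(section, line, "ActiveX control with no download source"))
    return out


def build_cfscript(t: Triage) -> str:
    """Render File:: and Registry:: blocks in the layout shown in the thread's CFScript."""
    parts = []
    if t.files:
        parts.append("File::\n" + "\n".join(t.files))
    if t.registry:
        parts.append("Registry::\n" + "\n".join(t.registry))
    return "\n\n".join(parts) + ("\n" if parts else "")


if __name__ == "__main__":
    result = triage_hjt_log(SAMPLE_LOG)
    for f in result.findings:
        print(f"{f.section}: {f.reason}\n    {f.line}")
    print(build_cfscript(result))
```

Run as-is it reports five findings from the sample and prints a two-block draft; feed it a full log by reading the file into `triage_hjt_log`. The loopback check is what keeps a legitimate ad-blocking hosts file (entries pointing at 127.0.0.1) out of the findings while still catching the casinocontroller.com redirect.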

#3
coachv

coachv

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
I was unable to follow your instructions to disable Windows Defender so I uninstalled the program. Below are the logs requested.

Thank you for such a quick response, I appreciate it very much.

ComboFix 08-04-22.5 - Dan 2008-04-24 23:55:03.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.191 [GMT -7:00]
Running from: C:\Documents and Settings\Dan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dan\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Dan\Local Settings\Application Data\VTShared\GCNotifier.exe
C:\Documents and Settings\Dan\My Documents\bpssr.exe
C:\Program Files\Altnet\Download Manager\admdata.dll
C:\Program Files\Internet Explorer\SIGNUP\Presario.htm
C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
C:\Program Files\PokerStars\PokerStarsUpdate.exe
C:\Program Files\UltimateBet\UltimateBet.exe
c:\windows\smdat32a.sys
c:\windows\smdat32m.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Dan\DesktopTrojan.Win32.BlackBird.exe
C:\Documents and Settings\Dan\Local Settings\Application Data\VTShared\GCNotifier.exe
C:\Documents and Settings\Dan\My Documents\bpssr.exe
c:\program files\altnet
c:\program files\altnet\DBBackup\Sigfiles.db
c:\program files\altnet\Download Manager\admdata.dll
c:\program files\altnet\Download Manager\dminfo3.cab
c:\program files\altnet\Download Manager\dminstall7.cab
c:\program files\altnet\Download Manager\dmsetup.bmp
c:\program files\altnet\Download Manager\dmsetupbig.bmp
c:\program files\altnet\Download Manager\jsinstall.cab
c:\program files\altnet\Download Manager\jslegals.txt
c:\program files\altnet\Download Manager\selectdir.txt
c:\program files\altnet\Download Manager\selectdir1st.txt
c:\program files\instafink
C:\Program Files\Internet Explorer\SIGNUP\Presario.htm
c:\program files\need2find
c:\program files\need2find\bar\1.bin\N2FFXTBR.JAR
c:\program files\need2find\bar\1.bin\N2NTSTBR.JAR
c:\program files\need2find\bar\1.bin\PARTNER.DAT
c:\program files\need2find\bar\Cache\0B7A9807
c:\program files\need2find\bar\Cache\0B7AA381
c:\program files\need2find\bar\Cache\0B7B7A39
c:\program files\need2find\bar\Cache\files.ini
c:\program files\need2find\bar\History\search
c:\program files\need2find\bar\Settings\prevcfg.htm
C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
C:\Program Files\PokerStars\PokerStarsUpdate.exe
C:\Program Files\UltimateBet\UltimateBet.exe
C:\WINDOWS\a.bat
C:\WINDOWS\base64.tmp
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\Fonts\acrsec.fon
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\smdat32a.sys
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\kklUDcfe.ini
C:\WINDOWS\system32\kklUDcfe.ini2
C:\WINDOWS\system32akttzn.exe
C:\WINDOWS\system32anticipator.dll
C:\WINDOWS\system32awtoolb.dll
C:\WINDOWS\system32bdn.com
C:\WINDOWS\system32bsva-egihsg52.exe
C:\WINDOWS\system32dpcproxy.exe
C:\WINDOWS\system32emesx.dll
C:\WINDOWS\[email protected]@@k.dll
C:\WINDOWS\system32hoproxy.dll
C:\WINDOWS\system32hxiwlgpm.dat
C:\WINDOWS\system32hxiwlgpm.exe
C:\WINDOWS\system32medup012.dll
C:\WINDOWS\system32medup020.dll
C:\WINDOWS\system32msgp.exe
C:\WINDOWS\system32msnbho.dll
C:\WINDOWS\system32mssecu.exe
C:\WINDOWS\system32msvchost.exe
C:\WINDOWS\system32mtr2.exe
C:\WINDOWS\system32mwin32.exe
C:\WINDOWS\system32netode.exe
C:\WINDOWS\system32newsd32.exe
C:\WINDOWS\system32ps1.exe
C:\WINDOWS\system32psof1.exe
C:\WINDOWS\system32psoft1.exe
C:\WINDOWS\system32regc64.dll
C:\WINDOWS\system32regm64.dll
C:\WINDOWS\system32Rundl1.exe
C:\WINDOWS\system32sncntr.exe
C:\WINDOWS\system32ssurf022.dll
C:\WINDOWS\system32ssvchost.com
C:\WINDOWS\system32ssvchost.exe
C:\WINDOWS\system32sysreq.exe
C:\WINDOWS\system32taack.dat
C:\WINDOWS\system32taack.exe
C:\WINDOWS\system32temp#01.exe
C:\WINDOWS\system32thun.dll
C:\WINDOWS\system32thun32.dll
C:\WINDOWS\system32VBIEWER.OCX
C:\WINDOWS\system32vbsys2.dll
C:\WINDOWS\system32vcatchpi.dll
C:\WINDOWS\system32winlogonpc.exe
C:\WINDOWS\system32winsystem.exe
C:\WINDOWS\system32WINWGPX.EXE
C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\winsystem.exe
C:\WINDOWS\zip1.tmp
C:\WINDOWS\zip2.tmp
C:\WINDOWS\zip3.tmp
C:\WINDOWS\zipped.tmp

.
((((((((((((((((((((((((( Files Created from 2008-03-25 to 2008-04-25 )))))))))))))))))))))))))))))))
.

2100-04-01 18:22 . 2008-04-10 17:38 193 --a------ C:\WINDOWS\X83_DS.ini
2100-02-24 15:15 . 2001-04-02 17:30 821 --a------ C:\WINDOWS\Lexmark_ICM.ini
2100-02-16 17:09 . 2001-02-16 16:37 62 --a------ C:\WINDOWS\system32\LXASUSCI.INI
2008-04-13 21:48 . 2008-04-13 21:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-13 17:39 . 2008-04-13 17:41 <DIR> d-------- C:\Program Files\Panda Security
2008-04-13 13:50 . 2008-04-13 17:30 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-13 13:50 . 2008-04-13 13:50 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\SUPERAntiSpyware.com
2008-04-13 13:50 . 2008-04-13 13:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-13 13:49 . 2008-04-13 13:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-13 13:20 . 2008-04-13 13:20 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\Malwarebytes
2008-04-13 13:19 . 2008-04-13 13:19 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-13 13:19 . 2008-04-13 13:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-13 13:18 . 2008-04-13 13:18 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-10 17:26 . 2008-04-13 13:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\xsfafolq

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-25 06:56 --------- d-----w C:\Program Files\UltimateBet
2008-04-25 06:56 --------- d-----w C:\Program Files\PokerStars
2008-04-05 03:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-04 04:43 --------- d-----w C:\Program Files\Full Tilt Poker
2008-03-20 22:07 --------- d-----w C:\Program Files\MayanFortune
2008-03-20 08:18 --------- d-----w C:\Program Files\Common Files\Motorola Shared
2008-03-20 08:05 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-16 22:30 --------- d-----w C:\Program Files\Qtrax_20080125
2008-02-20 19:55 2,768,131 ---ha-w C:\Program Files\VersionIns.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [ ]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WorksFUD"="" []
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2000-07-13 13:00 311350]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-07-13 13:00 28739]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [2001-07-24 14:34 36864]
"Lexmark X83 Button Monitor"="C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe" [2001-10-18 11:25 40960]
"Lexmark X83 Button Manager"="C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe" [2001-06-14 13:42 53248]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-25 11:20 36864]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]
"MegaPanel"="C:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe" [2006-05-11 14:30 2064384]
"First Principle Group"="C:\Program Files\First Principle Group\fpg.exe" [2007-08-15 08:23 1802240]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [ ]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-09 18:21:38 147456]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 18:11:12 28672]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 13:05:56 65588]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-07-13 13:00:00 24633]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\StubInstaller.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 11:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 11:35]
R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-17 15:36]
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 06:28]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;C:\WINDOWS\system32\Drivers\usbscan.sys [2004-08-03 22:58]
S3 Gcr432;Gcr432;C:\WINDOWS\system32\Drivers\gcr432.sys [2001-05-10 13:54]
S3 lredbooo;lredbooo;C:\DOCUME~1\Dan\LOCALS~1\Temp\lredbooo.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-23 03:19:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-25 06:56:01 C:\WINDOWS\Tasks\Comprobar actualizaciones de Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-11-27 20:15:16 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1180258201.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2001-12-31 20:52:15 C:\WINDOWS\Tasks\Registration reminder 1.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2001-12-31 20:52:16 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2001-12-31 20:52:16 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-25 00:03:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\scardsvr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-04-25 0:13:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-25 07:13:46

Pre-Run: 61,428,342,784 bytes free
Post-Run: 61,446,877,184 bytes free

226 --- E O F --- 2008-04-09 10:05:29



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:15:46 AM, on 4/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe
C:\Program Files\First Principle Group\fpg.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [MegaPanel] C:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe
O4 - HKLM\..\Run: [First Principle Group] C:\Program Files\First Principle Group\fpg.exe /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Search - http://kl.bar.need2f...earch.html?p=KL
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: Yahoo! Backgammon - http://download.game...nts/y/at1_x.cab
O16 - DPF: Yahoo! Literati - http://download2.gam...nts/y/tt4_x.cab
O16 - DPF: Yahoo! Pinochle - http://download.game...nts/y/ut2_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab46479.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinn...0/pool/pool.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/...dy.cab32846.cab
O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://livesupport.h...g/ie/SecMgr.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab32846.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinn...d/bejeweled.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://www.worldwinn...x/blockwerx.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://www.worldwinn...ll/freecell.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinn...jo/wordmojo.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinn...v46/sol/sol.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinn...apit/swapit.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - http://www.worldwinn...ty/tilecity.cab
O16 - DPF: {BB637307-92FA-47EC-B3F7-6969078673CC} (Royal Control) - http://www.worldwinn...royal/royal.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.to...0.16/ttinst.cab
O16 - DPF: {C5326A4D-E9AA-40AD-A09A-E74304D86B47} (DinerDash Control) - http://www.worldwinn...h/dinerdash.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinn...paint/paint.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://jackpotflash...ash/FlashAX.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab41227.cab
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} (GolfSol Control) - http://www.worldwinn...sol/golfsol.cab
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} (WWSpades Control) - http://www.worldwinn...es/wwspades.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/...on.cab40641.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 10452 bytes
  • 0

#4
sage5
    RIP 10/2009
  • Retired Staff
  • 2,646 posts
Hi coachv ,


Run HijackThis.
  • Click the Do a system scan only button.
  • Check the boxes for all the entries listed below:
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://www.worldwinn...ll/freecell.cab
O16 - DPF: {BB637307-92FA-47EC-B3F7-6969078673CC} (Royal Control) - http://www.worldwinn...royal/royal.cab
O16 - DPF: {C5326A4D-E9AA-40AD-A09A-E74304D86B47} (DinerDash Control) - http://www.worldwinn...h/dinerdash.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinn...paint/paint.cab
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} (GolfSol Control) - http://www.worldwinn...sol/golfsol.cab
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} (WWSpades Control) - http://www.worldwinn...es/wwspades.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/...on.cab40641.cab

  • Now close all windows other than HijackThis and click Fix Checked.
  • Close HijackThis.


Delete bad services
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.

@echo off
sc stop Gcr432
sc stop lredbooo
sc delete Gcr432
sc delete lredbooo
exit


Double click FixServices.bat. A window will open and close. This is normal.


Reboot into Safe Mode:
  • Restart your Computer
  • As soon as it starts to boot up, tap your F8 key repeatedly.
  • This should bring up the Windows Advanced Options Menu.
  • Use your arrow keys to select Safe Mode and click the Enter key.


Remove folders & files:
  • Please go to Start > Control Panel > Add/Remove Programs and remove the following, (if present):
    Full Tilt Poker
    PokerStars
    UltimateBet

    Please take note of any other programs that you don't recognise in that list, and include them in your next response.
  • Using Windows Explorer, (to get there right-click your Start button and go to "Explore"), delete these folders, (if present):
    C:\Program Files\Full Tilt Poker
    C:\Program Files\PokerStars
    C:\Program Files\UltimateBet
  • Delete these files, (if present):
    C:\WINDOWS\system32\Drivers\gcr432.sys
    C:\Documents & Settings\Dan\Local Settings\Temp\lredbooo.sys


Please go HERE to run Panda's TotalScan
  • Select the bubble for Full scan
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • Then the scan will begin
  • When the scan completes, click the Save button on the right of Scan details
  • Save it to C:\active_scan.txt
  • Post the contents of the TotalScan report


You don't appear to be running a 3rd party firewall. These are essential to protect from trojans, viruses, spyware etc.

You should check out:- Comodo Firewall Pro or Sunbelt Personal Firewall

User manuals are available for both:
Comodo's manual is built in and accessible from the Help Menu.

Sunbelt Manual Here

Both are simple to install & free to use.
Please install only 1

I need you to post me a fresh HijackThis log to confirm correct installation of the Firewall.

Cheers,

sage5
  • 0
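The ComboFix log above shows why these particular O4 entries were chosen for removal: in the "Reg Loading Points" section every Run value is followed by the file's date and size in square brackets, and the bracket stays empty (`[ ]`) when ComboFix could not find the file on disk, so an orphaned autostart is pointing at nothing, or at something that has since been hidden or renamed. The same bracket appears on the driver/service lines, where `lredbooo` stands out twice: its image is missing and its path sits under the user's Temp directory, which is not where a legitimate kernel driver lives. The following Python script is an added example for readers of this thread, not code from ComboFix, HijackThis or anyone in the thread; it parses a constructed sample in the same layout as the log quoted above and flags exactly these two conditions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the ComboFix "Reg Loading Points" and
# driver/service sections quoted earlier in this thread; a handful of lines,
# not the full log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WorksFUD"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 11:31]
S3 Gcr432;Gcr432;C:\WINDOWS\system32\Drivers\gcr432.sys [2001-05-10 13:54]
S3 lredbooo;lredbooo;C:\DOCUME~1\Dan\LOCALS~1\Temp\lredbooo.sys []
"""

# "Name"="command" [date time size]; the bracket is blank when the file was
# not found on disk.
RUN_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]\s*$')
# Start type (R1, S3, ...), service name, display name, image path [date time]
SVC_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$')

# Directories a kernel driver should never load from (compared lower-case).
SUSPICIOUS_DIRS = ("\\temp\\", "\\tmp\\")


@dataclass
class Finding:
    kind: str                 # "run" (autostart value) or "driver" (service line)
    name: str
    path: str
    reasons: list = field(default_factory=list)


def analyze(text: str) -> list:
    """Return a Finding for every autostart or driver line that deserves review."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):
            continue  # blank line or a registry key header
        m = RUN_RE.match(line)
        if m:
            reasons = []
            if not m["path"]:
                reasons.append("empty command")
            elif not m["meta"].strip():
                reasons.append("file not found on disk")
            if reasons:
                findings.append(Finding("run", m["name"], m["path"], reasons))
            continue
        m = SVC_RE.match(line)
        if m:
            reasons = []
            if any(d in m["path"].lower() for d in SUSPICIOUS_DIRS):
                reasons.append("loads from a Temp directory")
            if not m["meta"].strip():
                reasons.append("file not found on disk")
            if reasons:
                findings.append(Finding("driver", m["name"], m["path"], reasons))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.kind:6} {f.name!r:20} {f.path or '<none>'}  <- {'; '.join(f.reasons)}")
```

Run against the sample it reports "Yahoo! Pager" (file missing), "WorksFUD" (empty command) and the `lredbooo` driver (Temp path, file missing), while the entries with a populated bracket pass silently. A flagged Run value is not proof of malware; it is the short list a helper checks first, and on this thread that list matches the O4 lines above one for one.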

#5
coachv
    Member
  • Topic Starter
  • Member
  • 13 posts
I have followed the instructions to download Panda's TotalScan. I continue to get an error "Sorry, loading is incomplete due to an error. Please try again. Error 2147467259."

I have attempted to download multiple times with no success.
  • 0

#6
sage5
    RIP 10/2009
  • Retired Staff
  • 2,646 posts
Alright, let's try a different scanner:
Please download the following & save to your Desktop:

OTScanIt.exe

Install OTScanIt:
  • Double-click on OTScanIt.exe to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close any open browsers.
  • If your Real protection or Antivirus intervenes with OTScanIt, allow it to run.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Make sure that the Non Microsoft option is clicked in the following Headings:
    • Processes
    • Services
    • Drivers
    • Registry
  • Click Yes under Rootkit scan
  • Make sure that you tick these in the Additional Scans box
    • Reg - BotCheck
    • Reg - Security Settings
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning large amounts of data so depending on your system it could take a while to complete.
  • When the scan is done Notepad will open with the report file loaded in it.
  • Save the file in the new OTScanIt folder as Scan1.txt
If the log is too large to post, use the Reply button, scroll down to the Attachments section and attach the Notepad file here.
  • 0

#7
coachv
    Member
  • Topic Starter
  • Member
  • 13 posts
Scan1.txt is attached as well as a new hijack log after installing Comodo firewall.

Attached Files


Edited by coachv, 27 April 2008 - 12:30 AM.

  • 0

#8
coachv
    Member
  • Topic Starter
  • Member
  • 13 posts
I was not able to access the internet after installing Comodo. I assume it was an incorrect setting, but did not figure out how to correct it. I uninstalled in order to view this forum for additional assistance. Thanks again.
  • 0

#9
sage5
    RIP 10/2009
  • Retired Staff
  • 2,646 posts
Hi coachv ,


Run the Fix:
  • Open the OTScanIT folder on the Desktop
  • Run OTScanIt.exe.
  • Copy all the text in the Code box below, and Paste it into the pane under the GREEN bar, titled Paste fix here and then click the green Run Fix button.


    [Kill Explorer]
    [Unregister Dlls]
    [Driver Services - Non-Microsoft Only]
    NY -> (szkg) szkg [Kernel | Boot | Stopped] -> %SystemRoot%\system32\DRIVERS\szkg.sys
    [Registry - Non-Microsoft Only]
    < Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> WorksFUD -> []
    < Trusted Sites Domains [HKEY_USERS\S-1-5-21-1484400983-2845621009-2907011200-1006\] > -> HKEY_USERS\S-1-5-21-1484400983-2845621009-2907011200-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
    YN ->   .[msn] -> My Computer
    < Internet Explorer Bars [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
    YN -> {4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    < Internet Explorer Bars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
    YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YN -> {4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    < Internet Explorer Bars [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
    YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    < Internet Explorer Bars [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
    YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    < Internet Explorer Bars [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
    YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    < Internet Explorer Bars [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
    YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    < Internet Explorer Bars [HKEY_USERS\S-1-5-21-1484400983-2845621009-2907011200-1006\] > -> HKEY_USERS\S-1-5-21-1484400983-2845621009-2907011200-1006\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
    YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YN -> {4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    < Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
    YN -> {0BF43445-2F28-4351-9252-17FE6E806AA0} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    < Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
    YN -> WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YN -> WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    < Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-1484400983-2845621009-2907011200-1006\] > -> HKEY_USERS\S-1-5-21-1484400983-2845621009-2907011200-1006\Software\Microsoft\Internet Explorer\Toolbar\
    YN -> WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YN -> WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    < Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
    YN -> {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. []
    < Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
    YN -> &Search -> 
    < Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\
    YN -> CmdMapping\\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
    YN -> CmdMapping\\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} [HKEY_LOCAL_MACHINE] -> [Reg Error: Value MenuText does not exist or could not be read.]
    < Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\
    YN -> CmdMapping\\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
    YN -> CmdMapping\\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} [HKEY_LOCAL_MACHINE] -> [Reg Error: Value MenuText does not exist or could not be read.]
    < Internet Explorer Menu Extensions [HKEY_USERS\S-1-5-21-1484400983-2845621009-2907011200-1006\] > -> HKEY_USERS\S-1-5-21-1484400983-2845621009-2907011200-1006\Software\Microsoft\Internet Explorer\MenuExt\
    YN -> &Search -> 
    < Default Protocols [HKEY_USERS\.DEFAULT\] - Select to Repair > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
    YN -> shell -> shell protocol not assigned
    < Default Protocols [HKEY_USERS\S-1-5-18\] - Select to Repair > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
    YN -> shell -> shell protocol not assigned
    < Default Protocols [HKEY_USERS\S-1-5-19\] - Select to Repair > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
    YN -> shell -> shell protocol not assigned
    < Default Protocols [HKEY_USERS\S-1-5-20\] - Select to Repair > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
    YN -> shell -> shell protocol not assigned
    < Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
    YN -> ipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
    YN -> msdaipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
    < Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
    YN -> {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab[Java Plug-in 1.5.0_09]
    YN -> {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab[Java Plug-in 1.5.0_10]
    [Registry - Additional Scans - Non-Microsoft Only]
    < BotCheck > -> 
    YN -> ~EmptyValue -> Reg Error: Key does not exist or could not be opened.
    < Security Settings > -> 
    YN -> ~EmptyValue -> Reg Error: Key does not exist or could not be opened.
    [Files/Folders - Created Within 30 days]
    NY -> 1 C:\*.tmp files -> C:\*.tmp
    NY -> 5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
    NY -> X83_DS.ini -> %SystemRoot%\X83_DS.ini
    [Files/Folders - Modified Within 30 days]
    NY -> X83_DS.bmp -> %SystemDrive%\X83_DS.bmp
    NY -> 5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
    NY -> 5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
    NY -> ACMonitor_X83.ini -> %SystemRoot%\ACMonitor_X83.ini
    NY -> bootstat.dat -> %SystemRoot%\bootstat.dat
    NY -> cdcert_casino_vegas.cat -> %SystemRoot%\cdcert_casino_vegas.cat
    NY -> X83_DS.ini -> %SystemRoot%\X83_DS.ini
    NY -> Comprobar actualizaciones de Windows Live Toolbar.job -> %SystemRoot%\tasks\Comprobar actualizaciones de Windows Live Toolbar.job
    NY -> _unps.exe -> C:\Documents and Settings\Dan\Local Settings\Temp\_unps.exe
    NY -> 2 C:\Documents and Settings\Dan\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Dan\Local Settings\Temp\*.tmp
    [CatchMe Rootkit Scan by GMER]
    YN -> IPC error: 2 The system cannot find the file specified. -> 
    YN -> IPC error: 2 The system cannot find the file specified. -> 
    NY -> C:\Documents and Settings\Dan\Favorites\poker\Poker Forum - Welcome to the Poker Source Online Poker Forum.url:favicon 894 bytes -> 
    NY -> C:\Documents and Settings\Dan\Favorites\poker\Online Poker Tournaments, FreeRolls & Best Deposit Bonus deals. Internet Poker Room Ratings by Players. Poker News.url:favicon 7406 bytes -> 
    NY -> C:\Documents and Settings\Dan\Favorites\poker\poker news.url:favicon 7406 bytes -> 
    [Extra Files]
    Purity
    [Empty Temp Folders]
    [Start Explorer]

  • The fix should only take a very short time.
  • When the fix is done, click the OK button in the message box.
  • Notepad will open with a log of actions taken during the fix.
    This file is saved in the Moved Files folder and is named in date_time format (mmddyyyy_hhmmss.log format, so e.g. 04012008_082852.log)
  • I need you to Post the text from that file back here.
I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
  • 0

#10
coachv
    Member
  • Topic Starter
  • Member
  • 13 posts
I continue to have "running fix" at the bottom left of the OTScanIt screen. It has remained this way for 1.5 hours now. I will leave that screen running, but am beginning to wonder if it is somehow hung up.

It has now run for 3 hours with no change.

Edited by coachv, 27 April 2008 - 04:24 PM.

  • 0

#11
sage5
    RIP 10/2009
  • Retired Staff
  • 2,646 posts
See if you can close that window; it has clearly hung up.

Restart the PC & re-run the instructions in post #6, name the file Scan2.txt
Then send me the Scan2.txt file

#12
coachv

    Member

  • Topic Starter
  • Member
  • 13 posts
Scan2.txt is attached.


#13
sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi coachv ,


1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
%systemdrive%\x83_ds.bmp
%systemroot%\acmonitor_x83.ini
%systemroot%\tasks\comprobar actualizaciones de windows live toolbar.job
%systemroot%\x83_ds.ini
c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr0.dat
c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr1.dat
c:\documents and settings\dan\local settings\temp\_unps.exe
Folders to delete:
c:\documents and settings\dan\local settings\temp\cdiresdata
c:\documents and settings\dan\local settings\temp\wzse0.tmp\
c:\documents and settings\dan\local settings\temp\wzse1.tmp\

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Run The Avenger by double-clicking on its icon on your desktop.
  • Click OK at the warning window.
  • Click the top right hand side button to Paste script from clipboard.
  • Click on the Execute button.
  • Answer Yes twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains Drivers to Unload, The Avenger will actually restart your system twice.)
  • After the restart, a log file should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger backs up all the files, etc., that you asked it to delete, and archives them to C:\avenger\backup.zip.
5. Please copy/paste the content of C:\avenger.txt into your reply along with a fresh HJT log


Cheers,

sage5

#14
coachv

    Member

  • Topic Starter
  • Member
  • 13 posts
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\x83_ds.bmp" deleted successfully.
File "C:\WINDOWS\acmonitor_x83.ini" deleted successfully.
File "C:\WINDOWS\tasks\comprobar actualizaciones de windows live toolbar.job" deleted successfully.
File "C:\WINDOWS\x83_ds.ini" deleted successfully.
File "c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr0.dat" deleted successfully.
File "c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr1.dat" deleted successfully.
File "c:\documents and settings\dan\local settings\temp\_unps.exe" deleted successfully.
Folder "c:\documents and settings\dan\local settings\temp\cdiresdata" deleted successfully.
Folder "c:\documents and settings\dan\local settings\temp\wzse0.tmp" deleted successfully.
Folder "c:\documents and settings\dan\local settings\temp\wzse1.tmp" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:55:17 PM, on 4/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [MegaPanel] C:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe
O4 - HKLM\..\Run: [First Principle Group] C:\Program Files\First Principle Group\fpg.exe /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: Yahoo! Backgammon - http://download.game...nts/y/at1_x.cab
O16 - DPF: Yahoo! Literati - http://download2.gam...nts/y/tt4_x.cab
O16 - DPF: Yahoo! Pinochle - http://download.game...nts/y/ut2_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab46479.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinn...0/pool/pool.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/...dy.cab32846.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan....s/ascstubie.cab
O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://livesupport.h...g/ie/SecMgr.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab32846.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinn...d/bejeweled.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://www.worldwinn...x/blockwerx.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinn...jo/wordmojo.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinn...v46/sol/sol.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinn...apit/swapit.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - http://www.worldwinn...ty/tilecity.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.to...0.16/ttinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://jackpotflash...ash/FlashAX.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab41227.cab
O20 - AppInit_DLLs:
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 8938 bytes
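As an added illustration (not code from this thread or from HijackThis), the following script parses HijackThis-style log lines into (section code, body) pairs and flags the kind of entries a helper triages first: the O20 AppInit_DLLs line that sage5 asks to have fixed, plus O4 startup entries with unresolved targets or Temp-folder paths, which are assumptions about typical triage rather than anything stated in the thread. The sample log is constructed, modelled on the lines quoted above.

```python
import re

# Constructed sample, modelled on the HijackThis log quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - Global Startup: hp psc 1000 series.lnk = ?
O20 - AppInit_DLLs:
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# HijackThis entry lines start with a section code (R0, R1, F0, O2, O4, O16, O20, O23, ...).
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+)\s+-\s+(?P<body>.*)$")


def parse_hjt(text):
    """Return a list of (code, body) tuples; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body").rstrip()))
    return entries


def review(entries):
    """Return (code, reason) for entries worth a closer look (assumed triage rules)."""
    findings = []
    for code, body in entries:
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs loads a DLL into every process using user32.dll. An empty value
            # is inert but is usually left behind by a removed injector; clearing it
            # removes the stale registry value, which is what the fix in this thread does.
            value = body[len("AppInit_DLLs:"):].strip()
            findings.append((code, "AppInit_DLLs value present (%s)" % (value or "empty")))
        elif code == "O4" and body.endswith("= ?"):
            # Startup shortcut whose target HijackThis could not resolve: verify manually.
            findings.append((code, "startup entry with unresolved target: " + body))
        elif code == "O4" and re.search(r"\\temp\\", body, re.IGNORECASE):
            # Legitimate software rarely autostarts from a Temp folder.
            findings.append((code, "startup entry launching from a Temp folder: " + body))
    return findings


if __name__ == "__main__":
    for code, reason in review(parse_hjt(SAMPLE_LOG)):
        print(code, "-", reason)
```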

#15
sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi coachv ,

Sorry for the delay, I had some access issues with my provider.

Run HijackThis.
  • Click the Do a system scan only button.
  • Check the boxes for all the entries listed below:
O20 - AppInit_DLLs:
  • Now close all windows other than HijackThis and click Fix Checked.
  • Close HijackThis.


I need you to reinstall the firewall & make sure that it doesn't block your internet access.
You may need to consult Comodo's built-in manual, which is accessible from the Help Menu.

I need you to post me a fresh HijackThis log to confirm correct installation of the Firewall.

Cheers,

sage5