Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

TrojanDownloader.xs [CLOSED]

Started by dalejrfan5874 , Apr 28 2008 12:37 PM

  • This topic is locked This topic is locked

#1
dalejrfan5874
Posted 28 April 2008 - 12:37 PM

dalejrfan5874

    New Member

  • Member
  • Pip
  • 5 posts
My computer is infected with TrojanDownloader.xs among other items. My background has changed to a warning, I keep getting popups, and small yellow triangle is appearing in the right corner. The yellow triangles are showing small yellow popups stating my computer is infected. I'm also getting Windows security popups showing the TrojanDownloader.xs along with others. Below are my logs. I am running Windows XP with SP2. It will not let me access the internet from the computer. I cannot access the task manager or the registry. It tells me they have been locked by the administrator.

Malwarebytes Log:


Malwarebytes' Anti-Malware 1.11
Database version: 599

Scan type: Quick Scan
Objects scanned: 32772
Time elapsed: 7 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 15
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 39

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d} (Adware.123Mania) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a} (Adware.123Mania) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spa_start (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM1f043a15 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\SpybotDeletingA8188 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\SpybotDeletingC5788 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\{8bd51b11-dbab-a266-3f35-29a2ba1df245}.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\avifile32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\avisynthex32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\aviwrap32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\bjam.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\bokja.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\browserad.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\cdsm32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\changeurl_30.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\didduid.ini (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msa64chk.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msapasrc.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mspphe.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\123messenger.per (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mssvr.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ntnut.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\saiemod.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\shdocpe.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\shdocpl.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\stcloader.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\swin32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\voiceip.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\winsb.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\2020search.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\2020search2.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\apphelp32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\asferror32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\asycfilt32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\athprxy32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ati2dvaa32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ati2dvag32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\audiosrv32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\autodisc32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\licencia.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\telefonos.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\textos.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\core.cache.dsk (Malware.Trace) -> Delete on reboot.
C:\Documents and Settings\HP_Owner.YOUR-AE066C3A9B\Start Menu\Programs\Startup\Deewoo.lnk (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner.YOUR-AE066C3A9B\Start Menu\Programs\Startup\DW_Start.lnk (Trojan.Agent) -> Quarantined and deleted successfully.


SUPER AntiSpyware Log

SUPERAntiSpyware Scan Log
Generated 04/28/2008 at 05:17 AM

Application Version : 3.6.1000

Core Rules Database Version : 3190
Trace Rules Database Version: 1200

Scan type : Complete Scan
Total Scan Time : 02:23:20

Memory items scanned : 387
Memory threats detected : 0
Registry items scanned : 6205
Registry threats detected : 24
File items scanned : 168460
File threats detected : 6

Transponder Variant BHO
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}

Unclassified.Unknown Origin
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}

Adware.2020Search
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}

Adware.180solutions/SurfAssistant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}

Adware.Second Thought
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}
C:\WINDOWS\BOKJA.EXE
C:\WINDOWS\STCLOADER.EXE

Trojan.NetMon/DNSChange
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#DeviceDesc

Trojan.cmdService
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#DeviceDesc

Adware.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP286\A0017904.CFG

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP286\A0017908.VBS
C:\WINDOWS\IA\KE.VBS

Adware.Tracking Cookie
D:\Documents and Settings\Owner\Cookies\owner@2o7[2].txt




I could not access the internet to run the Panda Software scan. I ran AVG and it found nothing. Here is my Hijack This log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:00:14 PM, on 4/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\winself.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = file://c:/windows/homepage.html
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {077997D4-1377-4EFA-B0A8-F38E9059625A} - C:\WINDOWS\system32\iiffGAQj.dll (file missing)
O2 - BHO: (no name) - {0E014D4A-1670-4C42-BABF-FBF3BE9054CF} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {1D0B1B2F-4D44-48DC-AE5A-F4BBBAE2A83F} - C:\WINDOWS\system32\nnnkKeDT.dll (file missing)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {42601263-D69B-440E-A278-58712847CE85} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {6156A32A-C512-4e23-AA9A-2315F4265681} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {6C2496B4-268C-43FD-808D-BC79A585602E} - (no file)
O2 - BHO: StFlex IE Helper - {8334A30C-49E5-489a-B63D-5B927C1EF46E} - C:\Program Files\QdrDrive\QdrDrive15.dll (file missing)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9B88158A-FB31-81E4-40E3-A68F765A7DB2} - C:\WINDOWS\system32\ukje.dll (file missing)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {A807E62D-4795-443C-BD70-E5F19C880C06} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: (no name) - {CE6832A1-4299-4EF3-9265-EEBBCC5621C8} - C:\WINDOWS\system32\rqRHwUNH.dll (file missing)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {e14dfa1b-ee8d-b9a1-b599-5f76444a620a} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{8bd51b11-dbab-a266-3f35-29a2ba1df245}.dll" DllInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Dora Fairytale Adventures Registration.lnk = F:\ATR1.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\webhancer\programs\webhdll.dll' missing
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Monopoly\Images\stg_drm.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Monopoly\Images\armhelper.ocx
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: nnnkKeDT - C:\WINDOWS\
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 9847 bytes



Here is my Uninstall List

3D Ultra Pinball Thrillride
Ad-Aware 2007
Adobe Acrobat - Reader 6.0.2 Update
Adobe Flash Player ActiveX
Adobe PageMaker 6.5
Adobe Reader 6.0.1
Agere Systems PCI Soft Modem
AutoCAD LT 2004
Autodesk Express Viewer
AVG Free 8.0
Blackhawk Striker from Hewlett-Packard Desktops (remove only)
Blasterball 2 from Hewlett-Packard Desktops (remove only)
Blasterball 2 Remix from Hewlett-Packard Desktops (remove only)
Bob the Builder - Bob Builds a Park
Bounce Symphony from Hewlett-Packard Desktops (remove only)
CC_ccProxyMSI
CC_ccStart
ClickArt Fonts
Creative Memories StoryBook Creator Plus
Crystal Maze from Hewlett-Packard Desktops (remove only)
Customizer 19010
Disney's Extremely Goofy Skateboarding Preview
Dora Fairytale Adventure
Dora's World Adventure
Easy Internet Sign-up
Help and Support Additions
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows XP (KB935448)
HP Deskjet Preloaded Printer Drivers
HP Extended Capabilities 5.3
HP Image Zone 4.2
HP Image Zone Express
HP Image Zone Plus 4.2
HP Imaging Device Functions 5.3
HP Organize
HP Photo & Imaging 3.5 - HP Devices
HP Photosmart 330,380,420,470,7800,8000,8200 Series
HP PSC & OfficeJet 4.0
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
HPIZ402
Indeo® software
Intel® Graphics Media Accelerator Driver
IntelliMover Data Transfer Demo
InterVideo WinDVD Creator 2
InterVideo WinDVD Player
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
Kid Pix Deluxe 3
Kid's College CFA
Learning in Toyland
LEGO Creator
Lernout & Hauspie TruVoice American English TTS Engine
LiveReg (Symantec Corporation)
Malwarebytes' Anti-Malware
Media Graphics Browser+
Metafile Companion 1.10
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Office Standard Edition 2003
Microsoft Plus! Dancer LE
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Visual C++ 2005 Redistributable
Microsoft Word 2000
Microsoft Works 2000
Microsoft Works 2000 Setup Launcher
Microsoft Works 7.0
Monopoly
Mozilla Firefox (2.0)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
muvee autoProducer 3.5 magicMoments - HPD
Norton AntiVirus 2004
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Personal Firewall
Norton WMI Update
Orbital from Hewlett-Packard Desktops (remove only)
Overball from Hewlett-Packard Desktops (remove only)
Photosmart 320,370,7400,8100,8400 Series
Polar Bowler from Hewlett-Packard Desktops (remove only)
Python 2.2 combined Win32 extensions
Python 2.2.1
QuickTime
RealArcade
RealPlayer
Road Ready Streetwise from Hewlett-Packard Desktops (remove only)
Scholastic's I SPY Mystery
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Shrek 2 Ogre Bowler from Hewlett-Packard Desktops (remove only)
Slyder from Hewlett-Packard Desktops (remove only)
Sonic RecordNow!
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
Tradewinds from Hewlett-Packard Desktops (remove only)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Updates from HP
Virtools 3D Life Player
Who Wants To Be A Millionaire 3rd Edition
Windows Installer 3.1 (KB893803)
Windows Live OneCare safety scanner
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Word in Works Suite add-in



This is my ComboFix Log.
ComboFix 08-04-27.3 - HP_Owner 2008-04-28 14:17:39.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.129 [GMT -4:00]
Running from: C:\Documents and Settings\HP_Owner.YOUR-AE066C3A9B\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\Common Files\sstem3~1
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\123messenger.per
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\asferror32.dll
C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\athprxy32.dll
C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\ati2dvag32.dll
C:\WINDOWS\audiosrv32.dll
C:\WINDOWS\autodisc32.dll
C:\WINDOWS\avifile32.dll
C:\WINDOWS\avisynthex32.dll
C:\WINDOWS\aviwrap32.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\browserad.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\default.htm
C:\WINDOWS\didduid.ini
C:\WINDOWS\IA
C:\WINDOWS\lfn.exe
C:\WINDOWS\licencia.txt
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\msa64chk.dll
C:\WINDOWS\msapasrc.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\muotr.so
C:\WINDOWS\ntnut.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\saiemod.dll
C:\WINDOWS\shdocpe.dll
C:\WINDOWS\shdocpl.dll
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\aqjkksej.ini
C:\WINDOWS\system32\drivers\audstubb.sys
C:\WINDOWS\system32\HNUwHRqr.ini
C:\WINDOWS\system32\HNUwHRqr.ini2
C:\WINDOWS\system32\jQAGffii.ini
C:\WINDOWS\system32\jQAGffii.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\n3
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\telefonos.txt
C:\WINDOWS\textos.txt
C:\WINDOWS\voiceip.dll
C:\WINDOWS\winsb.dll
C:\WINDOWS\winself.exe
C:\WINDOWS\wintst32.tmp
C:\WINDOWS\ymbols~1
C:\WINDOWS\ymbols~1\?ymbols\
E:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://80.93.48.74
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AUDSTUBB
-------\Legacy_MSSECURITY1.209.4
-------\Service_audstubb
-------\Service_MsSecurity1.209.4


((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-28 )))))))))))))))))))))))))))))))
.

2008-04-28 02:05 . 2008-04-28 02:05 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-04-28 00:42 . 2008-04-28 00:42 1,446 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-28 00:34 . 2004-08-07 17:22 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-28 00:34 . 2004-08-08 10:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-04-28 00:34 . 2004-08-07 17:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-04-28 00:34 . 2004-08-07 17:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-04-28 00:34 . 2008-04-28 00:34 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-28 00:34 . 2008-04-28 14:17 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-28 00:08 . 2008-04-28 00:08 <DIR> d-------- C:\VundoFix Backups
2008-04-27 23:38 . 2008-04-27 23:38 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-27 23:37 . 2008-04-27 23:37 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-27 23:37 . 2008-04-27 23:37 <DIR> d-------- C:\Documents and Settings\HP_Owner.YOUR-AE066C3A9B\Application Data\Malwarebytes
2008-04-27 23:37 . 2008-04-27 23:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-27 20:08 . 2008-04-27 20:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-27 20:07 . 2008-04-28 06:30 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-27 20:07 . 2008-04-27 20:07 <DIR> d-------- C:\Documents and Settings\HP_Owner.YOUR-AE066C3A9B\Application Data\SUPERAntiSpyware.com
2008-04-27 20:03 . 2008-04-28 13:54 <DIR> d--h----- C:\$AVG8.VAULT$
2008-04-27 20:02 . 2008-04-28 14:25 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-04-27 20:02 . 2008-04-27 20:02 <DIR> d-------- C:\Program Files\AVG
2008-04-27 20:02 . 2008-04-27 20:04 <DIR> d-------- C:\Documents and Settings\HP_Owner.YOUR-AE066C3A9B\Application Data\AVGTOOLBAR
2008-04-27 20:02 . 2008-04-27 20:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-04-27 20:02 . 2008-04-27 20:02 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-04-27 20:02 . 2008-04-27 20:02 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-04-27 20:02 . 2008-04-27 20:02 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-04-27 19:08 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-04-27 19:08 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-04-27 19:08 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-04-27 19:08 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-04-27 19:08 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-04-27 19:08 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-04-27 16:14 . 2008-04-27 16:14 <DIR> d-------- C:\Program Files\InterMute
2008-04-27 14:19 . 2008-04-27 14:20 572 --ah----- C:\aaw7boot.cmd
2008-04-27 12:55 . 2008-04-27 12:55 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-27 12:55 . 2008-04-27 12:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-27 12:53 . 2008-04-27 20:06 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-27 11:58 . 2008-04-27 11:58 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-04-27 11:58 . 2008-04-27 11:58 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUK.ico
2008-04-27 11:58 . 2008-04-27 11:58 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconFR.ico
2008-04-27 11:48 . 2008-04-27 11:48 298,303 --a------ C:\WINDOWS\system32\gside.exe
2008-04-27 11:48 . 2008-04-27 11:48 88,961 --a------ C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
2008-04-27 11:22 . 2008-04-27 11:22 57,546 --a------ C:\WINDOWS\promogif3.gif
2008-04-27 11:22 . 2008-04-27 11:22 24,351 --a------ C:\WINDOWS\promogif1.gif
2008-04-27 11:22 . 2008-04-27 11:22 24,066 --a------ C:\WINDOWS\promogif2.gif
2008-04-27 11:21 . 2008-04-27 11:21 32,768 --a------ C:\WINDOWS\system32\sockins32.dll
2008-04-27 11:21 . 2008-04-27 11:21 578 --a------ C:\WINDOWS\index.html
2008-04-27 06:26 . 2008-04-27 14:15 109,770 --a------ C:\WINDOWS\BM1f043a15.xml
2008-04-26 23:45 . 2008-04-26 23:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-26 22:53 . 2008-04-27 12:18 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-26 22:53 . 2008-04-27 15:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-26 18:14 . 2008-04-26 18:14 859 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-04-26 18:13 . 2008-04-28 00:16 <DIR> d-------- C:\WINDOWS\system32\wTMP
2008-04-26 18:13 . 2008-04-26 18:13 <DIR> d-------- C:\WINDOWS\system32\pnVes06
2008-04-26 18:13 . 2008-04-26 18:13 <DIR> d-------- C:\temp\zvebs14
2008-04-26 18:13 . 2008-04-26 18:13 <DIR> d-------- C:\temp\kvebs14
2008-04-26 18:13 . 2008-04-26 18:13 400,070 --a------ C:\WINDOWS\system32\g90.exe
2008-04-26 18:13 . 2004-08-04 08:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-04-26 18:11 . 2008-04-27 13:33 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-26 18:11 . 2008-04-26 18:11 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-18 18:13 . 2008-04-18 18:13 <DIR> d-------- C:\Documents and Settings\HP_Owner.YOUR-AE066C3A9B\Application Data\Eyeblaster
2008-04-18 18:12 . 2008-04-18 18:12 <DIR> d-------- C:\My Games
2008-04-18 18:12 . 2008-04-18 18:12 <DIR> d-------- C:\My Download Files
2008-04-18 18:11 . 2008-04-18 18:11 774,144 --a------ C:\Program Files\RngInterstitial.dll
2008-04-18 18:07 . 2008-04-18 18:07 <DIR> d-------- C:\Documents and Settings\HP_Owner.YOUR-AE066C3A9B\Application Data\Talkback
2008-04-18 18:03 . 2008-04-18 18:03 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-04-17 20:19 . 2008-04-17 20:20 <DIR> d-------- C:\Program Files\Monopoly
2008-04-17 20:19 . 2008-04-17 20:19 <DIR> d-------- C:\Documents and Settings\HP_Owner.YOUR-AE066C3A9B\Application Data\SpinTop
2008-04-17 20:19 . 2008-04-27 22:46 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-27 19:52 --------- d-----w C:\Program Files\Google
2008-04-27 19:45 --------- d-----w C:\Program Files\Symantec
2008-04-27 19:45 --------- d-----w C:\Program Files\Norton Personal Firewall
2008-04-27 19:45 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-27 19:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-27 19:42 --------- d-----w C:\Program Files\Norton AntiVirus
2008-04-27 19:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-18 22:11 --------- d-----w C:\Program Files\Real
2008-04-18 22:11 --------- d-----w C:\Program Files\Common Files\Real
2008-04-13 01:46 --------- d-----w C:\Documents and Settings\HP_Owner.YOUR-AE066C3A9B\Application Data\AdobeUM
2008-03-22 00:49 --------- d-----w C:\Program Files\Disney Interactive
2008-03-16 23:05 --------- d-----w C:\Program Files\Scholastic
2008-03-16 23:05 --------- d-----w C:\Documents and Settings\HP_Owner.YOUR-AE066C3A9B\Application Data\Scholastic
2008-03-14 03:10 3,885 ----a-w C:\WINDOWS\viassary-hp.reg
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 61,440 2003-02-12 03:02:48 C:\hp\KBD\bak\KBD.EXE

----a-w 180,269 2004-08-07 21:03:31 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 185,896 2008-04-18 22:02:33 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

----a-w 70,776 2003-12-09 06:18:34 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe

----a-w 124,056 2004-01-21 00:25:14 C:\Program Files\Common Files\Symantec Shared\bak\CfgWiz.exe

----a-w 218,240 2004-08-06 07:23:14 C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe

----a-w 49,152 2005-06-01 16:35:55 C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak\hphupd08.exe

----a-w 49,152 2004-06-08 01:53:26 C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\bak\hphupd06.exe

----a-w 286,720 2004-04-22 01:28:18 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 286,720 2004-04-21 15:28:18 C:\Program Files\iTunes\iTunesHelper.exe

----a-w 32,881 2004-08-07 19:36:59 C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe

----a-w 98,304 2004-08-07 21:20:54 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 233,472 2004-04-15 03:43:46 C:\WINDOWS\SMINST\bak\RECGUARD.EXE

----a-w 52,736 1998-05-07 23:04:38 C:\WINDOWS\system\bak\hpsysdrv.exe

----a-w 15,360 2004-08-04 19:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 19:00:00 C:\WINDOWS\system32\ctfmon.exe

----a-w 118,784 2004-08-04 01:43:24 C:\WINDOWS\system32\bak\hkcmd.exe
----a-w 118,784 2004-08-20 19:51:14 C:\WINDOWS\system32\hkcmd.exe

----a-w 659,456 2004-06-08 01:42:30 C:\WINDOWS\system32\bak\hphmon06.exe

----a-w 81,920 2002-10-16 23:57:10 C:\WINDOWS\system32\bak\ps2.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{077997D4-1377-4EFA-B0A8-F38E9059625A}]
C:\WINDOWS\system32\iiffGAQj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E014D4A-1670-4C42-BABF-FBF3BE9054CF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D0B1B2F-4D44-48DC-AE5A-F4BBBAE2A83F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{42601263-D69B-440E-A278-58712847CE85}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6156A32A-C512-4e23-AA9A-2315F4265681}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C2496B4-268C-43FD-808D-BC79A585602E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8334A30C-49E5-489a-B63D-5B927C1EF46E}]
C:\Program Files\QdrDrive\QdrDrive15.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B88158A-FB31-81E4-40E3-A68F765A7DB2}]
C:\WINDOWS\system32\ukje.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
2008-04-27 20:02 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A807E62D-4795-443C-BD70-E5F19C880C06}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE6832A1-4299-4EF3-9265-EEBBCC5621C8}]
C:\WINDOWS\system32\rqRHwUNH.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e14dfa1b-ee8d-b9a1-b599-5f76444a620a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [2008-04-27 20:02 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-04-27 20:02 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 20:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-04-27 20:02 1177368]
"spa_start"="C:\WINDOWS\system32\{8bd51b11-dbab-a266-3f35-29a2ba1df245}.dll" [ ]

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
HP Organize.lnk - C:\Program Files\Hewlett-Packard\HP Organize\bin\displayAgent.exe [2004-08-07 17:29:30 36864]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 00:23:26 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-09-04 18:23:00 65588]
Updates from HP.lnk - C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe [2004-08-07 17:33:32 16423]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnkKeDT]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"navapsvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-04-27 20:02]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-04-27 20:02]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-04-27 20:02]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-04-27 20:02]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]
rundll32 sockins32.dll,InitModule
.
Contents of the 'Scheduled Tasks' folder
"2008-04-26 00:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - HP_Owner.job"
- c:\PROGRA~1\NORTON~1\Navw32.exeh/task:
"2008-04-28 18:31:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-28 14:24:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\drivers\vmdesched.sys 6656 bytes executable
C:\Program Files\Common Files\Real\Plugins\clbascauth.dll 25088 bytes executable
C:\WINDOWS\system32\clb.dll 10752 bytes executable
C:\WINDOWS\system32\clbcatex.dll 110080 bytes executable
C:\WINDOWS\system32\clbcatq.dll 498688 bytes executable
C:\WINDOWS\system32\clbcfg.dat 1695 bytes
C:\WINDOWS\system32\cdosys.dll 29184 bytes executable
C:\WINDOWS\system32\clbdll.old 28160 bytes executable

scan completed successfully
hidden files: 8

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\vmdesched.sys"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2008-04-28 14:32:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-28 18:32:11

Pre-Run: 92,600,483,840 bytes free
Post-Run: 92,643,348,480 bytes free

315 --- E O F --- 2008-04-13 15:00:06
  • 0

Advertisements

#2
Essexboy
Posted 28 April 2008 - 02:02 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Well we have a very eclectic collection of malware there.. Lets try to clean you up

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.


This will be a long fix so I would recommend that you copy this post to a text file for reference

TO BEGIN

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.

THEN

A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.
  • Please download LSPFix from here.
  • Run the LSPFix.exe that you have just finished downloading.
  • Check the I know what I'm doing box.
  • In the Keep box you should see one or more instances of webhdll.dll .
  • Select every instance of webhdll.dll and move each one to the Remove box by clicking the >> button.
  • When you are done click Finish>>.

FOLLOWED BY

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below (if present).

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {077997D4-1377-4EFA-B0A8-F38E9059625A} - C:\WINDOWS\system32\iiffGAQj.dll (file missing)
O2 - BHO: (no name) - {0E014D4A-1670-4C42-BABF-FBF3BE9054CF} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {1D0B1B2F-4D44-48DC-AE5A-F4BBBAE2A83F} - C:\WINDOWS\system32\nnnkKeDT.dll (file missing)
O2 - BHO: (no name) - {42601263-D69B-440E-A278-58712847CE85} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {6156A32A-C512-4e23-AA9A-2315F4265681} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {6C2496B4-268C-43FD-808D-BC79A585602E} - (no file)
O2 - BHO: StFlex IE Helper - {8334A30C-49E5-489a-B63D-5B927C1EF46E} - C:\Program Files\QdrDrive\QdrDrive15.dll (file missing)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9B88158A-FB31-81E4-40E3-A68F765A7DB2} - C:\WINDOWS\system32\ukje.dll (file missing)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {A807E62D-4795-443C-BD70-E5F19C880C06} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: (no name) - {CE6832A1-4299-4EF3-9265-EEBBCC5621C8} - C:\WINDOWS\system32\rqRHwUNH.dll (file missing)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {e14dfa1b-ee8d-b9a1-b599-5f76444a620a} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{8bd51b11-dbab-a266-3f35-29a2ba1df245}.dll" DllInit
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: nnnkKeDT - C:\WINDOWS\
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - (no file)
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

NEXT

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\winself.exe
C:\WINDOWS\system32\iiffGAQj.dll 
C:\WINDOWS\system32\nnnkKeDT.dll 
C:\Program Files\QdrDrive
C:\WINDOWS\system32\ukje.dll
C:\WINDOWS\system32\rqRHwUNH.dll
C:\WINDOWS\system32\{8bd51b11-dbab-a266-3f35-29a2ba1df245}.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\promogif3.gif
C:\WINDOWS\promogif1.gif
C:\WINDOWS\promogif2.gif
C:\WINDOWS\system32\sockins32.dll
C:\WINDOWS\BM1f043a15.xml
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\wTMP
C:\WINDOWS\system32\pnVes06
C:\temp\zvebs14
C:\temp\kvebs14
C:\WINDOWS\system32\g90.exe
c:\program files\webhancer
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}
Purity
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

NEARLY THERE

@echo off
sc stop MsSecurity1.209.4
sc delete MsSecurity1.209.4
exit

Next you will need to create the batch fix to do that copy and paste ALL of the above in the quote box to a notepad file.
Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.bat

This will create a batch file Posted Image

Then run fix.bat by double clicking you may see a black box appear this is normal

FINALLY FOR NOW

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

AWF::
C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\bak\CfgWiz.exe
C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak\hphupd08.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe
C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\bak\hphupd06.exe
C:\Program Files\iTunes\bak\iTunesHelper.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\WINDOWS\SMINST\bak\RECGUARD.EXE
C:\WINDOWS\system\bak\hpsysdrv.exe
C:\WINDOWS\system32\bak\ctfmon.exe
C:\WINDOWS\system32\bak\hkcmd.exe
C:\WINDOWS\system32\bak\hphmon06.exe
C:\WINDOWS\system32\bak\ps2.exe

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Logs required : OTMoveit, Combofix and a new Hijackthis log
  • 0

#3
dalejrfan5874
Posted 28 April 2008 - 03:21 PM

dalejrfan5874

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
I have ran all the programs you suggested and my logs are below. When I ran the LSPfix, the file webhdll.dll was not there.

OTMoveit Log

File/Folder C:\WINDOWS\system32\wmsdkns.exe not found.
File/Folder C:\WINDOWS\winself.exe not found.
File/Folder C:\WINDOWS\system32\iiffGAQj.dll not found.
File/Folder C:\WINDOWS\system32\nnnkKeDT.dll not found.
File/Folder C:\Program Files\QdrDrive not found.
File/Folder C:\WINDOWS\system32\ukje.dll not found.
File/Folder C:\WINDOWS\system32\rqRHwUNH.dll not found.
File/Folder C:\WINDOWS\system32\{8bd51b11-dbab-a266-3f35-29a2ba1df245}.dll not found.
C:\WINDOWS\system32\drivers\core.cache.dsk moved successfully.
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe moved successfully.
C:\WINDOWS\promogif3.gif moved successfully.
C:\WINDOWS\promogif1.gif moved successfully.
C:\WINDOWS\promogif2.gif moved successfully.
File/Folder C:\WINDOWS\system32\sockins32.dll not found.
C:\WINDOWS\BM1f043a15.xml moved successfully.
C:\WINDOWS\system32\winpfz33.sys moved successfully.
C:\WINDOWS\system32\wTMP moved successfully.
C:\WINDOWS\system32\pnVes06 moved successfully.
C:\temp\zvebs14 moved successfully.
C:\temp\kvebs14 moved successfully.
C:\WINDOWS\system32\g90.exe moved successfully.
File/Folder c:\program files\webhancer not found.
< HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679} >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}\\ deleted successfully.
< Purity >

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04282008_170415


Combofix Log

ComboFix 08-04-27.3 - HP_Owner 2008-04-28 17:10:12.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.200 [GMT -4:00]
Running from: C:\Documents and Settings\HP_Owner.YOUR-AE066C3A9B\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Owner.YOUR-AE066C3A9B\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-28 )))))))))))))))))))))))))))))))
.

2008-04-28 17:04 . 2008-04-28 17:04 <DIR> d-------- C:\_OTMoveIt
2008-04-28 16:39 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-28 16:38 . 2008-04-28 16:38 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-28 00:42 . 2008-04-28 00:42 1,446 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-28 00:34 . 2004-08-07 17:22 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-28 00:34 . 2004-08-08 10:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-04-28 00:34 . 2004-08-07 17:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-04-28 00:34 . 2004-08-07 17:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-04-28 00:34 . 2008-04-28 00:34 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-28 00:34 . 2008-04-28 16:20 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-28 00:08 . 2008-04-28 00:08 <DIR> d-------- C:\VundoFix Backups
2008-04-27 23:38 . 2008-04-27 23:38 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-27 23:37 . 2008-04-27 23:37 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-27 23:37 . 2008-04-27 23:37 <DIR> d-------- C:\Documents and Settings\HP_Owner.YOUR-AE066C3A9B\Application Data\Malwarebytes
2008-04-27 23:37 . 2008-04-27 23:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-27 20:08 . 2008-04-27 20:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-27 20:07 . 2008-04-28 16:19 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-27 20:07 . 2008-04-27 20:07 <DIR> d-------- C:\Documents and Settings\HP_Owner.YOUR-AE066C3A9B\Application Data\SUPERAntiSpyware.com
2008-04-27 20:03 . 2008-04-28 16:06 <DIR> d--h----- C:\$AVG8.VAULT$
2008-04-27 20:02 . 2008-04-28 14:27 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-04-27 20:02 . 2008-04-27 20:02 <DIR> d-------- C:\Program Files\AVG
2008-04-27 20:02 . 2008-04-27 20:04 <DIR> d-------- C:\Documents and Settings\HP_Owner.YOUR-AE066C3A9B\Application Data\AVGTOOLBAR
2008-04-27 20:02 . 2008-04-27 20:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-04-27 20:02 . 2008-04-27 20:02 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-04-27 20:02 . 2008-04-27 20:02 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-04-27 20:02 . 2008-04-27 20:02 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-04-27 19:08 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-04-27 19:08 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-04-27 19:08 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-04-27 19:08 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-04-27 19:08 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-04-27 19:08 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-04-27 16:14 . 2008-04-27 16:14 <DIR> d-------- C:\Program Files\InterMute
2008-04-27 14:19 . 2008-04-27 14:20 572 --ah----- C:\aaw7boot.cmd
2008-04-27 12:55 . 2008-04-27 12:55 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-27 12:55 . 2008-04-27 12:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-27 12:53 . 2008-04-27 20:06 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-27 11:58 . 2008-04-27 11:58 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-04-27 11:58 . 2008-04-27 11:58 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUK.ico
2008-04-27 11:58 . 2008-04-27 11:58 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconFR.ico
2008-04-27 11:48 . 2008-04-27 11:48 298,303 --a------ C:\WINDOWS\system32\gside.exe
2008-04-27 11:21 . 2008-04-27 11:21 578 --a------ C:\WINDOWS\index.html
2008-04-26 23:45 . 2008-04-26 23:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-26 22:53 . 2008-04-27 12:18 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-26 22:53 . 2008-04-27 15:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-26 18:13 . 2004-08-04 08:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-04-26 18:11 . 2008-04-27 13:33 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-26 18:11 . 2008-04-26 18:11 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-18 18:13 . 2008-04-18 18:13 <DIR> d-------- C:\Documents and Settings\HP_Owner.YOUR-AE066C3A9B\Application Data\Eyeblaster
2008-04-18 18:12 . 2008-04-18 18:12 <DIR> d-------- C:\My Games
2008-04-18 18:12 . 2008-04-18 18:12 <DIR> d-------- C:\My Download Files
2008-04-18 18:11 . 2008-04-18 18:11 774,144 --a------ C:\Program Files\RngInterstitial.dll
2008-04-18 18:07 . 2008-04-18 18:07 <DIR> d-------- C:\Documents and Settings\HP_Owner.YOUR-AE066C3A9B\Application Data\Talkback
2008-04-18 18:03 . 2008-04-18 18:03 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-04-17 20:19 . 2008-04-17 20:20 <DIR> d-------- C:\Program Files\Monopoly
2008-04-17 20:19 . 2008-04-17 20:19 <DIR> d-------- C:\Documents and Settings\HP_Owner.YOUR-AE066C3A9B\Application Data\SpinTop
2008-04-17 20:19 . 2008-04-27 22:46 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-28 21:13 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-28 21:10 --------- d-----w C:\Program Files\QuickTime
2008-04-28 21:10 --------- d-----w C:\Program Files\iTunes
2008-04-28 20:39 --------- d-----w C:\Program Files\Java
2008-04-27 19:52 --------- d-----w C:\Program Files\Google
2008-04-27 19:45 --------- d-----w C:\Program Files\Symantec
2008-04-27 19:45 --------- d-----w C:\Program Files\Norton Personal Firewall
2008-04-27 19:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-27 19:42 --------- d-----w C:\Program Files\Norton AntiVirus
2008-04-27 19:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-18 22:11 --------- d-----w C:\Program Files\Real
2008-04-18 22:11 --------- d-----w C:\Program Files\Common Files\Real
2008-04-13 01:46 --------- d-----w C:\Documents and Settings\HP_Owner.YOUR-AE066C3A9B\Application Data\AdobeUM
2008-03-22 00:49 --------- d-----w C:\Program Files\Disney Interactive
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-16 23:05 --------- d-----w C:\Program Files\Scholastic
2008-03-16 23:05 --------- d-----w C:\Documents and Settings\HP_Owner.YOUR-AE066C3A9B\Application Data\Scholastic
2008-03-14 03:10 3,885 ----a-w C:\WINDOWS\viassary-hp.reg
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((( snapshot@2008-04-28_14.31.34.42 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-28 18:23:44 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-28 20:36:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2004-04-15 03:43:46 233,472 ----a-w C:\WINDOWS\SMINST\RECGUARD.EXE
+ 1998-05-07 23:04:38 52,736 ----a-w C:\WINDOWS\system\hpsysdrv.exe
- 2008-04-28 18:23:45 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-28 20:36:12 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-28 18:23:45 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-28 20:36:12 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-04-28 18:23:45 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-28 20:36:12 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2004-08-20 19:51:14 118,784 ----a-w C:\WINDOWS\system32\hkcmd.exe
+ 2004-08-04 01:43:24 118,784 ----a-w C:\WINDOWS\system32\hkcmd.exe
+ 2004-06-08 01:42:30 659,456 ----a-w C:\WINDOWS\system32\hphmon06.exe
- 2004-08-07 19:36:59 24,681 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-03-25 05:28:39 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2004-08-07 19:36:59 28,779 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-03-25 05:28:43 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-03-25 06:37:01 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2002-10-16 23:57:10 81,920 ----a-w C:\WINDOWS\system32\ps2.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
2008-04-27 20:02 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [2008-04-27 20:02 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-04-27 20:02 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-04-28 16:19 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 20:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-04-27 20:02 1177368]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
HP Organize.lnk - C:\Program Files\Hewlett-Packard\HP Organize\bin\displayAgent.exe [2004-08-07 17:29:30 36864]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 00:23:26 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-09-04 18:23:00 65588]
Updates from HP.lnk - C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe [2004-08-07 17:33:32 16423]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-04-28 16:19 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner.YOUR-AE066C3A9B^Start Menu^Programs^Startup^Dora Fairytale Adventures Registration.lnk]
path=C:\Documents and Settings\HP_Owner.YOUR-AE066C3A9B\Start Menu\Programs\Startup\Dora Fairytale Adventures Registration.lnk
backup=C:\WINDOWS\pss\Dora Fairytale Adventures Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"navapsvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-04-27 20:02]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-04-27 20:02]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-04-27 20:02]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-04-27 20:02]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-26 00:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - HP_Owner.job"
- c:\PROGRA~1\NORTON~1\Navw32.exeh/task:
"2008-04-28 21:11:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-28 17:14:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\drivers\clbdriver.sys 6656 bytes executable
C:\Program Files\Common Files\Real\Plugins\clbascauth.dll 25088 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
.
Completion time: 2008-04-28 17:15:56
ComboFix-quarantined-files.txt 2008-04-28 21:15:53
ComboFix2.txt 2008-04-28 18:32:18

Pre-Run: 92,455,821,312 bytes free
Post-Run: 92,443,525,120 bytes free

191 --- E O F --- 2008-04-13 15:00:06


HiJackthis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:16:58 PM, on 4/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Monopoly\Images\stg_drm.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Monopoly\Images\armhelper.ocx
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 6085 bytes
  • 0

#4
Essexboy
Posted 28 April 2008 - 03:54 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK that looks a lot better now :)

Two things more to do

First I can see evidence of two antivirus programmes Norton and AVG

Anti-Virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.

If you choose to install more than one Anti-Virus program on your computer, then only one of them should be active in memory at a time.

There are basically two types of these programs:
On-Access and On-Demand

On-Access Scanners
As the name implies, are scanners that run in the background all the time the PC is turned on and running. The main function of an On-Access scanner is to monitor activity on your machine.

On-Demand Scanners
As the name implies, are scanners that only run when you ask them to.
Such as:
Online Scans and scanners that run on your machine but are not actively scanning your machine

You will need to uninstall one

Second

  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\gside.exe
Purity
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

THEN

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Logs required : MBAM and how is your system running now ?
  • 0

#5
dalejrfan5874
Posted 28 April 2008 - 04:59 PM

dalejrfan5874

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
The computer seems to be running ok now. The only problem I am having is when I try to access the internet, I get an error from Internet Explorer saying it must close. Here is my log.

MBAM

Malwarebytes' Anti-Malware 1.11
Database version: 694

Scan type: Quick Scan
Objects scanned: 37155
Time elapsed: 9 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{1e404d48-670a-4085-a6a0-d195793ddd33} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9f593aac-ca4c-4a41-a7ff-a00812192d61} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{749ec66f-a838-4b38-b8e5-e65d905fff74} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1e404d48-670a-4085-a6a0-d195793ddd33} (Adware.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#6
Essexboy
Posted 29 April 2008 - 11:34 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
That looks a lot better now. So lets see if we can cure the IE problem

Download and Install IE7 from here http://www.microsoft...ie/default.mspx

Then could you let me know if that works along with a fresh Hijackthis log :)
  • 0

#7
Essexboy
Posted 02 May 2008 - 09:11 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP