WinIFixer has crippled my computer [CLOSED]

#1 Draga X
Member, 29 posts
Ello G2G people. I have discovered a program called WinIFixer on my computer (it has a different appearance to WinFixer, and my Vundo programs that I got from here last time don't detect it) and I've uninstalled it, but the program files remain and it's still operating.

I keep getting a popup saying that my computer has malicious software (not a system message, just a popup) and it's asking me if I want to continue unprotected or get a program to "fix it" (it appeared about every 10 minutes or so).

Oh yeah, it turned off my firewall (but I fixed that), and it's disabled my task manager, saying I can't access it due to administrative properties, WHILE I'M ON THE ADMIN ACCOUNT. Now whenever I put CTRL ALT DEL, it opens up a menu that asks me if I want to Shut Down, Log Off, Lock the Computer, or Change the Password, and the Task Manager option is disabled.

Yes, I have used and seen your topics on WinFixer; VundoFix doesn't help and AVG doesn't seem to be picking up anything either.

HiJackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:42:40 PM, on 5/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmona.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\ms1210096481.exe
C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinIFixer\WinIFixer.exe
C:\Program Files\Grisoft\AVG Free\avgwb.dat
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Anti Malware Files\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {13FC2B8F-F41A-45AA-90D3-16BB34582E05} - C:\WINDOWS\system32\mljgh.dll (file missing)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [hcsystray] C:\Program Files\Kuma Games\hcsystray\hc_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [WinIFixer] C:\Program Files\WinIFixer\WinIFixer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ParetoLogic Anti-Spyware] "C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" -NM -hidesplash
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [InetChk] C:\DOCUME~1\Owner\LOCALS~1\Temp\ms1210096481.exe work
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyds...DSL/tgctlcm.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109349097765
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1167431190484
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://tv.disney.go....y/OTOYAX29b.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames...ctivex/YoYo.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/.../default/ct.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...ploader_v10.cab
O20 - Winlogon Notify: awtsrqo - awtsrqo.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 8305 bytes

Edited by Draga X, 06 May 2008 - 03:48 PM.

#2 andrewuk
Trusted Helper (Malware Removal), 5,297 posts
Hi Draga X

Welcome back to Geeks to Go :)

I can see several infections in your logs, so in this post we will remove the ones I can see and then do a couple of scans to see what else is lurking on your machine.

The scans will likely take 2 hours, quite possibly much longer, so just let them run.



====STEP 1====
Could you delete the current version of VundoFix.exe you have on your machine (if you do have it).

Then, please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click Yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer; click OK.
  • Please post the contents of C:\vundofix.txt in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.



====STEP 2====
Please download OTMoveIt2 by OldTimer and save it to your desktop.



Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {13FC2B8F-F41A-45AA-90D3-16BB34582E05} - C:\WINDOWS\system32\mljgh.dll (file missing)
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe <==make sure you get this one, note the spelling
O4 - HKLM\..\Run: [WinIFixer] C:\Program Files\WinIFixer\WinIFixer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...ploader_v10.cab
O20 - Winlogon Notify: awtsrqo - awtsrqo.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.



Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\WINDOWS\system32\mljgh.dll
    C:\WINDOWS\system32\ctfmona.exe
    C:\Program Files\WinIFixer
    C:\WINDOWS\awtsrqo.dll
    HKEY_CLASSES_ROOT\PopCapLoader.PopCapLoaderCtrl2 
    HKEY_CLASSES_ROOT\PopCapLoader.PopCapLoaderCtrl2.1 
    HKEY_CLASSES_ROOT\CLSID\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A} 
    HKEY_CLASSES_ROOT\Interface\{E4E3E0F8-CD30-4380-8CE9-B96904BDEFCA} 
    HKEY_CLASSES_ROOT\TypeLib\{C9C5DEAF-0A1F-4660-8279-9EDFAD6FEFE1} 
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PopCapLoader.PopCapLoaderCtrl2 
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PopCapLoader.PopCapLoaderCtrl2.1 
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A} 
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E4E3E0F8-CD30-4380-8CE9-B96904BDEFCA} 
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FE8A736F-4124-4D9C-B4B1-3B12381EFABE} 
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C9C5DEAF-0A1F-4660-8279-9EDFAD6FEFE1} 
    purity 
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

====STEP 3====
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use the Firefox browser: click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser: click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.



====STEP 4====
Please download Malwarebytes' Anti-Malware from Here or Here.

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



====STEP 5====
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

In your next reply could I see:
1. the VundoFix log
2. the OTMoveIt log
3. the Malwarebytes log
4. the 2 DSS logs (though there may only be one)

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
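As an added example (not code from this thread or from any of the tools it uses), the Python script below applies the four patterns andrewuk's fix list above relies on to a HijackThis log: a load point whose file is missing, an autostart launched from a Temp folder, a filename one typo away from a real system binary (ctfmona.exe next to ctfmon.exe), and a product already identified as rogue. The sample lines are copied from the log in post #1 with benign control lines added; the watchlists and the rule wording are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the HijackThis log in post #1,
# plus benign control lines (Google BHO, ctfmon.exe, PnkBstrA) that must NOT fire.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {13FC2B8F-F41A-45AA-90D3-16BB34582E05} - C:\WINDOWS\system32\mljgh.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [WinIFixer] C:\Program Files\WinIFixer\WinIFixer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [InetChk] C:\DOCUME~1\Owner\LOCALS~1\Temp\ms1210096481.exe work
O20 - Winlogon Notify: awtsrqo - awtsrqo.dll (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# Assumed watchlists for this example (not from any tool): rogue product names
# seen in the MBAM log in this thread, and Windows binaries malware likes to imitate.
ROGUE_NAMES = {"winifixer"}
SYSTEM_BINARIES = {"ctfmon.exe", "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                   "winlogon.exe", "services.exe", "explorer.exe", "spoolsv.exe"}

SECTION_RE = re.compile(r"^(O\d+|R\d|F\d) - ")
# First Windows path ending in an executable extension anywhere on the line.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|scr|com|bat|cmd|pif))\b', re.I)


@dataclass
class Finding:
    section: str   # HijackThis section, e.g. "O4"
    line: str      # the log line that triggered the rule
    reason: str    # why a reviewer should look at it


def one_edit_away(a: str, b: str) -> bool:
    """True if a and b differ by exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) < len(b):
        a, b = b, a                      # make a the longer (or equal) string
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        i += 1                           # skip the extra/substituted char in a
        if len(a) == len(b):
            j += 1                       # substitution: advance both strings
    return True                          # any leftover char in a is the one edit


def triage(log_text: str) -> list[Finding]:
    """Apply the thread's triage rules to every HijackThis entry line."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue                     # header, process list or blank line
        section, low = m.group(1), line.lower()
        pm = PATH_RE.search(line)
        path = pm.group(1).lower() if pm else ""
        base = path.rsplit("\\", 1)[-1]

        # Rule 1: a load point whose target is gone is an orphan left behind by a
        # partial removal (the mljgh.dll BHO and the awtsrqo Winlogon Notify entry).
        if "(file missing)" in low or "(no file)" in low:
            findings.append(Finding(section, line, "orphaned entry: file missing"))
        # Rule 2: an autostart launched from a Temp folder (the InetChk entry).
        if section == "O4" and "\\temp\\" in path:
            findings.append(Finding(section, line, "autostart runs from a Temp folder"))
        # Rule 3: a filename one typo away from a real system binary (ctfmona.exe).
        if base and base not in SYSTEM_BINARIES:
            for good in sorted(SYSTEM_BINARIES):
                if one_edit_away(base, good):
                    findings.append(Finding(section, line, f"filename imitates {good}"))
                    break
        # Rule 4: a product name already identified as rogue security software.
        if any(name in low for name in ROGUE_NAMES):
            findings.append(Finding(section, line, "known rogue security product"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```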

#3 Draga X (Topic Starter)
Member, 29 posts
Okay, I got it.

VundoFix gave me nothing; I don't know where to find the log.

All the logs are attached and labelled by program.

DSS1 is the Main
DSS2 is the extra

Oh, and I inserted the HiJackThis log, just in case...

I've noticed that Andy is having similar problems to mine. He might have the same virus:
http://www.geekstogo...wn-t182537.html

Edited by Draga X, 06 May 2008 - 08:45 PM.


#4 andrewuk
Trusted Helper (Malware Removal), 5,297 posts
Posting the user's attached logs (always post the logs, unless I ask for them to be attached; it makes them much easier to work with and review):

OTMoveIT log

Explorer killed successfully
File/Folder C:\WINDOWS\system32\mljgh.dll not found.
C:\WINDOWS\system32\ctfmona.exe moved successfully.
C:\Program Files\WinIFixer moved successfully.
File/Folder C:\WINDOWS\awtsrqo.dll not found.
< HKEY_CLASSES_ROOT\PopCapLoader.PopCapLoaderCtrl2 >
Registry key HKEY_CLASSES_ROOT\PopCapLoader.PopCapLoaderCtrl2 \\ not found.
< HKEY_CLASSES_ROOT\PopCapLoader.PopCapLoaderCtrl2.1 >
Registry key HKEY_CLASSES_ROOT\PopCapLoader.PopCapLoaderCtrl2.1 \\ not found.
< HKEY_CLASSES_ROOT\CLSID\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A} >
Registry key HKEY_CLASSES_ROOT\CLSID\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A} \\ not found.
< HKEY_CLASSES_ROOT\Interface\{E4E3E0F8-CD30-4380-8CE9-B96904BDEFCA} >
Registry key HKEY_CLASSES_ROOT\Interface\{E4E3E0F8-CD30-4380-8CE9-B96904BDEFCA} \\ not found.
< HKEY_CLASSES_ROOT\TypeLib\{C9C5DEAF-0A1F-4660-8279-9EDFAD6FEFE1} >
Registry key HKEY_CLASSES_ROOT\TypeLib\{C9C5DEAF-0A1F-4660-8279-9EDFAD6FEFE1} \\ not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PopCapLoader.PopCapLoaderCtrl2 >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PopCapLoader.PopCapLoaderCtrl2 \\ not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PopCapLoader.PopCapLoaderCtrl2.1 >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PopCapLoader.PopCapLoaderCtrl2.1 \\ not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A} \\ not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E4E3E0F8-CD30-4380-8CE9-B96904BDEFCA} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E4E3E0F8-CD30-4380-8CE9-B96904BDEFCA} \\ not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FE8A736F-4124-4D9C-B4B1-3B12381EFABE} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FE8A736F-4124-4D9C-B4B1-3B12381EFABE} \\ not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C9C5DEAF-0A1F-4660-8279-9EDFAD6FEFE1} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C9C5DEAF-0A1F-4660-8279-9EDFAD6FEFE1} \\ not found.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05062008_192211
=================================================

Malwarebytes' Anti-Malware 1.12
Database version: 726

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 151354
Time elapsed: 55 minute(s), 47 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 12
Files Infected: 8

Memory Processes Infected:
c:\Documents and Settings\Owner\Local Settings\Temp\ms1210096481.exe (Trojan.Clicker) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\WinIFixer.com (Rogue.WinIFixer) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\SpywareBot (Rogue.SpywareBot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\InetChk (Trojan.Clicker) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Owner\Application Data\WinIFixer.com (Rogue.WinIFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\WinIFixer.com\WinIFixer (Rogue.WinIFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\WinIFixer.com\WinIFixer\Quarantine (Rogue.WinIFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\WinIFixer.com\WinIFixer\Quarantine\Autorun (Rogue.WinIFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\WinIFixer.com\WinIFixer\Quarantine\BrowserObjects (Rogue.WinIFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\WinIFixer.com\WinIFixer\Quarantine\Packages (Rogue.WinIFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\WinIFixer.com\WinIFixer\Quarantine\Autorun\HKCU (Rogue.WinIFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\WinIFixer.com\WinIFixer\Quarantine\Autorun\HKLM (Rogue.WinIFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\WinIFixer.com\WinIFixer\Quarantine\Autorun\StartMenuAllUsers (Rogue.WinIFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\WinIFixer.com\WinIFixer\Quarantine\Autorun\StartMenuCurrentUser (Rogue.WinIFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\WinIFixer.com\WinIFixer\Quarantine\Autorun\HKCU\RunOnce (Rogue.WinIFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\WinIFixer.com\WinIFixer\Quarantine\Autorun\HKLM\RunOnce (Rogue.WinIFixer) -> Quarantined and deleted successfully.

Files Infected:
c:\Documents and Settings\Owner\Local Settings\Temp\ms1210096481.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\DST4PJ00\init[1].php (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4C6E9B3C-F1BE-4527-8708-5AE69FD346FA}\RP409\A0405898.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blackster.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ctfmonb.bmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\05062008_192211\Program Files\WinIFixer\WinIFixer.exe (Rogue.WinIFixer) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\05062008_192211\WINDOWS\system32\ctfmona.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\inf\ultra.PNF (Malware.Trace) -> Quarantined and deleted successfully.

#5 andrewuk
Trusted Helper (Malware Removal), 5,297 posts
Deckard's System Scanner v20071014.68
Run by Owner on 2008-05-06 20:53:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
85: 2008-05-07 01:53:55 UTC - RP412 - Deckard's System Scanner Restore Point
84: 2008-05-06 21:26:22 UTC - RP411 - Removed WarRock
83: 2008-05-06 18:31:02 UTC - RP410 - Software Distribution Service 3.0
82: 2008-05-06 15:53:44 UTC - RP409 - System Checkpoint
81: 2008-05-05 15:17:52 UTC - RP408 - System Checkpoint


-- First Restore Point --
1: 2008-02-22 04:03:52 UTC - RP328 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 77% (more than 75%).
Total Physical Memory: 247 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:59:31 PM, on 5/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
C:\Documents and Settings\Owner\Desktop\Anti Malware Files\Anti Winfixer\DSS\dss.exe
C:\DOCUME~1\Owner\Desktop\ANTIMA~1\ANTIWI~1\Owner.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [hcsystray] C:\Program Files\Kuma Games\hcsystray\hc_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ParetoLogic Anti-Spyware] "C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" -NM -hidesplash
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyds...DSL/tgctlcm.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109349097765
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1167431190484
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://tv.disney.go....y/OTOYAX29b.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames...ctivex/YoYo.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/.../default/ct.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 8283 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\Owner\Desktop\ANTIMA~1\ANTIWI~1\backups\) --------------------------------------------------------------------------------

backup-20080506-192031-162 O4 - HKLM\..\Run: [WinIFixer] C:\Program Files\WinIFixer\WinIFixer.exe
backup-20080506-192031-776 O2 - BHO: (no name) - {13FC2B8F-F41A-45AA-90D3-16BB34582E05} - C:\WINDOWS\system32\mljgh.dll (file missing)
backup-20080506-192031-941 O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...ploader_v10.cab
backup-20080506-192032-858 O20 - Winlogon Notify: awtsrqo - awtsrqo.dll (file missing)

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>

S0 _wff - c:\windows\system32\drivers\_wff.sys (file missing)
S3 CO_Mon - c:\windows\system32\drivers\co_mon.sys
S3 hamachi_oem (PlayLinc Adapter) - c:\windows\system32\drivers\gan_adapter.sys <Not Verified; Applied Networking Inc.; Hamachi Virtual Network Interface Driver, OEM>
S3 MREMPR5 (MREMPR5 NDIS Protocol Driver) - c:\progra~1\common~1\motive\mrempr5.sys (file missing)
S3 MRENDIS5 (MRENDIS5 NDIS Protocol Driver) - c:\progra~1\common~1\motive\mrendis5.sys (file missing)
S3 SunkFilt (Alcor Micro Corp - 9360) - c:\windows\system32\drivers\sunkfilt.sys <Not Verified; Alcor Micro Corp.; SunkFilt92>
S3 SunkFilt39 (Alcor Micro Corp - 3239) - c:\windows\system32\drivers\sunkfilt39.sys <Not Verified; Alcor Micro Corp.; SunkFilt39>
S3 Sunkfiltp (HP && Alcor Micro Corp for Phison) - c:\windows\system32\drivers\sunkfiltp.sys (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: PlayLinc Adapter
Device ID: ROOT\NET\0000
Manufacturer: Super Computer Inc.
Name: PlayLinc Adapter
PNP Device ID: ROOT\NET\0000
Service: hamachi_oem


-- Scheduled Tasks -------------------------------------------------------------

2008-05-06 20:44:05 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-05-06 18:00:02 406 --a------ C:\WINDOWS\Tasks\Pareto UNS.job
2008-05-04 00:33:19 412 --a------ C:\WINDOWS\Tasks\ParetoLogic Update.job
2008-04-25 03:00:02 448 --a------ C:\WINDOWS\Tasks\ParetoLogic Anti-Spyware.job
2005-02-25 11:26:16 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 1.job


-- Files created between 2008-04-06 and 2008-05-06 -----------------------------

2008-05-06 19:30:03 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-05-06 19:29:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-06 18:38:01 0 d-------- C:\VundoFix Backups
2008-05-06 17:09:46 0 d-------- C:\Program Files\Spyware Doctor
2008-05-06 17:09:46 0 d-------- C:\Documents and Settings\Owner\Application Data\PC Tools
2008-05-06 12:54:45 1 --a------ C:\WINDOWS\system32\kr_done1de
2008-04-25 01:59:50 0 d-------- C:\Program Files\Common Files\xing shared
2008-04-15 21:49:28 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-15 21:48:23 0 d-------- C:\Program Files\Windows Live
2008-04-15 21:47:43 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-10 12:56:09 0 d-------- C:\Documents and Settings\All Users\Application Data\YoYoGames


-- Find3M Report ---------------------------------------------------------------

2008-05-06 16:28:08 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-01 14:26:46 47612 --a------ C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-04-25 01:59:50 0 d-------- C:\Program Files\Common Files
2008-04-25 01:57:51 0 d-------- C:\Program Files\Common Files\Real
2008-04-25 01:37:17 0 d-------- C:\Program Files\Google
2008-04-10 06:12:51 0 d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2008-04-02 16:11:12 0 d-------- C:\Documents and Settings\Owner\Application Data\Talkback
2008-03-31 20:08:20 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-03-31 15:53:54 0 d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2008-03-26 14:58:44 9539 --a------ C:\WINDOWS\scedunin.dat
2008-03-26 14:58:42 967 --a------ C:\WINDOWS\ScEdUnin.pif
2008-03-26 14:58:42 68608 --a------ C:\WINDOWS\ScEdUnin.exe <Not Verified; Blizzard Entertainment; Starcraft Uninstaller>
2008-03-12 21:44:46 0 d-------- C:\Program Files\Realspace3_at
2008-03-12 21:39:42 0 d-------- C:\Program Files\The Creative Assembly


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [04/17/2008 10:06 AM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 09:20 PM]
"hcsystray"="C:\Program Files\Kuma Games\hcsystray\hc_tray.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/23/2007 12:40 PM]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [01/01/2007 04:22 PM]
"XoftSpy"="C:\Program Files\XoftSpy\XoftSpy.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [04/25/2008 01:52 AM]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [04/10/2008 03:14 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"ParetoLogic Anti-Spyware"="C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" [10/24/2007 01:59 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [04/25/2008 01:37 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WinCinema Manager.lnk - C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe [9/23/2007 12:36:22 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{51C55F9E-C308-4c95-89AB-8858D8AFD819}"= C:\Program Files\ParetoLogic\Anti-Spyware\PASShlExt.dll [10/24/2007 01:59 PM 98304]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet 7100 series) - 1.lnk]
backup=C:\WINDOWS\pss\HPAiODevice(hp officejet 7100 series) - 1.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet 7100 series) - 2.lnk]
backup=C:\WINDOWS\pss\HPAiODevice(hp officejet 7100 series) - 2.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon Internet Security Suite]
"C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Symantec NetDriver Monitor"=C:\PROGRA~1\SYMNET~1\SNDMon.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
AutoRun\command- J:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20fe3fd9-8df3-11dc-87a1-000cf1f2cfb1}]
AutoRun\command- J:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c3b3722-b498-11db-852c-000cf1f2cfb1}]
AutoRun\command- J:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d35593f9-726d-11dc-876d-000cf1f2cfb1}]
AutoRun\command- J:\Autorun.exe /run
Shell00\Command- J:\Autorun.exe /run
Shell01\Command- J:\Autorun.exe /action
Shell02\Command- J:\Autorun.exe /uninstall




-- End of Deckard's System Scanner: finished at 2008-05-06 21:02:23 ------------
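The registry dump and driver list above already contain the three findings a helper works from: DisableTaskMgr=1 under the HKCU policies key (that value is what makes Task Manager refuse to open even from an administrator account), an extra xlibgfl254.dll appended to the Windows XP default SecurityProviders list, and a boot-start driver (_wff) whose .sys file is gone, which is the same driver the Service Control Manager event 7026 in the extra log complains about. As an added example, not part of the original thread and not code from DSS or HijackThis, the Python script below runs those three checks over a constructed excerpt that mirrors the posted log. The XP default provider list is the standard one; the "start type 0-2 plus file missing" rule is a triage heuristic, not a DSS feature.

```python
"""Triage the persistence points that stand out in a Deckard's System
Scanner (DSS) registry dump and driver list.  Added example for this thread;
it is not DSS or HijackThis code.  The two SAMPLE_* strings are constructed
excerpts that mirror the log posted above."""
import re

# Windows XP default value of HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders.
# Any extra name is a DLL Windows loads as a security support provider on every
# boot, a persistence spot used by the Vundo/Virtumonde family.
XP_DEFAULT_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# Constructed excerpt mirroring the posted "Registry Dump" section.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll,
"""

# Constructed excerpt mirroring the posted "Drivers" section (0-Boot ... 4-Disabled).
SAMPLE_DRIVERS = r"""
R3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
S0 _wff - c:\windows\system32\drivers\_wff.sys (file missing)
S3 MREMPR5 (MREMPR5 NDIS Protocol Driver) - c:\progra~1\common~1\motive\mrempr5.sys (file missing)
S3 SunkFilt (Alcor Micro Corp - 9360) - c:\windows\system32\drivers\sunkfilt.sys <Not Verified; Alcor Micro Corp.; SunkFilt92>
"""

KEY_LINE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# state, start type, service name, description (optional), path, trailer
DRIVER_LINE = re.compile(r"^([RS])([0-4])\s+(\S+)\s.*?-\s+(\S+\.sys)(.*)$")


def parse_registry_dump(text):
    """Return {lower-cased key path: [value lines]} for the [KEY] sections of a DSS dump."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1).lower()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def find_task_manager_policy(sections):
    """Hives whose ...\\Policies\\System key sets DisableTaskMgr to a non-zero value.

    The HKCU hit is the cause of the symptom in this thread: the policy applies to the
    logged-on user whether or not that user is an administrator."""
    hives = []
    for key, values in sections.items():
        if not key.endswith("\\policies\\system"):
            continue
        for v in values:
            m = re.match(r'^"DisableTaskMgr"=(\d+)', v)
            if m and m.group(1) != "0":
                hives.append(key.split("\\")[0].upper())
    return hives


def find_foreign_security_providers(sections):
    """DLL names in SecurityProviders that are not part of the XP default list."""
    for key, values in sections.items():
        if key.endswith("\\control\\securityproviders"):
            for v in values:
                if v.lower().startswith("securityproviders"):
                    dlls = [d.strip().lower() for d in v.split(None, 1)[1].split(",") if d.strip()]
                    return sorted(set(dlls) - XP_DEFAULT_SECURITY_PROVIDERS)
    return []


def find_missing_start_drivers(driver_text):
    """(name, start type, path) for drivers that start at boot/system/auto (0-2)
    but whose .sys file is gone.  The SCM logs event 7026 for them on every boot,
    and a random-name boot driver with no file is a typical rootkit/Vundo leftover."""
    found = []
    for line in driver_text.splitlines():
        m = DRIVER_LINE.match(line.strip())
        if not m:
            continue
        _state, start, name, path, trailer = m.groups()
        if "(file missing)" in trailer and int(start) <= 2:
            found.append((name, int(start), path))
    return found


def triage(registry_dump, driver_text):
    """Run every check and return human-readable findings."""
    sections = parse_registry_dump(registry_dump)
    findings = []
    for hive in find_task_manager_policy(sections):
        findings.append(f"{hive}: DisableTaskMgr=1 (Task Manager blocked by policy)")
    for dll in find_foreign_security_providers(sections):
        findings.append(f"SecurityProviders: non-default DLL {dll}")
    for name, start, path in find_missing_start_drivers(driver_text):
        findings.append(f"driver {name} (start type {start}) points at missing file {path}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DUMP, SAMPLE_DRIVERS):
        print("FLAG:", finding)
```

Run as-is it flags the three items above; to use it on a real DSS main.txt, paste the "Registry Dump" and "Drivers" sections into the two sample strings. Note that a DisableTaskMgr value under HKLM\...\Policies\System would be reported too, since it applies to every account on the machine.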

#6 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.66GHz
Percentage of Memory in Use: 77%
Physical Memory (total/avail): 246.8 MiB / 55.32 MiB
Pagefile Memory (total/avail): 605.86 MiB / 102.44 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1936.1 MiB

C: is Fixed (NTFS) - 53.19 GiB total, 13.61 GiB free.
D: is CDROM (No Media)
E: is Fixed (FAT32) - 4.07 GiB total, 0.67 GiB free.
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)

\\.\PHYSICALDRIVE0 - HDS722580VLAT20 - 57.27 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 53.19 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 4.08 GiB - E:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: AVG 7.5.524 v7.5.524 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"="C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe:*:Enabled:Age of Empires 3"
"C:\\WINDOWS\\system32\\dplaysvr.exe"="C:\\WINDOWS\\system32\\dplaysvr.exe:*:Disabled:Microsoft DirectPlay Helper"
"C:\\Program Files\\pac-man.exe"="C:\\Program Files\\pac-man.exe:*:Enabled:Pac-Man: Adventures in Time"
"C:\\Documents and Settings\\Owner\\My Documents\\My Pictures\\Sean's things\\Game Maker Stuff\\PNT Project\\PNT\\PNT Client.exe"="C:\\Documents and Settings\\Owner\\My Documents\\My Pictures\\Sean's things\\Game Maker Stuff\\PNT Project\\PNT\\PNT Client.exe:*:Enabled:PNT Client"
"C:\\Documents and Settings\\Owner\\My Documents\\My Pictures\\Sean's things\\Game Maker Stuff\\PNT Project\\PNT\\PNT Server.exe"="C:\\Documents and Settings\\Owner\\My Documents\\My Pictures\\Sean's things\\Game Maker Stuff\\PNT Project\\PNT\\PNT Server.exe:*:Enabled:PNT Server"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Servant Salamander 2.0\\salamand.exe"="C:\\Program Files\\Servant Salamander 2.0\\salamand.exe:*:Enabled:File Manager for Windows NT/95/98/2000"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Java\\j2re1.4.2\\bin\\javaw.exe"="C:\\Program Files\\Java\\j2re1.4.2\\bin\\javaw.exe:*:Disabled:javaw"
"C:\\Documents and Settings\\Owner\\My Documents\\My Pictures\\Sean's things\\Games from the Internet\\Risk 2\\Risk II\\RiskII.exe"="C:\\Documents and Settings\\Owner\\My Documents\\My Pictures\\Sean's things\\Games from the Internet\\Risk 2\\Risk II\\RiskII.exe:*:Disabled:Risk II"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Documents and Settings\\Owner\\Desktop\\Games\\[ PC Games ] - Age of Empires II(FULL)\\age2_x1.exe"="C:\\Documents and Settings\\Owner\\Desktop\\Games\\[ PC Games ] - Age of Empires II(FULL)\\age2_x1.exe:*:Enabled:Age of Empires II Expansion"
"C:\\Documents and Settings\\Owner\\Desktop\\Games\\[ PC Games ] - Age of Empires II(FULL)\\empires2.EXE"="C:\\Documents and Settings\\Owner\\Desktop\\Games\\[ PC Games ] - Age of Empires II(FULL)\\empires2.EXE:*:Enabled:Age of Empires II"
"C:\\Documents and Settings\\Owner\\Desktop\\Games\\Defcon\\defcon.exe"="C:\\Documents and Settings\\Owner\\Desktop\\Games\\Defcon\\defcon.exe:*:Enabled:Defcon"
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"="C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe:*:Enabled:Age of Empires III - The WarChiefs"
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"="C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe:*:Enabled:Age of Empires III - The Asian Dynasties"
"C:\\Documents and Settings\\Administrator\\Desktop\\Defcon\\defcon.exe"="C:\\Documents and Settings\\Administrator\\Desktop\\Defcon\\defcon.exe:*:Enabled:Defcon"
"C:\\Documents and Settings\\Owner\\Desktop\\Games\\Warcraft III\\Warcraft III.exe"="C:\\Documents and Settings\\Owner\\Desktop\\Games\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\\Program Files\\EA GAMES\\The Battle for Middle-earth ™\\game.dat"="C:\\Program Files\\EA GAMES\\The Battle for Middle-earth ™\\game.dat:*:Enabled:The Battle for Middle-earth ™"
"C:\\Documents and Settings\\Owner\\Desktop\\Games\\Empire Earth\\Empire Earth.exe"="C:\\Documents and Settings\\Owner\\Desktop\\Games\\Empire Earth\\Empire Earth.exe:*:Enabled:Empire Earth"
"C:\\Program Files\\The Creative Assembly\\Rome - Total War\\RomeTW.exe"="C:\\Program Files\\The Creative Assembly\\Rome - Total War\\RomeTW.exe:*:Enabled:Rome: Total War"
"C:\\Program Files\\The Creative Assembly\\Rome - Total War\\RomeTW-BI.exe"="C:\\Program Files\\The Creative Assembly\\Rome - Total War\\RomeTW-BI.exe:*:Enabled:Rome: Total War - Barbarian Invasion"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=FITCH1
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\FITCH1
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0304
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=FITCH1
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\AOL digiCam\Uninst.isu"
--> MsiExec.exe /X{EE43210C-266E-4101-8FBC-04378D5E9D42}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3D Maker --> C:\PROGRA~1\SANDYK~1\3DMAKE~1\UNWISE.EXE C:\PROGRA~1\SANDYK~1\3DMAKE~1\INSTALL.LOG
Ace Utilities --> "C:\Program Files\Ace Utilities\uninstall.exe"
Adobe Atmosphere Player for Acrobat and Adobe Reader --> C:\WINDOWS\atmoUn.exe
Adobe Download Manager 2.2 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop Album 2.0 Starter Edition --> MsiExec.exe /I{11B569C2-4BF6-4ED0-9D17-A4273943CB24}
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Age of Empires III --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}
Age of Empires III - The Asian Dynasties --> C:\Program Files\InstallShield Installation Information\{C43C1415-3DFC-4089-9A32-0BECF28A6046}\setup.exe -runfromtemp -l0x0409
Age of Empires III - The WarChiefs --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{1C08A24C-B168-407E-A826-68FAF5F20710}
ArcSoft PhotoImpression 2000 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ArcSoft\PhotoImpression 2000\Uninst.isu"
AVG Free Edition --> C:\Program Files\Grisoft\AVG Free\setup.exe /UNINSTALL
Battalion Map Editor 1.4 --> C:\Documents and Settings\Owner\My Documents\My Pictures\Sean's things\Other Stuff\Advance Wars Online Map Maker\Battalion Map Editor\uninst.exe
CrypTool 1.4.10 --> C:\Documents and Settings\Owner\My Documents\My Pictures\Sean's things\Games from the Internet\Enigma\CrypTool\uninstall.exe
Defcon v1.43 --> "C:\Documents and Settings\Administrator\Desktop\Defcon\unins000.exe"
Fastlink Browser --> C:\Documents and Settings\Uninstall_FLB.exe #uninstall "C:\Documents and Settings\Owner\My Documents\My Pictures\Sean's things\Games from the Internet\SoulNet stuff\FLB_1.0\uinst.log"
Feudalism --> "J:\Feudalism_at\unins000.exe"
FreeBASIC 0.18.2b --> C:\Documents and Settings\Owner\My Documents\My Pictures\Sean's things\Games from the Internet\FreeBASIC\uninst.exe
Game Maker 7.0 --> C:\Documents and Settings\Owner\My Documents\My Pictures\Sean's things\Game Maker Stuff\Game Maker\Game Maker 7\Uninstal.exe
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Google Talk (remove only) --> "C:\Program Files\Google\Google Talk\uninstall.exe"
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
HijackThis 2.0.2 --> "C:\Documents and Settings\Owner\Desktop\Anti Malware Files\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
hp officejet 7100 series --> C:\WINDOWS\system32\hpocon09.exe /u 1109977579 /d "hp officejet 7100 series"
hp officejet 7100 series - 2 --> C:\WINDOWS\system32\hpocon09.exe /u 1112312173 /d "hp officejet 7100 series"
Image Resizer Powertoy for Windows XP --> MsiExec.exe /I{1CB92574-96F2-467B-B793-5CEB35C40C29}
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
Intel® PROSet --> MsiExec.exe /I{EF4EF65F-4D62-44D7-82C9-1AECCBA74C50}
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
Java 2 Runtime Environment, SE v1.4.2 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142000}
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
LEGO Racers --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\LEGO Media\Games\LEGO Racers\Uninst.isu"
LEGO Star Wars II --> C:\Program Files\InstallShield Installation Information\{578FA426-47C0-4A3F-98A4-01ACD26B7556}\setup.exe -runfromtemp -l0x0409
Malwarebytes' Anti-Malware --> "C:\Documents and Settings\Owner\Desktop\Anti Malware Files\Anti Winfixer\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Money 2004 --> MsiExec.exe /I{1D643CD7-4DD6-11D7-A4E0-000874180BB3}
Microsoft Money 2004 System Pack --> MsiExec.exe /I{8C64E145-54BA-11D6-91B1-00500462BE80}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Mozilla Firefox (2.0.0.13) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN --> C:\Program Files\MSN\MsnInstaller\msniadm.exe /Action:ARP
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
MSN Toolbar --> C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\mtbs.exe c
NFL Head Coach --> C:\Program Files\EA SPORTS\NFL Head Coach\EAUninstall.exe
OTOY --> RunDll32 C:\WINDOWS\DOWNLO~1\OTOYAX.dll,_RemoveGroove@16
Pac-Man Adventures in Time --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D2023740-9AAC-11D4-B54D-006008571948}\setup.exe" FromAddRemove
ParetoLogic Anti-Spyware --> C:\Program Files\ParetoLogic\Anti-Spyware\Uninst_Pareto_AS.exe
PlayLinc --> MsiExec.exe /I{9CCE527D-356F-41A8-9718-77A68AC065FB}
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
Prentice Hall's Simulations and Data Graphing CD-ROM --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{286B31C0-2FCA-11D4-B26B-0050DA713C67}\setup.exe"
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rhapsody Player Engine --> MsiExec.exe /I{84F1DE76-C48C-4281-87A0-CC9548D1E7F9}
Risk II (remove only) --> "C:\Documents and Settings\Owner\My Documents\My Pictures\Sean's things\Games from the Internet\Risk 2\Risk II\Uninstall.exe"
Rome - Total War --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{51D386C4-0227-46A9-AC45-61F0A50E7AFF}\setup.exe" -l0x9 -removeonly
Rome: Total War - Barbarian Invasion --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD69C8CB-6964-432C-98AB-A5A09ED50EEA}\setup.exe" -l0x9
Sansa Media Converter --> "C:\Program Files\InstallShield Installation Information\{FC053571-8507-44E4-8B6D-AACEAB8CA57C}\setup.exe" --u:{FC053571-8507-44E4-8B6D-AACEAB8CA57C}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Servant Salamander 2.0 --> C:\Program Files\Servant Salamander 2.0\remove\remove.exe
ShowIP v1.6.4 --> "C:\Program Files\ShowIP\unins000.exe"
SoftV92 Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1\HXFSETUP.EXE -U -IVEN_14F1&DEV_2F20&SUBSYS_200014F1
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spyware Doctor 5.5 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
Starcraft Shareware(ED) --> C:\WINDOWS\scedunin.exe C:\WINDOWS\scedunin.dat
The Battle for Middle-earth ™ --> C:\Program Files\EA GAMES\The Battle for Middle-earth ™\EAUninstall.exe
Virtools 3D Life Player --> C:\Program Files\Virtools\3D Life Player\WebplayerConfig.exe -u
Visual Basic 5.0 Control Creation Edition --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\vb5cce.inf, Uninstall
Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type415 / Error
Event Submitted/Written: 05/06/2008 00:54:49 PM
Event ID/Source: 100 / AVG7
Event Description:
2008-05-06 17:54:49,281 FITCH1 [000316:000304] ERROR 000 AVG7.WTS.CAvgAmWts ProcessIdToSessionId(2772) call failed with WIN32 error 87, returning session id is 0

Event Record #/Type414 / Error
Event Submitted/Written: 05/06/2008 00:54:49 PM
Event ID/Source: 100 / AVG7
Event Description:
2008-05-06 17:54:49,281 FITCH1 [000316:000304] ERROR 000 AVG7.WTS.CAvgAmWts ProcessIdToSessionId(2772) call failed with WIN32 error 87, returning session id is 0

Event Record #/Type413 / Error
Event Submitted/Written: 05/06/2008 00:54:49 PM
Event ID/Source: 100 / AVG7
Event Description:
2008-05-06 17:54:49,265 FITCH1 [000316:000304] ERROR 000 AVG7.WTS.CAvgAmWts ProcessIdToSessionId(2772) call failed with WIN32 error 87, returning session id is 0

Event Record #/Type412 / Error
Event Submitted/Written: 05/06/2008 00:54:49 PM
Event ID/Source: 100 / AVG7
Event Description:
2008-05-06 17:54:49,265 FITCH1 [000316:000304] ERROR 000 AVG7.WTS.CAvgAmWts ProcessIdToSessionId(4032) call failed with WIN32 error 87, returning session id is 0

Event Record #/Type411 / Error
Event Submitted/Written: 05/06/2008 00:54:48 PM
Event ID/Source: 100 / AVG7
Event Description:
2008-05-06 17:54:47,859 FITCH1 [000316:000304] ERROR 000 AVG7.WTS.CAvgAmWts ProcessIdToSessionId(2772) call failed with WIN32 error 87, returning session id is 0



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type9340 / Error
Event Submitted/Written: 05/06/2008 08:41:40 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
_wff

Event Record #/Type9335 / Warning
Event Submitted/Written: 05/06/2008 08:38:41 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%FITCH127 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %FITCH127 can't undo changes that you allow.

For more information please see the following:
%FITCH1275

Scan ID: {F63C1BDD-BED9-43EA-9C37-D31C74A37F1F}

User: FITCH1\Owner

Name: %FITCH1271

ID: %FITCH1272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %FITCH1276

Alert Type: %FITCH1278

Detection Type: 1.1.1593.02

Event Record #/Type9334 / Warning
Event Submitted/Written: 05/06/2008 08:38:32 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%FITCH127 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %FITCH127 can't undo changes that you allow.

For more information please see the following:
%FITCH1275

Scan ID: {B2643F32-A518-4738-9D5C-264FC4773C97}

User: FITCH1\Owner

Name: %FITCH1271

ID: %FITCH1272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %FITCH1276

Alert Type: %FITCH1278

Detection Type: 1.1.1593.02

Event Record #/Type9333 / Warning
Event Submitted/Written: 05/06/2008 08:38:28 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%FITCH127 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %FITCH127 can't undo changes that you allow.

For more information please see the following:
%FITCH1275

Scan ID: {FE3EC813-4579-4148-A019-02A9D3242BEA}

User: FITCH1\Owner

Name: %FITCH1271

ID: %FITCH1272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %FITCH1276

Alert Type: %FITCH1278

Detection Type: 1.1.1593.02

Event Record #/Type9332 / Warning
Event Submitted/Written: 05/06/2008 08:38:28 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%FITCH127 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %FITCH127 can't undo changes that you allow.

For more information please see the following:
%FITCH1275

Scan ID: {8782BC7C-F4B6-477C-874D-AE0072DA47E9}

User: FITCH1\Owner

Name: %FITCH1271

ID: %FITCH1272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %FITCH1276

Alert Type: %FITCH1278

Detection Type: 1.1.1593.02



-- End of Deckard's System Scanner: finished at 2008-05-06 21:02:23 ------------
#7 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
in this post we will fix your file associations, clear out some more malware and run 2 more scans.

but first a question: you have an ActiveX component on your machine from this website http://www.yoyogames.com - do you recognise it?

the scans will likely take 2 hours, quite possibly much longer. so just let them run.


====STEP 1====
Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\WINDOWS\system32\ultra\xlibgfl254.dll
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\\DisableTaskMgr
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20fe3fd9-8df3-11dc-87a1-000cf1f2cfb1}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c3b3722-b498-11db-852c-000cf1f2cfb1}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d35593f9-726d-11dc-876d-000cf1f2cfb1}
    purity 
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



====STEP 2====
could you delete the current version of combofix you have and then follow these instructions:

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet. For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**



====STEP 3====
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

====STEP 4====
click on Start, click on Run
copy and paste the following in bold in the open window and then click OK
"%userprofile%\desktop\dss.exe" /daft
This will open up Deckard's File Association Tool
  • Click on the Scan button.
  • Select everything it is displaying there
  • Click the Fix button.
  • Then rescan with DAFT again - it should say now that "All associations are OK"
  • Close DAFT if you receive that message. This means that it is fixed now.
if that does not work then Please download DAFT and save it to your desktop and Double-click the daft.exe icon, and then follow the above instructions from "Click on the Scan button"


In your next reply could i see:
1. the answer to the above question
2. the OTMoveIT log
3. the combofix log
4. a new hijackthis log
5. the kaspersky log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
#8 Draga X (Topic Starter, Member, 29 posts)
1. Yes, I trust the YoYoGames plugin.

2. Kaspersky didn't show me any button that said SAVE AS TEXT; when I tried to see if an ActiveX control IE is blocking was the problem, it refreshed the page and erased the data :) So I don't have it, but it said there were six viruses and 15 infected files over a time duration of about 1:54:34. When I opened DAFT the first time, it said that "All associations are ok!" so FYI.

OTMove it:
Explorer killed successfully
File/Folder C:\WINDOWS\system32\ultra\xlibgfl254.dll not found.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\\DisableTaskMgr >
Registry value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\\DisableTaskMgr deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20fe3fd9-8df3-11dc-87a1-000cf1f2cfb1} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20fe3fd9-8df3-11dc-87a1-000cf1f2cfb1}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c3b3722-b498-11db-852c-000cf1f2cfb1} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c3b3722-b498-11db-852c-000cf1f2cfb1}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d35593f9-726d-11dc-876d-000cf1f2cfb1} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d35593f9-726d-11dc-876d-000cf1f2cfb1}\\ deleted successfully.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05072008_151940

ComboFix:
ComboFix 08-05-01.3 - Owner 2008-05-07 15:50:39.1 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\Anti Malware Files\Anti Winfixer\ComboFix\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\privprotect.exe
C:\temp\17o7
C:\temp\17o7\tmpTF.log
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\smpi1
C:\WINDOWS\system32\smpi1\lb66.exe
C:\WINDOWS\system32\tfhswqyw.ini
C:\WINDOWS\wbun.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-07 to 2008-05-07 )))))))))))))))))))))))))))))))
.

2008-05-06 20:53 . 2008-05-06 20:53 <DIR> d-------- C:\Deckard
2008-05-06 19:30 . 2008-05-06 19:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-05-06 19:29 . 2008-05-06 19:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-06 19:29 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-06 19:29 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-06 19:22 . 2008-05-06 19:22 <DIR> d-------- C:\_OTMoveIt
2008-05-06 18:38 . 2008-05-06 18:38 <DIR> d-------- C:\VundoFix Backups
2008-05-06 17:10 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-05-06 17:10 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-05-06 17:10 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-05-06 17:10 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-05-06 17:09 . 2008-05-07 06:32 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-06 17:09 . 2008-05-06 17:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PC Tools
2008-05-06 12:54 . 2008-05-06 12:54 1 --a------ C:\WINDOWS\system32\kr_done1de
2008-04-25 01:59 . 2008-04-25 01:59 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-04-15 21:49 . 2008-04-15 21:50 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-15 21:48 . 2008-04-15 21:48 <DIR> d-------- C:\Program Files\Windows Live
2008-04-15 21:47 . 2008-04-15 21:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-10 12:56 . 2008-04-10 12:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\YoYoGames

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-07 19:01 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-07 18:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-05-07 16:00 47,612 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-05-06 21:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-27 06:53 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-25 06:57 --------- d-----w C:\Program Files\Common Files\Real
2008-04-25 06:37 --------- d-----w C:\Program Files\Google
2008-04-10 11:12 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2008-04-02 21:11 --------- d-----w C:\Documents and Settings\Owner\Application Data\Talkback
2008-03-26 19:58 68,608 ----a-w C:\WINDOWS\ScEdUnin.exe
2008-03-13 02:44 --------- d-----w C:\Program Files\Realspace3_at
2008-03-13 02:39 --------- d-----w C:\Program Files\The Creative Assembly
2007-02-10 18:29 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2007-02-04 17:14 0 ----a-w C:\Documents and Settings\Owner\GoToAssist_phone__317_en.exe
2006-12-23 16:43 56 ----a-w C:\Program Files\options.dat
2006-12-21 14:54 547 ----a-w C:\Program Files\slot1.dat
2006-04-13 23:42 364 ----a-w C:\Program Files\scores.dat
2000-10-12 02:50 581,632 ----a-w C:\Program Files\pac-man.exe
2000-10-12 00:37 33,257 ----a-w C:\Program Files\ReadMe.txt
2000-10-11 18:12 57,061,717 ----a-w C:\Program Files\menu.pac
2000-10-11 16:47 193,159,064 ----a-w C:\Program Files\game.pac
2000-10-03 23:16 13 ------w C:\Program Files\override.dat
2000-09-27 02:23 547 ------w C:\Program Files\slot2.dat
2000-09-27 02:19 547 ------w C:\Program Files\slot3.dat
2000-09-26 20:51 547 ------w C:\Program Files\slot6.dat
2000-09-26 20:51 547 ------w C:\Program Files\slot5.dat
2000-09-26 20:51 547 ------w C:\Program Files\slot4.dat
2000-04-06 10:13 263,168 ------w C:\Program Files\binkw32.dll
2000-03-03 08:01 81,920 ------w C:\Program Files\eaxman.dll
2000-02-11 22:04 4,775,936 ----a-w C:\Program Files\hsbr.exe
1999-09-09 00:36 126,976 ------w C:\Program Files\ffc10.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"ParetoLogic Anti-Spyware"="C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" [2007-10-24 13:59 2643312]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-04-25 01:37 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-04-17 10:06 579584]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 21:20 866584]
"hcsystray"="C:\Program Files\Kuma Games\hcsystray\hc_tray.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-09-23 12:40 98304]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 16:22 3739648]
"XoftSpy"="C:\Program Files\XoftSpy\XoftSpy.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-25 01:52 185896]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-04-10 15:14 1107848]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 10:18 219136]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{51C55F9E-C308-4c95-89AB-8858D8AFD819}"= C:\Program Files\ParetoLogic\Anti-Spyware\PASShlExt.dll [2007-10-24 13:59 98304]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll,

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet 7100 series) - 1.lnk]
backup=C:\WINDOWS\pss\HPAiODevice(hp officejet 7100 series) - 1.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet 7100 series) - 2.lnk]
backup=C:\WINDOWS\pss\HPAiODevice(hp officejet 7100 series) - 2.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 02:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 14:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-01-09 05:54 65536 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-25 01:52 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon Internet Security Suite]
C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Symantec NetDriver Monitor"=C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\pac-man.exe"=
"C:\\Documents and Settings\\Owner\\My Documents\\My Pictures\\Sean's things\\Game Maker Stuff\\PNT Project\\PNT\\PNT Client.exe"=
"C:\\Documents and Settings\\Owner\\My Documents\\My Pictures\\Sean's things\\Game Maker Stuff\\PNT Project\\PNT\\PNT Server.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Servant Salamander 2.0\\salamand.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Java\\j2re1.4.2\\bin\\javaw.exe"=
"C:\\Documents and Settings\\Owner\\My Documents\\My Pictures\\Sean's things\\Games from the Internet\\Risk 2\\Risk II\\RiskII.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Documents and Settings\\Owner\\Desktop\\Games\\[ PC Games ] - Age of Empires II(FULL)\\age2_x1.exe"=
"C:\\Documents and Settings\\Owner\\Desktop\\Games\\[ PC Games ] - Age of Empires II(FULL)\\empires2.EXE"=
"C:\\Documents and Settings\\Owner\\Desktop\\Games\\Defcon\\defcon.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"C:\\Documents and Settings\\Owner\\Desktop\\Games\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\EA GAMES\\The Battle for Middle-earth ™\\game.dat"=
"C:\\Documents and Settings\\Owner\\Desktop\\Games\\Empire Earth\\Empire Earth.exe"=
"C:\\Program Files\\The Creative Assembly\\Rome - Total War\\RomeTW.exe"=
"C:\\Program Files\\The Creative Assembly\\Rome - Total War\\RomeTW-BI.exe"=

S0 _wff;_wff;C:\WINDOWS\system32\drivers\_wff.sys []
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-09-27 19:12]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2005-02-25 16:26:16 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2008-05-07 18:32:48 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-05-06 23:00:02 C:\WINDOWS\Tasks\Pareto UNS.job"
- C:\Program Files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe
"2008-04-25 08:00:02 C:\WINDOWS\Tasks\ParetoLogic Anti-Spyware.job"
- C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe
"2008-05-04 05:33:19 C:\WINDOWS\Tasks\ParetoLogic Update.job"
- C:\Program Files\Common Files\ParetoLogic\UUS\Pareto_Update.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-07 16:01:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\TEMP\TMP00000056396242647E33FBF7 524288 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
Completion time: 2008-05-07 16:13:15
ComboFix-quarantined-files.txt 2008-05-07 21:13:08

Pre-Run: 14,414,880,768 bytes free
Post-Run: 14,528,077,824 bytes free

192 --- E O F --- 2008-04-25 07:19:10

HiJackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:38:53 PM, on 5/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\Anti Malware Files\Anti Winfixer\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [hcsystray] C:\Program Files\Kuma Games\hcsystray\hc_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ParetoLogic Anti-Spyware] "C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" -NM -hidesplash
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyds...DSL/tgctlcm.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109349097765
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1167431190484
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://tv.disney.go....y/OTOYAX29b.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames...ctivex/YoYo.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/.../default/ct.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 8505 bytes
#9 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
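The ComboFix log above shows an extra DLL (xlibgfl254.dll) appended to the LSA SecurityProviders value, a location Windows loads into lsass at boot. The following is an added example, not code from the thread or from any of the tools it mentions: a small Python audit that parses that line from a ComboFix "Reg Loading Points" excerpt, flags any DLL not in the Windows XP default list, and emits a CFScript `Registry::` section that resets the value. The sample log excerpt is constructed from the posted log; the baseline list is the XP default.

```python
"""Audit the LSA SecurityProviders value as printed in a ComboFix log.

Added example; not part of the thread or of ComboFix itself.
"""
import re

# Default contents of the SecurityProviders value on Windows XP.
XP_DEFAULT_SECURITY_PROVIDERS = ("msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll")

SECURITY_PROVIDERS_KEY = r"HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders"

# Constructed sample: the two relevant lines as ComboFix printed them in the log above.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll,
"""


def parse_security_providers(log_text):
    """Return the DLL names from the first 'SecurityProviders ...' line, or None if absent.

    ComboFix prints the value name, a space, then the comma-separated list
    (often with a trailing comma), so empty entries are dropped.
    """
    for line in log_text.splitlines():
        m = re.match(r"\s*SecurityProviders\s+(.+)$", line)
        if m:
            return [p.strip() for p in m.group(1).split(",") if p.strip()]
    return None


def unexpected_providers(providers, baseline=XP_DEFAULT_SECURITY_PROVIDERS):
    """DLLs present in the value but absent from the baseline (case-insensitive)."""
    base = {b.lower() for b in baseline}
    return [p for p in providers if p.lower() not in base]


def build_cfscript_registry_fix(baseline=XP_DEFAULT_SECURITY_PROVIDERS):
    """Emit a CFScript Registry:: section that deletes and recreates the value.

    Uses the REGEDIT4 conventions ComboFix accepts: "name"=- deletes a value,
    a following "name"="..." line recreates it with the baseline list.
    """
    value = ", ".join(baseline)
    return (
        "Registry::\n"
        f"[{SECURITY_PROVIDERS_KEY}]\n"
        '"SecurityProviders"=-\n\n'
        f"[{SECURITY_PROVIDERS_KEY}]\n"
        f'"SecurityProviders"="{value}"\n'
    )


def audit(log_text):
    """Summarise the finding; the CFScript is only produced when something is off."""
    providers = parse_security_providers(log_text)
    if providers is None:
        return {"found": False, "providers": [], "unexpected": [], "cfscript": None}
    bad = unexpected_providers(providers)
    return {
        "found": True,
        "providers": providers,
        "unexpected": bad,
        "cfscript": build_cfscript_registry_fix() if bad else None,
    }


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    print("unexpected SecurityProviders entries:", result["unexpected"])
    if result["cfscript"]:
        print(result["cfscript"])
```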
looking better now, though we need to do an online scan. I don't know if the infections found by kaspersky were already quarantined by us before, so we will try a different scan. we will also scan one file and just check for another infection. and we will also update your java, and remove one item of malware I can see.

the scans will likely take 2 hours, quite possibly much longer, so just let them run.


====STEP 1====
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\system32\drivers\_wff.sys

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=-

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=" msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Driver::
_wff


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Image: animation showing CFScript.txt being dragged onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt

====STEP 2====
I don't think you have this infection, but there was an odd sign in the last log, so we will check anyway.


You may have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected and the backups then restore them.

Download FindAWF.exe from here or here, and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 1, then press Enter
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

====STEP 3====
Jotti File Submission:

Please go to Jotti's malware scan
Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
C:\WINDOWS\system32\kr_done1de

Click on the submit button

Please post the results of the scan in your next reply.

If Jotti is busy, try the same at Virustotal



====STEP 4====
Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.



====STEP 5====
Please go HERE to run Panda's TotalScan
  • Select the bubble for Full scan
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • Then the scan will begin
  • When the scan completes, click the Save button on the right of Scan details
  • Save it to a convenient location. Post the contents of the TotalScan report

====STEP 6====
Clearing the Java cache:
There is a nice set of instructions at http://www.java.com/.../5000020300.xml

  • Click Start > Control Panel.
  • Double-click the Java icon in the control panel and then the Java Control Panel will appear.
  • Click Settings under Temporary Internet Files and the Temporary Files Settings dialog box appears.
  • Click Delete Files and the Delete Temporary Files dialog box appears.
  • Make sure all three boxes are ticked: Downloaded Applets, Downloaded Applications and Other Files and then Click OK on Delete Temporary Files window. Note: This deletes all the Downloaded Applications and Applets from the cache.
  • Click OK on Temporary Files Settings window.
Removing old java:
Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

Java 2 Runtime Environment, SE v1.4.2
Spybot - Search & Destroy 1.4
<== We might as well remove this now; it is out of date and I will direct you to the recent version when we are done.


Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

In your next reply could I see:
1. the combofix log
2. the AWF.txt log
3. the jotti log
4. the Total scan log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
  • 0

#10 Draga X (Topic Starter, Member, 29 posts)
Okay okay okay, I've waited a day and I got most of it done. I don't have the ActiveScan log because I waited 6 hours of it scanning and it was still on 18% and had scanned 736,000+ files with 36 infected files. I DID manage to get its log so it's not as bad as it could be. Oh and Jotti said I was clean. I'm gonna post this and then run the Java file.

ComboFix:
ComboFix 08-05-01.3 - Owner 2008-05-08 16:31:59.2 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\drivers\_wff.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy__WFF
-------\Service__wff


((((((((((((((((((((((((( Files Created from 2008-04-08 to 2008-05-08 )))))))))))))))))))))))))))))))
.

2008-05-07 19:09 . 2008-05-07 19:09 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-07 19:09 . 2008-05-07 19:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-06 20:53 . 2008-05-06 20:53 <DIR> d-------- C:\Deckard
2008-05-06 19:30 . 2008-05-06 19:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-05-06 19:29 . 2008-05-06 19:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-06 19:29 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-06 19:29 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-06 19:22 . 2008-05-06 19:22 <DIR> d-------- C:\_OTMoveIt
2008-05-06 18:38 . 2008-05-06 18:38 <DIR> d-------- C:\VundoFix Backups
2008-05-06 17:10 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-05-06 17:10 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-05-06 17:10 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-05-06 17:10 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-05-06 17:09 . 2008-05-08 12:31 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-06 17:09 . 2008-05-06 17:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PC Tools
2008-05-06 12:54 . 2008-05-06 12:54 1 --a------ C:\WINDOWS\system32\kr_done1de
2008-04-25 01:59 . 2008-04-25 01:59 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-04-15 21:49 . 2008-04-15 21:50 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-15 21:48 . 2008-04-15 21:48 <DIR> d-------- C:\Program Files\Windows Live
2008-04-15 21:47 . 2008-04-15 21:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-10 12:56 . 2008-04-10 12:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\YoYoGames

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-08 21:57 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-08 20:27 47,612 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-05-08 18:56 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-08 18:53 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-05-08 15:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-05-06 21:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-27 06:53 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-27 06:52 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-04-25 06:57 --------- d-----w C:\Program Files\Common Files\Real
2008-04-25 06:37 --------- d-----w C:\Program Files\Google
2008-04-12 07:06 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-04-10 11:12 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2008-04-02 21:11 --------- d-----w C:\Documents and Settings\Owner\Application Data\Talkback
2008-03-26 19:58 68,608 ----a-w C:\WINDOWS\ScEdUnin.exe
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-13 02:44 --------- d-----w C:\Program Files\Realspace3_at
2008-03-13 02:39 --------- d-----w C:\Program Files\The Creative Assembly
2008-03-01 13:06 826,368 --s-a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2007-02-10 18:29 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2007-02-04 17:14 0 ----a-w C:\Documents and Settings\Owner\GoToAssist_phone__317_en.exe
2006-12-23 16:43 56 ----a-w C:\Program Files\options.dat
2006-12-21 14:54 547 ----a-w C:\Program Files\slot1.dat
2006-04-13 23:42 364 ----a-w C:\Program Files\scores.dat
2000-10-12 02:50 581,632 ----a-w C:\Program Files\pac-man.exe
2000-10-12 00:37 33,257 ----a-w C:\Program Files\ReadMe.txt
2000-10-11 18:12 57,061,717 ----a-w C:\Program Files\menu.pac
2000-10-11 16:47 193,159,064 ----a-w C:\Program Files\game.pac
2000-10-03 23:16 13 ------w C:\Program Files\override.dat
2000-09-27 02:23 547 ------w C:\Program Files\slot2.dat
2000-09-27 02:19 547 ------w C:\Program Files\slot3.dat
2000-09-26 20:51 547 ------w C:\Program Files\slot6.dat
2000-09-26 20:51 547 ------w C:\Program Files\slot5.dat
2000-09-26 20:51 547 ------w C:\Program Files\slot4.dat
2000-04-06 10:13 263,168 ------w C:\Program Files\binkw32.dll
2000-03-03 08:01 81,920 ------w C:\Program Files\eaxman.dll
2000-02-11 22:04 4,775,936 ----a-w C:\Program Files\hsbr.exe
1999-09-09 00:36 126,976 ------w C:\Program Files\ffc10.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-07_16.12.16.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-07 18:29:24 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-08 21:51:22 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-21 01:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
+ 2008-05-08 18:59:07 25,214 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A71000000002}\SC_Reader.exe
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"ParetoLogic Anti-Spyware"="C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" [2007-10-24 13:59 2643312]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-04-25 01:37 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-04-17 10:06 579584]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 21:20 866584]
"hcsystray"="C:\Program Files\Kuma Games\hcsystray\hc_tray.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-09-23 12:40 98304]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 16:22 3739648]
"XoftSpy"="C:\Program Files\XoftSpy\XoftSpy.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-25 01:52 185896]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-04-10 15:14 1107848]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 10:18 219136]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{51C55F9E-C308-4c95-89AB-8858D8AFD819}"= C:\Program Files\ParetoLogic\Anti-Spyware\PASShlExt.dll [2007-10-24 13:59 98304]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet 7100 series) - 1.lnk]
backup=C:\WINDOWS\pss\HPAiODevice(hp officejet 7100 series) - 1.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet 7100 series) - 2.lnk]
backup=C:\WINDOWS\pss\HPAiODevice(hp officejet 7100 series) - 2.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 02:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 14:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-01-09 05:54 65536 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-25 01:52 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon Internet Security Suite]
C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Symantec NetDriver Monitor"=C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\pac-man.exe"=
"C:\\Documents and Settings\\Owner\\My Documents\\My Pictures\\Sean's things\\Game Maker Stuff\\PNT Project\\PNT\\PNT Client.exe"=
"C:\\Documents and Settings\\Owner\\My Documents\\My Pictures\\Sean's things\\Game Maker Stuff\\PNT Project\\PNT\\PNT Server.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Servant Salamander 2.0\\salamand.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Java\\j2re1.4.2\\bin\\javaw.exe"=
"C:\\Documents and Settings\\Owner\\My Documents\\My Pictures\\Sean's things\\Games from the Internet\\Risk 2\\Risk II\\RiskII.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Documents and Settings\\Owner\\Desktop\\Games\\[ PC Games ] - Age of Empires II(FULL)\\age2_x1.exe"=
"C:\\Documents and Settings\\Owner\\Desktop\\Games\\[ PC Games ] - Age of Empires II(FULL)\\empires2.EXE"=
"C:\\Documents and Settings\\Owner\\Desktop\\Games\\Defcon\\defcon.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"C:\\Documents and Settings\\Owner\\Desktop\\Games\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\EA GAMES\\The Battle for Middle-earth ™\\game.dat"=
"C:\\Documents and Settings\\Owner\\Desktop\\Games\\Empire Earth\\Empire Earth.exe"=
"C:\\Program Files\\The Creative Assembly\\Rome - Total War\\RomeTW.exe"=
"C:\\Program Files\\The Creative Assembly\\Rome - Total War\\RomeTW-BI.exe"=

S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-09-27 19:12]

.
Contents of the 'Scheduled Tasks' folder
"2005-02-25 16:26:16 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2008-05-08 21:54:41 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-05-06 23:00:02 C:\WINDOWS\Tasks\Pareto UNS.job"
- C:\Program Files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe
"2008-04-25 08:00:02 C:\WINDOWS\Tasks\ParetoLogic Anti-Spyware.job"
- C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe
"2008-05-04 05:33:19 C:\WINDOWS\Tasks\ParetoLogic Update.job"
- C:\Program Files\Common Files\ParetoLogic\UUS\Pareto_Update.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-08 16:55:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\WudfHost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
.
**************************************************************************
.
Completion time: 2008-05-08 17:15:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-08 22:14:49
ComboFix2.txt 2008-05-07 21:13:22

Pre-Run: 14,167,494,656 bytes free
Post-Run: 14,338,674,688 bytes free

223 --- E O F --- 2008-04-25 07:19:10


AWF:

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Thu 05/08/2008
The current time is: 17:25:14.46


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\DIGITA~1\BAK

03/11/2004 05:18 PM 135,168 shwiconem.exe
1 File(s) 135,168 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

08/09/2004 04:51 PM 98,304 qttask.exe
1 File(s) 98,304 bytes

Directory of C:\PROGRA~1\SYMNET~1\BAK

08/26/2005 06:21 PM 100,056 SNDMon.exe
1 File(s) 100,056 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

01/29/2004 09:13 PM 118,784 hkcmd.exe
1 File(s) 118,784 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

03/23/2005 05:34 PM 58,992 ccApp.exe
1 File(s) 58,992 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

10/31/2003 09:42 PM 32,768 PDVDServ.exe
1 File(s) 32,768 bytes

Directory of C:\PROGRA~1\MICROS~2\SYSTEM\BAK

06/18/2003 02:00 PM 200,704 mnyexpr.exe
1 File(s) 200,704 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

05/25/2005 03:19 AM 180,269 realsched.exe
1 File(s) 180,269 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

135168 Mar 11 2004 "C:\Program Files\Digital Media Reader\bak\shwiconem.exe"
98304 Sep 23 2007 "C:\Program Files\QuickTime\qttask.exe"
98304 Aug 9 2004 "C:\Program Files\QuickTime\bak\qttask.exe"
95456 Feb 4 2007 "C:\Program Files\SymNetDrv\SNDMon.exe"
100056 Aug 26 2005 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
118784 Jan 29 2004 "C:\Drivers\Video\Win2000\hkcmd.exe"
118784 Jan 29 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
58992 Mar 23 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
32768 Oct 31 2003 "C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe"
200704 Jun 18 2003 "C:\Program Files\Microsoft Money\System\bak\mnyexpr.exe"
185896 Apr 25 2008 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 May 25 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"


end of report


Small ActiveScan report:

;*******************************************************************************
*********************************************************************************
*******************
ANALYSIS: 2008-05-09 22:17:16
PROTECTIONS: 1
MALWARE: 21
SUSPECTS: 0
;*******************************************************************************
*********************************************************************************
*******************
PROTECTIONS
Description Version Active Updated
;===============================================================================
=================================================================================
===================
AVG 7.5.524 7.5.524 Yes Yes
;===============================================================================
=================================================================================
===================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
=================================================================================
===================
00064839 Adware/Ucmore Adware No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\smpi1\lb66.exe.vir
00064839 Adware/Ucmore Adware No 0 Yes No C:\System Volume Information\_restore{4C6E9B3C-F1BE-4527-8708-5AE69FD346FA}\RP413\A0406941.exe
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xvui5ego.default\cookies.txt[.doubleclick.net/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xvui5ego.default\cookies.txt[.atdmt.com/]
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Owner\Desktop\Anti Malware Files\Anti Winfixer\smitRem\Process.exe
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Owner\Desktop\Anti Malware Files\Anti Winfixer\smitRem\smitRem.exe[smitRem/Process.exe]
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Owner\My Documents\Important Files\smitRem.exe[smitRem/Process.exe]
00139535 Application/Processor HackTools No 0 No No C:\Documents and Settings\Owner\Desktop\Anti Malware Files\Anti Winfixer\VirtMundoBeGone\VirtumundoBeGone.exe[²ƒÇ]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xvui5ego.default\cookies.txt[.fastclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xvui5ego.default\cookies.txt[.fastclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xvui5ego.default\cookies.txt[.fastclick.net/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xvui5ego.default\cookies.txt[.mediaplex.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xvui5ego.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xvui5ego.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xvui5ego.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xvui5ego.default\cookies.txt[ad.yieldmanager.com/]
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xvui5ego.default\cookies.txt[.apmebf.com/]
00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@adtech[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xvui5ego.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xvui5ego.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xvui5ego.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xvui5ego.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xvui5ego.default\cookies.txt[.advertising.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@realmedia[1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@questionmarket[2].txt
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
00252281 Adware/Trymedia Adware No 0 Yes No C:\Downloads\RiskIISetup-dm[1].exe
00514949 Adware/WebBuying Adware No 0 Yes No C:\System Volume Information\_restore{4C6E9B3C-F1BE-4527-8708-5AE69FD346FA}\RP413\A0406942.exe
00514949 Adware/WebBuying Adware No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\wbun.exe.vir
00519333 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Owner\Desktop\Anti Malware Files\Anti Winfixer\VirtMundoBeGone\VirtumundoBeGone.exe
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\System Volume Information\_restore{4C6E9B3C-F1BE-4527-8708-5AE69FD346FA}\RP415\A0407163.exe[327882R2FWJFW\NirCmdC.cfexe]
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\Documents and Settings\Owner\Desktop\Anti Malware Files\Anti Winfixer\ComboFix\ComboFix.exe[327882R2FWJFW\NirCmdC.cfexe]
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{4C6E9B3C-F1BE-4527-8708-5AE69FD346FA}\RP415\A0407128.EXE
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{4C6E9B3C-F1BE-4527-8708-5AE69FD346FA}\RP415\A0407117.sys
;===============================================================================
=================================================================================
===================
SUSPECTS
Sent Location 8
;===============================================================================
=================================================================================
===================
;===============================================================================
=================================================================================
===================
VULNERABILITIES
Id Severity Description 8
;===============================================================================
=================================================================================
===================
;===============================================================================
=================================================================================
===================
  • 0
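As an added defender-side example (not FindAWF itself, which is noahdfear's tool, and not code from this thread): a Python triage of the pattern the helper describes above, where a legitimate startup executable is overwritten and the original is parked in a sibling `bak` folder. It finds `bak` folders like option 1 of FindAWF and compares each backup with the same-named file beside it, as the "Duplicate files of bak directory contents" section of the AWF report above lets you do by eye; all paths and file contents are constructed placeholders.

```python
"""Added example (not FindAWF, which is noahdfear's tool, and not code from
this thread): a defender-side triage of the Downloader.Agent.awf pattern the
helper describes, where a legitimate startup executable is overwritten and the
original is parked in a sibling folder named "bak". Paths and file contents
below are constructed; on a real XP box the root would be C:\\.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large executables are not read whole."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_bak_folders(root: Path) -> List[Path]:
    """Every directory named 'bak' (case-insensitive) under root: the same
    folder name FindAWF's option 1 scans for."""
    return sorted(p for p in root.rglob("*") if p.is_dir() and p.name.lower() == "bak")


def triage_bak_folder(bak: Path) -> List[Dict[str, str]]:
    """Compare each file in a bak folder with the same-named file in the
    parent directory, which is where the trojan would have dropped its copy.
    The AWF report shows only size and date; hashing also catches a same-size swap."""
    findings: List[Dict[str, str]] = []
    for backup in sorted(bak.iterdir()):
        if not backup.is_file():
            continue
        live = bak.parent / backup.name
        if not live.exists():
            status = "live copy missing"          # only the bak copy is left
        elif live.stat().st_size != backup.stat().st_size:
            status = "size differs"              # like SNDMon.exe 95456 vs 100056 above
        elif sha256_of(live) != sha256_of(backup):
            status = "same size, content differs"
        else:
            status = "identical"                 # already restored; bak is redundant
        findings.append({"live": str(live), "backup": str(backup), "status": status})
    return findings


def triage(root: Path) -> List[Dict[str, str]]:
    """Run the bak-folder comparison over the whole tree."""
    results: List[Dict[str, str]] = []
    for bak in find_bak_folders(root):
        results.extend(triage_bak_folder(bak))
    return results


def build_demo_tree(root: Path) -> None:
    """Constructed sample tree modelled on the report above (contents are
    placeholder bytes, not real executables)."""
    cases = {
        # only the backup survives, no live file beside it
        "Program Files/Digital Media Reader": ("shwiconem.exe", b"MZ original shwiconem", None),
        # same length, different bytes: a size-only check would miss this
        "Program Files/QuickTime": ("qttask.exe", b"MZ original qttask", b"MZ replaced qttask"),
        # different length, as in the thread's SNDMon.exe entry
        "Program Files/SymNetDrv": ("SNDMon.exe", b"MZ original sndmon", b"MZ dropped replacement"),
        # already restored: both copies identical
        "Program Files/Common Files/Symantec Shared": ("ccApp.exe", b"MZ original ccapp", b"MZ original ccapp"),
    }
    for folder, (name, backup_bytes, live_bytes) in cases.items():
        bak = root / folder / "bak"
        bak.mkdir(parents=True)
        (bak / name).write_bytes(backup_bytes)
        if live_bytes is not None:
            (bak.parent / name).write_bytes(live_bytes)


def run_demo() -> Dict[str, str]:
    """Build the constructed tree in a temp dir; return {file name: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return {Path(f["backup"]).name: f["status"] for f in triage(root)}


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{status:28} {name}")
```

A "size differs" or "content differs" result is the case the helper restores with option 2; "identical" entries are the ones left over after that restore, which option 3 then removes.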

#11 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
The online scan only picked up items safely quarantined or in your restore points (which we will clear out at the end).

However, it looks like you do have that infection we scanned for, so we will start to clear that now:

  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    "C:\Program Files\Digital Media Reader\bak\shwiconem.exe"
    "C:\Program Files\QuickTime\bak\qttask.exe"
    "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
    "C:\WINDOWS\system32\bak\hkcmd.exe"
    "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
    "C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe"
    "C:\Program Files\Microsoft Money\System\bak\mnyexpr.exe"
    "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"


  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 2, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of files to be restored.
  • Right click below this line and select Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for .bak folders.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

andrewuk
  • 0

#12 Draga X (Topic Starter, Member, 29 posts)
Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Sun 05/11/2008
The current time is: 13:42:30.97


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\DIGITA~1\BAK

03/11/2004 05:18 PM 135,168 shwiconem.exe
1 File(s) 135,168 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

08/09/2004 04:51 PM 98,304 qttask.exe
1 File(s) 98,304 bytes

Directory of C:\PROGRA~1\SYMNET~1\BAK

08/26/2005 06:21 PM 100,056 SNDMon.exe
1 File(s) 100,056 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

01/29/2004 09:13 PM 118,784 hkcmd.exe
1 File(s) 118,784 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

03/23/2005 05:34 PM 58,992 ccApp.exe
1 File(s) 58,992 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

10/31/2003 09:42 PM 32,768 PDVDServ.exe
1 File(s) 32,768 bytes

Directory of C:\PROGRA~1\MICROS~2\SYSTEM\BAK

06/18/2003 02:00 PM 200,704 mnyexpr.exe
1 File(s) 200,704 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

05/25/2005 03:19 AM 180,269 realsched.exe
1 File(s) 180,269 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

135168 Mar 11 2004 "C:\Program Files\Digital Media Reader\shwiconem.exe"
135168 Mar 11 2004 "C:\Program Files\Digital Media Reader\bak\shwiconem.exe"
98304 Aug 9 2004 "C:\Program Files\QuickTime\qttask.exe"
98304 Aug 9 2004 "C:\Program Files\QuickTime\bak\qttask.exe"
100056 Aug 26 2005 "C:\Program Files\SymNetDrv\SNDMon.exe"
100056 Aug 26 2005 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
118784 Jan 29 2004 "C:\WINDOWS\system32\hkcmd.exe"
118784 Jan 29 2004 "C:\Drivers\Video\Win2000\hkcmd.exe"
118784 Jan 29 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
58992 Mar 23 2005 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
58992 Mar 23 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
32768 Oct 31 2003 "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
32768 Oct 31 2003 "C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe"
200704 Jun 18 2003 "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
200704 Jun 18 2003 "C:\Program Files\Microsoft Money\System\bak\mnyexpr.exe"
180269 May 25 2005 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 May 25 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"


end of report
  • 0

#13 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\Digital Media Reader\bak
    C:\Program Files\QuickTime\bak
    C:\Program Files\SymNetDrv\bak
    C:\WINDOWS\system32\bak
    C:\Program Files\Common Files\Symantec Shared\bak
    C:\Program Files\CyberLink\PowerDVD\bak
    C:\Program Files\Microsoft Money\System\bak
    C:\Program Files\Common Files\Real\Update_OB\bak


  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 3, then press Enter.
  • Press any key to continue.
  • A Notepad document, FindAWF.txt, will appear with instructions to click below the line and paste the list of folders to be removed.
  • Right-click below this line and select Paste to paste the list of folders copied to the clipboard earlier. Save and close the document.
  • The program will proceed to remove the bad folders and will perform another scan for .bak folders.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

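The FindAWF report earlier in the thread prints two things: the bak folders it found, and files inside them that have a same-named, same-sized counterpart in the parent directory. As an added example (not FindAWF's code and not anything the helper posted), the Python script below reproduces that check over a constructed directory tree and adds a SHA-256 comparison, because two files with the same size and date stamp are not necessarily the same bytes. The directory names and file contents are made up for the demonstration; the list of extensions to check is an assumption. Unlike the report above, it only compares each bak file with the file one level up, not with same-named files elsewhere on the disk.

```python
"""Audit 'bak' subfolders for copies of executables (added example, not FindAWF).

For every directory named 'bak' under a root, each executable inside it is
compared with the same-named file in the parent directory:
  - same size and same SHA-256  -> plain copy of the file it sits beside
  - same size, different hash   -> the parent file differs from the bak copy
  - no counterpart in the parent -> bak file with nothing to compare against
"""
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# Assumption: which file types are worth comparing.
EXE_SUFFIXES = {".exe", ".dll", ".scr"}


@dataclass
class BakFinding:
    bak_file: Path
    parent_file: Optional[Path]  # same-named file one level up, if present
    same_size: bool
    identical: bool              # True only when the SHA-256 digests match


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_bak_folders(root: Path) -> List[Path]:
    """Return every directory named 'bak' (case-insensitive) below root, sorted."""
    return sorted(p for p in root.rglob("*") if p.is_dir() and p.name.lower() == "bak")


def audit_bak_folders(root: Path) -> List[BakFinding]:
    """Compare each executable in a bak folder with its parent-directory namesake."""
    findings: List[BakFinding] = []
    for bak in find_bak_folders(root):
        for bak_file in sorted(bak.iterdir()):
            if not bak_file.is_file() or bak_file.suffix.lower() not in EXE_SUFFIXES:
                continue
            parent_copy = bak.parent / bak_file.name
            if not parent_copy.is_file():
                findings.append(BakFinding(bak_file, None, False, False))
                continue
            same_size = parent_copy.stat().st_size == bak_file.stat().st_size
            # Only hash when sizes match; different sizes can never be identical.
            identical = same_size and sha256_of(parent_copy) == sha256_of(bak_file)
            findings.append(BakFinding(bak_file, parent_copy, same_size, identical))
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample tree (made up for this example) covering three cases."""
    # Case 1: bak copy is byte-identical to the file in the parent directory.
    d1 = root / "Program Files" / "QuickTime"
    (d1 / "bak").mkdir(parents=True)
    (d1 / "qttask.exe").write_bytes(b"MZ" + b"A" * 100)
    (d1 / "bak" / "qttask.exe").write_bytes(b"MZ" + b"A" * 100)
    # Case 2: same size but different content, so a size check alone would miss it.
    d2 = root / "WINDOWS" / "system32"
    (d2 / "bak").mkdir(parents=True)
    (d2 / "hkcmd.exe").write_bytes(b"MZ" + b"B" * 100)
    (d2 / "bak" / "hkcmd.exe").write_bytes(b"MZ" + b"C" * 100)
    # Case 3: a bak file with no same-named file in the parent directory.
    d3 = root / "Program Files" / "Orphan"
    (d3 / "bak").mkdir(parents=True)
    (d3 / "bak" / "orphan.exe").write_bytes(b"MZ" + b"D" * 10)


def run_demo() -> List[BakFinding]:
    """Build the sample tree in a temp dir, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        findings = audit_bak_folders(root)
        for f in findings:
            status = ("no parent counterpart" if f.parent_file is None
                      else "identical copy" if f.identical
                      else "same size, DIFFERENT content" if f.same_size
                      else "different size")
            print(f"{f.bak_file.relative_to(root)}: {status}")
        return findings


if __name__ == "__main__":
    run_demo()
```

The hash step is the practical addition: the report above shows every pair with matching size and date, which tells you a copy exists but not whether the file in the parent directory still has the original bytes. A "same size, DIFFERENT content" result is the case to look at first.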

#14 Draga X (Topic Starter, Member, 29 posts)

Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Mon 05/12/2008
The current time is: 15:50:36.40


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

#15 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)

Hmm... I do believe we are almost done, so let's get one last DSS scan to check up before we wrap this up.

Could you run DSS again? Only one log will come up to be posted.

And could you give me some idea of how your machine is running now?

andrewuk