
Boot Up Slow; Malware still present.



#1 tarheel02 (New Member, 3 posts)
My computer was running horribly slow. It would not bring up applications such as Microsoft Word files. It would also remove my taskbar and take 5 minutes or so just to open up applications. It would freeze and I would have to turn off the computer and try to reboot.

I did all of the recommended scans and my system is running much better now. However, startup still seems to take a long time. Panda ActiveScan stated that some malware is still present. I wanted to post my logs to make sure that everything is deleted so that I can download Service Pack 2 for Windows XP and take all of the other precautionary measures to prevent future infections.

I appreciate your help.

Here are my logs:

1) Malwarebytes' log

Malwarebytes' Anti-Malware 1.12
Database version: 729

Scan type: Quick Scan
Objects scanned: 33360
Time elapsed: 10 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\services.exe (Adware.Maxifiles) -> Quarantined and deleted successfully.

2) SuperAntiSpyware Log:

SUPERAntiSpyware Scan Log
Generated 05/07/2008 at 09:18 PM

Application Version : 3.6.1000

Core Rules Database Version : 3454
Trace Rules Database Version: 1446

Scan type : Complete Scan
Total Scan Time : 02:25:37

Memory items scanned : 438
Memory threats detected : 0
Registry items scanned : 5467
Registry threats detected : 8
File items scanned : 51873
File threats detected : 10

Spyware.WebSearch (WinTools/Huntbar)
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#DeviceDesc

Adware.Unknown Origin
C:\WINDOWS\SYSTEM32\ADLCONTROLCOMP.XML
C:\WINDOWS\SYSTEM32\SP32.XML

Adware.Begin2Search-Installer
C:\WINDOWS\SYSTEM32\BTNETW-VENTURA-HOT_246765.EXE

Trojan.localDownload
C:\WINDOWS\SYSTEM32\COBGZD.EXE

Adware.Adlogix
C:\WINDOWS\SYSTEM32\COBGZF.EXE
C:\WINDOWS\SYSTEM32\FCS.EXE
C:\WINDOWS\SYSTEM32\INSTALL_ID6.EXE
C:\WINDOWS\SYSTEM32\MODGXYZ.EXE

Trojan.MC Downloader Variant
C:\WINDOWS\SYSTEM32\MC-58-12-0000079.EXE

Adware.WeirdOnTheWeb
C:\WINDOWS\SYSTEM32\WEIRDONTHEWEB_VENTURA.EXE


3) Active Scan log:

;*******************************************************************************
ANALYSIS: 2008-05-08 13:08:49
PROTECTIONS: 1
MALWARE: 35
SUSPECTS: 0
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
McAfee VirusScan Enterprise 8.0.0.912 No Yes
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00000431 adware/ist.istbar Adware No 1 Yes No hkey_local_machine\software\y036
00029353 adware/maxifiles Adware No 1 Yes No hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\xbtb07618.xbtb07618toolbar
00040415 adware/wintools Adware No 0 Yes No hkey_local_machine\system\controlset001\enum\root\legacy_tbpssvc
00040467 adware/elitebar Adware No 1 Yes No hkey_local_machine\software\microsoft\windows\currentversion\internet settings\user agent\post platform\iebar
00045952 spyware/media-motor Spyware No 1 Yes No hkey_local_machine\software\revisions
00047311 adware/afaenhance Adware No 0 Yes No c:\windows\system\qbuninstaller.exe
00048239 adware/adlogix Adware No 0 Yes No c:\windows\system32\retpdat32.xml
00120326 Adware/AdLogix Adware No 0 No No C:\System Volume Information\_restore{CC190F0D-B161-425D-92C5-800791749E03}\RP948\A0161774.exe[modgxyz.exe]
00120326 Adware/AdLogix Adware No 0 Yes No C:\System Volume Information\_restore{CC190F0D-B161-425D-92C5-800791749E03}\RP948\A0161772.exe
00120326 Adware/AdLogix Adware No 0 Yes No C:\System Volume Information\_restore{CC190F0D-B161-425D-92C5-800791749E03}\RP948\A0161775.exe
00123572 Adware/AdLogix Adware No 0 No No C:\System Volume Information\_restore{CC190F0D-B161-425D-92C5-800791749E03}\RP948\A0161774.exe[adstartup.exe]
00123584 Adware/AdLogix Adware No 0 No No C:\System Volume Information\_restore{CC190F0D-B161-425D-92C5-800791749E03}\RP948\A0161774.exe[adupdater.exe]
00123584 Adware/AdLogix Adware No 0 Yes No C:\System Volume Information\_restore{CC190F0D-B161-425D-92C5-800791749E03}\RP948\A0161771.exe
00137090 adware/looksmart Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{eabbb49a-4d7b-415b-8250-15c3b854e9ff}
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.247realmedia.com/]
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.247realmedia.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.tribalfusion.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.com.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.com.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.com.com/]
00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.yadro.ru/]
00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.perf.overture.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.serving-sys.com/]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.bs.serving-sys.com/]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[server.iad.liveperson.net/hc/88496895]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[server.iad.liveperson.net/hc/2726766]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[server.iad.liveperson.net/hc/17492520]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[server.iad.liveperson.net/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.ads.pointroll.com/]
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.overture.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.realmedia.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.questionmarket.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.questionmarket.com/]
00173951 Adware/Transponder Adware No 0 Yes No C:\QUARANTINE\A0016524.exe.Vir
00173951 Adware/Transponder Adware No 0 Yes No C:\QUARANTINE\lvmkvy.exe.Vir
00176095 Adware/Aurora Adware No 0 Yes No C:\QUARANTINE\wzfcvo.exe.Vir
00178709 Adware/BigTrafficNet Adware No 0 No No C:\System Volume Information\_restore{CC190F0D-B161-425D-92C5-800791749E03}\RP948\A0161770.exe[˛ĹÇ]
00184046 Adware/Maxifiles Adware No 1 Yes No C:\Program Files\Common Files\system32.dll[gui.exe]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.go.com/]
00255160 adware/shorty Adware No 0 Yes No hkey_local_machine\software\classes\shorty.gopher.1
00255160 adware/shorty Adware No 0 Yes No hkey_current_user\software\dns
00255160 adware/shorty Adware No 0 Yes No hkey_classes_root\shorty.gopher
00255160 adware/shorty Adware No 0 Yes No c:\program files\common files\system32.dll
00255160 adware/shorty Adware No 0 Yes No hkey_local_machine\software\classes\shorty.gopher
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.atwola.com/]
00293079 Spyware/7r7t Spyware No 1 Yes No C:\System Volume Information\_restore{CC190F0D-B161-425D-92C5-800791749E03}\RP948\A0161770.exe
00488205 Adware/Maxifiles Adware No 1 Yes No C:\System Volume Information\_restore{CC190F0D-B161-425D-92C5-800791749E03}\RP948\A0161776.exe
00497358 Adware/AdLogix Adware No 0 No No C:\System Volume Information\_restore{CC190F0D-B161-425D-92C5-800791749E03}\RP948\A0161774.exe[SWin32.dll]
00581389 Adware/AdLogix Adware No 0 Yes No C:\System Volume Information\_restore{CC190F0D-B161-425D-92C5-800791749E03}\RP948\A0161773.exe
00581389 Adware/AdLogix Adware No 0 No No C:\System Volume Information\_restore{CC190F0D-B161-425D-92C5-800791749E03}\RP948\A0161774.exe[fcs.exe]
01048848 Adware/Maxifiles Adware No 1 Yes No C:\Program Files\Common Files\system32.dll[Catcher.dll]
;===============================================================================
SUSPECTS
Sent Location ;
;===============================================================================
;===============================================================================
VULNERABILITIES
Id Severity Description ;
;===============================================================================
;===============================================================================

4) Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:58:47 PM, on 5/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\CBTWlanSrv.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\program files\linksys\wpc54gsv2\wpc54gsv2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ADNOTI~1\ADNOTI~1.EXE
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\elnIE.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ElnkScamBHO Class - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: ElnkPubBHO Class - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: ElnkProtectionBHO Class - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: ElnkLegacyUninstBHO Class - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [adnotifier] "C:\PROGRA~1\ADNOTI~1\ADNOTI~1.EXE" min
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\DOCUME~1\owner\LOCALS~1\Temp\SSUPDATE.EXE Software\SUPERAntiSpyware.com\SUPERAntiSpyware
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.c..._1/yregucfg.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CBT Wlan Service (CBTWlanSrv) - Unknown owner - C:\WINDOWS\CBTWlanSrv.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5177 bytes
  • 0
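A small triage script, added here as an example (it is not part of the original post and not tooling from Panda or any of the other scanners), that parses the Panda ActiveScan MALWARE table from the post above and sorts each hit by where it lives: a Firefox cookie file, a System Restore snapshot under System Volume Information, a quarantine folder, a registry key, or a live file path. The column order is taken from the table header in the log, the sample rows are copied from the log, and the bucket names and the dict layout are my own. Copies sitting in restore points or a quarantine folder cannot execute unless they are restored, so the live-file bucket is the one worth reading first.

```python
import re
from collections import Counter

# Added example (not from the forum post or Panda's tooling): a triage pass over
# Panda ActiveScan's MALWARE table. Column order comes from the table header:
#   Id Description Type Active Severity Disinfectable Disinfected Location
ROW_RE = re.compile(
    r"^(?P<id>\d{8})\s+(?P<desc>\S+)\s+(?P<type>\S+)\s+(?P<active>Yes|No)\s+"
    r"(?P<severity>\d)\s+(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+"
    r"(?P<location>.+?)\s*$"
)

# Constructed sample: rows copied from the log above, plus the header and
# separator lines the parser must skip.
SAMPLE_PANDA = r"""MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00000431 adware/ist.istbar Adware No 1 Yes No hkey_local_machine\software\y036
00048239 adware/adlogix Adware No 0 Yes No c:\windows\system32\retpdat32.xml
00120326 Adware/AdLogix Adware No 0 No No C:\System Volume Information\_restore{CC190F0D-B161-425D-92C5-800791749E03}\RP948\A0161774.exe[modgxyz.exe]
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\gllvw3cj.default\cookies.txt[.247realmedia.com/]
00173951 Adware/Transponder Adware No 0 Yes No C:\QUARANTINE\A0016524.exe.Vir
00184046 Adware/Maxifiles Adware No 1 Yes No C:\Program Files\Common Files\system32.dll[gui.exe]
00255160 adware/shorty Adware No 0 Yes No c:\program files\common files\system32.dll
"""


def parse_row(line):
    """Parse one table row into a dict; return None for headers/separators."""
    m = ROW_RE.match(line)
    if not m:
        return None
    row = m.groupdict()
    row["active"] = row["active"] == "Yes"
    row["severity"] = int(row["severity"])
    return row


def classify_location(row):
    """Bucket a detection by where the scanner found it (bucket names are mine)."""
    loc = row["location"].lower()
    if row["type"].lower() == "trackingcookie" or "cookies.txt" in loc:
        return "tracking-cookie"          # browser cookie entry, not executable code
    if "\\system volume information\\_restore" in loc:
        return "restore-point"            # System Restore snapshot copy
    if "\\quarantine\\" in loc:
        return "quarantine"               # already isolated by another tool
    if loc.startswith("hkey_"):
        return "registry"                 # leftover key/value, no file
    return "live-file"                    # a real file path on the system


def triage(lines):
    """Return bucket counts, live file paths and any rows Panda marks Active."""
    buckets = Counter()
    live, active = [], []
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        bucket = classify_location(row)
        buckets[bucket] += 1
        if bucket == "live-file":
            live.append(row["location"])
        if row["active"]:
            active.append(row["location"])
    return {"buckets": dict(buckets), "live": live, "active": active}


if __name__ == "__main__":
    result = triage(SAMPLE_PANDA.splitlines())
    for bucket, n in sorted(result["buckets"].items()):
        print(f"{bucket:16} {n}")
    print("live files to look at first:")
    for path in result["live"]:
        print("  ", path)
```

Run it against the full log by replacing the constructed sample with the table text; the restore-point and cookie rows drop out of the live-file list, which is the list to compare against the HijackThis output.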



#2 Tal (Trusted Helper, Retired Staff, 2,138 posts)
Hello tarheel02, sorry for the delay.

My name is Tal, and I will be helping you in the process of removing malware from your computer.

Before we proceed to clean your computer from malware, let's go over some points that will help both me and you, and prevent causing damage to your computer:
  • Please don't be afraid to ask questions! :) No question is considered dumb here. It's better to be safe than sorry!
  • Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know.
  • NEVER fix anything in HijackThis or other programs on your own! This can be very dangerous and cause harm to your system. If you see a certain entry or program you're unsure about, please don't hesitate to ask! :)

You may also want to Track This Topic. This feature of the forum will send out an email to the email address you've signed up with as soon as I reply, so you can be notified of my reply. To do this, please locate the Options menu, located just under the New Topic and New Reply icons. Once you've found it, click it, and choose Track This Topic from the dropdown menu (the first option). In the page that appears after you have clicked Track This Topic, select Immediate Email Notification, then click Proceed.

I couldn't find but one possibly malicious entry, which we'll need to scan as it appears as if it's unknown.

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:

    • C:\PROGRA~1\ADNOTI~1\ADNOTI~1.EXE
  • Click on the submit button
  • Please post the results in your next reply.

Also, please download and run DSS:

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply. Note: It's likely that the two logs won't fit into one post. If so, please post extra.txt in a separate post.

In your next reply, please include the DSS logs and the Jotti results.
  • 0
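To see which HijackThis lines deserve a second look before anyone touches them, here is an added example script (not the forum's, HijackThis's or Tal's own tooling) that parses O2, O4 and O23 entries and lists those matching simple review heuristics: a Run entry launched from a Temp folder, a path written in 8.3 short form (the ADNOTI~1.EXE entry Tal asks to have scanned is one), a service whose owner HijackThis reports as Unknown, or a BHO loaded from outside Program Files. The heuristics, the dict layout and the sample lines (copied from the log in the first post) are my own; a hit means "verify", not "malicious".

```python
import re

# Added example (not HijackThis's or the forum's code): review heuristics over
# HijackThis O2/O4/O23 lines. A hit is something to verify, not a verdict.
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?P<rest>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$")
# A command line is either "quoted path" args, or an unquoted path (which may
# contain spaces) ending in a program extension, followed by args or nothing.
EXE_RE = re.compile(
    r'^(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|com|scr|bat|dll|cpl)))(?=\s|$)',
    re.IGNORECASE,
)

# Constructed sample: lines copied from the HijackThis log in the first post.
SAMPLE_HJT = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [adnotifier] "C:\PROGRA~1\ADNOTI~1\ADNOTI~1.EXE" min
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\DOCUME~1\owner\LOCALS~1\Temp\SSUPDATE.EXE Software\SUPERAntiSpyware.com\SUPERAntiSpyware
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CBT Wlan Service (CBTWlanSrv) - Unknown owner - C:\WINDOWS\CBTWlanSrv.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""


def exe_from_command(cmd):
    """Pull the program path out of a Run-key command line, quoted or not."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return cmd.strip()
    return m.group("q") or m.group("u")


def parse_entry(line):
    """Return (kind, path, extra) for O2/O4/O23 lines, None for anything else."""
    m = O4_RE.match(line)
    if m:
        rest, where = m.group("rest"), m.group("where")
        if rest.startswith("[") and "] " in rest:          # [name] command
            return ("O4", exe_from_command(rest.split("] ", 1)[1]), where)
        if " = " in rest:                                  # name.lnk = target
            return ("O4", rest.split(" = ", 1)[1], where)
        return ("O4", rest, where)
    m = O23_RE.match(line)
    if m:
        return ("O23", m.group("path"), m.group("owner"))
    m = O2_RE.match(line)
    if m:
        return ("O2", m.group("path"), m.group("name"))
    return None


def review_hjt(lines):
    """List entries that match a review heuristic, with the reasons, in log order."""
    findings = []
    for line in lines:
        parsed = parse_entry(line.strip())
        if not parsed:
            continue
        kind, path, extra = parsed
        low = path.lower()
        reasons = []
        if "\\temp\\" in low:
            reasons.append("runs from a Temp folder")
        if re.search(r"~\d", path):
            reasons.append("8.3 short-name path, expand it before judging")
        if kind == "O23" and extra == "Unknown owner":
            reasons.append("service binary has no publisher recorded")
        if kind == "O2" and not low.startswith("c:\\program files\\"):
            reasons.append("BHO loaded from outside Program Files")
        if reasons:
            findings.append({"kind": kind, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_hjt(SAMPLE_HJT.splitlines()):
        print(f["kind"], f["path"], "->", "; ".join(f["reasons"]))
```

Paste a whole HijackThis log in place of the constructed sample and the output is a short "verify these" list, which is a sensible thing to bring to a helper like Tal rather than a reason to click Fix.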

#3 tarheel02 (Topic Starter, New Member, 3 posts)
Hello Tal,

Thank you for your help. The delay is not a problem. I know that you volunteer your time and I am receiving help for free.

I ran Jotti's malware scan as you suggested. The scan came back listed as okay, as none of the programs suspected any malware. I listed the results from the DSS logs below.


Here is the main.txt from the DSS log:

Deckard's System Scanner v20071014.68
Run by owner on 2008-05-13 09:11:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
13: 2008-05-13 13:11:58 UTC - RP955 - Deckard's System Scanner Restore Point
12: 2008-05-12 16:04:33 UTC - RP954 - System Checkpoint
11: 2008-05-11 08:47:18 UTC - RP953 - Software Distribution Service 3.0
10: 2008-05-11 08:43:08 UTC - RP952 - Installed Windows Defender
9: 2008-05-11 07:10:15 UTC - RP951 - Removed McAfee VirusScan Enterprise


-- First Restore Point --
1: 2008-05-04 07:21:26 UTC - RP943 - Installed Craigslist Notifier


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 256 MiB (512 MiB recommended).
System Drive C: has 0.97 GiB (less than 15%) free.


-- HijackThis (run as owner.exe) -----------------------------------------------

logfile has no content; running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-13 09:14:51
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\CBTWlanSrv.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\Linksys\WPC54GSv2\WPC54GSv2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\owner\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsof...arch/search.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ElnkScamBHO Class - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: ElnkPubBHO Class - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ElnkProtectionBHO Class - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: ElnkLegacyUninstBHO Class - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.c..._1/yregucfg.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CBT Wlan Service (CBTWlanSrv) - Unknown owner - C:\WINDOWS\CBTWlanSrv.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\system32\WLTRYSVC.EXE


--
End of file - 6658 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R3 BW2NDIS5 - c:\windows\system32\drivers\bw2ndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>

S2 W55U01 (WINBOND W55U01 USB) - c:\windows\system32\drivers\w55u01.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
S3 CBPMp50 (CBPMp50 NDIS Protocol Driver) - c:\windows\system32\drivers\cbpmp50.sys (file missing)
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
S3 se59bus (Sony Ericsson Device 089 driver (WDM)) - c:\windows\system32\drivers\se59bus.sys <Not Verified; MCCI; Sony Ericsson Device 089>
S3 se59mdfl (Sony Ericsson Device 089 USB WMC Modem Filter) - c:\windows\system32\drivers\se59mdfl.sys <Not Verified; MCCI; Sony Ericsson Device 089 USB WMC Modem Filter Driver>
S3 se59mdm (Sony Ericsson Device 089 USB WMC Modem Driver) - c:\windows\system32\drivers\se59mdm.sys <Not Verified; MCCI; Sony Ericsson Device 089 USB WMC Data Modem>
S3 se59mgmt (Sony Ericsson Device 089 USB WMC Device Management Drivers (WDM)) - c:\windows\system32\drivers\se59mgmt.sys <Not Verified; MCCI; Sony Ericsson Device 089 USB WMC Device Management>
S3 se59nd5 (Sony Ericsson Device 089 USB Ethernet Emulation SEMC59 (NDIS)) - c:\windows\system32\drivers\se59nd5.sys <Not Verified; MCCI; Sony Ericsson Device 089 USB Ethernet Emulation>
S3 se59obex (Sony Ericsson Device 089 USB WMC OBEX Interface) - c:\windows\system32\drivers\se59obex.sys <Not Verified; MCCI; Sony Ericsson Device 089 USB WMC OBEX Interface>
S3 se59unic (Sony Ericsson Device 089 USB Ethernet Emulation SEMC59 (WDM)) - c:\windows\system32\drivers\se59unic.sys <Not Verified; MCCI; Sony Ericsson Device 089 USB Ethernet Emulation>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 CBTWlanSrv (CBT Wlan Service) - c:\windows\cbtwlansrv.exe <Not Verified; ; CBT Wlan Servic Application>
R2 EarthLinkMonitor (EarthLink Monitor Service) - "c:\program files\earthlink totalaccess\wengine\wmonitor.exe" <Not Verified; Boingo Wireless, Inc.; >


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\9211421434FC000
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\9211421434FC000
Service: NIC1394


-- Scheduled Tasks -------------------------------------------------------------

2008-05-13 08:38:23 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2005-05-23 13:14:11 364 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job


-- Files created between 2008-04-13 and 2008-05-13 -----------------------------

2008-05-11 06:08:10 161824 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-11 05:44:36 0 d-------- C:\Program Files\ZoneAlarmSB
2008-05-11 05:39:18 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-05-11 05:36:32 11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2008-05-11 05:33:47 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-05-11 04:43:16 0 d-------- C:\Program Files\Windows Defender
2008-05-11 03:48:33 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-11 03:48:17 0 d-------- C:\Program Files\SpywareBlaster
2008-05-10 23:48:35 0 d-------- C:\Program Files\Alwil Software
2008-05-08 13:57:48 0 d-------- C:\Program Files\Trend Micro
2008-05-08 08:00:06 0 d-------- C:\Program Files\Panda Security
2008-05-07 18:44:29 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-07 18:42:57 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-07 18:42:56 0 d-------- C:\Documents and Settings\owner\Application Data\SUPERAntiSpyware.com
2008-05-07 18:40:59 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-07 18:25:02 0 d-------- C:\Documents and Settings\owner\Application Data\Malwarebytes
2008-05-07 18:24:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-07 18:24:43 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-07 18:22:13 0 d-------- C:\Program Files\Common Files\Download Manager
2008-05-04 03:21:30 0 d-------- C:\Program Files\WMF Technologies
2008-05-04 01:38:33 0 d-------- C:\Program Files\Ad Notifier
2008-04-15 15:25:43 18704 -ra------ C:\WINDOWS\system32\drivers\se59nd5.sys <Not Verified; MCCI; Sony Ericsson Device 089 USB Ethernet Emulation>
2008-04-15 15:24:51 4128 -ra------ C:\WINDOWS\system32\drivers\se59cr.sys <Not Verified; MCCI; Sony Ericsson Device 089 USB Ethernet Emulation>
2008-04-15 15:24:50 90800 -ra------ C:\WINDOWS\system32\drivers\se59unic.sys <Not Verified; MCCI; Sony Ericsson Device 089 USB Ethernet Emulation>
2008-04-15 15:24:43 88624 -ra------ C:\WINDOWS\system32\drivers\se59mgmt.sys <Not Verified; MCCI; Sony Ericsson Device 089 USB WMC Device Management>
2008-04-15 15:24:38 86432 -ra------ C:\WINDOWS\system32\drivers\se59obex.sys <Not Verified; MCCI; Sony Ericsson Device 089 USB WMC OBEX Interface>
2008-04-15 15:24:19 9360 -ra------ C:\WINDOWS\system32\drivers\se59mdfl.sys <Not Verified; MCCI; Sony Ericsson Device 089 USB WMC Modem Filter Driver>
2008-04-15 15:24:19 6240 -ra------ C:\WINDOWS\system32\drivers\se59cmnt.sys <Not Verified; MCCI; Sony Ericsson Device 089 USB WMC OBEX Interface>
2008-04-15 15:24:19 6240 -ra------ C:\WINDOWS\system32\drivers\se59cm.sys <Not Verified; MCCI; Sony Ericsson Device 089 USB WMC OBEX Interface>
2008-04-15 15:24:18 97088 -ra------ C:\WINDOWS\system32\drivers\se59mdm.sys <Not Verified; MCCI; Sony Ericsson Device 089 USB WMC Data Modem>
2008-04-15 15:21:22 5872 -ra------ C:\WINDOWS\system32\drivers\se59whnt.sys <Not Verified; MCCI; Sony Ericsson Device 089 Driver>
2008-04-15 15:21:22 5872 -ra------ C:\WINDOWS\system32\drivers\se59wh.sys <Not Verified; MCCI; Sony Ericsson Device 089 Driver>
2008-04-15 15:21:20 61536 -ra------ C:\WINDOWS\system32\drivers\se59bus.sys <Not Verified; MCCI; Sony Ericsson Device 089>


-- Find3M Report ---------------------------------------------------------------

2008-05-11 05:47:21 4212 ---h---c- C:\WINDOWS\system32\zllictbl.dat
2008-05-11 05:01:30 0 d-------- C:\Program Files\SpywareGuard
2008-05-11 03:13:34 0 d-------- C:\Program Files\Common Files
2008-05-11 02:09:09 0 d-------- C:\Program Files\backups
2008-05-08 08:00:09 3157 --a----c- C:\WINDOWS\mozver.dat
2008-05-02 16:25:15 0 d-------- C:\Documents and Settings\owner\Application Data\Teleca
2008-05-02 16:21:06 0 d-------- C:\Program Files\Common Files\Teleca Shared
2008-04-20 07:37:38 0 d-------- C:\Documents and Settings\owner\Application Data\Real
2008-04-09 21:47:05 0 d-------- C:\Documents and Settings\owner\Application Data\Sony Ericsson
2008-04-09 18:42:23 0 d-------- C:\Documents and Settings\owner\Application Data\eBookPro6
2008-04-04 14:36:02 0 d-------- C:\Documents and Settings\owner\Application Data\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [03/29/2008 02:37 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [04/02/2008 08:07 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

C:\Documents and Settings\owner\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [8/29/2003 7:05:35 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"E6TaskPanel"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"SpySweeper"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\3d33d9ad-f7b1-4c98-be2a-c9430df309fb]
C:\WINDOWS\System32\nbxddon.exe



-- Hosts -----------------------------------------------------------------------

127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 www.abx4.com #[Adware.ABXToolbar]
127.0.0.1 acezip.net #[SiteAdvisor.acezip.net]
127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
127.0.0.1 phpadsnew.abac.com
127.0.0.1 a.abnad.net
127.0.0.1 b.abnad.net
127.0.0.1 c.abnad.net #[eTrust.Tracking.Cookie]
127.0.0.1 d.abnad.net

18188 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-05-13 09:16:33 ------------

Here is the extra.txt log

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® III Mobile CPU 1133MHz
Percentage of Memory in Use: 82%
Physical Memory (total/avail): 255.46 MiB / 44.41 MiB
Pagefile Memory (total/avail): 618.1 MiB / 266.02 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1925.74 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 9.36 GiB total, 0.97 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - TOSHIBA MK1517GAP - 9.36 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 9.36 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FW: ZoneAlarm Firewall v7.0.473.000 (Check Point, LTD.) Disabled
AV: avast! antivirus 4.8.1169 [VPS 080513-0] v4.8.1169 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\owner\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_02\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=OWNER-3RJCTPDFZ
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFAULT_CA_NR=CA18
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\owner
LOGONSERVER=\\OWNER-3RJCTPDFZ
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\Teleca Shared
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 11 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0b01
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_02\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\owner\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=OWNER-3RJCTPDFZ
USERNAME=owner
USERPROFILE=C:\Documents and Settings\owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

owner (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Linksys\WPC54GSv2\bcmwlu00.exe" verbose /rootkey="Software\WPC54GSv2\802.11\UninstallInfo" /rootdir="C:\Program Files\Linksys\WPC54GSv2"
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Ad Notifier - For Craigslist.org --> C:\PROGRA~1\ADNOTI~1\UNWISE.EXE C:\PROGRA~1\ADNOTI~1\INSTALL.LOG
Adobe Download Manager 2.0 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop 5.5 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 5.5\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 5.5\Uninst.dll"
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Adobe SVG Viewer 3.0 --> C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Ashampoo WinOptimizer Platinum 3 --> "C:\Program Files\Ashampoo\Ashampoo WinOptimizer Platinum 3\Uninstall\WOP3_Uninstall.exe"
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
Business Plan Forms --> C:\WINDOWS\unvise32.exe C:\Program Files\Business Plan Forms\uninstal.log
Business Plan Pro 2006 --> MsiExec.exe /X{6450335D-D87C-4003-812F-7E879866A74E}
Canon PhotoRecord --> MsiExec.exe /X{D958FAC4-BAE0-4B1D-A42E-DE9BFDE7DDEE}
Canon PIXMA iP4000 --> C:\WINDOWS\System32\CNMCP64.exe "-PRINTERNAMECanon PIXMA iP4000" "-HELPERDLLC:\BJPrinter\CNMWINDOWS\Canon PIXMA iP4000 Installer\Inst2\cnmis.dll" "-RCDLLC:\BJPrinter\CNMWINDOWS\Canon PIXMA iP4000 Installer\Inst2\cnmi0409.dll"
Craigslist Notifier --> MsiExec.exe /I{00D9F0E6-4C48-4279-894E-C8EC6F60CF18}
Credit Repair Forms --> C:\WINDOWS\unvise32.exe C:\Program Files\Credit Repair Forms\uninstal.log
EarthLink Software --> "C:\Program Files\EarthLink TotalAccess\uninstll.exe" /W
EarthLink Toolbar --> C:\Program Files\EarthLink TotalAccess\Toolbar\uninstall.exe
Easy-WebPrint --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"
ESPN RunTime --> C:\Program Files\ESPNRunTime\DIGSvcUninstall.exe /brand=ESPN
FileZilla (remove only) --> "C:\Program Files\FileZilla\uninstall.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Internet Explorer Q903235 --> C:\WINDOWS\ieuninst.exe C:\WINDOWS\INF\Q903235.inf
iTunes --> MsiExec.exe /I{18388EF8-E0A3-442B-8BFE-E2F1B3D05C91}
J2SE Runtime Environment 5.0 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
LiveUpdate 2.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
Move Networks Media Player for Internet Explorer --> C:\Documents and Settings\owner\Application Data\Move Networks\ie_bin\Uninst.exe
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Nvu 1.0 --> "C:\Program Files\Nvu\unins000.exe"
Palo Alto Software's Application Manager 8.2 --> MsiExec.exe /X{BAD00139-E284-4F6C-AA94-FB637462DEEB}
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
QuickTime --> MsiExec.exe /I{E0D51394-1D45-460A-B62D-383BC4F8B335}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
SpywareBlaster 4.0 --> "C:\Program Files\SpywareBlaster\unins000.exe"
SpywareGuard v2.2 --> "C:\Program Files\SpywareGuard\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
WebEx --> C:\PROGRA~1\WebEx\atcliun.exe
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
WPC54GSv2 - WPC54GSv2 --> C:\Program Files\InstallShield Installation Information\{CBD7AC8B-2836-49F0-95FE-B09DB002B419}\setup.exe -runfromtemp -l0x0009 -removeonly
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe
ZoneAlarm Spy Blocker --> rundll32 C:\PROGRA~1\ZONEAL~1\bar\1.bin\SpyBlock.dll,O


-- Application Event Log -------------------------------------------------------

Event Record #/Type9497 / Warning
Event Submitted/Written: 05/13/2008 08:37:10 AM
Event ID/Source: 4353 / EventSystem
Event Description:
The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code. HRESULT was 80040201.

Event Record #/Type9496 / Warning
Event Submitted/Written: 05/13/2008 08:37:10 AM
Event ID/Source: 4356 / EventSystem
Event Description:
The COM+ Event System failed to create an instance of the subscriber partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}. CoGetObject returned HRESULT 80070422.

Event Record #/Type9495 / Warning
Event Submitted/Written: 05/13/2008 08:37:10 AM
Event ID/Source: 4353 / EventSystem
Event Description:
The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code. HRESULT was 80040201.

Event Record #/Type9494 / Warning
Event Submitted/Written: 05/13/2008 08:37:10 AM
Event ID/Source: 4356 / EventSystem
Event Description:
The COM+ Event System failed to create an instance of the subscriber partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}. CoGetObject returned HRESULT 80070422.

Event Record #/Type9493 / Warning
Event Submitted/Written: 05/13/2008 08:37:10 AM
Event ID/Source: 4353 / EventSystem
Event Description:
The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code. HRESULT was 80040201.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type35124 / Error
Event Submitted/Written: 05/13/2008 08:37:18 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The avast! Mail Scanner service failed to start due to the following error:
%%1053

Event Record #/Type35123 / Error
Event Submitted/Written: 05/13/2008 08:37:18 AM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the avast! Mail Scanner service to connect.

Event Record #/Type35114 / Error
Event Submitted/Written: 05/13/2008 08:37:18 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The WINBOND W55U01 USB service failed to start due to the following error:
%%1058

Event Record #/Type35113 / Error
Event Submitted/Written: 05/13/2008 08:37:10 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service SENS with arguments ""
in order to run the server:
{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}

Event Record #/Type35112 / Error
Event Submitted/Written: 05/13/2008 08:37:10 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service SENS with arguments ""
in order to run the server:
{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}



-- End of Deckard's System Scanner: finished at 2008-05-13 09:16:33 ------------