Please Please Help: win32rootkit and matrixhasyou [RESOLVED]


This topic is locked

#1
wcmont72 (Member, 19 posts)
Hi,
my computer has been running slow, and the following, winrootkit and matrixhasyou, keep popping up in my virus checker, but when I go to quarantine I get a pop-up saying there was an error and the files could not be accessed. I have followed the instructions on here and run all scans before rebooting, and I still get the virus checker popping up saying I have the above. I have done a HijackThis log, posted below. Any help would be great.
Thanks in advance



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:47:36, on 08/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\F-SECU~1\backweb\1245240\Program\SERVIC~1.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\backweb\1245240\program\fsbwsys.exe
C:\Program Files\F-Secure Internet Security\backweb\1245240\Program\fspex.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Advanced Registry Doctor\RegManServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
C:\Program Files\F-Secure Internet Security\FSPC\fspc.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\TalkTalk\bin\sprtcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
C:\Program Files\GalleryPlayer\Player\GPClientMonitor.exe
C:\Program Files\GalleryPlayer\Player\GPDownloadManager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C18666D-5ABD-4C46-B8FB-CF3E58FB1093} - C:\WINDOWS\system32\qoMcccCT.dll (file missing)
O2 - BHO: Anonymizer Proxy - {0DB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\Hide Real IP\ProxyNew.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: Popup Killer - {2D58DD23-2759-4C7B-9351-D68AF7D0D868} - C:\PROGRA~1\POPUPR~1\popup.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [ibmmessages] rem C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] rem "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [EPSON Stylus DX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE /P26 "EPSON Stylus DX4800 Series" /O6 "USB002" /M "Stylus DX4800"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [GPClientMonitor] C:\Program Files\GalleryPlayer\Player\GPClientMonitor.exe
O4 - HKLM\..\Run: [GPDownloadManager] C:\Program Files\GalleryPlayer\Player\GPDownloadManager.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] rem "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus DX4800 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE /P35 "EPSON Stylus DX4800 Series (Copy 1)" /O6 "USB003" /M "Stylus DX4800"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan Elite\TJEnder.exe :NO
O4 - HKCU\..\Run: [ibmmessages] rem C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
O4 - HKCU\..\Run: [crhaxskk] C:\WINDOWS\system32\fcvotkpg.exe
O4 - HKCU\..\Run: [zonxytcj] C:\WINDOWS\system32\fkdejmpo.exe
O4 - HKCU\..\Run: [palwgjvb] C:\WINDOWS\system32\jopsdmju.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [q9ctH6xjpj] C:\Documents and Settings\All Users\Application Data\zkbwpafu\fczgfklg.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: F-Secure 2006 OEM.lnk = C:\Program Files\F-Secure Internet Security\backweb\1245240\Program\fspex.exe
O4 - Global Startup: Image Transfer.lnk = ?
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: wvULFvsr - wvULFvsr.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AutoComplete Service (Autocomplete) - Unknown owner - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe (file missing)
O23 - Service: F-Secure 2006 OEM (BackWeb Plug-in - 1245240) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\1245240\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\1245240\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FSPC\fshttps\fshttps.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Program Files\Advanced Registry Doctor\RegManServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 10909 bytes

Edited by wcmont72, 09 May 2008 - 08:37 AM.

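Added example, not part of any post in this thread: a small Python triage script that applies, mechanically, the checks a HijackThis reader applies by eye to the O2, O4 and O20 sections of the log above. The sample lines are copied verbatim from the log posted above (three benign entries from the same log are kept as controls); the scoring weights, the threshold of 2 and the `Finding` structure are my own choices. What it produces is a list of entries worth verifying on disk, not a verdict that a file is malicious.

```python
import re
from dataclasses import dataclass

# Sample entries copied verbatim from the HijackThis log posted above.
# The Adobe BHO, QuickTime and SUPERAntiSpyware lines are benign controls.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C18666D-5ABD-4C46-B8FB-CF3E58FB1093} - C:\WINDOWS\system32\qoMcccCT.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [crhaxskk] C:\WINDOWS\system32\fcvotkpg.exe
O4 - HKCU\..\Run: [zonxytcj] C:\WINDOWS\system32\fkdejmpo.exe
O4 - HKCU\..\Run: [palwgjvb] C:\WINDOWS\system32\jopsdmju.exe
O4 - HKLM\..\Policies\Explorer\Run: [q9ctH6xjpj] C:\Documents and Settings\All Users\Application Data\zkbwpafu\fczgfklg.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: wvULFvsr - wvULFvsr.dll (file missing)
"""

# Line shapes HijackThis 2.0.2 uses for the three sections scored here.
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<target>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll)", re.I)
RANDOM8 = re.compile(r"^[A-Za-z]{8}$")  # eight letters, no digits, no spaces


@dataclass
class Finding:
    line: str
    score: int
    reasons: list


def _path_parts(cmd):
    """Return (lower-cased directory, file stem) of the first exe/dll path in cmd."""
    m = PATH_RE.search(cmd)
    if not m:
        return None, None
    directory, _, filename = m.group(0).rpartition("\\")
    return directory.lower(), filename.rsplit(".", 1)[0]


def score_o4(m):
    """Autostart entries: random names, data-directory paths, policy Run key."""
    score, reasons = 0, []
    cmd = m.group("cmd")
    if cmd.lower().startswith("rem "):
        return 0, []  # commented out with 'rem'; the command never executes
    if "policies\\explorer\\run" in m.group("key").lower():
        score += 2
        reasons.append("autostart via Policies\\Explorer\\Run, rarely used by legitimate software")
    directory, stem = _path_parts(cmd)
    if stem is None:
        return score, reasons
    name = m.group("name")
    # Legitimate 8-letter names (igfxtray, wmpnscfg) reuse the file name as the
    # entry name; a random pair of unrelated 8-letter strings is the signal.
    if RANDOM8.match(name) and RANDOM8.match(stem) and name.lower() != stem.lower():
        score += 2
        reasons.append("entry name and file name are both random-looking 8-letter strings")
    if "\\application data\\" in directory:
        score += 1
        reasons.append("runs from a data directory instead of Program Files")
    return score, reasons


def score_o2(m):
    """Browser Helper Objects: nameless registration, DLL gone from disk."""
    score, reasons = 0, []
    if m.group("name") == "(no name)":
        score += 1
        reasons.append("BHO registered without a display name")
    if "(file missing)" in m.group("target"):
        score += 2
        reasons.append("registered DLL is no longer on disk (leftover or self-deleting component)")
    return score, reasons


def score_o20(m):
    """Winlogon Notify DLLs: bare file name, DLL gone from disk."""
    score, reasons = 0, []
    target = m.group("target")
    if "\\" not in target.split(" (")[0]:
        score += 1
        reasons.append("Winlogon Notify DLL given without a path")
    if "(file missing)" in target:
        score += 2
        reasons.append("Winlogon Notify DLL is no longer on disk")
    return score, reasons


SCORERS = ((O4_RE, score_o4), (O2_RE, score_o2), (O20_RE, score_o20))


def triage(log_text, threshold=2):
    """Return the log entries whose heuristic score reaches the threshold, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        for pattern, scorer in SCORERS:
            m = pattern.match(line)
            if m:
                score, reasons = scorer(m)
                if score >= threshold:
                    findings.append(Finding(line, score, reasons))
                break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.score}] {f.line}")
        for r in f.reasons:
            print("     -", r)
```

Run on the sample it flags six entries: the nameless BHO whose DLL is missing, the three HKCU Run entries whose names and file names are unrelated 8-letter strings, the Policies\Explorer\Run entry launching from All Users\Application Data, and the path-less Winlogon Notify DLL that is also missing. The `rem`-prefixed entries are skipped because their command never runs, and ctfmon.exe in system32 is not flagged because its entry name matches its file name. A flagged entry still needs confirming by hand (is the file on disk, who signed it, what does it do) before anything is fixed or deleted; the script only orders the work.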



#2
wcmont72 (Topic Starter, 19 posts)
Hi

I have done an uninstall list and pasted it below.

Thanks again

2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
Access IBM
Access IBM Message Center
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Adobe® Photoshop® Album Starter Edition 3.2
Advanced Registry Doctor
AltoMP3 Gold 5.20
ArcSoft PhotoStudio 5.5
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Aureon 5.1 Fun ControlPanel
Avanquest update
AXIS Media Control SDK 4.13
Azureus Vuze
Business Planner version 3
CalorieKing Nutrition and Exercise Manager (remove only)
Canon MP Navigator 2.0
Canon MP170
Canon Utilities Easy-PhotoPrint
CCleaner (remove only)
Conexant SoftK56 Data Fax
DiscAPI (Studio 10)
DivX
Easy-WebPrint
eBay Toolbar
EPSON Attach To Email
EPSON Copy Utility 3
EPSON Easy Photo Print
EPSON File Manager
EPSON Image Clip Palette
EPSON Printer Software
EPSON Scan
EPSON Scan Assistant
EPSON Web-To-Page
ESDX4800_4200 User's Guide
FreeMind
F-Secure Internet Security 2006 OEM
Half-Life® 2
Hide Real IP
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HouseCall 6.6
IBM 32-bit Runtime Environment for Java 2, v1.4.2
IBM DLA
IBM RecordNow!
IBM Rescue and Recovery with Rapid Restore
IBM Themes
IBM Update Connector
Image Transfer
ImageMixer for Sony
IncrediMail Xe
Intel® Graphics Media Accelerator Driver
InterVideo WinDVD
InterVideo WinDVD Creator
Java™ 6 Update 3
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft AutoRoute 2005
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Encarta Encyclopedia Standard 2005
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Money
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Photo Premium 10
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
Microsoft Works 2005 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
MicroStaff WINASPI
Motorola Driver Installation
Motorola Phone Tools
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MyDsc2
OmniPage SE 2.0
Panda ActiveScan 2.0
PC-Doctor for Windows
PIF DESIGNER
PopupRadar 1.0.0.0
QuickTime
RAPID (Studio 10)
Recover My Files
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Excel 2007 (KB946974)
Security Update for Office 2007 (KB947801)
Security Update for Outlook 2007 (KB946983)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Visio 2007 (KB947590)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Shockwave
SmartSound Quicktracks Plugin
Sonic Update Manager
Sony USB Driver
Spybot - Search & Destroy
Spyware Doctor 5.5
Steam™
Studio 10
SUPERAntiSpyware Free Edition
TalkTalk Assist & Go
Tracks Eraser Pro v5.7
Undelete For Windows Workstation Edition Version 2.2
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb949037)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Ventrilo Client
Wallpapers
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
WinRAR archiver
WordZip
Xfire (remove only)
Yahoo! Extras
Yahoo! Mail

#3
Chopin (Member 2k, 2,639 posts)
Hello wcmont72, since it's been a couple of days, do you still need help? If so, please perform the following:

Please download Deckard's System Scanner (DSS) and save it to your Desktop. Close ALL open windows before running the scan.

Note: This program will clear your temporary files.

  • On the first run, Deckard's System Scanner will provide you with two warnings. Press "OK" and allow DSS to scan.
  • The entire scanning process will take about five minutes, often less.
  • During the scan you may get warnings about sigcheck.exe trying to access the Internet; please make sure you allow it to do so.
  • Your antivirus may also warn you about nircmd.exe; please make sure you do not delete nircmd.exe as it will cause DSS to malfunction.
  • Once the scan is complete, you will get two logfiles - a main.txt (which you see) and an extra.txt (which is minimized). Copy the contents of both into a reply.
On subsequent runs, DSS will only provide a significantly shortened main.txt and not an extra.txt.

#4
wcmont72 (Topic Starter, 19 posts)
Hi

Thanks for the response. I have run the scan and pasted the contents below. At first I did try to paste both scans, but the second one did not copy all of the text into my reply, so it is attached. Hope this is OK.

Thanks for your help

Wilma

Deckard's System Scanner v20071014.68
Run by Wilma Montgomery on 2008-05-14 07:27:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
37: 2008-05-14 06:27:55 UTC - RP926 - Deckard's System Scanner Restore Point
36: 2008-05-13 21:14:18 UTC - RP925 - System Checkpoint
35: 2008-05-12 21:08:30 UTC - RP924 - System Checkpoint
34: 2008-05-11 20:34:55 UTC - RP923 - Removed Windows Live Messenger
33: 2008-05-11 20:29:14 UTC - RP922 - Installed Windows Live Messenger


-- First Restore Point --
1: 2008-04-19 17:15:06 UTC - RP890 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Wilma Montgomery.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:30:26, on 14/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-SECU~1\backweb\1245240\Program\SERVIC~1.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\backweb\1245240\program\fsbwsys.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Advanced Registry Doctor\RegManServ.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
C:\Program Files\F-Secure Internet Security\FSPC\fspc.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\TalkTalk\bin\sprtcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\GalleryPlayer\Player\GPClientMonitor.exe
C:\Program Files\GalleryPlayer\Player\GPDownloadManager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\F-Secure Internet Security\FSPC\fshttps\fshttps.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\F-Secure Internet Security\backweb\1245240\Program\fspex.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Wilma Montgomery\Local Settings\Temporary Internet Files\Content.IE5\9UZJCYEK\dss[1].exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Wilma Montgomery.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C18666D-5ABD-4C46-B8FB-CF3E58FB1093} - C:\WINDOWS\system32\qoMcccCT.dll (file missing)
O2 - BHO: Anonymizer Proxy - {0DB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\Hide Real IP\ProxyNew.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: Popup Killer - {2D58DD23-2759-4C7B-9351-D68AF7D0D868} - C:\PROGRA~1\POPUPR~1\popup.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [ibmmessages] rem C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] rem "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [EPSON Stylus DX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE /P26 "EPSON Stylus DX4800 Series" /O6 "USB002" /M "Stylus DX4800"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [GPClientMonitor] C:\Program Files\GalleryPlayer\Player\GPClientMonitor.exe
O4 - HKLM\..\Run: [GPDownloadManager] C:\Program Files\GalleryPlayer\Player\GPDownloadManager.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] rem "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus DX4800 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE /P35 "EPSON Stylus DX4800 Series (Copy 1)" /O6 "USB003" /M "Stylus DX4800"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan Elite\TJEnder.exe :NO
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ibmmessages] rem C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [crhaxskk] C:\WINDOWS\system32\fcvotkpg.exe
O4 - HKCU\..\Run: [zonxytcj] C:\WINDOWS\system32\fkdejmpo.exe
O4 - HKCU\..\Run: [palwgjvb] C:\WINDOWS\system32\jopsdmju.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [q9ctH6xjpj] C:\Documents and Settings\All Users\Application Data\zkbwpafu\fczgfklg.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: F-Secure 2006 OEM.lnk = C:\Program Files\F-Secure Internet Security\backweb\1245240\Program\fspex.exe
O4 - Global Startup: Image Transfer.lnk = ?
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: wvULFvsr - wvULFvsr.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: F-Secure 2006 OEM (BackWeb Plug-in - 1245240) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\1245240\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\1245240\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FSPC\fshttps\fshttps.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Program Files\Advanced Registry Doctor\RegManServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 11269 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 ANCSQ - c:\windows\system32\drivers\ancsq.sys <Not Verified; IBM Corp.; IBM Rescue and Recovery>
R0 FSFW (F-Secure Firewall Driver) - c:\windows\system32\drivers\fsdfw.sys <Not Verified; F-Secure Corporation; F-Secure Anti-Virus Internet Shield>
R1 PCLEPCI - c:\windows\system32\drivers\pclepci.sys <Not Verified; Pinnacle Systems GmbH; PCLEPCI>
R2 EGATHDRV (IBM Access Support) - c:\windows\system32\egathdrv.sys <Not Verified; IBM Corporation; IBM eGatherer>
R2 F-Secure Filter (F-Secure File System Filter) - c:\program files\f-secure internet security\anti-virus\win2k\fsfilter.sys
R2 F-Secure Gatekeeper - c:\program files\f-secure internet security\anti-virus\win2k\fsgk.sys
R2 F-Secure Recognizer (F-Secure File System Recognizer) - c:\program files\f-secure internet security\anti-virus\win2k\fsrec.sys
R2 IBMFilter - c:\windows\system32\drivers\ibmfilter.sys <Not Verified; IBM; FFE and RRU>
R2 MASPINT - c:\windows\system32\drivers\maspint.sys <Not Verified; MicroStaff Co.,Ltd.; Aspi32 Driver for WinNT>
R2 PMEM - c:\windows\system32\drivers\pmemnt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
R3 ASAPIW2K - c:\windows\system32\drivers\asapiw2k.sys <Not Verified; VOB Computersysteme GmbH; asapi>
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
S3 adiusbaw (USB ADSL WAN Adapter) - c:\windows\system32\drivers\adiusbaw.sys (file missing)
S3 ATE_PROCMON - c:\program files\anti trojan elite\atepmon.sys (file missing)
S3 iadusb (MT882) - c:\windows\system32\drivers\glauiad.sys (file missing)
S3 NPF (Netgroup Packet Filter) - c:\windows\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>
S3 PcdrNdisuio (PCDRNDISUIO Usermode I/O Protocol) - c:\windows\system32\drivers\pcdrndisuio.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
S3 psadd (IBM PSA Access Driver) - c:\windows\system32\drivers\psadd.sys <Not Verified; IBM Corporation; SMI Driver>
S3 SABProcEnum - c:\program files\internet explorer\sabprocenum.sys (file missing)
S3 SQTECH905C (DualCamera) - c:\windows\system32\drivers\capt905c.sys <Not Verified; Service & Quality Technology.; SQ905c>
S3 usbsermpt (Motorola USB Modem Driver for MPT) - c:\windows\system32\drivers\usbsermpt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 BackWeb Plug-in - 1245240 (F-Secure 2006 OEM) - c:\progra~1\f-secu~1\backweb\1245240\program\servic~1.exe <Not Verified; F-Secure Internet Security 2005; RunnerEXE Application>
R2 fsbwsys - "c:\program files\f-secure internet security\backweb\1245240\program\fsbwsys.exe" <Not Verified; F-Secure Corp.; F-Secure BackWeb>
R2 F-Secure Gatekeeper Handler Starter (FSGKHS) - "c:\program files\f-secure internet security\anti-virus\fsgk32st.exe" <Not Verified; F-Secure Corporation; F-Secure Corp. Startup service>
R2 FSMA - "c:\program files\f-secure internet security\common\fsma32.exe" <Not Verified; F-Secure Corporation; F-Secure Management Agent>
R2 IBM Rapid Restore Ultra Service - "c:\program files\ibm\ibm rapid restore ultra\rrpcsb.exe" <Not Verified; ; rrpcsb Module>
R2 RegManServ (Registry Management Service) - c:\program files\advanced registry doctor\regmanserv.exe
R3 FSDFWD (F-Secure Anti-Virus Firewall Daemon) - "c:\program files\f-secure internet security\fwes\program\fsdfwd.exe" <Not Verified; F-Secure Corporation; F-Secure Anti-Virus Internet Shield>
R3 fshttps (F-Secure HTTP Server) - "c:\program files\f-secure internet security\fspc\fshttps\fshttps.exe" <Not Verified; F-Secure Corporation; F-Secure Parental Control>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Packet Scheduler Miniport
Device ID: ROOT\MS_PSCHEDMP\0003
Manufacturer: Microsoft
Name: MT882 #2 - Packet Scheduler Miniport
PNP Device ID: ROOT\MS_PSCHEDMP\0003
Service: PSched


-- Scheduled Tasks -------------------------------------------------------------

2008-05-14 01:00:56 544 --a----c- C:\WINDOWS\Tasks\Scheduled scanning task.job


-- Files created between 2008-04-14 and 2008-05-14 -----------------------------

2008-05-13 18:43:30 0 d-------- C:\VideoOutput
2008-05-13 18:41:27 28672 --a------ C:\WINDOWS\system32\AVEQT.dll
2008-05-13 18:41:25 0 d-------- C:\Program Files\Ultra QuickTime Converter
2008-05-10 14:26:22 0 d-------- C:\Documents and Settings\Paul\Application Data\Malwarebytes
2008-05-09 15:54:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-05-09 15:54:48 0 d-------- C:\Program Files\Google
2008-05-09 14:04:12 0 d-------- C:\Documents and Settings\Wilma Montgomery\.SunDownloadManager
2008-05-09 13:54:02 0 d-------- C:\fsaua.data
2008-05-08 20:52:17 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-08 20:52:11 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-08 20:52:11 0 d-------- C:\Documents and Settings\Wilma Montgomery\Application Data\SUPERAntiSpyware.com
2008-05-08 20:40:38 0 d-------- C:\Documents and Settings\Wilma Montgomery\Application Data\Malwarebytes
2008-05-08 20:40:32 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-08 20:40:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-08 20:40:19 0 d-------- C:\Program Files\Common Files\Download Manager
2008-05-08 20:25:26 0 d-------- C:\Program Files\Trend Micro
2008-04-29 20:47:04 0 d-------- C:\Program Files\Anti Trojan Elite
2008-04-21 18:06:32 0 d-------- C:\Documents and Settings\Paul\Application Data\Sun
2008-04-20 17:38:38 0 d-------- C:\Program Files\Panda Security
2008-04-20 15:49:09 0 d-------- C:\Documents and Settings\Wilma Montgomery\Application Data\PC Tools
2008-04-20 14:16:47 186197 --ahs---- C:\WINDOWS\system32\TCcccMoq.ini2
2008-04-20 14:11:18 262144 --a------ C:\Documents and Settings\Paul\ntuser.dat
2008-04-20 13:39:12 5278 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-19 18:37:22 0 d-------- C:\RegBackup
2008-04-19 18:18:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-04-19 17:36:09 0 d-------- C:\Program Files\Enigma Software Group
2008-04-19 17:19:44 0 d-------- C:\Documents and Settings\Wilma Montgomery\.housecall6.6
2008-04-19 17:00:47 0 d-------- C:\SMCLpav
2008-04-19 15:18:00 0 d-------- C:\Documents and Settings\Wilma Montgomery\Application Data\TmpRecentIcons
2008-04-19 13:50:56 180721 --ahs---- C:\WINDOWS\system32\oXaadccf.ini2
2008-04-19 13:45:11 0 d-------- C:\Documents and Settings\All Users\Application Data\zkbwpafu
2008-04-15 19:08:36 0 d-------- C:\Documents and Settings\Paul\Application Data\WinRAR


-- Find3M Report ---------------------------------------------------------------

2008-11-26 20:21:00 0 d-------- C:\Program Files\Advanced Registry Doctor
2008-05-11 22:10:44 40580 --a----c- C:\Documents and Settings\Wilma Montgomery\Application Data\wklnhst.dat
2008-05-11 21:34:59 0 d-------- C:\Program Files\MSN Messenger
2008-05-10 14:25:21 0 d-------- C:\Program Files\Business Planner v3
2008-05-09 15:55:58 0 d-------- C:\Program Files\Spyware Doctor
2008-05-08 20:51:38 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-08 20:40:19 0 d-------- C:\Program Files\Common Files
2008-04-20 17:59:14 0 d-------- C:\Documents and Settings\Wilma Montgomery\Application Data\Azureus
2008-04-20 16:49:08 0 d-------- C:\Documents and Settings\Wilma Montgomery\Application Data\Adobe
2008-04-19 15:09:20 0 d-------- C:\Program Files\PC-Doctor for Windows
2008-04-13 14:47:23 0 d-------- C:\Program Files\MSN Games
2008-04-13 12:43:38 0 d-------- C:\Program Files\MT882
2008-04-13 12:43:33 0 d-------- C:\Program Files\MT882(2)
2008-04-13 11:48:25 0 d-------- C:\Program Files\EarthLink TotalAccess
2008-04-13 11:10:41 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-13 07:37:32 0 d-------- C:\Program Files\STOPzilla!
2008-04-05 16:31:08 0 d-------- C:\Program Files\IncrediMail


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C18666D-5ABD-4C46-B8FB-CF3E58FB1093}]
C:\WINDOWS\system32\qoMcccCT.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ibmmessages"="rem C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" []
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [02/09/2004 09:05]
"UpdateManager"="rem c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" []
"IBMPRC"="C:\IBMTOOLS\UTILS\ibmprc.exe" [27/04/2005 17:53]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [23/02/2005 00:37]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [23/02/2005 00:34]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [12/08/2005 22:43]
"F-Secure Manager"="C:\Program Files\F-Secure Internet Security\Common\FSM32.exe" [02/06/2005 23:37]
"F-Secure TNB"="C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" [18/07/2005 15:51]
"F-Secure Startup Wizard"="C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.exe" [23/08/2005 14:38]
"TalkTalk"="C:\Program Files\TalkTalk\bin\sprtcmd.exe" [16/08/2005 08:12]
"@"="" []
"PinnacleDriverCheck"="C:\WINDOWS\system32\\PSDrvCheck.exe" [11/03/2004 00:26]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [24/04/2007 16:45]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [09/03/2007 11:09]
"EPSON Stylus DX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.exe" [02/02/2005 05:00]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [24/08/2007 08:00]
"GPClientMonitor"="C:\Program Files\GalleryPlayer\Player\GPClientMonitor.exe" [06/08/2007 10:59]
"GPDownloadManager"="C:\Program Files\GalleryPlayer\Player\GPDownloadManager.exe" [06/08/2007 10:59]
"SunJavaUpdateSched"="rem C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" []
"EPSON Stylus DX4800 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.exe" [02/02/2005 05:00]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 23:16]
"Anti Trojan Elite"="C:\Program Files\Anti Trojan Elite\TJEnder.exe" []
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [10/04/2008 15:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ibmmessages"="rem C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 13:00]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [18/10/2006 21:05]
"crhaxskk"="C:\WINDOWS\system32\fcvotkpg.exe" []
"zonxytcj"="C:\WINDOWS\system32\fkdejmpo.exe" []
"palwgjvb"="C:\WINDOWS\system32\jopsdmju.exe" []
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [10/05/2008 12:07]

C:\Documents and Settings\Wilma Montgomery\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [24/08/2007 05:45:42]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
F-Secure 2006 OEM.lnk - C:\Program Files\F-Secure Internet Security\backweb\1245240\Program\fspex.exe [06/04/2006 16:55:16]
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [07/03/2007 07:06:21]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"q9ctH6xjpj"=C:\Documents and Settings\All Users\Application Data\zkbwpafu\fczgfklg.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 10/05/2008 12:07 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvULFvsr]
wvULFvsr.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\qoMcccCT
"Notification Packages"= scecli pwdmon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78fb1d66-35ee-11da-90cd-806d6172696f}]
AutoRun\command- E:\sysprep.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2e14c31-368b-11da-a2cd-806d6172696f}]
AutoRun\command- D:\sysprep.bat




-- End of Deckard's System Scanner: finished at 2008-05-14 07:31:39 -----------




Attached File: Deckard.doc (70KB)

Edited by wcmont72, 14 May 2008 - 12:54 AM.

#5
wcmont72
Member, Topic Starter, 19 posts

Hi

Thanks for the response. I have run the scan and pasted the contents below. At first I did try to paste both scans, but the second one did not copy all of the text into my reply, so it is attached; hope this is OK.

Thanks for your help

Wilma

Deckard's System Scanner v20071014.68
Run by Wilma Montgomery on 2008-05-14 07:27:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
37: 2008-05-14 06:27:55 UTC - RP926 - Deckard's System Scanner Restore Point
36: 2008-05-13 21:14:18 UTC - RP925 - System Checkpoint
35: 2008-05-12 21:08:30 UTC - RP924 - System Checkpoint
34: 2008-05-11 20:34:55 UTC - RP923 - Removed Windows Live Messenger
33: 2008-05-11 20:29:14 UTC - RP922 - Installed Windows Live Messenger


-- First Restore Point --
1: 2008-04-19 17:15:06 UTC - RP890 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Wilma Montgomery.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:30:26, on 14/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-SECU~1\backweb\1245240\Program\SERVIC~1.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\backweb\1245240\program\fsbwsys.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Advanced Registry Doctor\RegManServ.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
C:\Program Files\F-Secure Internet Security\FSPC\fspc.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\TalkTalk\bin\sprtcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\GalleryPlayer\Player\GPClientMonitor.exe
C:\Program Files\GalleryPlayer\Player\GPDownloadManager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\F-Secure Internet Security\FSPC\fshttps\fshttps.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\F-Secure Internet Security\backweb\1245240\Program\fspex.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Wilma Montgomery\Local Settings\Temporary Internet Files\Content.IE5\9UZJCYEK\dss[1].exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Wilma Montgomery.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C18666D-5ABD-4C46-B8FB-CF3E58FB1093} - C:\WINDOWS\system32\qoMcccCT.dll (file missing)
O2 - BHO: Anonymizer Proxy - {0DB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\Hide Real IP\ProxyNew.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: Popup Killer - {2D58DD23-2759-4C7B-9351-D68AF7D0D868} - C:\PROGRA~1\POPUPR~1\popup.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [ibmmessages] rem C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] rem "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [EPSON Stylus DX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE /P26 "EPSON Stylus DX4800 Series" /O6 "USB002" /M "Stylus DX4800"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [GPClientMonitor] C:\Program Files\GalleryPlayer\Player\GPClientMonitor.exe
O4 - HKLM\..\Run: [GPDownloadManager] C:\Program Files\GalleryPlayer\Player\GPDownloadManager.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] rem "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus DX4800 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE /P35 "EPSON Stylus DX4800 Series (Copy 1)" /O6 "USB003" /M "Stylus DX4800"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan Elite\TJEnder.exe :NO
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ibmmessages] rem C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [crhaxskk] C:\WINDOWS\system32\fcvotkpg.exe
O4 - HKCU\..\Run: [zonxytcj] C:\WINDOWS\system32\fkdejmpo.exe
O4 - HKCU\..\Run: [palwgjvb] C:\WINDOWS\system32\jopsdmju.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [q9ctH6xjpj] C:\Documents and Settings\All Users\Application Data\zkbwpafu\fczgfklg.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: F-Secure 2006 OEM.lnk = C:\Program Files\F-Secure Internet Security\backweb\1245240\Program\fspex.exe
O4 - Global Startup: Image Transfer.lnk = ?
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: wvULFvsr - wvULFvsr.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: F-Secure 2006 OEM (BackWeb Plug-in - 1245240) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\1245240\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\1245240\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FSPC\fshttps\fshttps.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Program Files\Advanced Registry Doctor\RegManServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 11269 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 ANCSQ - c:\windows\system32\drivers\ancsq.sys <Not Verified; IBM Corp.; IBM Rescue and Recovery>
R0 FSFW (F-Secure Firewall Driver) - c:\windows\system32\drivers\fsdfw.sys <Not Verified; F-Secure Corporation; F-Secure Anti-Virus Internet Shield>
R1 PCLEPCI - c:\windows\system32\drivers\pclepci.sys <Not Verified; Pinnacle Systems GmbH; PCLEPCI>
R2 EGATHDRV (IBM Access Support) - c:\windows\system32\egathdrv.sys <Not Verified; IBM Corporation; IBM eGatherer>
R2 F-Secure Filter (F-Secure File System Filter) - c:\program files\f-secure internet security\anti-virus\win2k\fsfilter.sys
R2 F-Secure Gatekeeper - c:\program files\f-secure internet security\anti-virus\win2k\fsgk.sys
R2 F-Secure Recognizer (F-Secure File System Recognizer) - c:\program files\f-secure internet security\anti-virus\win2k\fsrec.sys
R2 IBMFilter - c:\windows\system32\drivers\ibmfilter.sys <Not Verified; IBM; FFE and RRU>
R2 MASPINT - c:\windows\system32\drivers\maspint.sys <Not Verified; MicroStaff Co.,Ltd.; Aspi32 Driver for WinNT>
R2 PMEM - c:\windows\system32\drivers\pmemnt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
R3 ASAPIW2K - c:\windows\system32\drivers\asapiw2k.sys <Not Verified; VOB Computersysteme GmbH; asapi>
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
S3 adiusbaw (USB ADSL WAN Adapter) - c:\windows\system32\drivers\adiusbaw.sys (file missing)
S3 ATE_PROCMON - c:\program files\anti trojan elite\atepmon.sys (file missing)
S3 iadusb (MT882) - c:\windows\system32\drivers\glauiad.sys (file missing)
S3 NPF (Netgroup Packet Filter) - c:\windows\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>
S3 PcdrNdisuio (PCDRNDISUIO Usermode I/O Protocol) - c:\windows\system32\drivers\pcdrndisuio.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
S3 psadd (IBM PSA Access Driver) - c:\windows\system32\drivers\psadd.sys <Not Verified; IBM Corporation; SMI Driver>
S3 SABProcEnum - c:\program files\internet explorer\sabprocenum.sys (file missing)
S3 SQTECH905C (DualCamera) - c:\windows\system32\drivers\capt905c.sys <Not Verified; Service & Quality Technology.; SQ905c>
S3 usbsermpt (Motorola USB Modem Driver for MPT) - c:\windows\system32\drivers\usbsermpt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 BackWeb Plug-in - 1245240 (F-Secure 2006 OEM) - c:\progra~1\f-secu~1\backweb\1245240\program\servic~1.exe <Not Verified; F-Secure Internet Security 2005; RunnerEXE Application>
R2 fsbwsys - "c:\program files\f-secure internet security\backweb\1245240\program\fsbwsys.exe" <Not Verified; F-Secure Corp.; F-Secure BackWeb>
R2 F-Secure Gatekeeper Handler Starter (FSGKHS) - "c:\program files\f-secure internet security\anti-virus\fsgk32st.exe" <Not Verified; F-Secure Corporation; F-Secure Corp. Startup service>
R2 FSMA - "c:\program files\f-secure internet security\common\fsma32.exe" <Not Verified; F-Secure Corporation; F-Secure Management Agent>
R2 IBM Rapid Restore Ultra Service - "c:\program files\ibm\ibm rapid restore ultra\rrpcsb.exe" <Not Verified; ; rrpcsb Module>
R2 RegManServ (Registry Management Service) - c:\program files\advanced registry doctor\regmanserv.exe
R3 FSDFWD (F-Secure Anti-Virus Firewall Daemon) - "c:\program files\f-secure internet security\fwes\program\fsdfwd.exe" <Not Verified; F-Secure Corporation; F-Secure Anti-Virus Internet Shield>
R3 fshttps (F-Secure HTTP Server) - "c:\program files\f-secure internet security\fspc\fshttps\fshttps.exe" <Not Verified; F-Secure Corporation; F-Secure Parental Control>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Packet Scheduler Miniport
Device ID: ROOT\MS_PSCHEDMP\0003
Manufacturer: Microsoft
Name: MT882 #2 - Packet Scheduler Miniport
PNP Device ID: ROOT\MS_PSCHEDMP\0003
Service: PSched


-- Scheduled Tasks -------------------------------------------------------------

2008-05-14 01:00:56 544 --a----c- C:\WINDOWS\Tasks\Scheduled scanning task.job


-- Files created between 2008-04-14 and 2008-05-14 -----------------------------

2008-05-13 18:43:30 0 d-------- C:\VideoOutput
2008-05-13 18:41:27 28672 --a------ C:\WINDOWS\system32\AVEQT.dll
2008-05-13 18:41:25 0 d-------- C:\Program Files\Ultra QuickTime Converter
2008-05-10 14:26:22 0 d-------- C:\Documents and Settings\Paul\Application Data\Malwarebytes
2008-05-09 15:54:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-05-09 15:54:48 0 d-------- C:\Program Files\Google
2008-05-09 14:04:12 0 d-------- C:\Documents and Settings\Wilma Montgomery\.SunDownloadManager
2008-05-09 13:54:02 0 d-------- C:\fsaua.data
2008-05-08 20:52:17 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-08 20:52:11 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-08 20:52:11 0 d-------- C:\Documents and Settings\Wilma Montgomery\Application Data\SUPERAntiSpyware.com
2008-05-08 20:40:38 0 d-------- C:\Documents and Settings\Wilma Montgomery\Application Data\Malwarebytes
2008-05-08 20:40:32 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-08 20:40:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-08 20:40:19 0 d-------- C:\Program Files\Common Files\Download Manager
2008-05-08 20:25:26 0 d-------- C:\Program Files\Trend Micro
2008-04-29 20:47:04 0 d-------- C:\Program Files\Anti Trojan Elite
2008-04-21 18:06:32 0 d-------- C:\Documents and Settings\Paul\Application Data\Sun
2008-04-20 17:38:38 0 d-------- C:\Program Files\Panda Security
2008-04-20 15:49:09 0 d-------- C:\Documents and Settings\Wilma Montgomery\Application Data\PC Tools
2008-04-20 14:16:47 186197 --ahs---- C:\WINDOWS\system32\TCcccMoq.ini2
2008-04-20 14:11:18 262144 --a------ C:\Documents and Settings\Paul\ntuser.dat
2008-04-20 13:39:12 5278 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-19 18:37:22 0 d-------- C:\RegBackup
2008-04-19 18:18:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-04-19 17:36:09 0 d-------- C:\Program Files\Enigma Software Group
2008-04-19 17:19:44 0 d-------- C:\Documents and Settings\Wilma Montgomery\.housecall6.6
2008-04-19 17:00:47 0 d-------- C:\SMCLpav
2008-04-19 15:18:00 0 d-------- C:\Documents and Settings\Wilma Montgomery\Application Data\TmpRecentIcons
2008-04-19 13:50:56 180721 --ahs---- C:\WINDOWS\system32\oXaadccf.ini2
2008-04-19 13:45:11 0 d-------- C:\Documents and Settings\All Users\Application Data\zkbwpafu
2008-04-15 19:08:36 0 d-------- C:\Documents and Settings\Paul\Application Data\WinRAR


-- Find3M Report ---------------------------------------------------------------

2008-11-26 20:21:00 0 d-------- C:\Program Files\Advanced Registry Doctor
2008-05-11 22:10:44 40580 --a----c- C:\Documents and Settings\Wilma Montgomery\Application Data\wklnhst.dat
2008-05-11 21:34:59 0 d-------- C:\Program Files\MSN Messenger
2008-05-10 14:25:21 0 d-------- C:\Program Files\Business Planner v3
2008-05-09 15:55:58 0 d-------- C:\Program Files\Spyware Doctor
2008-05-08 20:51:38 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-08 20:40:19 0 d-------- C:\Program Files\Common Files
2008-04-20 17:59:14 0 d-------- C:\Documents and Settings\Wilma Montgomery\Application Data\Azureus
2008-04-20 16:49:08 0 d-------- C:\Documents and Settings\Wilma Montgomery\Application Data\Adobe
2008-04-19 15:09:20 0 d-------- C:\Program Files\PC-Doctor for Windows
2008-04-13 14:47:23 0 d-------- C:\Program Files\MSN Games
2008-04-13 12:43:38 0 d-------- C:\Program Files\MT882
2008-04-13 12:43:33 0 d-------- C:\Program Files\MT882(2)
2008-04-13 11:48:25 0 d-------- C:\Program Files\EarthLink TotalAccess
2008-04-13 11:10:41 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-13 07:37:32 0 d-------- C:\Program Files\STOPzilla!
2008-04-05 16:31:08 0 d-------- C:\Program Files\IncrediMail


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C18666D-5ABD-4C46-B8FB-CF3E58FB1093}]
C:\WINDOWS\system32\qoMcccCT.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ibmmessages"="rem C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" []
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [02/09/2004 09:05]
"UpdateManager"="rem c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" []
"IBMPRC"="C:\IBMTOOLS\UTILS\ibmprc.exe" [27/04/2005 17:53]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [23/02/2005 00:37]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [23/02/2005 00:34]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [12/08/2005 22:43]
"F-Secure Manager"="C:\Program Files\F-Secure Internet Security\Common\FSM32.exe" [02/06/2005 23:37]
"F-Secure TNB"="C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" [18/07/2005 15:51]
"F-Secure Startup Wizard"="C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.exe" [23/08/2005 14:38]
"TalkTalk"="C:\Program Files\TalkTalk\bin\sprtcmd.exe" [16/08/2005 08:12]
"@"="" []
"PinnacleDriverCheck"="C:\WINDOWS\system32\\PSDrvCheck.exe" [11/03/2004 00:26]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [24/04/2007 16:45]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [09/03/2007 11:09]
"EPSON Stylus DX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.exe" [02/02/2005 05:00]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [24/08/2007 08:00]
"GPClientMonitor"="C:\Program Files\GalleryPlayer\Player\GPClientMonitor.exe" [06/08/2007 10:59]
"GPDownloadManager"="C:\Program Files\GalleryPlayer\Player\GPDownloadManager.exe" [06/08/2007 10:59]
"SunJavaUpdateSched"="rem C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" []
"EPSON Stylus DX4800 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.exe" [02/02/2005 05:00]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 23:16]
"Anti Trojan Elite"="C:\Program Files\Anti Trojan Elite\TJEnder.exe" []
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [10/04/2008 15:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ibmmessages"="rem C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 13:00]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [18/10/2006 21:05]
"crhaxskk"="C:\WINDOWS\system32\fcvotkpg.exe" []
"zonxytcj"="C:\WINDOWS\system32\fkdejmpo.exe" []
"palwgjvb"="C:\WINDOWS\system32\jopsdmju.exe" []
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [10/05/2008 12:07]

C:\Documents and Settings\Wilma Montgomery\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [24/08/2007 05:45:42]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
F-Secure 2006 OEM.lnk - C:\Program Files\F-Secure Internet Security\backweb\1245240\Program\fspex.exe [06/04/2006 16:55:16]
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [07/03/2007 07:06:21]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"q9ctH6xjpj"=C:\Documents and Settings\All Users\Application Data\zkbwpafu\fczgfklg.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 10/05/2008 12:07 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvULFvsr]
wvULFvsr.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\qoMcccCT
"Notification Packages"= scecli pwdmon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78fb1d66-35ee-11da-90cd-806d6172696f}]
AutoRun\command- E:\sysprep.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2e14c31-368b-11da-a2cd-806d6172696f}]
AutoRun\command- D:\sysprep.bat




-- End of Deckard's System Scanner: finished at 2008-05-14 07:31:39 -----------




Attached File: Deckard.doc (70KB, 69 downloads)



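The registry dump above is where the infection actually shows: Run values whose trailing "[]" is empty (the scanner found no file version or timestamp), an autostart under Policies\Explorer\Run, a Winlogon Notify package given only as a bare DLL name, a BHO with a generated-looking DLL name, and an extra LSA "Authentication Packages" entry next to msv1_0. The script below is an added example, not code from this thread, from Deckard's System Scanner or from HijackThis; it parses that plain-text dump format and flags those entry types. The SAMPLE is excerpted from the dump above, and the heuristics (eight-letter names with at most two vowels, empty "[]" info, bare DLL names, packages beyond the XP defaults msv1_0 and scecli) are this example's own assumptions, meant as a triage aid rather than a verdict.

```python
"""Triage autostart entries from a DSS-style registry dump (added example).

Not code from the original thread, from Deckard's System Scanner or from
HijackThis. The name/vowel heuristic, the empty "[]" rule and the XP default
LSA package lists are assumptions made for this example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: lines excerpted from the registry dump in this thread.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C18666D-5ABD-4C46-B8FB-CF3E58FB1093}]
C:\WINDOWS\system32\qoMcccCT.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 13:00]
"crhaxskk"="C:\WINDOWS\system32\fcvotkpg.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [10/05/2008 12:07]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"q9ctH6xjpj"=C:\Documents and Settings\All Users\Application Data\zkbwpafu\fczgfklg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 10/05/2008 12:07 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvULFvsr]
wvULFvsr.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\qoMcccCT
"Notification Packages"= scecli pwdmon
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# "name"="data" [info]  or  "name"=data ; the [info] bracket is optional and may be empty
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*"?(?P<data>.*?)"?\s*(?:\[(?P<info>[^\]]*)\])?\s*$')
# first path-like token on a bare line (Winlogon Notify and BHO entries)
PATH_RE = re.compile(r"(?P<p>.*?\.(?:dll|exe|sys))(?:\s|$)", re.I)
VOWELS = set("aeiouAEIOU")
# Windows XP defaults (assumption). Third-party password filters legitimately add
# to Notification Packages, so a hit means "verify that DLL", not "malware".
DEFAULT_LSA = {"authentication packages": {"msv1_0"}, "notification packages": {"scecli"}}


@dataclass
class Finding:
    key: str
    name: str
    data: str
    reasons: List[str] = field(default_factory=list)


def looks_random(stem: str) -> bool:
    """Heuristic for generated names: exactly 8 letters with at most two vowels."""
    return bool(re.fullmatch(r"[A-Za-z]{8}", stem)) and sum(c in VOWELS for c in stem) <= 2


def path_parts(path: str):
    """(parent directory name, file stem) of a Windows path as printed in the log."""
    parts = path.strip().strip('"').split("\\")
    stem = parts[-1].rsplit(".", 1)[0]
    parent = parts[-2] if len(parts) > 1 else ""
    return parent, stem


def check_path(data: str, reasons: List[str]) -> None:
    parent, stem = path_parts(data)
    if looks_random(stem):
        reasons.append(f"random-looking file name {stem!r}")
    if looks_random(parent):
        reasons.append(f"random-looking directory {parent!r}")


def triage(dump: str) -> List[Finding]:
    """Return only the entries that tripped at least one heuristic."""
    findings: List[Finding] = []
    key = ""
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        lkey = key.lower()
        reasons: List[str] = []
        vm = VALUE_RE.match(line)
        if vm:
            name, data = vm.group("name"), vm.group("data").strip()
            info: Optional[str] = vm.group("info")
            if lkey.endswith("\\lsa") and name.lower() in DEFAULT_LSA:
                extra = [p for p in data.split() if p.lower() not in DEFAULT_LSA[name.lower()]]
                if extra:
                    reasons.append(f"non-default LSA package(s) {extra}")
            else:
                if info is not None and not info.strip():
                    reasons.append("scanner found no file version/timestamp (file missing or hidden)")
                if looks_random(name):
                    reasons.append(f"random-looking value name {name!r}")
                if "policies\\explorer\\run" in lkey:
                    reasons.append("Policies\\Explorer\\Run autostart (rarely used by legitimate software)")
                check_path(data, reasons)
        else:
            # Bare line under a BHO or Winlogon\Notify key: the key's last component is the name.
            name = key.rsplit("\\", 1)[-1]
            pm = PATH_RE.match(line)
            data = pm.group("p") if pm else line
            if "winlogon\\notify" in lkey and "\\" not in data:
                reasons.append("Winlogon Notify package given as bare DLL name, not a full path")
            if looks_random(name):
                reasons.append(f"random-looking key name {name!r}")
            check_path(data, reasons)
        if reasons:
            findings.append(Finding(key, name, data, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.name!r} -> {f.data}")
        for r in f.reasons:
            print("   ", r)
```

Run against the sample it reports six entries: the BHO DLL, the crhaxskk Run value, the Policies\Explorer\Run value, the bare wvULFvsr Winlogon Notify package, and both LSA package lists; ctfmon.exe and the SUPERAntiSpyware entries pass. The empty "[]" rule is the one worth remembering: it is the same condition that later produced the "0 bytes size received" result when the files were submitted for scanning, since the scanner could not read them either.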
#6 Chopin (Member 2k, 2,639 posts)
Hello wcmont72, I know that you already replied yesterday. Please don't bump your topic, and PM me if I've been away for 5 days (it's in my signature :)) Also, please download a fresh copy of DSS and save it to your Desktop before continuing with these instructions. It's important that you do that.

Did you intentionally or knowingly install the "Popup Killer" toolbar?

Please read my entire post before commencing, and please follow my instructions in the order that they are given :) If you don't understand something, don't be afraid to ask!

1. Fix File Associations
------------------------------------------------

Please go to Start > Run. In the box that appears, carefully copy and paste the following:

"%Userprofile%\Desktop\dss.exe" /daft

Accept the disclaimer, and click the "Scan" button. Place a checkmark next to everything that appears and press "Fix". Afterwards, close the window.

2. Fix Entries with HijackThis
------------------------------------------------

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below (if present).

O2 - BHO: (no name) - {0C18666D-5ABD-4C46-B8FB-CF3E58FB1093} - C:\WINDOWS\system32\qoMcccCT.dll (file missing)
O4 - HKCU\..\Run: [crhaxskk] C:\WINDOWS\system32\fcvotkpg.exe
O4 - HKCU\..\Run: [zonxytcj] C:\WINDOWS\system32\fkdejmpo.exe
O4 - HKCU\..\Run: [palwgjvb] C:\WINDOWS\system32\jopsdmju.exe
O4 - HKLM\..\Policies\Explorer\Run: [q9ctH6xjpj] C:\Documents and Settings\All Users\Application Data\zkbwpafu\fczgfklg.exe
O20 - Winlogon Notify: wvULFvsr - wvULFvsr.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

3. Submit File for Testing
------------------------------------------------

Please go to this website: Link

Once there, you will see a textbox in the middle of the screen. Copy and paste the following line into the textbox:

C:\WINDOWS\system32\fcvotkpg.exe

Click the large "Send File" button. Your file will be scanned by MANY different antivirus engines, so until the top says Current status: Finished, don't close the window/copy the results! Once the scan is finished, copy and paste the entire table into a reply so it looks like this:

AhnLab-V3 2007.9.29.0 2007.09.28 -
AntiVir 7.6.0.18 2007.09.28 HEUR/Malware
Authentium 4.93.8 2007.09.28 -
Avast 4.7.1043.0 2007.09.28 -
AVG 7.5.0.488 2007.09.28 -
BitDefender 7.2 2007.09.28 -
CAT-QuickHeal 9.00 2007.09.28 (Suspicious) - DNAScan
ClamAV 0.91.2 2007.09.28 -
DrWeb 4.33 2007.09.28 -
eSafe 7.0.15.0 2007.09.23 Suspicious Trojan/Worm
eTrust-Vet 31.2.5169 2007.09.27 -
Ewido 4.0 2007.09.28 -
FileAdvisor 1 2007.09.29 -
Fortinet 3.11.0.0 2007.09.28 -
F-Prot 4.3.2.48 2007.09.27 -
F-Secure 6.70.13030.0 2007.09.28 -
Ikarus T3.1.1.12 2007.09.28 -
Kaspersky 7.0.0.125 2007.09.29 -
McAfee 5130 2007.09.28 -
Microsoft 1.2803 2007.09.29 -
NOD32v2 2558 2007.09.28 -
Norman 5.80.02 2007.09.28 -
Panda 9.0.0.4 2007.09.28 -
Prevx1 V2 2007.09.29 Heuristic: Suspicious Self Modifying EXE
Rising 19.42.42.00 2007.09.28 -
Sophos 4.21.0 2007.09.28 -
Sunbelt 2.2.907.0 2007.09.28 VIPRE.Suspicious
Symantec 10 2007.09.28 -
TheHacker 6.2.6.073 2007.09.28 -
VBA32 3.12.2.4 2007.09.29 -
VirusBuster 4.3.26:9 2007.09.28 -
Webwasher-Gateway 6.0.1 2007.09.28 Heuristic.Malware


Once finished with C:\WINDOWS\system32\fcvotkpg.exe, please repeat the process with this line at the beginning:

C:\Documents and Settings\All Users\Application Data\zkbwpafu\fczgfklg.exe

Post those results as well.

4. Update Java
------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 5 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 5...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u5-windows-i586-p.exe to install the newest version.
5. Run ComboFix
------------------------------------------------

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open internet browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

In your next post
------------------------------------------------

It's likely that the logs will not fit into one post, so please use multiple replies to ensure that they all make it :)
  • Two VirusTotal logs
  • ComboFix log
  • Fresh HijackThis log


#7 wcmont72 (Topic Starter, 19 posts)
Hi

Thanks for the reply. I would like to say sorry for posting again, this was not meant; I was trying to copy a part of the txt to quote so I could ask something about it, anyway it did not work out that way and I ended up posting the full thing again :)

I have followed all instructions and the only part I had problems with is the part where I had to send the file
C:\WINDOWS\system32\fcvotkpg.exe
and
C:\Documents and Settings\All Users\Application Data\zkbwpafu\fczgfklg.exe
as all I got was the following in a pop up box

0 bytes size received / Se ha recibido un archivo vacio

I have pasted the other logs you requested
thanks again
Wilma

#8 wcmont72 (Topic Starter, 19 posts)
ComboFix 08-05-15.3 - Wilma Montgomery 2008-05-16 20:45:36.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.479 [GMT 1:00]
Running from: C:\Documents and Settings\Wilma Montgomery\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\featwswh.ini
C:\WINDOWS\system32\oXaadccf.ini
C:\WINDOWS\system32\oXaadccf.ini2
C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\TCcccMoq.ini
C:\WINDOWS\system32\TCcccMoq.ini2
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wpcap.dll

----- BITS: Possible infected sites -----

hxxp://assist.talktalk.net
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-04-16 to 2008-05-16 )))))))))))))))))))))))))))))))
.

2008-05-16 20:40 . 2008-05-16 20:40 <DIR> d-------- C:\Program Files\Sun
2008-05-16 20:40 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-16 20:36 . 2008-05-16 20:40 <DIR> d-------- C:\Program Files\Java
2008-05-16 20:33 . 2008-05-16 20:33 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-14 07:27 . 2008-05-14 07:27 <DIR> d-------- C:\Deckard
2008-05-13 18:43 . 2008-05-13 18:44 <DIR> d-------- C:\VideoOutput
2008-05-13 18:41 . 2008-05-13 18:43 <DIR> d-------- C:\Program Files\Ultra QuickTime Converter
2008-05-13 18:41 . 2006-09-26 13:57 28,672 --a------ C:\WINDOWS\system32\AVEQT.dll
2008-05-13 18:41 . 2008-05-13 18:42 108 --a------ C:\WINDOWS\system32\test.aok
2008-05-09 15:54 . 2008-05-09 23:54 <DIR> d-------- C:\Program Files\Google
2008-05-09 14:04 . 2008-05-09 14:07 <DIR> d-------- C:\Documents and Settings\Wilma Montgomery\.SunDownloadManager
2008-05-09 13:54 . 2008-05-09 13:54 <DIR> d-------- C:\fsaua.data
2008-05-08 20:52 . 2008-05-10 12:07 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-08 20:52 . 2008-05-08 20:52 <DIR> d-------- C:\Documents and Settings\Wilma Montgomery\Application Data\SUPERAntiSpyware.com
2008-05-08 20:52 . 2008-05-08 20:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-08 20:40 . 2008-05-16 20:49 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-08 20:40 . 2008-05-08 20:40 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-08 20:40 . 2008-05-08 20:40 <DIR> d-------- C:\Documents and Settings\Wilma Montgomery\Application Data\Malwarebytes
2008-05-08 20:40 . 2008-05-08 20:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-08 20:25 . 2008-05-08 20:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-29 20:47 . 2008-04-29 23:27 <DIR> d-------- C:\Program Files\Anti Trojan Elite
2008-04-20 17:38 . 2008-05-08 23:35 <DIR> d-------- C:\Program Files\Panda Security
2008-04-20 15:49 . 2008-04-20 15:49 <DIR> d-------- C:\Documents and Settings\Wilma Montgomery\Application Data\PC Tools
2008-04-20 15:49 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-04-20 15:49 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-04-20 15:49 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-04-20 15:49 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-04-20 13:39 . 2008-04-20 13:43 5,278 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-19 18:37 . 2008-04-19 18:37 <DIR> d-------- C:\RegBackup
2008-04-19 18:18 . 2008-04-19 18:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-04-19 17:36 . 2008-04-20 15:48 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-19 17:19 . 2008-04-19 17:24 <DIR> d-------- C:\Documents and Settings\Wilma Montgomery\.housecall6.6
2008-04-19 17:00 . 2008-04-19 17:00 <DIR> d-------- C:\SMCLpav
2008-04-19 15:18 . 2008-04-19 19:57 <DIR> d-------- C:\Documents and Settings\Wilma Montgomery\Application Data\TmpRecentIcons
2008-04-19 13:45 . 2008-05-11 11:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\zkbwpafu

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 19:21 --------- d-----w C:\Program Files\Advanced Registry Doctor
2008-05-16 19:38 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-16 07:11 40,576 -c--a-w C:\Documents and Settings\Wilma Montgomery\Application Data\wklnhst.dat
2008-05-13 17:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2008-05-11 20:34 --------- d-----w C:\Program Files\MSN Messenger
2008-05-10 13:25 --------- d-----w C:\Program Files\Business Planner v3
2008-05-09 14:55 --------- d-----w C:\Program Files\Spyware Doctor
2008-05-08 19:51 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-29 22:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-20 16:59 --------- d-----w C:\Documents and Settings\Wilma Montgomery\Application Data\Azureus
2008-04-19 19:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-19 18:09 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-19 16:20 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-19 14:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-19 14:09 --------- d-----w C:\Program Files\PC-Doctor for Windows
2008-04-13 13:47 --------- d-----w C:\Program Files\MSN Games
2008-04-13 11:43 --------- d-----w C:\Program Files\MT882(2)
2008-04-13 11:43 --------- d-----w C:\Program Files\MT882
2008-04-13 11:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-04-13 10:48 --------- d-----w C:\Program Files\EarthLink TotalAccess
2008-04-13 10:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-13 06:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\SITEguard
2008-04-13 06:37 --------- d-----w C:\Program Files\STOPzilla!
2008-04-05 15:31 --------- d-----w C:\Program Files\IncrediMail
2008-04-04 07:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\IM
2008-04-04 07:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\IncrediMail
2008-01-12 17:12 92,064 ----a-w C:\Documents and Settings\Wilma Montgomery\mqdmmdm.sys
2008-01-12 17:12 9,232 ----a-w C:\Documents and Settings\Wilma Montgomery\mqdmmdfl.sys
2008-01-12 17:12 79,328 ----a-w C:\Documents and Settings\Wilma Montgomery\mqdmserd.sys
2008-01-12 17:12 66,656 ----a-w C:\Documents and Settings\Wilma Montgomery\mqdmbus.sys
2008-01-12 17:12 6,208 ----a-w C:\Documents and Settings\Wilma Montgomery\mqdmcmnt.sys
2008-01-12 17:12 5,936 ----a-w C:\Documents and Settings\Wilma Montgomery\mqdmwhnt.sys
2008-01-12 17:12 4,048 ----a-w C:\Documents and Settings\Wilma Montgomery\mqdmcr.sys
2008-01-12 17:12 25,600 ----a-w C:\Documents and Settings\Wilma Montgomery\usbsermptxp.sys
2008-01-12 17:12 22,768 ----a-w C:\Documents and Settings\Wilma Montgomery\usbsermpt.sys
2005-12-27 23:18 0 -c--a-w C:\Documents and Settings\Paul 1\Application Data\wklnhst.dat
2006-04-06 15:56 10,240 -csha-w C:\WINDOWS\rnapxs\rnapxs.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ibmmessages"="rem C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-10 12:07 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ibmmessages"="rem C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [ ]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-09-02 09:05 127035]
"UpdateManager"="rem c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [ ]
"IBMPRC"="C:\IBMTOOLS\UTILS\ibmprc.exe" [2005-04-27 17:53 90112]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-23 00:37 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-23 00:34 126976]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 22:43 45056]
"F-Secure Manager"="C:\Program Files\F-Secure Internet Security\Common\FSM32.exe" [2005-06-02 23:37 122929]
"F-Secure TNB"="C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" [2005-07-18 15:51 700416]
"F-Secure Startup Wizard"="C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.exe" [2005-08-23 14:38 372736]
"TalkTalk"="C:\Program Files\TalkTalk\bin\sprtcmd.exe" [2005-08-16 08:12 192512]
"PinnacleDriverCheck"="C:\WINDOWS\system32\\PSDrvCheck.exe" [2004-03-11 00:26 406016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-24 16:45 98304]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"EPSON Stylus DX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.exe" [2005-02-02 05:00 98304]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 08:00 33648]
"GPClientMonitor"="C:\Program Files\GalleryPlayer\Player\GPClientMonitor.exe" [2007-08-06 10:59 45056]
"GPDownloadManager"="C:\Program Files\GalleryPlayer\Player\GPDownloadManager.exe" [2007-08-06 10:59 163840]
"EPSON Stylus DX4800 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.exe" [2005-02-02 05:00 98304]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Anti Trojan Elite"="C:\Program Files\Anti Trojan Elite\TJEnder.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

C:\Documents and Settings\Wilma Montgomery\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 05:45:42 101784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
F-Secure 2006 OEM.lnk - C:\Program Files\F-Secure Internet Security\backweb\1245240\Program\fspex.exe [2006-04-06 16:55:16 36903]
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [2007-03-07 07:06:21 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-05-10 12:07 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= Pvmjpg30.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"=
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\IBM\\Updater\\ucsmb.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\syk0007\\half-life 2\\hl2.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\syk0007\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Xfire\\Xfire.exe"=
"C:\\Documents and Settings\\Wilma Montgomery\\My Documents\\FirstClass\\FCSPRA.exe"=
"C:\\Program Files\\F-Secure Internet Security\\backweb\\1245240\\Program\\fspex.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"62580:TCP"= 62580:TCP:azureus

R0 ANCSQ;ANCSQ;C:\WINDOWS\system32\drivers\ANCSQ.sys [2005-04-27 17:15]
R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2005-08-29 15:12]
R2 BackWeb Plug-in - 1245240;F-Secure 2006 OEM;C:\PROGRA~1\F-SECU~1\backweb\1245240\Program\SERVIC~1.EXE [2006-04-06 17:50]
R2 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys [2004-09-10 16:14]
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSgk.sys [2008-03-17 11:56]
R2 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys [2004-06-01 10:03]
R2 IBMFilter;IBMFilter;C:\WINDOWS\system32\drivers\ibmfilter.sys [2005-09-20 22:05]
S3 ATE_PROCMON;ATE_PROCMON;C:\Program Files\Anti Trojan Elite\ATEPMon.sys []
S3 iadusb;MT882;C:\WINDOWS\system32\DRIVERS\glauiad.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78fb1d66-35ee-11da-90cd-806d6172696f}]
\Shell\AutoRun\command - E:\sysprep.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2e14c31-368b-11da-a2cd-806d6172696f}]
\Shell\AutoRun\command - D:\sysprep.bat

*Newly Created Service* - SASDIFSV
.
Contents of the 'Scheduled Tasks' folder
"2008-05-16 00:15:15 C:\WINDOWS\Tasks\Scheduled scanning task.job"
- C:\PROGRA~1\F-SECU~1\ANTI-V~1\fsav.exeZ /HARD /ARCHIVE /DISINF /SCHED /NOBREAK /REPORT=C:\PROGRA~1\F-SECU~1\ANTI-V~1\report.txt
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-16 20:50:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32.exe
C:\Program Files\F-Secure Internet Security\backweb\1245240\Program\fsbwsys.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Advanced Registry Doctor\RegManServ.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSRW.exe
C:\Program Files\F-Secure Internet Security\FSPC\fspc.exe
C:\Program Files\F-Secure Internet Security\FSPC\fshttps\fshttps.exe
C:\Program Files\F-Secure Internet Security\FWES\program\fsdfwd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSAV32.exe
C:\PROGRA~1\F-SECU~1\ANTI-S~1\FSAW.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
.
**************************************************************************
.
Completion time: 2008-05-16 20:55:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-16 19:55:15

Pre-Run: 120,544,522,240 bytes free
Post-Run: 120,654,508,032 bytes free

244 --- E O F --- 2008-04-13 12:47:07
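
The ComboFix log above uses a fixed layout in its "Reg Loading Points" section: each autostart value is printed as "name"="command" followed by the target's timestamp and size in brackets, each driver as an R0/R2/S3 line with the same bracketed stamp, and every firewall exception under its registry key. An empty bracket ("[ ]" or "[]", as on the ATE_PROCMON and iadusb driver lines) means ComboFix could not resolve the target file. What follows is an added example written for this thread, not ComboFix's own code and not part of any post: it parses an excerpt in that layout (lines taken from the logs in this thread) and lists what a helper otherwise checks by eye: unresolved targets, Run values neutralised with a leading "rem" (a vendor way of disabling an entry; because "rem ..." is not a path, those also print "[ ]" and must be told apart from genuinely orphaned values), AutoRun commands registered under MountPoints2, and the Windows Firewall exception list. The command-line usage is an assumption of the example.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread (not ComboFix's code, not from any post).
ComboFix prints each autostart value as  "name"="command" [date time size]
and each driver as  R0 svc;display;path [date time]; an empty bracket means
it could not resolve the target file.  This parser collects what a helper
checks by hand: unresolved targets, Run values neutralised with a leading
"rem " (a vendor trick; those also print "[ ]", so they are listed apart),
AutoRun commands under MountPoints2, and the Windows Firewall exceptions.
"""
import re
from typing import Dict, List

# Excerpt in ComboFix's layout, assembled from the logs quoted in this thread
# (constructed sample input; not the complete log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ibmmessages"="rem C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [ ]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-09-02 09:05 127035]
"Anti Trojan Elite"="C:\Program Files\Anti Trojan Elite\TJEnder.exe" [ ]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"62580:TCP"= 62580:TCP:azureus

R0 ANCSQ;ANCSQ;C:\WINDOWS\system32\drivers\ANCSQ.sys [2005-04-27 17:15]
S3 ATE_PROCMON;ATE_PROCMON;C:\Program Files\Anti Trojan Elite\ATEPMon.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78fb1d66-35ee-11da-90cd-806d6172696f}]
\Shell\AutoRun\command - E:\sysprep.bat
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"\s*\[([^\]]*)\]$')           # name, cmd, stamp
DRIVER_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.+?)\s*\[([^\]]*)\]$")  # svc, path, stamp
FW_APP_RE = re.compile(r'^"(.+)"=$')
FW_PORT_RE = re.compile(r'^"\d+:(?:TCP|UDP)"=\s*(.*)$')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(.+)$")


def triage(log_text: str) -> Dict[str, List[str]]:
    """Return the entries a helper reviews by hand, grouped by finding."""
    out = {"unresolved": [], "rem_disabled": [], "autorun": [],
           "fw_apps": [], "fw_ports": []}
    key = ""                                    # registry key of the current block
    for line in (ln.strip() for ln in log_text.splitlines()):
        if not line:
            continue
        if (m := KEY_RE.match(line)):
            key = m[1].lower()
        elif (m := DRIVER_RE.match(line)):      # R*/S* lines carry no key header
            if not m[3].strip():                # empty stamp: file not resolved
                out["unresolved"].append(f"{m[1]} -> {m[2]}")
        elif key.endswith("\\run") and (m := VALUE_RE.match(line)):
            if not m[3].strip():
                out["unresolved"].append(f"{m[1]} -> {m[2]}")
            if m[2].lower().startswith("rem "):
                out["rem_disabled"].append(m[1])
        elif "authorizedapplications" in key and (m := FW_APP_RE.match(line)):
            out["fw_apps"].append(m[1].replace("\\\\", "\\"))   # un-escape REG_SZ
        elif "globallyopenports" in key and (m := FW_PORT_RE.match(line)):
            out["fw_ports"].append(m[1])
        elif "mountpoints2" in key and (m := AUTORUN_RE.match(line)):
            out["autorun"].append(m[1])
    return out


if __name__ == "__main__":
    import sys
    # Usage (assumed): python cf_triage.py ComboFix.txt ; no argument = excerpt
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for section, items in triage(text).items():
        print(f"{section} ({len(items)})")
        for item in items:
            print("   ", item)
```

On the excerpt this surfaces all three empty-bracket entries, and lists ibmmessages separately as a rem-disabled value, so an unresolved entry that is merely a vendor-commented path is not mistaken for a malware leftover. The AutoRun entries and firewall exceptions are listed without a verdict; whether E:\sysprep.bat or the Azureus port exception belong there is a judgement for the person reading the log.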

#9 wcmont72 (Topic Starter, Member, 19 posts)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:01:19, on 16/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Advanced Registry Doctor\RegManServ.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\TalkTalk\bin\sprtcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\GalleryPlayer\Player\GPClientMonitor.exe
C:\Program Files\GalleryPlayer\Player\GPDownloadManager.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\F-Secure Internet Security\backweb\1245240\program\fsbwsys.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\PROGRA~1\F-SECU~1\backweb\1245240\Program\SERVIC~1.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
C:\Program Files\F-Secure Internet Security\FSPC\fspc.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure Internet Security\backweb\1245240\Program\fspex.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Anonymizer Proxy - {0DB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\Hide Real IP\ProxyNew.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: Popup Killer - {2D58DD23-2759-4C7B-9351-D68AF7D0D868} - C:\PROGRA~1\POPUPR~1\popup.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [ibmmessages] rem C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] rem "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [EPSON Stylus DX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE /P26 "EPSON Stylus DX4800 Series" /O6 "USB002" /M "Stylus DX4800"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [GPClientMonitor] C:\Program Files\GalleryPlayer\Player\GPClientMonitor.exe
O4 - HKLM\..\Run: [GPDownloadManager] C:\Program Files\GalleryPlayer\Player\GPDownloadManager.exe
O4 - HKLM\..\Run: [EPSON Stylus DX4800 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE /P35 "EPSON Stylus DX4800 Series (Copy 1)" /O6 "USB003" /M "Stylus DX4800"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan Elite\TJEnder.exe :NO
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ibmmessages] rem C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: F-Secure 2006 OEM.lnk = C:\Program Files\F-Secure Internet Security\backweb\1245240\Program\fspex.exe
O4 - Global Startup: Image Transfer.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: F-Secure 2006 OEM (BackWeb Plug-in - 1245240) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\1245240\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\1245240\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FSPC\fshttps\fshttps.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Program Files\Advanced Registry Doctor\RegManServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 11013 bytes

#10 Chopin (Member 2k, 2,639 posts)

Hello wcmont72, not so bad, but definite room for improvement. Are you still getting those AV alerts? And did you knowingly or intentionally install the "Popup Killer" toolbar?

Please read my entire post before commencing, and please follow my instructions in the order that they are given :) If you don't understand something, don't be afraid to ask!

1. P2P
------------------------------------------------

I see you are using P2P file-transfer programs. Although the programs themselves (e.g. LimeWire, BitComet) are legal, most people are not so nice and use them for illegal purposes. Many of the files these programs download are infected with malware. Due to this, it would be best if you removed any P2P programs from your computer.

2. Submit File for Testing
------------------------------------------------

Please go to this website: Link

Once there, you will see a textbox in the middle of the screen. Copy and paste the following line into the textbox:

C:\WINDOWS\system32\test.aok

Click the large "Send File" button. Your file will be scanned by MANY different antivirus engines, so until the top says Current status: Finished, don't close the window/copy the results! Once the scan is finished, copy and paste the entire table into a reply so it looks like this:

AhnLab-V3 2007.9.29.0 2007.09.28 -
AntiVir 7.6.0.18 2007.09.28 HEUR/Malware
Authentium 4.93.8 2007.09.28 -
Avast 4.7.1043.0 2007.09.28 -
AVG 7.5.0.488 2007.09.28 -
BitDefender 7.2 2007.09.28 -
CAT-QuickHeal 9.00 2007.09.28 (Suspicious) - DNAScan
ClamAV 0.91.2 2007.09.28 -
DrWeb 4.33 2007.09.28 -
eSafe 7.0.15.0 2007.09.23 Suspicious Trojan/Worm
eTrust-Vet 31.2.5169 2007.09.27 -
Ewido 4.0 2007.09.28 -
FileAdvisor 1 2007.09.29 -
Fortinet 3.11.0.0 2007.09.28 -
F-Prot 4.3.2.48 2007.09.27 -
F-Secure 6.70.13030.0 2007.09.28 -
Ikarus T3.1.1.12 2007.09.28 -
Kaspersky 7.0.0.125 2007.09.29 -
McAfee 5130 2007.09.28 -
Microsoft 1.2803 2007.09.29 -
NOD32v2 2558 2007.09.28 -
Norman 5.80.02 2007.09.28 -
Panda 9.0.0.4 2007.09.28 -
Prevx1 V2 2007.09.29 Heuristic: Suspicious Self Modifying EXE
Rising 19.42.42.00 2007.09.28 -
Sophos 4.21.0 2007.09.28 -
Sunbelt 2.2.907.0 2007.09.28 VIPRE.Suspicious
Symantec 10 2007.09.28 -
TheHacker 6.2.6.073 2007.09.28 -
VBA32 3.12.2.4 2007.09.29 -
VirusBuster 4.3.26:9 2007.09.28 -
Webwasher-Gateway 6.0.1 2007.09.28 Heuristic.Malware


Post the results in your reply.

3. Run a ComboFix Script
------------------------------------------------

1. Please open a blank Notepad document.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\fcvotkpg.exe
C:\WINDOWS\system32\fkdejmpo.exe
C:\WINDOWS\system32\jopsdmju.exe

Folder::
C:\Documents and Settings\All Users\Application Data\zkbwpafu

Driver::

Registry::


3. Go to File > Save As. Save the file name as CFScript and make sure "Text Documents (*.txt)" is selected in "Save as type". Save it to where you saved Combofix.

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


5. If it asks you to reboot, let it reboot. Either way, a Combofix log will be made. Post that in your next reply.

In your next post
------------------------------------------------

  • VirusTotal log
  • ComboFix log
  • Fresh HijackThis log



#11 wcmont72 (Topic Starter, Member, 19 posts)

Hi

I cannot remember downloading Popup Killer. I have pasted the results of the first scan below.

thanks for your help

Wilma

File test.aok received on 05.17.2008 09:14:16 (CET)
Current status: finished
Result: 0/32 (0%)
Antivirus Version Last Update Result
AhnLab-V3 2008.5.16.0 2008.05.16 -
AntiVir 7.8.0.19 2008.05.17 -
Authentium 5.1.0.4 2008.05.17 -
Avast 4.8.1195.0 2008.05.17 -
AVG 7.5.0.516 2008.05.16 -
BitDefender 7.2 2008.05.17 -
CAT-QuickHeal 9.50 2008.05.16 -
ClamAV 0.92.1 2008.05.17 -
DrWeb 4.44.0.09170 2008.05.16 -
eSafe 7.0.15.0 2008.05.16 -
eTrust-Vet 31.4.5796 2008.05.16 -
Ewido 4.0 2008.05.14 -
F-Prot 4.4.2.54 2008.05.14 -
F-Secure 6.70.13260.0 2008.05.17 -
Fortinet 3.14.0.0 2008.05.17 -
GData 2.0.7306.1023 2008.05.17 -
Ikarus T3.1.1.26.0 2008.05.17 -
Kaspersky 7.0.0.125 2008.05.17 -
McAfee 5297 2008.05.17 -
Microsoft 1.3408 2008.05.13 -
NOD32v2 3106 2008.05.16 -
Norman 5.80.02 2008.05.16 -
Panda 9.0.0.4 2008.05.17 -
Prevx1 V2 2008.05.17 -
Rising 20.44.50.00 2008.05.17 -
Sophos 4.29.0 2008.05.17 -
Sunbelt 3.0.1123.1 2008.05.17 -
Symantec 10 2008.05.17 -
TheHacker 6.2.92.311 2008.05.15 -
VBA32 3.12.6.6 2008.05.17 -
VirusBuster 4.3.26:9 2008.05.16 -
Webwasher-Gateway 6.6.2 2008.05.17 -
Additional information
File size: 108 bytes
MD5...: 99e0bbe1dbb962fb8d023bcae06be579
SHA1..: 457b9427e031d80d0c4fd8edfd24d01b7107ce91
SHA256: ec2d014b18df08951efb7128420c5d01d0dba8d2e31534f1e51a77c0225c0290
SHA512: f91282a1b5c333a940f42a24fdbdfbcb73577c86ade17cbb7d53afc80ad793a5
e11b3d943d12f3b38cfd3a187d189eccb124e45bb0035278d2d91d03461b4f9a
PEiD..: -
PEInfo: -
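
The VirusTotal result above reports 0/32 for a 108-byte file and records its MD5, SHA1, SHA256 and SHA512 (the SHA512 was wrapped onto two lines by the paste). A verdict only applies to the exact bytes that were scanned, so before acting on it the file still in system32 should be confirmed to have the recorded size and digests. The following is an added example written for this thread, not VirusTotal's code and not part of any post: it parses the report in the pasted layout (re-joining the wrapped digest), collects the engines that returned a verdict, and compares the recorded size and digests with a local file. The command-line arguments and the stand-in bytes used in the demo are assumptions; the embedded report excerpt is taken from the post above.

```python
"""Cross-check a pasted VirusTotal report against the file on disk.

Added example for this thread; not VirusTotal's code and not from any post.
Parses the plain-text layout produced by pasting a report into a forum post:
the "Result: N/M" line, one "Engine Version Date Verdict" row per line, and
the "Additional information" block, in which a long digest may be wrapped
onto a second line.  Any size or digest mismatch means the verdicts describe
a different file from the one now on disk and must not be relied on for it.
"""
import hashlib
import re
from typing import Dict

RESULT_RE = re.compile(r"^Result:\s*(\d+)/(\d+)")
SIZE_RE = re.compile(r"^File size:\s*(\d+)\s*bytes")
DIGEST_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\.*:\s*([0-9a-fA-F]*)$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.*)$")
ALGOS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1,
         "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

# Excerpt of the report pasted in this thread (sample input for the example).
SAMPLE_REPORT = """\
File test.aok received on 05.17.2008 09:14:16 (CET)
Current status: finished
Result: 0/32 (0%)
Antivirus Version Last Update Result
AhnLab-V3 2008.5.16.0 2008.05.16 -
AntiVir 7.8.0.19 2008.05.17 -
Webwasher-Gateway 6.6.2 2008.05.17 -
Additional information
File size: 108 bytes
MD5...: 99e0bbe1dbb962fb8d023bcae06be579
SHA1..: 457b9427e031d80d0c4fd8edfd24d01b7107ce91
SHA256: ec2d014b18df08951efb7128420c5d01d0dba8d2e31534f1e51a77c0225c0290
SHA512: f91282a1b5c333a940f42a24fdbdfbcb73577c86ade17cbb7d53afc80ad793a5
e11b3d943d12f3b38cfd3a187d189eccb124e45bb0035278d2d91d03461b4f9a
PEiD..: -
"""


def parse_report(text: str) -> Dict[str, object]:
    """Extract detections, engine count, size, digests and verdict rows."""
    info = {"detections": None, "engines": None, "size": None,
            "digests": {}, "hits": []}
    last_digest, in_table = None, False
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if last_digest and HEX_RE.match(line):          # wrapped digest tail
            info["digests"][last_digest] += line.lower()
            continue
        last_digest = None
        if (m := RESULT_RE.match(line)):
            info["detections"], info["engines"] = int(m[1]), int(m[2])
        elif line.startswith("Antivirus Version Last Update Result"):
            in_table = True
        elif line.startswith("Additional information"):
            in_table = False
        elif (m := SIZE_RE.match(line)):
            info["size"] = int(m[1])
        elif (m := DIGEST_RE.match(line)):
            last_digest = m[1]
            info["digests"][last_digest] = m[2].lower()
        elif in_table and (m := ROW_RE.match(line)) and m[4].strip() != "-":
            info["hits"].append((m[1], m[4].strip()))    # (engine, verdict)
    return info


def verify(report: Dict[str, object], data: bytes) -> Dict[str, bool]:
    """Per recorded property, True if the local bytes match the report."""
    checks = {}
    if report["size"] is not None:
        checks["size"] = report["size"] == len(data)
    for name, expected in report["digests"].items():
        checks[name] = ALGOS[name](data).hexdigest() == expected
    return checks


def make_report(data: bytes) -> str:
    """Render `data` in the pasted layout, SHA512 wrapped as in the post."""
    h = {n: f(data).hexdigest() for n, f in ALGOS.items()}
    return "\n".join([
        "Result: 0/32 (0%)", "Antivirus Version Last Update Result",
        "AhnLab-V3 2008.5.16.0 2008.05.16 -", "Additional information",
        f"File size: {len(data)} bytes", f"MD5...: {h['MD5']}",
        f"SHA1..: {h['SHA1']}", f"SHA256: {h['SHA256']}",
        f"SHA512: {h['SHA512'][:64]}", h["SHA512"][64:], "PEiD..: -"])


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:      # assumed usage: vt_check.py report.txt <file>
        report = parse_report(open(sys.argv[1], errors="replace").read())
        data = open(sys.argv[2], "rb").read()
    else:                       # demo: pasted report vs. constructed stand-in bytes
        report, data = parse_report(SAMPLE_REPORT), b"constructed stand-in bytes"
    print(f"{report['detections']}/{report['engines']} engines flagged it;",
          report["hits"] or "no verdicts")
    for prop, ok in verify(report, data).items():
        print(f"  {prop:6s} {'match' if ok else 'MISMATCH'}")
```

Run with the saved report and the path of the scanned file to get a per-property match list; in the demo the stand-in bytes mismatch on every property, which is exactly what a stale or wrong-file report looks like. The check stops at "does this report describe this file": a clean 0/32 on a 108-byte file says nothing about what created it or about the other files named in the thread.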

#12 wcmont72 (Topic Starter, Member, 19 posts)

ComboFix 08-05-15.3 - Wilma Montgomery 2008-05-17 8:25:41.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.412 [GMT 1:00]
Running from: C:\Documents and Settings\Wilma Montgomery\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-17 to 2008-05-17 )))))))))))))))))))))))))))))))
.

2008-05-16 20:40 . 2008-05-16 20:40 <DIR> d-------- C:\Program Files\Sun
2008-05-16 20:40 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-16 20:36 . 2008-05-16 20:40 <DIR> d-------- C:\Program Files\Java
2008-05-16 20:33 . 2008-05-16 20:33 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-14 07:27 . 2008-05-14 07:27 <DIR> d-------- C:\Deckard
2008-05-13 18:43 . 2008-05-13 18:44 <DIR> d-------- C:\VideoOutput
2008-05-13 18:41 . 2008-05-13 18:43 <DIR> d-------- C:\Program Files\Ultra QuickTime Converter
2008-05-13 18:41 . 2006-09-26 13:57 28,672 --a------ C:\WINDOWS\system32\AVEQT.dll
2008-05-13 18:41 . 2008-05-13 18:42 108 --a------ C:\WINDOWS\system32\test.aok
2008-05-09 15:54 . 2008-05-09 23:54 <DIR> d-------- C:\Program Files\Google
2008-05-09 14:04 . 2008-05-09 14:07 <DIR> d-------- C:\Documents and Settings\Wilma Montgomery\.SunDownloadManager
2008-05-09 13:54 . 2008-05-09 13:54 <DIR> d-------- C:\fsaua.data
2008-05-08 20:52 . 2008-05-10 12:07 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-08 20:52 . 2008-05-08 20:52 <DIR> d-------- C:\Documents and Settings\Wilma Montgomery\Application Data\SUPERAntiSpyware.com
2008-05-08 20:52 . 2008-05-08 20:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-08 20:40 . 2008-05-16 20:49 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-08 20:40 . 2008-05-08 20:40 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-08 20:40 . 2008-05-08 20:40 <DIR> d-------- C:\Documents and Settings\Wilma Montgomery\Application Data\Malwarebytes
2008-05-08 20:40 . 2008-05-08 20:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-08 20:25 . 2008-05-08 20:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-29 20:47 . 2008-04-29 23:27 <DIR> d-------- C:\Program Files\Anti Trojan Elite
2008-04-20 17:38 . 2008-05-08 23:35 <DIR> d-------- C:\Program Files\Panda Security
2008-04-20 15:49 . 2008-04-20 15:49 <DIR> d-------- C:\Documents and Settings\Wilma Montgomery\Application Data\PC Tools
2008-04-20 15:49 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-04-20 15:49 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-04-20 15:49 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-04-20 15:49 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-04-20 13:39 . 2008-04-20 13:43 5,278 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-19 18:37 . 2008-04-19 18:37 <DIR> d-------- C:\RegBackup
2008-04-19 18:18 . 2008-04-19 18:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-04-19 17:36 . 2008-04-20 15:48 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-19 17:19 . 2008-04-19 17:24 <DIR> d-------- C:\Documents and Settings\Wilma Montgomery\.housecall6.6
2008-04-19 17:00 . 2008-04-19 17:00 <DIR> d-------- C:\SMCLpav
2008-04-19 15:18 . 2008-04-19 19:57 <DIR> d-------- C:\Documents and Settings\Wilma Montgomery\Application Data\TmpRecentIcons
2008-04-19 13:45 . 2008-05-11 11:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\zkbwpafu

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 19:21 --------- d-----w C:\Program Files\Advanced Registry Doctor
2008-05-17 07:16 40,580 -c--a-w C:\Documents and Settings\Wilma Montgomery\Application Data\wklnhst.dat
2008-05-16 19:38 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-13 17:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2008-05-11 20:34 --------- d-----w C:\Program Files\MSN Messenger
2008-05-10 13:25 --------- d-----w C:\Program Files\Business Planner v3
2008-05-09 14:55 --------- d-----w C:\Program Files\Spyware Doctor
2008-05-08 19:51 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-29 22:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-20 16:59 --------- d-----w C:\Documents and Settings\Wilma Montgomery\Application Data\Azureus
2008-04-19 19:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-19 18:09 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-19 16:20 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-19 14:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-19 14:09 --------- d-----w C:\Program Files\PC-Doctor for Windows
2008-04-13 13:47 --------- d-----w C:\Program Files\MSN Games
2008-04-13 11:43 --------- d-----w C:\Program Files\MT882(2)
2008-04-13 11:43 --------- d-----w C:\Program Files\MT882
2008-04-13 11:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-04-13 10:48 --------- d-----w C:\Program Files\EarthLink TotalAccess
2008-04-13 10:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-13 06:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\SITEguard
2008-04-13 06:37 --------- d-----w C:\Program Files\STOPzilla!
2008-04-05 15:31 --------- d-----w C:\Program Files\IncrediMail
2008-04-04 07:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\IM
2008-04-04 07:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\IncrediMail
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-01 17:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-01-12 17:12 92,064 ----a-w C:\Documents and Settings\Wilma Montgomery\mqdmmdm.sys
2008-01-12 17:12 9,232 ----a-w C:\Documents and Settings\Wilma Montgomery\mqdmmdfl.sys
2008-01-12 17:12 79,328 ----a-w C:\Documents and Settings\Wilma Montgomery\mqdmserd.sys
2008-01-12 17:12 66,656 ----a-w C:\Documents and Settings\Wilma Montgomery\mqdmbus.sys
2008-01-12 17:12 6,208 ----a-w C:\Documents and Settings\Wilma Montgomery\mqdmcmnt.sys
2008-01-12 17:12 5,936 ----a-w C:\Documents and Settings\Wilma Montgomery\mqdmwhnt.sys
2008-01-12 17:12 4,048 ----a-w C:\Documents and Settings\Wilma Montgomery\mqdmcr.sys
2008-01-12 17:12 25,600 ----a-w C:\Documents and Settings\Wilma Montgomery\usbsermptxp.sys
2008-01-12 17:12 22,768 ----a-w C:\Documents and Settings\Wilma Montgomery\usbsermpt.sys
2005-12-27 23:18 0 -c--a-w C:\Documents and Settings\Paul 1\Application Data\wklnhst.dat
2006-04-06 15:56 10,240 -csha-w C:\WINDOWS\rnapxs\rnapxs.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ibmmessages"="rem C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-10 12:07 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ibmmessages"="rem C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [ ]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-09-02 09:05 127035]
"UpdateManager"="rem c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [ ]
"IBMPRC"="C:\IBMTOOLS\UTILS\ibmprc.exe" [2005-04-27 17:53 90112]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-23 00:37 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-23 00:34 126976]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 22:43 45056]
"F-Secure Manager"="C:\Program Files\F-Secure Internet Security\Common\FSM32.exe" [2005-06-02 23:37 122929]
"F-Secure TNB"="C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" [2005-07-18 15:51 700416]
"F-Secure Startup Wizard"="C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.exe" [2005-08-23 14:38 372736]
"TalkTalk"="C:\Program Files\TalkTalk\bin\sprtcmd.exe" [2005-08-16 08:12 192512]
"PinnacleDriverCheck"="C:\WINDOWS\system32\\PSDrvCheck.exe" [2004-03-11 00:26 406016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-24 16:45 98304]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"EPSON Stylus DX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.exe" [2005-02-02 05:00 98304]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 08:00 33648]
"GPClientMonitor"="C:\Program Files\GalleryPlayer\Player\GPClientMonitor.exe" [2007-08-06 10:59 45056]
"GPDownloadManager"="C:\Program Files\GalleryPlayer\Player\GPDownloadManager.exe" [2007-08-06 10:59 163840]
"EPSON Stylus DX4800 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.exe" [2005-02-02 05:00 98304]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Anti Trojan Elite"="C:\Program Files\Anti Trojan Elite\TJEnder.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

C:\Documents and Settings\Wilma Montgomery\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 05:45:42 101784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
F-Secure 2006 OEM.lnk - C:\Program Files\F-Secure Internet Security\backweb\1245240\Program\fspex.exe [2006-04-06 16:55:16 36903]
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [2007-03-07 07:06:21 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-05-10 12:07 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= Pvmjpg30.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"=
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\IBM\\Updater\\ucsmb.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\syk0007\\half-life 2\\hl2.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\syk0007\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Xfire\\Xfire.exe"=
"C:\\Documents and Settings\\Wilma Montgomery\\My Documents\\FirstClass\\FCSPRA.exe"=
"C:\\Program Files\\F-Secure Internet Security\\backweb\\1245240\\Program\\fspex.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"62580:TCP"= 62580:TCP:azureus

R0 ANCSQ;ANCSQ;C:\WINDOWS\system32\drivers\ANCSQ.sys [2005-04-27 17:15]
R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2005-08-29 15:12]
R2 BackWeb Plug-in - 1245240;F-Secure 2006 OEM;C:\PROGRA~1\F-SECU~1\backweb\1245240\Program\SERVIC~1.EXE [2006-04-06 17:50]
R2 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys [2004-09-10 16:14]
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSgk.sys [2008-03-17 11:56]
R2 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys [2004-06-01 10:03]
R2 IBMFilter;IBMFilter;C:\WINDOWS\system32\drivers\ibmfilter.sys [2005-09-20 22:05]
S3 ATE_PROCMON;ATE_PROCMON;C:\Program Files\Anti Trojan Elite\ATEPMon.sys []
S3 iadusb;MT882;C:\WINDOWS\system32\DRIVERS\glauiad.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78fb1d66-35ee-11da-90cd-806d6172696f}]
\Shell\AutoRun\command - E:\sysprep.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2e14c31-368b-11da-a2cd-806d6172696f}]
\Shell\AutoRun\command - D:\sysprep.bat

*Newly Created Service* - SASDIFSV
.
Contents of the 'Scheduled Tasks' folder
"2008-05-17 00:00:06 C:\WINDOWS\Tasks\Scheduled scanning task.job"
- C:\PROGRA~1\F-SECU~1\ANTI-V~1\fsav.exeZ /HARD /ARCHIVE /DISINF /SCHED /NOBREAK /REPORT=C:\PROGRA~1\F-SECU~1\ANTI-V~1\report.txt
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-17 08:28:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-17 8:29:13
ComboFix-quarantined-files.txt 2008-05-17 07:29:08
ComboFix2.txt 2008-05-16 19:55:19

Pre-Run: 120,621,932,544 bytes free
Post-Run: 120,634,920,960 bytes free

204 --- E O F --- 2008-04-13 12:47:07

#13 wcmont72 (Topic Starter, Member, 19 posts)

Hi

Sorry, I just realised I had not followed this part correctly:

3. Go to File > Save As. Save the file name as CFScript and make sure "Text Documents (*.txt)" is selected in "Save as type". Save it to where you saved Combofix.

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


I have now done exactly as asked and have pasted the new log below.

Wilma

ComboFix 08-05-15.3 - Wilma Montgomery 2008-05-17 13:26:09.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446 [GMT 1:00]
Running from: C:\Documents and Settings\Wilma Montgomery\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Wilma Montgomery\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-17 to 2008-05-17 )))))))))))))))))))))))))))))))
.

2008-05-16 20:40 . 2008-05-16 20:40 <DIR> d-------- C:\Program Files\Sun
2008-05-16 20:40 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-16 20:36 . 2008-05-16 20:40 <DIR> d-------- C:\Program Files\Java
2008-05-16 20:33 . 2008-05-16 20:33 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-14 07:27 . 2008-05-14 07:27 <DIR> d-------- C:\Deckard
2008-05-13 18:43 . 2008-05-13 18:44 <DIR> d-------- C:\VideoOutput
2008-05-13 18:41 . 2008-05-13 18:43 <DIR> d-------- C:\Program Files\Ultra QuickTime Converter
2008-05-13 18:41 . 2006-09-26 13:57 28,672 --a------ C:\WINDOWS\system32\AVEQT.dll
2008-05-13 18:41 . 2008-05-13 18:42 108 --a------ C:\WINDOWS\system32\test.aok
2008-05-09 15:54 . 2008-05-09 23:54 <DIR> d-------- C:\Program Files\Google
2008-05-09 14:04 . 2008-05-09 14:07 <DIR> d-------- C:\Documents and Settings\Wilma Montgomery\.SunDownloadManager
2008-05-09 13:54 . 2008-05-09 13:54 <DIR> d-------- C:\fsaua.data
2008-05-08 20:52 . 2008-05-10 12:07 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-08 20:52 . 2008-05-08 20:52 <DIR> d-------- C:\Documents and Settings\Wilma Montgomery\Application Data\SUPERAntiSpyware.com
2008-05-08 20:52 . 2008-05-08 20:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-08 20:40 . 2008-05-16 20:49 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-08 20:40 . 2008-05-08 20:40 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-08 20:40 . 2008-05-08 20:40 <DIR> d-------- C:\Documents and Settings\Wilma Montgomery\Application Data\Malwarebytes
2008-05-08 20:40 . 2008-05-08 20:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-08 20:25 . 2008-05-08 20:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-29 20:47 . 2008-04-29 23:27 <DIR> d-------- C:\Program Files\Anti Trojan Elite
2008-04-20 17:38 . 2008-05-08 23:35 <DIR> d-------- C:\Program Files\Panda Security
2008-04-20 15:49 . 2008-04-20 15:49 <DIR> d-------- C:\Documents and Settings\Wilma Montgomery\Application Data\PC Tools
2008-04-20 15:49 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-04-20 15:49 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-04-20 15:49 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-04-20 15:49 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-04-20 13:39 . 2008-04-20 13:43 5,278 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-19 18:37 . 2008-04-19 18:37 <DIR> d-------- C:\RegBackup
2008-04-19 18:18 . 2008-04-19 18:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-04-19 17:36 . 2008-04-20 15:48 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-19 17:19 . 2008-04-19 17:24 <DIR> d-------- C:\Documents and Settings\Wilma Montgomery\.housecall6.6
2008-04-19 17:00 . 2008-04-19 17:00 <DIR> d-------- C:\SMCLpav
2008-04-19 15:18 . 2008-04-19 19:57 <DIR> d-------- C:\Documents and Settings\Wilma Montgomery\Application Data\TmpRecentIcons
2008-04-19 13:45 . 2008-05-11 11:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\zkbwpafu

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 19:21 --------- d-----w C:\Program Files\Advanced Registry Doctor
2008-05-17 07:16 40,580 -c--a-w C:\Documents and Settings\Wilma Montgomery\Application Data\wklnhst.dat
2008-05-16 19:38 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-13 17:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2008-05-11 20:34 --------- d-----w C:\Program Files\MSN Messenger
2008-05-10 13:25 --------- d-----w C:\Program Files\Business Planner v3
2008-05-09 14:55 --------- d-----w C:\Program Files\Spyware Doctor
2008-05-08 19:51 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-29 22:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-20 16:59 --------- d-----w C:\Documents and Settings\Wilma Montgomery\Application Data\Azureus
2008-04-19 19:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-19 18:09 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-19 16:20 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-19 14:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-19 14:09 --------- d-----w C:\Program Files\PC-Doctor for Windows
2008-04-13 13:47 --------- d-----w C:\Program Files\MSN Games
2008-04-13 11:43 --------- d-----w C:\Program Files\MT882(2)
2008-04-13 11:43 --------- d-----w C:\Program Files\MT882
2008-04-13 11:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-04-13 10:48 --------- d-----w C:\Program Files\EarthLink TotalAccess
2008-04-13 10:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-13 06:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\SITEguard
2008-04-13 06:37 --------- d-----w C:\Program Files\STOPzilla!
2008-04-05 15:31 --------- d-----w C:\Program Files\IncrediMail
2008-04-04 07:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\IM
2008-04-04 07:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\IncrediMail
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-01 17:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-01-12 17:12 92,064 ----a-w C:\Documents and Settings\Wilma Montgomery\mqdmmdm.sys
2008-01-12 17:12 9,232 ----a-w C:\Documents and Settings\Wilma Montgomery\mqdmmdfl.sys
2008-01-12 17:12 79,328 ----a-w C:\Documents and Settings\Wilma Montgomery\mqdmserd.sys
2008-01-12 17:12 66,656 ----a-w C:\Documents and Settings\Wilma Montgomery\mqdmbus.sys
2008-01-12 17:12 6,208 ----a-w C:\Documents and Settings\Wilma Montgomery\mqdmcmnt.sys
2008-01-12 17:12 5,936 ----a-w C:\Documents and Settings\Wilma Montgomery\mqdmwhnt.sys
2008-01-12 17:12 4,048 ----a-w C:\Documents and Settings\Wilma Montgomery\mqdmcr.sys
2008-01-12 17:12 25,600 ----a-w C:\Documents and Settings\Wilma Montgomery\usbsermptxp.sys
2008-01-12 17:12 22,768 ----a-w C:\Documents and Settings\Wilma Montgomery\usbsermpt.sys
2005-12-27 23:18 0 -c--a-w C:\Documents and Settings\Paul 1\Application Data\wklnhst.dat
2006-04-06 15:56 10,240 -csha-w C:\WINDOWS\rnapxs\rnapxs.dat
.

((((((((((((((((((((((((((((( snapshot@2008-05-16_20.55.03.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-16 19:49:57 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-17 11:12:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-17 11:13:25 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_f48.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ibmmessages"="rem C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-10 12:07 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ibmmessages"="rem C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [ ]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-09-02 09:05 127035]
"UpdateManager"="rem c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [ ]
"IBMPRC"="C:\IBMTOOLS\UTILS\ibmprc.exe" [2005-04-27 17:53 90112]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-23 00:37 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-23 00:34 126976]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 22:43 45056]
"F-Secure Manager"="C:\Program Files\F-Secure Internet Security\Common\FSM32.exe" [2005-06-02 23:37 122929]
"F-Secure TNB"="C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" [2005-07-18 15:51 700416]
"F-Secure Startup Wizard"="C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.exe" [2005-08-23 14:38 372736]
"TalkTalk"="C:\Program Files\TalkTalk\bin\sprtcmd.exe" [2005-08-16 08:12 192512]
"PinnacleDriverCheck"="C:\WINDOWS\system32\\PSDrvCheck.exe" [2004-03-11 00:26 406016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-24 16:45 98304]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"EPSON Stylus DX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.exe" [2005-02-02 05:00 98304]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 08:00 33648]
"GPClientMonitor"="C:\Program Files\GalleryPlayer\Player\GPClientMonitor.exe" [2007-08-06 10:59 45056]
"GPDownloadManager"="C:\Program Files\GalleryPlayer\Player\GPDownloadManager.exe" [2007-08-06 10:59 163840]
"EPSON Stylus DX4800 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.exe" [2005-02-02 05:00 98304]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Anti Trojan Elite"="C:\Program Files\Anti Trojan Elite\TJEnder.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

C:\Documents and Settings\Wilma Montgomery\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 05:45:42 101784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
F-Secure 2006 OEM.lnk - C:\Program Files\F-Secure Internet Security\backweb\1245240\Program\fspex.exe [2006-04-06 16:55:16 36903]
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [2007-03-07 07:06:21 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-05-10 12:07 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= Pvmjpg30.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"=
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\IBM\\Updater\\ucsmb.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\syk0007\\half-life 2\\hl2.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\syk0007\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Xfire\\Xfire.exe"=
"C:\\Documents and Settings\\Wilma Montgomery\\My Documents\\FirstClass\\FCSPRA.exe"=
"C:\\Program Files\\F-Secure Internet Security\\backweb\\1245240\\Program\\fspex.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"62580:TCP"= 62580:TCP:azureus

R0 ANCSQ;ANCSQ;C:\WINDOWS\system32\drivers\ANCSQ.sys [2005-04-27 17:15]
R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2005-08-29 15:12]
R2 BackWeb Plug-in - 1245240;F-Secure 2006 OEM;C:\PROGRA~1\F-SECU~1\backweb\1245240\Program\SERVIC~1.EXE [2006-04-06 17:50]
R2 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys [2004-09-10 16:14]
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSgk.sys [2008-03-17 11:56]
R2 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys [2004-06-01 10:03]
R2 IBMFilter;IBMFilter;C:\WINDOWS\system32\drivers\ibmfilter.sys [2005-09-20 22:05]
S3 ATE_PROCMON;ATE_PROCMON;C:\Program Files\Anti Trojan Elite\ATEPMon.sys []
S3 iadusb;MT882;C:\WINDOWS\system32\DRIVERS\glauiad.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78fb1d66-35ee-11da-90cd-806d6172696f}]
\Shell\AutoRun\command - E:\sysprep.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2e14c31-368b-11da-a2cd-806d6172696f}]
\Shell\AutoRun\command - D:\sysprep.bat

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-17 00:00:06 C:\WINDOWS\Tasks\Scheduled scanning task.job"
- C:\PROGRA~1\F-SECU~1\ANTI-V~1\fsav.exeZ /HARD /ARCHIVE /DISINF /SCHED /NOBREAK /REPORT=C:\PROGRA~1\F-SECU~1\ANTI-V~1\report.txt
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-17 13:27:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-17 13:27:56
ComboFix-quarantined-files.txt 2008-05-17 12:27:43
ComboFix2.txt 2008-05-17 12:18:54
ComboFix3.txt 2008-05-17 07:29:14
ComboFix4.txt 2008-05-16 19:55:19

Pre-Run: 120,602,030,080 bytes free
Post-Run: 120,587,976,704 bytes free

214 --- E O F --- 2008-04-13 12:47:07

#14 wcmont72 (Topic Starter, Member, 19 posts)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:34:49, on 17/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-SECU~1\backweb\1245240\Program\SERVIC~1.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\backweb\1245240\program\fsbwsys.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Advanced Registry Doctor\RegManServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
C:\Program Files\F-Secure Internet Security\FSPC\fspc.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\TalkTalk\bin\sprtcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
C:\Program Files\GalleryPlayer\Player\GPClientMonitor.exe
C:\Program Files\GalleryPlayer\Player\GPDownloadManager.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\F-Secure Internet Security\backweb\1245240\Program\fspex.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Anonymizer Proxy - {0DB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\Hide Real IP\ProxyNew.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: Popup Killer - {2D58DD23-2759-4C7B-9351-D68AF7D0D868} - C:\PROGRA~1\POPUPR~1\popup.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [ibmmessages] rem C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] rem "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [EPSON Stylus DX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE /P26 "EPSON Stylus DX4800 Series" /O6 "USB002" /M "Stylus DX4800"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [GPClientMonitor] C:\Program Files\GalleryPlayer\Player\GPClientMonitor.exe
O4 - HKLM\..\Run: [GPDownloadManager] C:\Program Files\GalleryPlayer\Player\GPDownloadManager.exe
O4 - HKLM\..\Run: [EPSON Stylus DX4800 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE /P35 "EPSON Stylus DX4800 Series (Copy 1)" /O6 "USB003" /M "Stylus DX4800"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan Elite\TJEnder.exe :NO
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ibmmessages] rem C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: F-Secure 2006 OEM.lnk = C:\Program Files\F-Secure Internet Security\backweb\1245240\Program\fspex.exe
O4 - Global Startup: Image Transfer.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: F-Secure 2006 OEM (BackWeb Plug-in - 1245240) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\1245240\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\1245240\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FSPC\fshttps\fshttps.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Program Files\Advanced Registry Doctor\RegManServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 10980 bytes

#15 Chopin (Member 2k, 2,639 posts)

Hello wcmont72, doesn't look so bad. Sorry for the delay, I had a bit of a hectic weekend. Since it's been a few days, let's re-scan:

1. Re-scan with DSS
------------------------------------------------

Please go to Start > Run. In the box that appears, carefully copy and paste the following:

"%userprofile%\Desktop\dss.exe" /config

Hit "Check All" and click "Scan!" DSS will produce main.txt and extra.txt, please post them back :)

Edited by Fredil, 20 May 2008 - 03:21 PM (fix code).
