[Davis Engeler]

I know that this section is meant for Hijack This logs, but I'm not sure if I should have the infected computer hooked up to the internet.

I'll go ahead and describe what happened so I can know if it's OK to have it on the internet:

I was checked my email (No attatchments) and browsing the GTA IV forums at GTAIV.net (No downloads). All of a sudden, IE was closed. I started it back up and it wouldn't respond. My CPU Usage was 100%. After the computer froze up, it logged off and restarted. (By the way... the only thing I downloaded that day was the update from Adobe Reader.) When I logged back in, there was a ton of "Symantec Email Proxy" boxes coming up in the bottom right that said "Scanning Outgoing Message" or something similar. Then an error message from Symantec Email Proxy saying something like, "Message sending encountered an error. <Bla Bla Bla> Error: this looks like spam to me" I haven't sent any emails. Those were coming up like crazy. Once it said something about dean@<address>.com, but I don't know anyone like that. I came to the chat here and asked what I should do. While I was typing something, little cartoon bugs came onto the screen. When I moved the mouse they went away. It almost sounds fake. When I minimised the window my background was changed to one of those fony "You Have A Virus" things. This is aweful. They told me in the chat that they couldn't help and that I shouldn't be connected to the internet. I unpluged the cord. It all stoped.

So is it OK to be on the internet? HUH! I DON'T WANT TO DEAL WITH THIS!!!


Thanks for your help.

[Advertisements]

Hi Davis,

You shouldn't connect to the internet for long periods of time, but to do some of these steps you will need to be connected.
On your infected computer please download Deckard's System Scanner (DSS) and save it to your Desktop.

• Close all other windows before proceeding.
• Double-click on dss.exe and follow the prompts.
• When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Note:These logs may be too large to post in one reply, if so, please post extra.txt in a seperate reply.

[Mike]

Hi Davis,

You shouldn't connect to the internet for long periods of time, but to do some of these steps you will need to be connected.
On your infected computer please download Deckard's System Scanner (DSS) and save it to your Desktop.

• Close all other windows before proceeding.
• Double-click on dss.exe and follow the prompts.
• When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Note:These logs may be too large to post in one reply, if so, please post extra.txt in a seperate reply.

[Davis Engeler]

Main.txt:

Deckard's System Scanner v20071014.68
Run by dmengeler on 2008-05-09 16:11:06
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-05-09 20:11:17 UTC - RP632 - Deckard's System Scanner Restore Point
1: 2008-05-09 02:14:17 UTC - RP631 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-09 16:14:05
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Stonesoft\StoneGate VPN Client\gatekeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\TEMP\winlogon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\TEMP\flash.exe
C:\WINDOWS\TEMP\scan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\dmengeler\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://intranet.ed.local/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ElliottDavis, LLC
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {04E4846E-A9AC-4553-A60A-803E8E9E4A3E} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {92A444D2-F945-4dd9-89A1-896A6C2D8D22} - (no file)
O2 - BHO: XBTBPos00 Class - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\Softomate\ToolbarStudio\bin\tbcore3U.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Simple DNS Plus] "C:\Program Files\Simple DNS Plus\sdnsplus.exe" -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Name of App] C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe r
O4 - HKLM\..\Run: [Windows OS Function] C:\WINDOWS\system32\win32osf.exe
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKUS\S-1-5-18\..\Run: [Firewall auto setup] C:\WINDOWS\TEMP\winlogon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Firewall auto setup] C:\WINDOWS\TEMP\winlogon.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\Program Files\Flash Saver\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\Program Files\Flash Saver\save.htm
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.micr...heckControl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....aceUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1102092125030
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab Class) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1182452037406
O16 - DPF: {89172179-D07F-455E-BBEB-C41D42AEC078} () - file:///C:/Program%20Files/Softomate/ToolbarStudio/projects/daviscreation_webinstall/daviscreation.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.ma...t/ultrashim.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} () - http://v4.windowsupd...7823.3649305556
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - Winlogon Notify: winwim32 - C:\WINDOWS\system32\winwim32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SavRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Simple DNS Plus (sdnsplus) - JH Software ApS - C:\Program Files\Simple DNS Plus\sdnsmain.exe
O23 - Service: StoneGate VPN Client (SGClient) - Stonesoft Corp. - C:\Program Files\Stonesoft\StoneGate VPN Client\gatekeeper.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


--
End of file - 11319 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - "regedit.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 U3sHlpDr - c:\windows\system32\drivers\u3shlpdr.sys
R3 sgvnic (StoneGate VPN Virtual Adapter) - c:\windows\system32\drivers\sgvnic.sys <Not Verified; Stonesoft Corp.; StoneGate VPN Client>
R3 stonegate (StoneGate VPN Module (IPsec)) - c:\windows\system32\drivers\stonegate.sys <Not Verified; Stonesoft Corp.; StoneGate VPN Client>

S3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys <Not Verified; Politecnico di Torino; NPF Driver>
S3 SCREAMINGBDRIVER (Screaming Bee Audio) - c:\windows\system32\drivers\screamingbaudio.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 SGClient (StoneGate VPN Client) - c:\program files\stonesoft\stonegate vpn client\gatekeeper.exe -d <Not Verified; Stonesoft Corp.; StoneGate VPN Client>

S2 sdnsplus (Simple DNS Plus) - "c:\program files\simple dns plus\sdnsmain.exe" <Not Verified; JH Software ApS; Simple DNS Plus>
S3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program files\winpcap\rpcapd.exe" -d -f "c:\program files\winpcap\rpcapd.ini"


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-06 17:31:03 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-04-09 and 2008-05-09 -----------------------------

2008-05-08 22:35:05 0 dr-h----- C:\Documents and Settings\dmengeler\Recent
2008-05-08 22:13:03 160256 --a------ C:\WINDOWS\system32\blackster.scr <Not Verified; Peter's Productions; Bugs!>
2008-05-08 22:12:57 3584 --a------ C:\WINDOWS\system32\win32osf.exe
2008-05-08 22:12:57 96256 --a------ C:\WINDOWS\system32\ctfmona.exe
2008-05-08 20:10:17 0 d-------- C:\WINDOWS\system32\Adobe
2008-04-21 18:48:19 0 d-------- C:\Documents and Settings\dmengeler\Application Data\mIRC
2008-04-21 18:48:18 0 d-------- C:\Program Files\mIRC
2008-04-10 19:05:53 0 d-------- C:\Program Files\Microsoft DirectX SDK (March 2008)


-- Find3M Report ---------------------------------------------------------------

2008-05-08 22:02:33 436 --a------ C:\Documents and Settings\dmengeler\Application Data\SamsungLiveUpdateConfig.ini
2008-05-08 21:56:33 0 d-------- C:\Program Files\Symantec AntiVirus
2008-05-08 21:52:11 0 d-------- C:\Program Files\Google
2008-05-08 20:43:35 0 d-------- C:\Documents and Settings\dmengeler\Application Data\AdobeUM
2008-04-25 18:04:15 0 d-------- C:\Documents and Settings\dmengeler\Application Data\uTorrent
2008-04-10 18:04:19 0 d-------- C:\Program Files\Pcsx2
2008-04-09 03:12:04 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-07 16:20:33 0 d-------- C:\Documents and Settings\dmengeler\Application Data\SmartFTP
2008-04-07 16:20:01 0 d-------- C:\Program Files\SmartFTP Client
2008-04-07 16:19:21 0 d-------- C:\Program Files\SmartFTP Client 3.0 Setup Files
2008-04-06 16:21:51 0 d-------- C:\Program Files\Image-Line
2008-04-06 16:20:43 0 d-------- C:\Program Files\Outsim
2008-04-06 12:20:35 0 d-------- C:\Program Files\eMule
2008-04-06 11:32:34 0 d-------- C:\Program Files\uTorrent
2008-04-05 22:21:57 0 d-------- C:\Documents and Settings\dmengeler\Application Data\Yahoo!
2008-04-05 22:21:56 0 d-------- C:\Program Files\Yahoo!
2008-04-05 19:06:25 1025 --a------ C:\logfile.dat
2008-04-05 19:05:50 0 d-------- C:\Program Files\FXhome VisionLab Studio
2008-04-05 14:41:34 0 d-------- C:\Program Files\Common Files
2008-04-05 14:41:09 0 d-------- C:\Program Files\Icon Constructor 3
2008-04-05 14:40:50 0 d-------- C:\Program Files\HyCam2
2008-04-05 14:34:43 0 d-------- C:\Program Files\IEToolbar
2008-04-05 14:10:27 0 d-------- C:\Program Files\Softomate
2008-04-02 21:34:35 0 d-------- C:\Program Files\Microsoft Visual Studio 9.0
2008-03-24 01:11:57 0 d-------- C:\Program Files\AC3Filter
2008-03-24 01:11:47 0 d-------- C:\Program Files\AviSynth 2.5
2008-03-24 01:11:37 0 d-------- C:\Program Files\DVD-WMV
2008-03-23 23:49:00 0 d-------- C:\Program Files\Common Files\LightScribe
2008-03-23 23:29:24 769536 --a------ C:\Documents and Settings\dmengeler\Application Data\sfdnwin.dll <Not Verified; Toshiba Samsung Storage Technology Coporation; SFDNWIN>
2008-03-23 23:27:13 0 d-------- C:\Program Files\SAMSUNG
2008-03-18 20:36:13 0 d-------- C:\Documents and Settings\dmengeler\Application Data\Google
2008-03-18 15:50:33 0 d-------- C:\Program Files\CCleaner
2008-03-17 21:14:51 0 d-------- C:\Documents and Settings\dmengeler\Application Data\W Photo Studio Viewer
2008-03-16 09:35:13 5 --a------ C:\Message.vbs
2008-03-12 20:27:31 0 d-------- C:\Program Files\Simple DNS Plus


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{04E4846E-A9AC-4553-A60A-803E8E9E4A3E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92A444D2-F945-4dd9-89A1-896A6C2D8D22}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 05:25 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [07/19/2006 07:26 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [09/27/2006 08:33 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 05:25 AM]
"Simple DNS Plus"="C:\Program Files\Simple DNS Plus\sdnsplus.exe" [01/31/2008 01:31 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/10/2008 04:27 PM]
"Name of App"="C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe" [01/04/2008 05:33 PM]
"Windows OS Function"="C:\WINDOWS\system32\win32osf.exe" [05/08/2008 10:12 PM]
"ctfmona"="C:\WINDOWS\system32\ctfmona.exe" [05/08/2008 10:12 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [08/23/2007 05:36 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Firewall auto setup"=C:\WINDOWS\TEMP\winlogon.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [12/14/2004 4:44:06 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwim32]
winwim32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApachInc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
"C:\Program Files\BitTorrent_DNA\dna.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A940]
"C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlyMonitor]
"C:\Program Files\Leapfrog\FlyWorld\bin\FlyMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SC2]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]
smgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StoneGateAgent]
"C:\Program Files\Stonesoft\StoneGate VPN Client\sgagent.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"



-- Hosts -----------------------------------------------------------------------

127.0.0.1 iefeadsl.com # Webroot SpySweeper entry
127.0.0.1 008k.com # Webroot SpySweeper entry
127.0.0.1 356563.net # Webroot SpySweeper entry
127.0.0.1 75tz.com # Webroot SpySweeper entry
127.0.0.1 kitasearch.com # Webroot SpySweeper entry
127.0.0.1 lookfor.com # Webroot SpySweeper entry
127.0.0.1 look-today.com # Webroot SpySweeper entry
127.0.0.1 new.8ad.com # Webroot SpySweeper entry
127.0.0.1 rf104.com # Webroot SpySweeper entry
127.0.0.1 search-to-find.com # Webroot SpySweeper entry

4 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-05-09 16:15:01 ------------



extra.txt:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.80GHz
Percentage of Memory in Use: 65%
Physical Memory (total/avail): 510.99 MiB / 177.54 MiB
Pagefile Memory (total/avail): 1981.71 MiB / 1483 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1942.54 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.5 GiB total, 36.21 GiB free.
D: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - WDC WD800BB-75CAA0 - 74.5 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.5 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: Symantec AntiVirus Corporate Edition v10.1.5.5000 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Stonesoft\\StoneGate VPN Client\\sgagent.exe"="C:\\Program Files\\Stonesoft\\StoneGate VPN Client\\sgagent.exe:*:Enabled:StoneGate VPN Agent"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Disabled:LEXPPS.EXE"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\BitTorrent_DNA\\dna.exe"="C:\\Program Files\\BitTorrent_DNA\\dna.exe:*:Enabled:BitTorrent DNA"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Microsoft Visual Studio\\Common\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"="C:\\Program Files\\Microsoft Visual Studio\\Common\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE:*:Enabled:Microsoft ® Visual Studio VSA RPC Event Creator"
"C:\\WINDOWS\\system32\\ftp.exe"="C:\\WINDOWS\\system32\\ftp.exe:*:Enabled:File Transfer Program"
"C:\\WINDOWS\\system32\\rtcshare.exe"="C:\\WINDOWS\\system32\\rtcshare.exe:*:Enabled:RTC App Sharing"
"C:\\Program Files\\LeapFrog\\FlyWorld\\bin\\FLYWorld.exe"="C:\\Program Files\\LeapFrog\\FlyWorld\\bin\\FLYWorld.exe:*:Enabled:FLYWorld.exe"
"C:\\Program Files\\LeapFrog\\FlyWorld\\bin\\FLYMonitor.exe"="C:\\Program Files\\LeapFrog\\FlyWorld\\bin\\FLYMonitor.exe:*:Enabled:FLYMonitor.exe"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Net Tools\\nettools5.exe"="C:\\Program Files\\Net Tools\\nettools5.exe:*:Enabled:Net Tools by Mohammad Ahmadi Bidakhvidi"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Simple DNS Plus\\sdnsmain.exe"="C:\\Program Files\\Simple DNS Plus\\sdnsmain.exe:*:Enabled:Simple DNS Plus"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client\\SmartFTP.exe:*:Enabled:SmartFTP Client 3.0"
"C:\\Documents and Settings\\dmengeler\\My Documents\\VPresent\\WinVNC2.exe"="C:\\Documents and Settings\\dmengeler\\My Documents\\VPresent\\WinVNC2.exe:*:Enabled:TightVNC Win32 Server"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\dmengeler\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ENGELERGX260
ComSpec=C:\WINDOWS\system32\cmd.exe
DXSDK_DIR=C:\Program Files\Microsoft DirectX SDK (March 2008)\
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\dmengeler
lib=C:\Program Files\SQLXML 3.0\bin\
LOGONSERVER=\\ENGELERGX260
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Microsoft DirectX SDK (March 2008)\Utilities\Bin\x86;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\PFXENG~1\common;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\QuickTime\QTSystem";C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\QuickTime\QTSystem\;c:\Program Files\Microsoft SQL Server\90\Tools\binn\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0207
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\DMENGE~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\DMENGE~1\LOCALS~1\Temp
USERDOMAIN=ENGELERGX260
USERNAME=dmengeler
USERPROFILE=C:\Documents and Settings\dmengeler
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

(admin)
Engeler (admin)
dmengeler (admin)
Administrator (admin)
(admin)
(admin)
Administrator.ELLIOTTDAVIS (admin)
(admin)
(admin)
(admin)
(new local, admin, net ready)
(new local, admin, net ready)
(new local, admin, net ready)
(admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNNMP.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
AC3Filter (remove only) --> C:\Program Files\AC3Filter\uninstall.exe
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-6884-0000-0000-000000000103}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-119F-4D52-B551-6739B2B22101}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-040C-1E257A25E34D}
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Adobe Shockwave Player 11 --> C:\WINDOWS\system32\adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-0C40-4930-9AFE-113BCE553101}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{EE0D5DCD-2B97-4473-98DF-E93C0BD92F7A}
Anvil Studio --> C:\WINDOWS\system32\AsUninst.exe
Apple Mobile Device Support --> MsiExec.exe /I{D8AB8F0C-CEEB-4A29-8EF5-219B064813F4}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ASIO4ALL --> C:\Program Files\ASIO4ALL v2\uninstall.exe
Audacity 1.3.4 (Unicode) --> "C:\Program Files\Audacity 1.3 Beta (Unicode)\unins000.exe"
AVG Anti-Rootkit Free --> C:\Program Files\GRISOFT\AVG Anti-Rootkit Free\Uninstall.exe
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
AviSynth 2.5 --> "C:\Program Files\AviSynth 2.5\Uninstall.exe"
Camtasia Studio 5 --> MsiExec.exe /I{784E6B0F-00EC-4950-95A2-BBA64F44EC48}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
CD/DVD-ROM Generator 1.20 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\CD_DVD-ROM Generator 1.20\Uninst.isu"
Collab --> C:\Program Files\Image-Line\Collab\uninstall.exe
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Crystal Reports9 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{543A636A-E53F-416F-8AB5-8BFE7B698C69} MaintenanceRun
DavisCreation Toolbar --> regsvr32 /u /s "C:\Program Files\IEToolbar\DavisCreation Toolbar\daviscreation.dll"
Dell AIO Printer A940 --> C:\WINDOWS\system32\spool\drivers\w32x86\3\DLBAUN5C.EXE -dDell AIO Printer A940
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
DVD-WMV --> MsiExec.exe /I{19934FC9-A54C-4DEF-ADAD-D3D361C2A595}
Expstudio Audio Editor FREE --> C:\WINDOWS\Expstudio Audio Editor FREE Uninstaller.exe
FileStream Magic Cube --> C:\Program Files\FileStream\Magic Cube\uninstall.exe
FL Studio 7 --> C:\Program Files\Image-Line\FL Studio 7\uninstall.exe
FL Studio 8 --> C:\Program Files\Image-Line\FL Studio 8\uninstall.exe
Flash Saver --> C:\PROGRA~1\FLASHS~1\UNWISE.EXE C:\PROGRA~1\FLASHS~1\INSTALL.LOG
FLY World --> C:\WINDOWS\system32\msiexec.exe /i {5D946D0D-9437-4E15-AC1F-F9BCF0B32561}
Free MP3 Converter 2.0 --> "C:\Program Files\Free MP3 Converter\unins000.exe"
Free Screen Recorder v2.9 --> "C:\Program Files\Free Screen Recorder\unins000.exe"
Free WMA to MP3 Converter 1.08 --> "C:\Program Files\Free WMA to MP3 Converter\unins000.exe"
Freetar Editor --> C:\WINDOWS\system32\javaws.exe -uninstall -prompt "http://www.freetar.n...ar_Editor.jnlp"
FW LiveUpdate --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{11F5D779-7BD9-465A-BBC4-10701386BCB9}\setup.exe" -l0x9 -removeonly
FXhome CompositeLab Lite (remove only) --> "C:\Program Files\FXhome CompositeLab Lite\FXhome CompositeLab Lite Uninstall.exe"
FXhome VisionLab Studio (remove only) --> "C:\Program Files\FXhome VisionLab Studio\FXhome VisionLab Studio Uninstall.exe"
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Guitar Hero Explorer --> MsiExec.exe /I{2B072A33-D445-46D5-9442-7B41F5171AAC}
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
hp deskjet 3320 series --> rundll32 hpzcon07.dll,VendorJettison hp deskjet 3320 series
IL Download Manager --> C:\Program Files\Image-Line\Downloader\uninstall.exe
Image Icon Converter 1.3 --> "C:\Program Files\Image Icon Converter\unins000.exe"
ImgBurn (Remove Only) --> "C:\Program Files\ImgBurn\uninstall.exe"
ImTOO MPEG Encoder --> C:\Program Files\ImTOO\MPEG Encoder 3\Uninstall.exe
Intel® PRO Ethernet Adapter and Software --> Prounstl.exe
iTunes --> MsiExec.exe /I{B85C4D19-6CEB-48CF-BD98-C887AC8C6F94}
J2SE Runtime Environment 5.0 Update 8 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150080}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
LiveUpdate 3.1 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft DirectX SDK (March 2008) --> MsiExec.exe /I{92DF1607-ABCD-4511-8095-2436D94E952C}
Microsoft Office XP Professional --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0050048383C9}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SOAP Toolkit 3.0 --> MsiExec.exe /I{BCB4C18A-ACA6-4383-8688-E19933A705DD}
Microsoft SQL Server 2005 --> "c:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS) --> MsiExec.exe /I{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}
Microsoft SQL Server 2005 Tools Express Edition --> MsiExec.exe /I{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}
Microsoft SQL Server Compact 3.5 Design Tools ENU --> MsiExec.exe /X{2E5C075E-11AB-4BDD-918C-7B9A68953FF8}
Microsoft SQL Server Compact 3.5 ENU --> MsiExec.exe /I{BCC899FE-2DAA-460C-A5FB-60291E73D9C3}
Microsoft SQL Server Native Client --> MsiExec.exe /I{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}
Microsoft SQL Server Setup Support Files (English) --> MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer --> MsiExec.exe /I{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual Basic 2005 Express Edition - ENU --> C:\Program Files\Microsoft Visual Studio 8\Microsoft Visual Basic 2005 Express Edition - ENU\setup.exe
Microsoft Visual Basic 2005 Express Edition - ENU --> MsiExec.exe /X{577AD794-8B34-40B4-9E7A-BE4CFFE396E6}
Microsoft Visual Basic 2008 Express Edition - ENU --> C:\Program Files\Microsoft Visual Studio 9.0\Microsoft Visual Basic 2008 Express Edition - ENU\setup.exe
Microsoft Visual Basic 2008 Express Edition - ENU --> MsiExec.exe /X{9C2DC81B-8114-37D9-A922-95E460A1FAFB}
Microsoft Visual C# 2008 Express Edition - ENU --> C:\Program Files\Microsoft Visual Studio 9.0\Microsoft Visual C# 2008 Express Edition - ENU\setup.exe
Microsoft Visual C# 2008 Express Edition - ENU --> MsiExec.exe /X{2D07422C-CA35-375A-A3A8-3631AB85BFE5}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Visual Studio 6.0 Enterprise Edition --> "C:\Program Files\Microsoft Visual Studio\Common\Setup\1033\Setup.exe"
Microsoft Web Publishing Wizard 1.53 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie3x86.inf,WebPostUninstall
Microsoft Windows SDK for Visual Studio 2008 Express Tools for .NET Framework --> MsiExec.exe /X{B4C0A315-07FB-39F9-85CD-8CE20C019350}
Microsoft Windows SDK for Visual Studio 2008 Express Tools for Win32 --> MsiExec.exe /X{07FCBED5-94C3-4F94-B9D3-360FA27C7B06}
mIRC --> C:\Program Files\mIRC\uninstall.exe _?=C:\Program Files\mIRC
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSDN Library for Microsoft Visual Studio 2008 Express Editions --> C:\Program Files\Microsoft Visual Studio 9.0\MSDN Library for Microsoft Visual Studio 2008 Express Editions\install.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
MyWeb - Complete --> rundll32.exe dfshim.dll,ShArpMaintain MyWeb - Complete.application, Culture=neutral, PublicKeyToken=c95795df4576a64e, processorArchitecture=msil
MyWeb Final --> rundll32.exe dfshim.dll,ShArpMaintain MyWeb Final.application, Culture=neutral, PublicKeyToken=d4b24b5528262af9, processorArchitecture=msil
Nero Suite --> C:\Program Files\Common Files\Nero\Uninstall\setupx.exe /uninstall ExtraUninstallID=""
NetTools 5.0 --> "C:\Program Files\Net Tools\unins000.exe"
OGRE Demos 1.4.0 --> MsiExec.exe /I{B3483083-1A14-4250-B196-AB82DE686742}
Pcsx2 0.9.1 Watermoose --> "C:\Program Files\Pcsx2\unins000.exe"
PoiZone --> C:\Program Files\Image-Line\PoiZone\uninstall.exe
Popup Maker --> rundll32.exe dfshim.dll,ShArpMaintain Popup Maker.application, Culture=en-US, PublicKeyToken=a5d56c48b579d1a8, processorArchitecture=msil
Prank Virus 3.0 --> rundll32.exe dfshim.dll,ShArpMaintain Prank Virus 3.0.application, Culture=neutral, PublicKeyToken=8b887046d13f75da, processorArchitecture=msil
ProSystem fx Workstation --> C:\Program Files\Common Files\Wfx32\FXREMOVE.EXE /WSSETUP
QuickTime --> MsiExec.exe /I{6EC874C2-F950-4B7E-A5B7-B1066D6B74AA}
RealWorld Cursor Editor --> MsiExec.exe /I{81B1F5E7-40CC-4869-B0DC-406B1AA39610}
RealWorld Icon Editor --> MsiExec.exe /I{A3EE0EAC-F60F-4A26-B782-E32270406C9D}
RegistryFix v6.2 --> "C:\Program Files\RegistryFix\unins000.exe"
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Simple DNS Plus --> MsiExec.exe /I{F2EC9A6A-C9BC-415C-9B1F-4B8D50F85EC4}
SketchyPhysics2b1 --> "C:\Program Files\Google\Google Sketchup 6\plugins\SketchyPhysics\uninst\unins000.exe"
SmartFTP Client --> MsiExec.exe /I{6F23C1A3-9F62-470C-BD12-B83F04E67865}
SmartFTP Client 3.0 Setup Files (remove only) --> C:\Program Files\SmartFTP Client 3.0 Setup Files\uninst-sftp.exe
Sothink SWF Catcher for Internet Explorer --> "C:\WINDOWS\unins000.exe"
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe"
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SQLXML 3.0 SP2 --> MsiExec.exe /I{3C72B40D-12D4-496E-974E-8DA4AA7953E8}
StoneGate VPN Client 2.6.0.814 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C2C7AB30-146B-11D5-973C-00105A698689}\Setup.exe" -l0x9 UNINSTALL
Symantec AntiVirus --> MsiExec.exe /I{33CFCF98-F8D6-4549-B469-6F4295676D83}
System Requirements Lab --> C:\Program Files\SystemRequirementsLab\Uninstall.exe
TabIt version 2.03 (Trial) --> "C:\Program Files\TabIt\unins000.exe"
TeamSpeak 2 RC2 --> "C:\Program Files\Teamspeak2_RC2\unins000.exe"
Tester --> rundll32.exe dfshim.dll,ShArpMaintain Tester.application, Culture=neutral, PublicKeyToken=51db35738b583f72, processorArchitecture=msil
ToolbarStudio --> "C:\Program Files\Softomate\ToolbarStudio\unins000.exe"
Toxic Biohazard --> C:\Program Files\Image-Line\Toxic Biohazard\uninstall.exe
Translator Fun Voice Pack --> MsiExec.exe /I{B4295F30-C1A6-432B-AB98-D3C57FE88F85}
TurboZIP --> "C:\Program Files\FileStream\TurboZIP\Setup.Exe" /U
TurboZIP Express --> C:\Program Files\FileStream\TurboZIP Express\Uninstall.exe
TValue Network Version 5 --> C:\TValue5\UNWISE.EXE C:\TValue5\INSTALL.LOG
URGE --> MsiExec.exe /I{8BBF6DFD-0AD9-43A7-9FBD-BF065E3866AF}
VideoReDo/Plus Version 2.5.4.507 --> "C:\Program Files\VideoReDoPlus\unins000.exe"
VPresent --> MsiExec.exe /X{F3160B0A-8B24-4B06-AB77-04DCFF1AA4EC}
Windows Driver Package - LeapFrog (FlyUsb) USB (06/15/2007 1.0.0.6) --> C:\PROGRA~1\DIFX\5BE688ACC8BC158E\DPInst.exe /u C:\WINDOWS\system32\DRVSTORE\flyusb_ECE9FCB25A55FF8E782476B8116A3635CD5AD324\flyusb.inf
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Sign-in Assistant --> MsiExec.exe /I{49672EC2-171B-47B4-8CE7-50D7806360D7}
Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
WinPcap 3.0 --> "C:\Program Files\WinPcap\Uninstall.exe" "C:\Program Files\WinPcap\install.log"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
WMV To Wav Converter version 1.0 --> "C:\Program Files\WMVTOWAV\unins000.exe"
Workspace Macro Pro 6.5 --> "C:\Program Files\Workspace Macro Pro 6.5\Uninstall.exe" "C:\Program Files\Workspace Macro Pro 6.5\install.log"
XML Paper Specification Shared Components Pack 1.0 -->
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe
YASA Video Converter v3.4 (build 0065) --> C:\PROGRA~1\YASAVI~1\UNWISE.EXE C:\PROGRA~1\YASAVI~1\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type67776 / Warning
Event Submitted/Written: 05/09/2008 00:58:32 PM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Could not scan 248 files inside C:\Program Files\RegistryFix\RegistryFixBackup\8,25,2007_20,13,9.zip due to extraction errors encountered by the Decomposer Engines.

Event Record #/Type67775 / Warning
Event Submitted/Written: 05/09/2008 00:49:40 PM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Could not scan 2 files inside C:\Program Files\Microsoft Visual Studio 8\Microsoft Visual Basic 2005 Express Edition - ENU\vbsetup1.cab due to extraction errors encountered by the Decomposer Engines.

Event Record #/Type67774 / Warning
Event Submitted/Written: 05/09/2008 00:23:51 PM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Could not scan 584 files inside C:\Program Files\BitLord\Downloads\FxHome_Vision_Lab_Studio_+EffectPreset.rar due to extraction errors encountered by the Decomposer Engines.

Event Record #/Type67773 / Warning
Event Submitted/Written: 05/09/2008 00:13:18 PM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Could not scan 1 files inside C:\Documents and Settings\dmengeler\Local Settings\Application Data\Microsoft\Messenger\[email protected]\Sharing Folders\[email protected]\IE4\MSGMS_1.CAB due to extraction errors encountered by the Decomposer Engines.

Event Record #/Type67772 / Warning
Event Submitted/Written: 05/09/2008 00:12:49 PM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Could not scan 1 files inside C:\Documents and Settings\dmengeler\Local Settings\Application Data\Microsoft\Messenger\[email protected]\Sharing Folders\[email protected]\IE4\IE4_S5.CAB due to extraction errors encountered by the Decomposer Engines.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type332 / Warning
Event Submitted/Written: 05/09/2008 00:05:52 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type307 / Error
Event Submitted/Written: 05/08/2008 09:55:46 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Simple DNS Plus service failed to start due to the following error:
%%1053

Event Record #/Type306 / Error
Event Submitted/Written: 05/08/2008 09:55:46 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the Simple DNS Plus service to connect.

Event Record #/Type285 / Warning
Event Submitted/Written: 05/06/2008 07:37:40 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type279 / Error
Event Submitted/Written: 05/01/2008 09:49:36 PM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 192.168.1.100 for the Network Card with network address 000874DD479E has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).



-- End of Deckard's System Scanner: finished at 2008-05-09 16:15:01 ------------

[Davis Engeler]

One more thing... if you can tell what infected me, I'd like to know. Thanks.

[Mike]

Hi Davis,

Please follow my instructions in the order they were given, if you come across something you don't understand or don't feel comfortable doing, don't hesitate to ask and I will get you sorted out

Update Java

• Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
• Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
• Click the "Download" button to the right.
• Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
• Click on Continue.
• Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java version.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on the download to install the newest version.

Temporarily disable realtime programs

We will need to temporarily disable a few programs that might interfere with our fixes.

AVG Anti-Spyware (formerly ewido)

1. Open AVG Anti-Spyware by double-clicking the multi-colored box emblazoned with an 'S' in the system tray.
2. In the 'Resident Shield' section, toggle the AVG Anti-Spyware active protection 'off' by clicking 'Change state' which will then change the protection status to 'inactive'.
3. If you are instructed to reboot at any time during your cleanup, AVG Anti-Spyware will prompt you as to whether you would like to "Restart the Resident Shield".
4. Reply 'no' and set it to 'inactive' for the duration of your cleanup.

Spybot S&D (Teatimer)

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

Ad-Aware Ad-Watch

1. Right click on the Ad-Watch icon in the system tray.
2. At the bottom of the screen there will be two checkable items called "Active" and "Automatic".

Active: This will turn Ad-Watch On\Off without closing it
Automatic: Suspicious activity will be blocked automatically

3. Uncheck both of those boxes.

Optional

You asked me where you got the virus, P2P programs are a breeding ground for viruses and is a prime suspect.

You have uTorrent installed, as well as remnants of 3 other P2P programs. These are Peer to Peer programs. These types of programs are very dangerous as you literally allow anyone to access your computer. Please read Dangers of P2P.

If you wish to uninstall them please go to Start >Control Panel > Add or Remove Programs an uninstall:

uTorrent

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\program files\uTorrent
C:\Documents and Settings\dmengeler\Application Data\uTorrent
C:\Program Files\eMule

Step 1. Uploading a suspicious file

We will need to unhide hidden system files temporarily.

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View Tab.
• Under the Hidden files and folders heading select Show hidden files and folders.
• Uncheck the Hide protected operating system files (recommended) option.
• Click Yes to confirm.
• Click OK.

Please go to Uploadmalware to upload a suspicious file for analysis.

• Enter your username from this forum
• Copy and paste the link to this thread
• Browse for this filename: C:\WINDOWS\system32\win32osf.exe
• In the comments, please mention that I asked you to upload this file
• Click on Send File

Step 2. Fixes with Hijack This

* Click here to download HJTsetup.exe

• Save HJTsetup.exe to your desktop.
• Doubleclick on the HJTsetup.exe icon on your desktop.
• By default it will install to C:\Program Files\Hijack This.
• Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
• Put a check by Create a desktop icon then click Next again.
• Continue to follow the rest of the prompts from there.
• At the final dialogue box click Finish and it will launch Hijack This.

Choose "Do a system scan only". Please put a check next to each of the following entries (if still present):

O2 - BHO: (no name) - {04E4846E-A9AC-4553-A60A-803E8E9E4A3E} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {92A444D2-F945-4dd9-89A1-896A6C2D8D22} - (no file)
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKUS\S-1-5-18\..\Run: [Firewall auto setup] C:\WINDOWS\TEMP\winlogon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Firewall auto setup] C:\WINDOWS\TEMP\winlogon.exe (User 'Default user')
O20 - Winlogon Notify: winwim32 - C:\WINDOWS\system32\winwim32.dll (file missing)

Now please close all open windows except HJT and press "Fix checked".

Step 3. Running OTMoveIt2

Please download the OTMoveIt2 by OldTimer.

• Save it to your desktop.
• Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  c:\windows\system32\drivers\npf.sys
   C:\WINDOWS\system32\blackster.scr 
   C:\WINDOWS\system32\ctfmona.exe
   C:\WINDOWS\smgr.exe
   C:\WINDOWS\TEMP\winlogon.exe
   C:\WINDOWS\TEMP\flash.exe
   C:\WINDOWS\TEMP\scan.exe
   HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApachInc
   HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npf

• Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Step 4. Running MalwareByte's Anti-Malware

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Step 5. Running Deckards' System Scanner

Please Re-run Deckards' System Scanner

• Close all other windows before proceeding.
• Double-click on dss.exe and follow the prompts.
• When it has finished, dss will open one Notepad main.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt in your next reply.

In your next reply

OTMoveIT2 log.
Log from Malware Bytes' Anti-Malware.
Main.txt from Deckards' System Scanner.

[Davis Engeler]

Thanks for your reply. I won't have any time to do the steps today, but when I do I'll post the stuff in the reply. Thanks.

[Davis Engeler]

Finnally!!!

OK, I finnally got set up right and did the instructions. I'll post the logs as attatchments. Is that OK?

 main.txt   16.4KB   214 downloads
 mbam_log_5_17_2008__19_16_09_.txt   2.78KB   160 downloads
 05172008_184920.txt   1.94KB   158 downloads

[Mike]

Hi there Davis,

Nice to have you back Please post the logs directly in the thread from now on, rather than attaching them.
I will work with the tools we have as much as I can but I will assume that after this fix you won't have to much trouble in regards to connecting to the internet. If you have trouble with one step, please skip it and continue with the others and tell me what you couldn't do in your next reply.

Preparation

I notice you have two firewalls running, StoneGate by StoneSoft and Symantec. This can cause extreme performance losses and lower your security. As Symantec is a suite (i.e Includes Antivirus as well) I would keep that unless you are willing to Remove Symantec completely and download another Antivirus solution. Please uninstall one of the programs at this point, if you choose to uninstall Symantec I recommend one of these two Antivirus programs to take the place of your Antivirus program:
Note: Make sure to only install ONE program, as having more can cause confliction between these programs, which in turn lowers your protection and slows down your computer.

• AVG Anti-Virus
• AntiVir

Please make sure your protection programs are still disabled!

Question: Did you install Softomate yourself? If not we will remove it the next time around.

Step 1. Running OTMoveIt2

Please download the OTMoveIt2 by OldTimer.

• Save it to your desktop.
• Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  C:\WINDOWS\system32\win32osf.exe
   C:\Message.vbs
   E:\autorun.exe
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{92A444D2-F945-4dd9-89A1-896A6C2D8D22}
   HKCR\CLSID\{92A444D2-F945-4dd9-89A1-896A6C2D8D22}
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Windows OS Function
   HKCU\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ca0c253-0d71-11dc-b759-000874dd479e}
   EmptyTemp

• Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Step 2. Running MalwareByte's Anti-Malware

You did not let MBAM fix the problems it found according to your log, please re-run this program.
Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Step 3. Running Kaspersky Online Virusscaner

Please run a free online scan with Kaspersky AntiVirus (works only with MS Internet Explorer 5.0 or higher).
Go to http://www.kaspersky.com/virusscanner and click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").

• In the new window that opens, click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
• When you get the Windows dialog asking if you want to install this software, click the "Install" button.
• When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
• Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
• Under "Please select a target to scan:", click My Computer to start the scan.

When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window, and post the text in kavscan.txt in your next reply.


In your next reply

Please post the log from OTMoveIt2
Please post the log from MalwareBytes' Anti-Malware
Please post the log from Kaspersky
Also a new hijack this log after running the above programs.

Give me an update on how your computer is running, are you still experiencing problems? If so what?

If the logs are to big to fit in one reply please spread them out over multiple replies.

[Davis Engeler]

OK, I did everything. I remove Symantec with the Norton Remover thing we talked about in the chat. I installed AntiVir.

Got one more question: Should I also remove AVG AntiSpyware?


Here's the logs:

OTMoveIt:

C:\WINDOWS\system32\win32osf.exe moved successfully.
C:\Message.vbs moved successfully.
E:\autorun.exe moved successfully.
< HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{92A444D2-F945-4dd9-89A1-896A6C2D8D22} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{92A444D2-F945-4dd9-89A1-896A6C2D8D22}\\ deleted successfully.
< HKCR\CLSID\{92A444D2-F945-4dd9-89A1-896A6C2D8D22} >
Registry key HKEY_CLASSES_ROOT\CLSID\{92A444D2-F945-4dd9-89A1-896A6C2D8D22}\\ not found.
< HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Windows OS Function >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Windows OS Function deleted successfully.
< HKCU\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ca0c253-0d71-11dc-b759-000874dd479e} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ca0c253-0d71-11dc-b759-000874dd479e}\\ deleted successfully.
< EmptyTemp >
Temp folders emptied.
IE temp folders emptied.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05182008_212245




Malwarebytes' Anti-Malware 1.12
Database version: 760

Scan type: Quick Scan
Objects scanned: 46169
Time elapsed: 10 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


===================

I'm no expert, but I think that ^ looks good.?.

Edited by Davis Engeler, 18 May 2008 - 08:35 PM.

[Mike]

Hi Davis,

You can safely keep AVG Antispyware, it's a good program, however it is up to you, keep in mind you have both Ad-Aware and AVG AntiSpyware running realtime protection, this will slow down your computer so keeping one of them disabled and the other as an occasional scanner would be a good choice.

I still need the Kaspersky and Hijack This log (see my post above). Don't forget to give me an update on how your computer is running!

[Davis Engeler]

Well, my computer isn't having any of the problems it was having when I came. I'm getting warnings from AntiVir saying it found threats. Every time I see that I just select "Put in Quaranteen." I don't seem to be having any problems, but I haven't really started using it though. I'm posting this reply on the computer we're working on and I'm having no problems.

Here's the logs:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:38:30 PM, on 5/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Stonesoft\StoneGate VPN Client\gatekeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://intranet.ed.local/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ElliottDavis, LLC
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: XBTBPos00 Class - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\PROGRA~1\SOFTOM~1\TOOLBA~1\bin\tbcore3U.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Name of App] C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - http://lads.myspace....aceUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1102092125030
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1182452037406
O16 - DPF: {89172179-D07F-455E-BBEB-C41D42AEC078} - file:///C:/Program%20Files/Softomate/ToolbarStudio/projects/daviscreation_webinstall/daviscreation.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: StoneGate VPN Client (SGClient) - Stonesoft Corp. - C:\Program Files\Stonesoft\StoneGate VPN Client\gatekeeper.exe

--
End of file - 7133 bytes






-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, May 19, 2008 5:36:35 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/05/2008
Kaspersky Anti-Virus database records: 786008
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 77086
Number of viruses found: 5
Number of infected objects: 4
Number of suspicious objects: 2
Duration of the scan process: 01:08:48

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku.zip/Yazzle1162OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\dmengeler\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\dmengeler\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\dmengeler\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\dmengeler\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\dmengeler\Local Settings\History\History.IE5\MSHist012008051920080520\index.dat Object is locked skipped
C:\Documents and Settings\dmengeler\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\dmengeler\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\dmengeler\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\dmengeler\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\dmengeler\Shared\01 Track 1.wma Infected: Trojan-Downloader.WMA.Wimad.l skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_350.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\ed4027f893dd3f1801f11e3898de\%temp%dd_msxml_retMSI.txt Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_24.trc Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
C:\Program Files\Mozilla Firefox\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{5758FED0-E7F3-4C98-96BA-308D408DA0D7}\RP635\A0059514.exe Infected: not-a-virus:NetTool.MSIL.Sniffer.a skipped
C:\System Volume Information\_restore{5758FED0-E7F3-4C98-96BA-308D408DA0D7}\RP652\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB833987$\sxs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\xpsp2res.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\dao360.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjet40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjetol1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mstext40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\wmp.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{9D231383-FF1B-4F7E-87BD-52EF9610F43D}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.



Hope we're done. Don't think so though.

[Mike]

Hi there Davis,

You don't need to uninstall AVG antispyware, you may if you wish though.

Please navigate to and delete the following Files:

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku.zip
C:\Documents and Settings\dmengeler\Shared\01 Track 1.wma

And your logs are clean!

You may fix these items in Hijack This if you wish to speed up your boottime a bit:


O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

Step 1. Running CleanUp!

Let's remove the tools I had you use.

Please open OTMoveIt2:

• Double click OTMoveIt.exe.
• Click the CleanUp! button.
• Select Yes when the "Begin cleanup Process?" prompt appears.
• If you are prompted to Reboot during the cleanup, select Yes.

Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, please allow it to do so.

The below steps have some important tips on how to stay safe and keep up-to-date, so be sure to read it!

Step 2. Flushing old Restore Points and creating a new one

Right-click on "My Computer." The "System Properties" dialogue box will appear, showing a number of tabs. From here you can reset System Restore and configure Automatic Updates.

First, click the System Restore tab.

* Check the box beside "Turn off System Restore"
* Click "Apply"
* At the prompt, click "Yes"

Wait while your system deletes existing Restore Points, this may take a few moments.

* Uncheck the box beside "Turn off System Restore"
* Click "Apply"
* At the prompt, click "Yes"

Your system will now create a new Restore Point.

Step 3. Configuring Automatic Updates

Click the Automatic Updates tab. Choose the update option that best suits your needs, but be sure that Automatic Updates is not turned off. Windows XP will now notify you and download important updates and security patches as they become available.
Click "OK" to save your new settings and close the System Properties dialogue.

Step 4. Preventing future infection

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
http://www.spywarewa...uc/resource.htm

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.o...oducts/firefox/

Also make sure to run your antivirus software regularly, and to keep it up-to-date.

There are many programs that can be used for your protection, most falling within the three main categories of anti-virus, anti-spyware and firewall. Please be careful to never run more than one program of the same category in resident mode, as conflicts between the different programs can actually decrease your protection.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Hopefully this should take care of your problems! Good luck.

Please post back and tell me if everything is OK, so that I may mark this thread as Resolved.

Edited by Mike, 20 May 2008 - 07:51 AM.

[Davis Engeler]

YAY! Thanks for your reply. I'll get to it when I get home!

[Davis Engeler]

Great. Thank you so much Mike!

It's running great. Really fast boot time now, and no problems so far. I'm still kind of confused about what to do about AVG AntiSpyware and Ad-Aware. I think I should do AVG sinse it's got Realtime Protection right?

Thanks again,
Davis.

[Mike]

Hi Davis,

Glad to hear its running smoothly

I think I should do AVG sinse it's got Realtime Protection right?

Yup, that sounds good to me. You could just keep both programs if you wish and just you Ad-Aware as an occasional scanner.

Any more questions?