Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Adzgalore [RESOLVED]

Started by nanajanet , May 16 2008 11:05 AM

  • This topic is locked This topic is locked

#16
nanajanet
Posted 26 May 2008 - 09:59 AM

nanajanet

    Member

  • Topic Starter
  • Member
  • PipPip
  • 64 posts
Here it is, below. After I ran combo fix I was getting an alert that my Norton worm protection was not working (I don't use Norton any longer, I use Avast). And my Avast was not running and the icon was gone on the right side of my taskbar with other programs that are running.


ComboFix 08-05-15.3 - abdwybabe 2008-05-26 11:43:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.99 [GMT -4:00]
Running from: C:\Documents and Settings\abdwybabe\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-26 to 2008-05-26 )))))))))))))))))))))))))))))))
.

2008-05-25 12:12 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-24 20:31 . 2008-05-24 20:31 <DIR> d-------- C:\Program Files\SelectRebates
2008-05-24 19:25 . 2008-05-24 19:25 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-24 19:25 . 2008-05-24 19:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-24 10:38 . 2008-05-24 10:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-19 22:27 . 2008-05-19 22:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RoboForm
2008-05-16 13:53 . 2008-05-16 13:53 <DIR> d-------- C:\Program Files\BillP Studios
2008-05-16 13:53 . 2008-05-16 13:53 <DIR> d-------- C:\Documents and Settings\abdwybabe\Application Data\WinPatrol
2008-05-16 13:47 . 2008-05-16 13:47 <DIR> d-------- C:\_OTMoveIt
2008-05-09 23:38 . 2008-05-10 07:22 <DIR> d-------- C:\Documents and Settings\abdwybabe\Application Data\Download Manager
2008-05-09 23:30 . 2008-05-09 23:30 <DIR> d-------- C:\Documents and Settings\abdwybabe\Application Data\GARMIN
2008-05-09 23:09 . 2008-05-24 10:23 <DIR> d-------- C:\Garmin
2008-05-04 18:43 . 2008-05-04 18:43 <DIR> d-------- C:\Documents and Settings\abdwybabe\Application Data\Move Networks
2008-05-04 14:59 . 2008-05-04 14:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-04 14:59 . 2008-05-04 14:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-04 14:59 . 2008-05-04 14:59 <DIR> d-------- C:\Documents and Settings\abdwybabe\Application Data\Malwarebytes
2008-05-03 16:35 . 2008-05-03 16:35 <DIR> d-------- C:\Deckard
2008-05-02 14:07 . 2008-05-02 14:07 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-02 14:07 . 2008-05-02 17:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-02 12:13 . 2008-05-02 14:05 <DIR> d-------- C:\Program Files\ERUNT
2008-05-02 11:12 . 2008-05-03 01:45 <DIR> d-------- C:\Documents and Settings\abdwybabe\Application Data\SpywareStop
2008-05-01 00:50 . 2008-05-01 00:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-04-30 00:29 . 2008-04-30 00:28 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-30 00:28 . 2008-04-30 00:34 <DIR> d-------- C:\Documents and Settings\abdwybabe\.housecall6.6
2008-04-29 21:30 . 2008-04-29 21:30 136,627 --a------ C:\WINDOWS\LOT66225.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-25 16:12 --------- d-----w C:\Program Files\Java
2008-05-16 14:56 --------- d-----w C:\Program Files\Real
2008-05-16 14:53 --------- d-----w C:\Program Files\Common Files\Real
2008-05-07 18:53 --------- d-----w C:\Documents and Settings\abdwybabe\Application Data\Image Zone Express
2008-05-01 04:40 --------- d-----w C:\Program Files\mypoints
2008-04-30 02:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-21 15:39 --------- d-----w C:\Program Files\Siber Systems
2008-04-20 03:57 --------- d-----w C:\Program Files\Gomez
2008-04-20 03:57 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-07 20:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-07 19:53 --------- d-----w C:\Program Files\Alwil Software
2008-04-06 14:00 --------- d-----w C:\Program Files\iTunes
2008-04-06 14:00 --------- d-----w C:\Program Files\iPod
2008-04-06 13:58 --------- d-----w C:\Program Files\Bonjour
2008-04-06 13:57 --------- d-----w C:\Program Files\QuickTime
2008-04-06 13:54 --------- d-----w C:\Program Files\Apple Software Update
2008-04-06 13:53 --------- d-----w C:\Program Files\Common Files\Apple
2008-04-06 13:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-04-02 21:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-01 18:52 --------- d-----w C:\Program Files\InterActual
2008-03-27 14:51 --------- d-----w C:\Program Files\Ocucom
2007-07-06 22:29 104,408 -c----w C:\Documents and Settings\abdwybabe\Application Data\GDIPFONTCACHEV1.DAT
2007-04-20 16:06 2,726 -c----w C:\Documents and Settings\abdwybabe\Application Data\wklnhst.dat
2008-02-19 20:27 44,360 ----a-w C:\Program Files\mozilla firefox\plugins\atgpcdec.dll
2008-02-19 20:27 107,928 ----a-w C:\Program Files\mozilla firefox\plugins\atgpcext.dll
2007-01-13 05:40 88 --sh--r C:\WINDOWS\system32\20B77D9558.sys
2007-01-13 05:40 2,828 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00 15360]
"Performance Center"="C:\Program Files\Ascentive\Performance Center\APCMain.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-05-19 22:26 160592]
"AOL Fast Start"="C:\Program Files\AOL 9.1\AOL.exe" [2007-10-27 13:44 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 16:01 67584]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-14 01:44 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-14 01:41 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-14 01:45 118784]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-11-23 02:35 1392640]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 01:30 282624 C:\WINDOWS\stsystra.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 20:48 761947]
"HostManager"="C:\Program Files\Common Files\AOL\1168532354\ee\AOLSoftware.exe" [2007-05-25 13:16 42032]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 03:41 49152]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-04-25 13:31 333120]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

C:\Documents and Settings\abdwybabe\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-18 14:57:21 113664]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-01-03 00:59:26 24576]
Gomez PEER.lnk - C:\Program Files\Gomez\GomezPEER\bin\GomezPEER.exe [2008-04-19 23:57:58 61440]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22 288472]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1168532354\\ee\\aolsoftware.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\AOL 9.1\\waol.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 19:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 19:16]
S3 spotJ;Spot Software GPS USB Driver;C:\WINDOWS\system32\Drivers\spotJ.sys [2006-03-30 18:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77ef566d-a086-11dc-809b-00038a000015}]
\Shell\AutoRun\command - E:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c15b4285-ac25-11db-8a52-00038a000015}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-05-20 14:37:15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-20 00:04:57 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-26 11:49:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AOL 9.1\waol.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\PROGRA~1\Gomez\GOMEZP~1\jre\bin\java.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AOL 9.1\shellmon.exe
.
**************************************************************************
.
Completion time: 2008-05-26 11:55:51 - machine was rebooted [abdwybabe]
ComboFix-quarantined-files.txt 2008-05-26 15:55:47

Pre-Run: 19,949,182,976 bytes free
Post-Run: 19,919,982,592 bytes free

201 --- E O F --- 2008-05-16 07:02:30
  • 0

Advertisements

#17
sarahw
Posted 26 May 2008 - 12:00 PM

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Can you please Uninstall Norton from your computer.
If you are unable to do this, let me know.

:)
  • 0

#18
nanajanet
Posted 26 May 2008 - 08:00 PM

nanajanet

    Member

  • Topic Starter
  • Member
  • PipPip
  • 64 posts
I removed Norton a few months ago from my computer and I just double checked by going to add/remove programs and it's not there. The message I received about it came from Windows Support.
  • 0

#19
sarahw
Posted 28 May 2008 - 10:39 AM

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
There are still parts of Norton on your computer.
You should try the Norton Removal Tool

Apart from that, how is the computer running?

:)
  • 0

#20
nanajanet
Posted 28 May 2008 - 11:23 AM

nanajanet

    Member

  • Topic Starter
  • Member
  • PipPip
  • 64 posts
It runs fine but I still get adzgalore. I will go remove the rest of Norton now. Thanks so much.
  • 0

#21
sarahw
Posted 28 May 2008 - 12:27 PM

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Hi,
Could you please also do a scan with Kapersky Online scaner again?
I want to check if the files we deleted are actually gone.

:)
  • 0

#22
nanajanet
Posted 29 May 2008 - 12:43 AM

nanajanet

    Member

  • Topic Starter
  • Member
  • PipPip
  • 64 posts
Here is the Kapersky report. Other than Norton files, I did not remove any other. Was I supposed to? I looked at all the replies and did not see anything about it. Thanks.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, May 29, 2008 2:42:46 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/05/2008
Kaspersky Anti-Virus database records: 810683
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 89333
Number of viruses found: 11
Number of infected objects: 19
Number of suspicious objects: 0
Duration of the scan process: 01:41:59

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\abdwybabe\Application Data\AOL\C_AOL 9.1\IDB\Apps.Lst Object is locked skipped
C:\Documents and Settings\abdwybabe\Application Data\AOL\C_AOL 9.1\IDB\art.idx Object is locked skipped
C:\Documents and Settings\abdwybabe\Application Data\AOL\C_AOL 9.1\IDB\sap.dat Object is locked skipped
C:\Documents and Settings\abdwybabe\Application Data\AOL\C_AOL 9.1\IDB\spool.lst Object is locked skipped
C:\Documents and Settings\abdwybabe\Application Data\AOL\C_AOL 9.1\IDB\sysnews.lst Object is locked skipped
C:\Documents and Settings\abdwybabe\Application Data\Mozilla\Firefox\Profiles\g5soiv4f.default\cert8.db Object is locked skipped
C:\Documents and Settings\abdwybabe\Application Data\Mozilla\Firefox\Profiles\g5soiv4f.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\abdwybabe\Application Data\Mozilla\Firefox\Profiles\g5soiv4f.default\history.dat Object is locked skipped
C:\Documents and Settings\abdwybabe\Application Data\Mozilla\Firefox\Profiles\g5soiv4f.default\key3.db Object is locked skipped
C:\Documents and Settings\abdwybabe\Application Data\Mozilla\Firefox\Profiles\g5soiv4f.default\parent.lock Object is locked skipped
C:\Documents and Settings\abdwybabe\Application Data\Mozilla\Firefox\Profiles\g5soiv4f.default\search.sqlite Object is locked skipped
C:\Documents and Settings\abdwybabe\Application Data\Mozilla\Firefox\Profiles\g5soiv4f.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\abdwybabe\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-7658ba13.zip/vmain.class Infected: Exploit.Java.Gimsh.a skipped
C:\Documents and Settings\abdwybabe\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-7658ba13.zip ZIP: infected - 1 skipped
C:\Documents and Settings\abdwybabe\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\abdwybabe\Desktop\Anti-Viral-Malware Programs\OTScanIt\MovedFiles\05032008_002907\C_WINDOWS\system32\{899433cf-4c4d-1386-3e32-b276b12a533e}.dll Infected: not-a-virus:AdWare.Win32.Agent.bkn skipped
C:\Documents and Settings\abdwybabe\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\abdwybabe\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\abdwybabe\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\abdwybabe\Local Settings\Application Data\Mozilla\Firefox\Profiles\g5soiv4f.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\abdwybabe\Local Settings\Application Data\Mozilla\Firefox\Profiles\g5soiv4f.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\abdwybabe\Local Settings\Application Data\Mozilla\Firefox\Profiles\g5soiv4f.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\abdwybabe\Local Settings\Application Data\Mozilla\Firefox\Profiles\g5soiv4f.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\abdwybabe\Local Settings\Application Data\Mozilla\Firefox\Profiles\g5soiv4f.default\XUL.mfl Object is locked skipped
C:\Documents and Settings\abdwybabe\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\abdwybabe\Local Settings\History\History.IE5\MSHist012008052820080529\index.dat Object is locked skipped
C:\Documents and Settings\abdwybabe\Local Settings\History\History.IE5\MSHist012008052920080530\index.dat Object is locked skipped
C:\Documents and Settings\abdwybabe\Local Settings\Temp\fla4D8.tmp Object is locked skipped
C:\Documents and Settings\abdwybabe\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\abdwybabe\Local Settings\Temp\hsperfdata_abdwybabe\3056 Object is locked skipped
C:\Documents and Settings\abdwybabe\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\abdwybabe\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\abdwybabe\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\variable Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.1\aolusers.fus Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.1\idb\Nanajanet1954\mydb.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.1\idb\Nanajanet1954\toolbar.lst Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.1\idb\SNMaster.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.1\organize\CACHE\nanajanet1901 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.1\organize\nanajanet1954 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.1\organize\nanajanet1954.abi Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.1\organize\nanajanet1954.aby Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\aolstderr.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\aolstdout.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\cache.db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\ncoc Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\server.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\selfdef.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\Gomez\GomezPEER\keys\cert8.db Object is locked skipped
C:\Program Files\Gomez\GomezPEER\keys\key3.db Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP331\A0098725.dll Infected: not-a-virus:AdWare.Win32.Agent.bjb skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP343\A0100379.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.cb skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP347\A0104673.exe/mwsSetup.CommonCodebase.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP347\A0104673.exe CAB: infected - 1 skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP372\A0113853.dll Infected: not-a-virus:AdWare.Win32.Agent.bjb skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP376\A0114126.rbf Infected: not-a-virus:FraudTool.Win32.SpywareStop.b skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP376\A0114130.rbf Infected: not-a-virus:FraudTool.Win32.SpywareStop.c skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP403\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\LOT66225.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.e skipped
C:\WINDOWS\LOT66225.exe NSIS: infected - 1 skipped
C:\WINDOWS\ModemLog_Conexant HDA D110 MDC V.92 Modem.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{8F68CD34-1F0F-4AC3-98E8-A0C042B07453}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{22E908E0-EC9F-4851-B8EA-4421AE7610B9}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_5bc.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\_OTMoveIt\MovedFiles\05252008_115351\Documents and Settings\abdwybabe\Local Settings\Temp\Component Update 275/stream/data0003 Infected: Trojan.Win32.BHO.ceo skipped
C:\_OTMoveIt\MovedFiles\05252008_115351\Documents and Settings\abdwybabe\Local Settings\Temp\Component Update 275/stream Infected: Trojan.Win32.BHO.ceo skipped
C:\_OTMoveIt\MovedFiles\05252008_115351\Documents and Settings\abdwybabe\Local Settings\Temp\Component Update 275 NSIS: infected - 2 skipped
C:\_OTMoveIt\MovedFiles\05252008_115351\Documents and Settings\abdwybabe\Local Settings\Temp\SelectRebates_.exe Infected: not-a-virus:AdWare.Win32.Sahat.ci skipped
C:\_OTMoveIt\MovedFiles\05252008_115351\WINDOWS\four444444.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.buu skipped
C:\_OTMoveIt\MovedFiles\05252008_115351\WINDOWS\four444444.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.buu skipped
C:\_OTMoveIt\MovedFiles\05252008_115351\WINDOWS\four444444.exe NSIS: infected - 2 skipped

Scan process completed.
  • 0

#23
sarahw
Posted 29 May 2008 - 11:00 AM

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts

Other than Norton files, I did not remove any other. Was I supposed to? I looked at all the replies and did not see anything about it. Thanks.

We used OTMoveIt to delete the files.


1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\LOT66225.exe



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image



  • Double-click OTMoveIt2.exe to run it.
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
Tell me how the compiter is runing. Do you still get Adzgalore?
  • 0

#24
nanajanet
Posted 30 May 2008 - 12:30 PM

nanajanet

    Member

  • Topic Starter
  • Member
  • PipPip
  • 64 posts
Here is the combo fix log...


ComboFix 08-05-29.1 - abdwybabe 2008-05-30 14:16:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.237 [GMT -4:00]
Running from: C:\Documents and Settings\abdwybabe\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\abdwybabe\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\LOT66225.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\LOT66225.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-30 )))))))))))))))))))))))))))))))
.

2008-05-28 23:30 . 2008-05-28 23:30 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-28 23:30 . 2008-05-28 23:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-25 12:12 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-24 20:31 . 2008-05-24 20:31 <DIR> d-------- C:\Program Files\SelectRebates
2008-05-24 10:38 . 2008-05-24 10:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-19 22:27 . 2008-05-19 22:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RoboForm
2008-05-16 13:53 . 2008-05-16 13:53 <DIR> d-------- C:\Program Files\BillP Studios
2008-05-16 13:53 . 2008-05-16 13:53 <DIR> d-------- C:\Documents and Settings\abdwybabe\Application Data\WinPatrol
2008-05-16 13:47 . 2008-05-16 13:47 <DIR> d-------- C:\_OTMoveIt
2008-05-09 23:38 . 2008-05-10 07:22 <DIR> d-------- C:\Documents and Settings\abdwybabe\Application Data\Download Manager
2008-05-09 23:30 . 2008-05-09 23:30 <DIR> d-------- C:\Documents and Settings\abdwybabe\Application Data\GARMIN
2008-05-09 23:09 . 2008-05-24 10:23 <DIR> d-------- C:\Garmin
2008-05-04 18:43 . 2008-05-04 18:43 <DIR> d-------- C:\Documents and Settings\abdwybabe\Application Data\Move Networks
2008-05-04 14:59 . 2008-05-04 14:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-04 14:59 . 2008-05-04 14:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-04 14:59 . 2008-05-04 14:59 <DIR> d-------- C:\Documents and Settings\abdwybabe\Application Data\Malwarebytes
2008-05-03 16:35 . 2008-05-03 16:35 <DIR> d-------- C:\Deckard
2008-05-02 14:07 . 2008-05-02 14:07 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-02 14:07 . 2008-05-02 17:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-02 12:13 . 2008-05-02 14:05 <DIR> d-------- C:\Program Files\ERUNT
2008-05-02 11:12 . 2008-05-03 01:45 <DIR> d-------- C:\Documents and Settings\abdwybabe\Application Data\SpywareStop
2008-05-01 00:50 . 2008-05-01 00:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-04-30 00:29 . 2008-04-30 00:28 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-30 00:28 . 2008-04-30 00:34 <DIR> d-------- C:\Documents and Settings\abdwybabe\.housecall6.6
2008-04-21 11:39 . 2008-04-21 11:39 <DIR> d-------- C:\Program Files\Siber Systems
2008-04-19 23:57 . 2008-04-19 23:57 <DIR> d-------- C:\Program Files\Gomez
2008-04-07 15:53 . 2008-04-07 15:53 <DIR> d-------- C:\Program Files\Alwil Software
2008-04-06 10:01 . 2008-05-30 14:23 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-06 10:01 . 2008-04-06 10:01 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-06 09:59 . 2008-04-06 10:00 <DIR> d-------- C:\Program Files\iTunes
2008-04-06 09:58 . 2008-04-06 09:58 <DIR> d-------- C:\Program Files\Bonjour
2008-04-06 09:53 . 2008-04-06 09:53 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-04-06 09:53 . 2008-04-06 09:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-28 17:37 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-25 16:12 --------- d-----w C:\Program Files\Java
2008-05-16 14:56 --------- d-----w C:\Program Files\Real
2008-05-16 14:53 --------- d-----w C:\Program Files\Common Files\Real
2008-05-07 18:53 --------- d-----w C:\Documents and Settings\abdwybabe\Application Data\Image Zone Express
2008-05-01 04:40 --------- d-----w C:\Program Files\mypoints
2008-04-30 02:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-20 03:57 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-07 20:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-06 14:00 --------- d-----w C:\Program Files\iPod
2008-04-06 13:57 --------- d-----w C:\Program Files\QuickTime
2008-04-06 13:54 --------- d-----w C:\Program Files\Apple Software Update
2008-04-02 21:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-01 18:52 --------- d-----w C:\Program Files\InterActual
2007-07-06 22:29 104,408 -c----w C:\Documents and Settings\abdwybabe\Application Data\GDIPFONTCACHEV1.DAT
2007-04-20 16:06 2,726 -c----w C:\Documents and Settings\abdwybabe\Application Data\wklnhst.dat
2008-02-19 20:27 44,360 ----a-w C:\Program Files\mozilla firefox\plugins\atgpcdec.dll
2008-02-19 20:27 107,928 ----a-w C:\Program Files\mozilla firefox\plugins\atgpcext.dll
2007-01-13 05:40 88 --sh--r C:\WINDOWS\system32\20B77D9558.sys
2007-01-13 05:40 2,828 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-26_11.55.33.95 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-02-26 11:48:44 297,984 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\SP2QFE\msctf.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\updspapi.dll
- 2008-05-26 15:49:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-30 18:21:07 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-05-30\ERDNT.EXE
+ 2008-05-30 18:23:47 8,056,832 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-05-30\Users\00000001\NTUSER.DAT
+ 2008-05-30 18:23:48 1,515,520 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-05-30\Users\00000002\UsrClass.dat
+ 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\5-26-2008\ERDNT.EXE
+ 2008-05-26 20:37:36 8,056,832 ----a-w C:\WINDOWS\ERDNT\AutoBackup\5-26-2008\Users\00000001\NTUSER.DAT
+ 2008-05-26 20:37:36 1,515,520 ----a-w C:\WINDOWS\ERDNT\AutoBackup\5-26-2008\Users\00000002\UsrClass.dat
+ 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\5-27-2008\ERDNT.EXE
+ 2008-05-27 19:04:12 8,056,832 ----a-w C:\WINDOWS\ERDNT\AutoBackup\5-27-2008\Users\00000001\NTUSER.DAT
+ 2008-05-27 19:04:12 1,515,520 ----a-w C:\WINDOWS\ERDNT\AutoBackup\5-27-2008\Users\00000002\UsrClass.dat
+ 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\5-28-2008\ERDNT.EXE
+ 2008-05-28 10:05:59 8,056,832 ----a-w C:\WINDOWS\ERDNT\AutoBackup\5-28-2008\Users\00000001\NTUSER.DAT
+ 2008-05-28 10:06:00 1,515,520 ----a-w C:\WINDOWS\ERDNT\AutoBackup\5-28-2008\Users\00000002\UsrClass.dat
- 2000-08-31 12:00:00 73,728 ----a-w C:\WINDOWS\fdsv.exe
+ 2000-08-31 12:00:00 89,504 ----a-w C:\WINDOWS\fdsv.exe
+ 2008-02-26 11:59:50 294,912 ------w C:\WINDOWS\system32\dllcache\msctf.dll
- 2004-08-10 11:00:00 294,400 ----a-w C:\WINDOWS\system32\MSCTF.dll
+ 2008-02-26 11:59:50 294,912 ----a-w C:\WINDOWS\system32\msctf.dll
+ 2008-05-30 18:21:12 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5c0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00 15360]
"Performance Center"="C:\Program Files\Ascentive\Performance Center\APCMain.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-05-19 22:26 160592]
"AOL Fast Start"="C:\Program Files\AOL 9.1\AOL.exe" [2007-10-27 13:44 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 16:01 67584]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-14 01:44 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-14 01:41 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-14 01:45 118784]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-11-23 02:35 1392640]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 01:30 282624 C:\WINDOWS\stsystra.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 20:48 761947]
"HostManager"="C:\Program Files\Common Files\AOL\1168532354\ee\AOLSoftware.exe" [2007-05-25 13:16 42032]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 03:41 49152]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-04-25 13:31 333120]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

C:\Documents and Settings\abdwybabe\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-18 14:57:21 113664]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-01-03 00:59:26 24576]
Gomez PEER.lnk - C:\Program Files\Gomez\GomezPEER\bin\GomezPEER.exe [2008-04-19 23:57:58 61440]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22 288472]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1168532354\\ee\\aolsoftware.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\AOL 9.1\\waol.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 19:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 19:16]
S3 spotJ;Spot Software GPS USB Driver;C:\WINDOWS\system32\Drivers\spotJ.sys [2006-03-30 18:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77ef566d-a086-11dc-809b-00038a000015}]
\Shell\AutoRun\command - E:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c15b4285-ac25-11db-8a52-00038a000015}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-05-27 14:37:13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-27 01:12:17 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-30 14:22:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\AOL 9.1\waol.exe
C:\PROGRA~1\Gomez\GOMEZP~1\jre\bin\java.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\AOL 9.1\shellmon.exe
.
**************************************************************************
.
Completion time: 2008-05-30 14:28:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-30 18:28:36
ComboFix2.txt 2008-05-26 15:55:52

Pre-Run: 19,741,786,112 bytes free
Post-Run: 19,744,366,592 bytes free

238 --- E O F --- 2008-05-28 07:01:09




and here is the Hijackthis log....


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:37:21 PM, on 5/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\AOL\1168532354\ee\AOLSoftware.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\AOL 9.1\waol.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Gomez\GomezPEER\bin\GomezPEER.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Gomez\GOMEZP~1\jre\bin\java.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AOL 9.1\shellmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070102
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1168532354\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Performance Center] C:\Program Files\Ascentive\Performance Center\APCMain.exe -m
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Gomez PEER.lnk = C:\Program Files\Gomez\GomezPEER\bin\GomezPEER.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {9B7E79AC-A646-4e45-A70F-1B3981FE370E} - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinn...GamesLoader.cab
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/...ns.10.6.0.6.cab
O16 - DPF: {BE71A78B-77DB-451C-A761-59B37022D544} (AOL Newport Downloader Ctrl) - http://o.aolcdn.com/...ns.10.5.0.4.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10609 bytes

I will let you know if it still happens. Again thanks for all of your help.

:)

Edited by nanajanet, 30 May 2008 - 12:38 PM.

  • 0

#25
sarahw
Posted 01 June 2008 - 03:04 AM

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Hi,
Could you please uninstall then reinstall Spybot - Search and Destroy.

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK


  • Posted Image

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.


Tell me how the computer is running. Do you still see Adzgalore?
  • 0

Advertisements

#26
nanajanet
Posted 01 June 2008 - 06:41 PM

nanajanet

    Member

  • Topic Starter
  • Member
  • PipPip
  • 64 posts
Hi,

Did all you said, computer runs fine, but adzgalore is still there. In fact, right after I finished, one popped up. It's like roaches... can't kill it!

LOL
  • 0

#27
sarahw
Posted 02 June 2008 - 07:45 AM

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Can you please take a screenshot of what is happening?
When the window pops up press Print Screen or Prnt Scrn.
Open Paint, Press Ctrl V and resize it so that you only see the Adzgalore.
Save it and upload it here.
  • 0

#28
nanajanet
Posted 02 June 2008 - 08:22 AM

nanajanet

    Member

  • Topic Starter
  • Member
  • PipPip
  • 64 posts
I do screen shots all the time so that's easy. I will do as soon as one pops up. In the meantime, I ran Malwarebytes' Anti-Malware last night, just in case.

Thanks.
  • 0

#29
sarahw
Posted 09 June 2008 - 09:17 AM

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Can you upload one here please?
  • 0

#30
nanajanet
Posted 09 June 2008 - 10:08 AM

nanajanet

    Member

  • Topic Starter
  • Member
  • PipPip
  • 64 posts
Here it is.

Attached Thumbnails

  • Screen_Shot_Adzgalore_copy.jpg

  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP