
Infected with Dropper.Agent.9.AA [RESOLVED]



#1 Wbtonner (Member, 14 posts)
Hi, please help. I have been infected with Dropper.Agent.9.AA and Vundo. AVG detects them and pops up a threat detected widget, but Heal or Move to Vault does not work; they keep appearing. Two files appear in the C:\Windows\Temp\ dir, 3070qpuanv.exe and banner.exe. Before I started this process I tried to Restore to a previous restore point, but an error occurs with any restore point and says "Incomplete".

Additionally, I recently tried to upgrade my Flashplayer and, downloading from Adobe, it says install is complete, but I now cannot play anything that uses Flashplayer.

I have been through the "Before posting a HijackThis log" and below are the txt files. Please help me fix this. I await your guidance. Thank you.

Regards, Edward


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:14:55 PM, on 18/05/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HiJackThis\HijackThis.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webedge.bigpo...view?field=date
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: COM+ Event System EventSystemMSDTC (EventSystemMSDTC) - Unknown owner - C:\WINDOWS\System32\sfcj.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: IPSEC Services PolicyAgentRDSessMgr (PolicyAgentRDSessMgr) - Unknown owner - C:\WINDOWS\System32\MSRTEDITj.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 5432 bytes


Uninstall.lst

Ad-Aware SE Personal
Adobe Acrobat 6.0 Professional
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Help Center 1.0
Adobe Photoshop 6.0
Adobe Photoshop CS2
Adobe Shockwave Player
Adobe Stock Photos 1.0
Adobe SVG Viewer
Apple Software Update
AVG Free Edition
Canon PhotoRecord
Canon S820
Canon Utilities 3D-PhotoPrint
Canon Utilities Easy-PhotoPrint
Canon Utilities PhotoStitch 3.1
Canon Utilities ZoomBrowser EX
CleanUp!
DJ2000
e-tax 2006
e-tax 2007
HijackThis 2.0.2
InCD (Ahead Software)
iPod for Windows 2005-10-12
iTunes
Malwarebytes' Anti-Malware
Microsoft Office 2000 Professional
MP3 Filename Formatter
MYIE2 Browser (remove only)
Nero
NetComm NB1300 USB Network Adapter
OpenMG Limited Patch 4.1-05-13-31-01
OpenMG Secure Module 4.1.00
Outlook Express Backup
Panda ActiveScan 2.0
PIXELA ImageMixer
QuickTime
SAMSUNG CDMA Modem Driver Set
SAMSUNG Mobile Composite Device Software
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio 3
Skype 3.0
Skype Plugin Manager
SonicStage 3.0
Spybot - Search & Destroy 1.3
SUPERAntiSpyware Free Edition
Sysadm
Winamp (remove only)
Windows Driver Package - 2Wire (2WIREPCP) Net (09/18/2002 1.4.0.5)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
WinZip
ZoneAlarm
ZoneAlarm Spy Blocker

PandaScan:

;*******************************************************************************
ANALYSIS: 2008-05-18 19:14:43
PROTECTIONS: 0
MALWARE: 6
SUSPECTS: 0
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00005468 dialer.bb Dialers No 0 Yes No c:\windows\system32\dktibs.exe
00029036 adware/superspider Adware No 1 Yes No c:\windows\system.exe
00029036 adware/superspider Adware No 1 Yes No c:\windows\seksdialer.exe
00029424 adware/cws.searchmeup Adware No 1 Yes No c:\windows\mstasks1.exe
00029424 adware/cws.searchmeup Adware No 1 Yes No c:\windows\mstasks2.exe
00029424 adware/cws.searchmeup Adware No 1 Yes No c:\windows\mstasks3.exe
00029424 adware/cws.searchmeup Adware No 1 Yes No c:\windows\tool4.exe
00029424 adware/cws.searchmeup Adware No 1 Yes No c:\windows\tool5.exe
00029424 adware/cws.searchmeup Adware No 1 Yes No c:\windows\toolbar.exe
00029424 adware/cws.searchmeup Adware No 1 Yes No c:\windows\tool3.exe
00029424 adware/cws.searchmeup Adware No 1 Yes No c:\windows\kl.exe
00029424 adware/cws.searchmeup Adware No 1 Yes No c:\windows\tool1.exe
00029424 adware/cws.searchmeup Adware No 1 Yes No c:\windows\ms1.exe
00039192 adware/msxmidi Adware No 0 Yes No c:\windows\msxmidi.exe
00039204 adware/cws Adware No 0 Yes No c:\windows\system32\paytime.exe
00039204 adware/cws Adware No 0 Yes No c:\windows\tool2.exe
00324988 adware/webattaker Adware No 0 Yes No c:\windows\uniq
;===============================================================================
SUSPECTS
Sent Location
;===============================================================================
;===============================================================================
VULNERABILITIES
Id Severity Description
;===============================================================================
133387 MEDIUM MS06-065
133386 MEDIUM MS06-064



SUPERAntiSpyware Scan Log
Generated 05/18/2008 at 04:23 PM

Application Version : 3.6.1000

Core Rules Database Version : 3463
Trace Rules Database Version: 1454

Scan type : Complete Scan
Total Scan Time : 03:02:33

Memory items scanned : 341
Memory threats detected : 0
Registry items scanned : 4743
Registry threats detected : 0
File items scanned : 50872
File threats detected : 1

Trojan.SpySheriff
C:\WINDOWS\secure32.html



Malwarebytes' Anti-Malware 1.12
Database version: 760

Scan type: Quick Scan
Objects scanned: 35668
Time elapsed: 8 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0
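The O17 and O23 entries in the HijackThis log above are the ones that matter here: two resolver addresses injected into the TCP/IP parameters, and two services with no publisher running random-named binaries out of System32 under display names that imitate COM+ Event System and IPSEC Services. The following is an added example, not code from this thread or from any of the tools named in it: a small Python triage that parses those two HijackThis line types (sample lines copied from the log above) and flags them. The trusted-resolver allowlist and the lookalike table are assumptions to be adapted per machine.

```python
import re
from collections import Counter

# Constructed sample: O4/O17/O23 lines copied from the HijackThis log posted in this thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: COM+ Event System EventSystemMSDTC (EventSystemMSDTC) - Unknown owner - C:\WINDOWS\System32\sfcj.exe
O23 - Service: IPSEC Services PolicyAgentRDSessMgr (PolicyAgentRDSessMgr) - Unknown owner - C:\WINDOWS\System32\MSRTEDITj.exe
"""

# HijackThis line shapes: O17 = TCP/IP NameServer override, O23 = installed service.
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$"
)

# Genuine Windows XP service short names for the display names the rogue
# services in this log imitate. Assumed table; extend it for other lookalikes.
LOOKALIKE_SERVICES = {
    "COM+ Event System": "EventSystem",
    "IPSEC Services": "PolicyAgent",
}


def triage_hjt(log_text, trusted_dns=frozenset()):
    """Return (kind, value, line) findings for suspicious O17/O23 entries.

    trusted_dns: resolver IPs the analyst knows to be legitimate for this
    machine (ISP or router addresses). Anything else in an O17 line is flagged,
    which is how the 85.255.x.x DNS-changer entries in this thread stand out.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            for server in m["servers"].split():
                if server not in trusted_dns:
                    findings.append(("O17-dns", server, line))
            continue
        m = O23_RE.match(line)
        if not m:
            continue
        display, name, owner, path = m["display"], m["name"], m["owner"], m["path"]
        # A service with no publisher that runs straight out of System32 under
        # a random-looking image name (sfcj.exe, MSRTEDITj.exe) needs a look.
        if owner == "Unknown owner" and "\\system32\\" in path.lower():
            findings.append(("O23-unknown-owner", path, line))
        # The display name borrows a built-in service's name but the short
        # name is not the real one: masquerading to blend into the service list.
        for real_display, real_name in LOOKALIKE_SERVICES.items():
            if display.startswith(real_display) and name != real_name:
                findings.append(("O23-lookalike", name or display, line))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'O17-dns': 4, 'O23-unknown-owner': 2, ...}."""
    return dict(Counter(kind for kind, _, _ in findings))


if __name__ == "__main__":
    for kind, value, line in triage_hjt(SAMPLE_HJT):
        print(f"[{kind}] {value}\n    {line}")
    print(summarize(triage_hjt(SAMPLE_HJT)))
```

The FixWareout report later in the thread shows the same NameServer value being cleared, which is the remediation the O17 finding points at.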



#2 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Hello Wbtonner

Welcome to G2Go. :)
=====================
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    c:\windows\system32\dktibs.exe
    c:\windows\system.exe
    c:\windows\seksdialer.exe
    c:\windows\mstasks1.exe
    c:\windows\mstasks2.exe
    c:\windows\mstasks3.exe
    c:\windows\tool4.exe
    c:\windows\tool5.exe
    c:\windows\toolbar.exe
    c:\windows\tool3.exe
    c:\windows\kl.exe
    c:\windows\tool1.exe
    c:\windows\ms1.exe
    c:\windows\msxmidi.exe
    c:\windows\system32\paytime.exe
    c:\windows\tool2.exe
    c:\windows\uniq
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
==================================
After that

Please download FixWareout from here:
http://downloads.sub.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads, please post the text that will open (report.txt).
======================
Then:

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#3 Wbtonner (Topic Starter, Member, 14 posts)
Kahdah, thank you for the prompt reply. I have done as requested and here are the txt files:

c:\windows\system32\dktibs.exe moved successfully.
c:\windows\system.exe moved successfully.
c:\windows\seksdialer.exe moved successfully.
c:\windows\mstasks1.exe moved successfully.
c:\windows\mstasks2.exe moved successfully.
c:\windows\mstasks3.exe moved successfully.
c:\windows\tool4.exe moved successfully.
c:\windows\tool5.exe moved successfully.
c:\windows\toolbar.exe moved successfully.
c:\windows\tool3.exe moved successfully.
c:\windows\kl.exe moved successfully.
c:\windows\tool1.exe moved successfully.
c:\windows\ms1.exe moved successfully.
c:\windows\msxmidi.exe moved successfully.
c:\windows\system32\paytime.exe moved successfully.
c:\windows\tool2.exe moved successfully.
c:\windows\uniq moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05192008_000144


Username "Woody" - 19/05/2008 0:05:08 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.113.90 85.255.112.5" <Value cleared.

Successfully flushed the DNS Resolver Cache.
System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}96ED3ED36026-4FEA-1154-110E-DB5A19F2{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}9A74965CA337-B31A-C034-964E-8FA15A56{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}B037C052F96F-7228-83D4-4F72-57864F4F{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}DAC5EF7FC2F5-B769-9424-ED0B-A257AA09{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}4B00897AEB1A-AA7B-80E4-366C-E6F513A3{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}FCFED3513601-470A-92E4-9538-502F894C{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}E0322A6C0EB4-2B6A-8F14-1703-D8CA1837{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}914474331B02-1B7B-14C4-A8C8-EF23CD62{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}1440812A6C26-F1A9-FD84-E5B4-0FADBB82{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}E210E65BEBA7-59E8-AB94-0E8F-EB211D39{" Deleted
....
~~~~~ Misc files.
C:\WINDOWS\System32\kernel32.exe Deleted
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot\\Spybot - Search & Destroy\\TeaTimer.exe"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~



Deckard's System Scanner v20071014.68
Run by Woody on 2008-05-19 00:15:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
35: 2008-05-19 07:15:40 UTC - RP671 - Deckard's System Scanner Restore Point
34: 2008-05-18 20:09:37 UTC - RP670 - Installed SUPERAntiSpyware Free Edition
33: 2008-05-18 19:52:07 UTC - RP669 - Dropper
32: 2008-05-18 19:11:39 UTC - RP668 - Restore Operation
31: 2008-05-17 23:18:10 UTC - RP667 - System Checkpoint


-- First Restore Point --
1: 2008-03-18 23:00:07 UTC - RP637 - Restore Operation


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as Woody.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:17:04 AM, on 19/05/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Documents and Settings\Woody\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Woody.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webedge.bigpo...view?field=date
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: COM+ Event System EventSystemMSDTC (EventSystemMSDTC) - Unknown owner - C:\WINDOWS\System32\sfcj.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: IPSEC Services PolicyAgentRDSessMgr (PolicyAgentRDSessMgr) - Unknown owner - C:\WINDOWS\System32\MSRTEDITj.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 5257 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 BsStor (InCD Storage Helper Driver) - c:\windows\system32\drivers\bsstor.sys <Not Verified; B.H.A Co.,Ltd.; >
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R1 StarOpen - c:\windows\system32\drivers\staropen.sys
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 CnxTrLan (NetComm USB Network Adapter Driver) - c:\windows\system32\drivers\cnxtrlan.sys <Not Verified; Conexant; Conexant USB Network Device>
S3 CnxTrUsb (NetComm USB Network Interface Device Driver) - c:\windows\system32\drivers\cnxtrusb.sys <Not Verified; Conexant; Conexant USB Network Device>
S3 TFBULK (Topfield USB client driver) - c:\windows\system32\drivers\tfbulk.sys <Not Verified; Topfield Co., Ltd.; >
S4 BsUDF (InCD UDF Driver) - c:\windows\system32\drivers\bsudf.sys <Not Verified; ahead software; UDF File System Driver (WindowsXP)>
S4 st3wolf - c:\windows\system32\drivers\st3wolf.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 EventSystemMSDTC (COM+ Event System EventSystemMSDTC) - c:\windows\system32\sfcj.exe srv
S2 PolicyAgentRDSessMgr (IPSEC Services PolicyAgentRDSessMgr) - c:\windows\system32\msrteditj.exe srv


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-19 00:00:02 350 --a------ C:\WINDOWS\Tasks\At25.job
2008-05-19 00:00:02 350 --a------ C:\WINDOWS\Tasks\At1.job
2008-05-18 23:00:02 350 --a------ C:\WINDOWS\Tasks\At48.job
2008-05-18 23:00:02 350 --a------ C:\WINDOWS\Tasks\At24.job
2008-05-18 22:00:02 350 --a------ C:\WINDOWS\Tasks\At47.job
2008-05-18 22:00:02 350 --a------ C:\WINDOWS\Tasks\At23.job
2008-05-18 21:00:02 350 --a------ C:\WINDOWS\Tasks\At46.job
2008-05-18 21:00:02 350 --a------ C:\WINDOWS\Tasks\At22.job
2008-05-18 20:00:02 350 --a------ C:\WINDOWS\Tasks\At45.job
2008-05-18 20:00:02 350 --a------ C:\WINDOWS\Tasks\At21.job
2008-05-18 19:00:02 350 --a------ C:\WINDOWS\Tasks\At44.job
2008-05-18 19:00:02 350 --a------ C:\WINDOWS\Tasks\At20.job
2008-05-18 18:00:02 350 --a------ C:\WINDOWS\Tasks\At43.job
2008-05-18 18:00:02 350 --a------ C:\WINDOWS\Tasks\At19.job
2008-05-18 17:00:02 350 --a------ C:\WINDOWS\Tasks\At42.job
2008-05-18 17:00:02 350 --a------ C:\WINDOWS\Tasks\At18.job
2008-05-18 16:00:02 350 --a------ C:\WINDOWS\Tasks\At41.job
2008-05-18 16:00:02 350 --a------ C:\WINDOWS\Tasks\At17.job
2008-05-18 15:00:02 350 --a------ C:\WINDOWS\Tasks\At40.job
2008-05-18 15:00:02 350 --a------ C:\WINDOWS\Tasks\At16.job
2008-05-18 14:00:02 350 --a------ C:\WINDOWS\Tasks\At39.job
2008-05-18 14:00:02 350 --a------ C:\WINDOWS\Tasks\At15.job
2008-05-18 13:00:02 350 --a------ C:\WINDOWS\Tasks\At38.job
2008-05-18 13:00:02 350 --a------ C:\WINDOWS\Tasks\At14.job
2008-05-18 12:00:02 350 --a------ C:\WINDOWS\Tasks\At37.job
2008-05-18 12:00:02 350 --a------ C:\WINDOWS\Tasks\At13.job
2008-05-18 11:00:04 350 --a------ C:\WINDOWS\Tasks\At36.job
2008-05-18 11:00:04 350 --a------ C:\WINDOWS\Tasks\At12.job
2008-05-18 10:00:02 350 --a------ C:\WINDOWS\Tasks\At35.job
2008-05-18 10:00:02 350 --a------ C:\WINDOWS\Tasks\At11.job
2008-05-16 09:00:02 350 --a------ C:\WINDOWS\Tasks\At34.job
2008-05-16 09:00:02 350 --a------ C:\WINDOWS\Tasks\At10.job
2008-05-16 08:00:02 350 --a------ C:\WINDOWS\Tasks\At9.job
2008-05-16 08:00:02 350 --a------ C:\WINDOWS\Tasks\At33.job
2008-05-05 11:56:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-04-19 07:00:02 350 --a------ C:\WINDOWS\Tasks\At8.job
2008-04-19 07:00:02 350 --a------ C:\WINDOWS\Tasks\At32.job
2008-04-19 06:00:02 350 --a------ C:\WINDOWS\Tasks\At7.job
2008-04-19 06:00:02 350 --a------ C:\WINDOWS\Tasks\At31.job
2008-04-06 05:00:02 350 --a------ C:\WINDOWS\Tasks\At30.job
2008-04-06 05:00:00 350 --a------ C:\WINDOWS\Tasks\At6.job
2008-04-06 04:00:02 350 --a------ C:\WINDOWS\Tasks\At29.job
2008-04-06 04:00:00 350 --a------ C:\WINDOWS\Tasks\At5.job
2008-04-06 03:00:02 350 --a------ C:\WINDOWS\Tasks\At4.job
2008-04-06 03:00:02 350 --a------ C:\WINDOWS\Tasks\At3.job
2008-04-06 03:00:02 350 --a------ C:\WINDOWS\Tasks\At28.job
2008-04-06 03:00:02 350 --a------ C:\WINDOWS\Tasks\At27.job
2008-04-06 01:00:02 350 --a------ C:\WINDOWS\Tasks\At26.job
2008-04-06 01:00:00 350 --a------ C:\WINDOWS\Tasks\At2.job


-- Files created between 2008-04-19 and 2008-05-19 -----------------------------

2008-05-18 16:54:08 0 d-------- C:\Program Files\Panda Security
2008-05-18 13:09:51 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-18 13:09:38 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-18 13:09:38 0 d-------- C:\Documents and Settings\Woody\Application Data\SUPERAntiSpyware.com
2008-05-18 13:08:52 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-16 12:05:04 37888 -r-hs---- C:\WINDOWS\System32\sfcj.exe
2008-05-16 12:01:12 0 d-------- C:\Documents and Settings\Woody\Application Data\Malwarebytes
2008-05-16 12:00:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-16 12:00:24 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-16 11:53:20 0 d--h----- C:\WINDOWS\PIF
2008-05-16 11:21:40 250 --a------ C:\WINDOWS\System32\usmtc.sys
2008-05-16 08:47:08 23552 --ahs---- C:\WINDOWS\System32\1025t.dll
2008-05-16 08:45:42 290 --a-s---- C:\WINDOWS\System32\453846133.dat
2008-05-16 08:44:46 37888 -r-hs---- C:\WINDOWS\System32\MSRTEDITj.exe
2008-04-19 09:43:27 0 d-------- C:\Program Files\Patrick Computer Services


-- Find3M Report ---------------------------------------------------------------

2008-05-16 07:35:24 2068 --a------ C:\WINDOWS\System32\d3d9caps.dat
2008-04-06 06:30:06 4212 ---h----- C:\WINDOWS\System32\zllictbl.dat
2008-04-05 18:04:08 0 d-------- C:\Documents and Settings\Woody\Application Data\iolo


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [21/12/2007 05:13 PM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [14/11/2007 04:05 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [27/04/2007 09:41 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [27/04/2007 11:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [29/08/2002 03:41 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot\Spybot - Search & Destroy\TeaTimer.exe" [12/05/2004 01:03 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [27/02/2007 11:39 AM]

C:\Documents and Settings\Woody\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2/10/2003 6:59:32 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [17/02/1999 3:05:56 AM]
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2/10/2003 6:59:32 PM]
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [15/05/2003 1:19:50 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispScrSavPage"=0
"NoDispAppearancePage "=0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 27/02/2007 11:39 AM 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-05-19 00:18:09 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 1.0
Architecture: X86; Language: English

CPU 0: AMD Duron™ processor
Percentage of Memory in Use: 58%
Physical Memory (total/avail): 255.48 MiB / 104.79 MiB
Pagefile Memory (total/avail): 2665.88 MiB / 2389.61 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1955.61 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 18.63 GiB total, 8.77 GiB free.
D: is CDROM (No Media)
E: is Fixed (NTFS) - 111.79 GiB total, 27.35 GiB free.
F: is CDROM (No Media)

\\.\PHYSICALDRIVE1 - ST3120022A - 111.79 GiB - 1 partition
\PARTITION0 - Installable File System - 111.79 GiB - E:

\\.\PHYSICALDRIVE0 - WDC WD200BB-00DEA0 - 18.65 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 18.64 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Woody\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=WOODY-JOELLE
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Woody
LOGONSERVER=\\WOODY-JOELLE
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Program Files\Common Files\Adobe\AGL;"C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier";C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Samsung\Samsung PC Studio 3\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 7 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0700
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Woody\LOCALS~1\Temp
TMP=C:\DOCUME~1\Woody\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=WOODY-JOELLE
USERNAME=Woody
USERPROFILE=C:\Documents and Settings\Woody
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Woody (admin)
Other Users
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\bsw.exe /UNINSTALL
--> C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
--> Dummy
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88E5FCB8-5F25-11D5-B16F-0800460222F0}\setup.exe" -l0x9 UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D76298C2-E532-4A11-BCFF-76F3F19DA84D}\setup.exe" UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\LAVASOFT\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\LAVASOFT\AD-AWA~1\INSTALL.LOG
Adobe Acrobat 6.0 Professional --> MsiExec.exe /I{AC76BA86-1033-0000-7760-000000000001}
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop 6.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 6.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 6.0\Uninst.dll"
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Shockwave Player --> C:\WINDOWS\system32\ADOBE\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\ADOBE\SHOCKW~1\INSTALL.LOG
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
Adobe SVG Viewer --> C:\WINDOWS\IsUninst.exe -f"C:\WINDOWS\System32\Adobe\SVG Viewer\Uninst.isu"
Apple Software Update --> MsiExec.exe /I{A260B422-70E1-41E2-957D-F76FA21266D5}
AVG Free Edition --> C:\Program Files\Grisoft\AVG Free\setup.exe /UNINSTALL
Canon PhotoRecord --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\PhotoRecord\Uninst.isu" -c"C:\Program Files\Canon\PhotoRecord\Program\uninstdll.dll"
Canon S820 --> C:\WINDOWS\System32\CNMCP3K.EXE -@C:\WINDOWS\IsUninst.exe -f"C:\BJPrinter\CNMWINDOWS\Canon S820 Installer\Inst\DeIsL1.isu" -pCanon S820-c"C:\BJPrinter\CNMWINDOWS\Canon S820 Installer\Inst\bjinst.dll
Canon Utilities 3D-PhotoPrint --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Canon\3D-PhotoPrint\Uninst.isu" -c"C:\Program Files\Canon\3D-PhotoPrint\3DUNINST.DLL"
Canon Utilities Easy-PhotoPrint --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Canon\Easy-PhotoPrint\Uninst.isu" -c"C:\Program Files\Canon\Easy-PhotoPrint\EZUNINST.DLL"
Canon Utilities PhotoStitch 3.1 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\PhotoStitch\Uninst.isu"
Canon Utilities ZoomBrowser EX --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\ZoomBrowser EX\Uninst.isu" -c"C:\Program Files\Canon\ZoomBrowser EX\Program\uninstallutilities.dll"
CleanUp! --> C:\Program Files\CleanUp!\uninstall.exe
DJ2000 --> C:\PROGRA~1\DJ2000\UNWISE.EXE C:\PROGRA~1\DJ2000\INSTALL.LOG
e-tax 2006 --> C:\Program Files\etax\etax_2006\etax2006\e-tax 2006_uninstall.exe
e-tax 2007 --> C:\Program Files\etax\etax_2007\etax2007\e-tax 2007_uninstall.exe
HijackThis 2.0.2 --> "C:\Documents and Settings\Woody\Local Settings\Temp\Temporary Directory 1 for HiJackThis.zip\HijackThis.exe" /uninstall
InCD (Ahead Software) --> C:\WINDOWS\NuNInst.exe /UNINSTALL
iPod for Windows 2005-10-12 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{D9F4A9F8-92C5-4289-9D04-F0F8F02D580A} /l1033
iTunes --> MsiExec.exe /I{3592F5CB-B524-43AA-92F2-2377268199CC}
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office 2000 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
MP3 Filename Formatter --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Patrick Computer Services\MP3 Filename Formatter\DeIsL1.isu" -c"C:\Program Files\Patrick Computer Services\MP3 Filename Formatter\_ISREG32.DLL"
MYIE2 Browser (remove only) --> C:\Program Files\MYIE2\MYIE2UINST.exe
Nero --> MsiExec.exe /X{A4D7B764-4140-11D4-88EB-0050DA3579C0}
NetComm NB1300 USB Network Adapter --> C:\Program Files\NetComm\NetComm USB Network\CnxUnist.exe -w7 NetComm\NetComm USB Network
OpenMG Limited Patch 4.1-05-13-31-01 --> C:\Program Files\Common Files\Sony Shared\OpenMG\HotFixes\HotFix4.1-05-13-31-01\HotFixSetup\setup.exe /u
OpenMG Secure Module 4.1.00 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{2F151B50-B434-4838-B51D-70442EBA093E} UNINSTALL
Outlook Express Backup --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6D8DDC7F-77E9-448C-B67A-C7617A8F2122}\setup.exe" anything
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
PIXELA ImageMixer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{13413C6C-C640-40B8-917E-CA3062826B18}\setup.exe"
QuickTime --> MsiExec.exe /I{08094E03-AFE4-4853-9D31-6D0743DF5328}
SAMSUNG CDMA Modem Driver Set --> C:\WINDOWS\System32\Samsung_USB_Drivers\3\SSCDUninstall.exe
SAMSUNG Mobile Composite Device Software --> C:\WINDOWS\System32\Samsung_USB_Drivers\6\SSBCUninstall.exe
Samsung Mobile phone USB driver Software --> C:\WINDOWS\System32\Samsung_USB_Drivers\5\SSSDUninstall.exe
SAMSUNG Mobile USB Modem 1.0 Software --> C:\WINDOWS\System32\Samsung_USB_Drivers\1\SS_Uninstall.exe
SAMSUNG Mobile USB Modem Software --> C:\WINDOWS\System32\Samsung_USB_Drivers\2\SSM_Uninstall.exe
Samsung PC Studio 3 --> "C:\Program Files\InstallShield Installation Information\{C4A4722E-79F9-417C-BD72-8D359A090C97}\setup.exe" -runfromtemp -l0x0009 -removeonly
Skype 3.0 --> "C:\Program Files\Skype\Phone\unins000.exe"
Skype Plugin Manager --> MsiExec.exe /I{3D5E5C0A-5B36-4F98-99A7-287F7DBDCE03}
SonicStage 3.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A0EB195B-5876-48E6-879D-33D4B2102610}\setup.exe" -l0x9 UNINSTALL -removeonly
Spybot - Search & Destroy 1.3 --> "C:\Program Files\Spybot\Spybot - Search & Destroy\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Sysadm --> C:\WINDOWS\uninst.exe -fC:\BMW95\sysadm\uninst\DeIsL2.isu
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Driver Package - 2Wire (2WIREPCP) Net (09/18/2002 1.4.0.5) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\DPInst.exe /u C:\WINDOWS\System32\DRVSTORE\2wirepcp_69FADC00605194186DA779D20303F74BFB7E55F3\2wirepcp.inf
WinZip --> C:\Program Files\WinZip\WINZIP32.EXE /uninstall
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe
ZoneAlarm Spy Blocker --> rundll32 C:\PROGRA~1\ZONEAL~1\bar\1.bin\SpyBlock.dll,O


-- Application Event Log -------------------------------------------------------

Event Record #/Type10309 / Error
Event Submitted/Written: 05/16/2008 09:17:23 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application myie.exe, version 0.9.27.68, faulting module ole32.dll, version 5.1.2600.1106, fault address 0x00012597.

Event Record #/Type10308 / Error
Event Submitted/Written: 05/16/2008 08:52:17 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application MyIE.exe, version 0.9.27.68, hang module jscript.dll, version 5.6.0.6626, hang address 0x0000d220.

Event Record #/Type10180 / Error
Event Submitted/Written: 05/05/2008 00:08:26 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application myie.exe, version 0.9.27.68, faulting module mshtml.dll, version 6.0.2800.1106, fault address 0x000be241.

Event Record #/Type10179 / Error
Event Submitted/Written: 05/05/2008 11:53:11 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application myie.exe, version 0.9.27.68, faulting module mshtml.dll, version 6.0.2800.1106, fault address 0x000be241.

Event Record #/Type10152 / Error
Event Submitted/Written: 05/04/2008 10:45:21 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application MyIE.exe, version 0.9.27.68, hang module jscript.dll, version 5.6.0.6626, hang address 0x00006d36.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type73292 / Error
Event Submitted/Written: 05/17/2008 03:53:13 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The TrueVector Internet Monitor service failed to start due to the following error:
%%1053

Event Record #/Type73291 / Error
Event Submitted/Written: 05/17/2008 03:53:13 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the TrueVector Internet Monitor service to connect.

Event Record #/Type73290 / Error
Event Submitted/Written: 05/17/2008 03:53:10 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The TrueVector Internet Monitor service failed to start due to the following error:
%%1053

Event Record #/Type73289 / Error
Event Submitted/Written: 05/17/2008 03:53:10 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the TrueVector Internet Monitor service to connect.

Event Record #/Type73288 / Error
Event Submitted/Written: 05/17/2008 03:53:08 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The TrueVector Internet Monitor service failed to start due to the following error:
%%1053



-- End of Deckard's System Scanner: finished at 2008-05-19 00:18:09 ------------

#4
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
You are welcome :)
===================
Please visit this web page for instructions for downloading and running ComboFix: ComboFix Instructions
We now suggest that you install the Windows Recovery Console.
The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Post the log from ComboFix when you've accomplished all of that, along with a new HijackThis log.

#5
Wbtonner

Wbtonner

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hi kahdah

There will probably be delays between us due to me being in Australia and you in the US.

Here are the ComboFix and HijackThis logs.

ComboFix 08-05-15.3 - Woody 2008-05-19 8:06:23.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.98 [GMT -7:00]
Running from: C:\Documents and Settings\Woody\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Woody\Desktop\winxpsp1_en_pro_bf.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\hosts
C:\WINDOWS\Temp\4913101.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NTMLSVC
-------\Service_NtmlSvc


((((((((((((((((((((((((( Files Created from 2008-04-19 to 2008-05-19 )))))))))))))))))))))))))))))))
.

2008-05-19 08:05 . 2008-05-19 08:05 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-19 00:15 . 2008-05-19 00:15 <DIR> d-------- C:\Deckard
2008-05-19 00:04 . 2008-05-19 00:04 <DIR> d-------- C:\fixwareout
2008-05-19 00:01 . 2008-05-19 00:01 <DIR> d-------- C:\_OTMoveIt
2008-05-18 16:54 . 2008-05-18 16:54 <DIR> d-------- C:\Program Files\Panda Security
2008-05-18 13:09 . 2008-05-18 13:09 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-18 13:09 . 2008-05-18 13:09 <DIR> d-------- C:\Documents and Settings\Woody\Application Data\SUPERAntiSpyware.com
2008-05-18 13:09 . 2008-05-18 13:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-18 13:08 . 2008-05-18 13:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-16 12:05 . 2008-05-16 12:05 37,888 -r-hs---- C:\WINDOWS\system32\sfcj.exe
2008-05-16 12:01 . 2008-05-16 12:01 <DIR> d-------- C:\Documents and Settings\Woody\Application Data\Malwarebytes
2008-05-16 12:00 . 2008-05-16 12:00 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-16 12:00 . 2008-05-16 12:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-16 12:00 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-16 12:00 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-16 11:53 . 2008-05-16 11:53 <DIR> d--h----- C:\WINDOWS\PIF
2008-05-16 11:21 . 2008-05-16 11:21 250 --a------ C:\WINDOWS\system32\usmtc.sys
2008-05-16 08:47 . 2008-05-16 08:47 23,552 --ahs---- C:\WINDOWS\system32\1025t.dll
2008-05-16 08:45 . 2008-05-19 07:44 369 --a-s---- C:\WINDOWS\system32\453846133.dat
2008-05-16 08:44 . 2008-05-16 08:44 37,888 -r-hs---- C:\WINDOWS\system32\MSRTEDITj.exe
2008-04-19 09:43 . 2008-04-19 09:43 <DIR> d-------- C:\Program Files\Patrick Computer Services
2008-04-19 09:43 . 1999-10-28 21:09 60,416 --a------ C:\WINDOWS\system32\EZYID3PRO2.OCX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-19 15:11 41,007,106 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-04-06 01:04 --------- d-----w C:\Documents and Settings\Woody\Application Data\iolo
2008-04-06 01:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\iolo
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2007-12-15 08:20 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 03:41 13312]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-21 17:13 579072]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 11:25 257088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 03:41 13312]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 17:14 219136]

C:\Documents and Settings\Woody\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-10-02 18:59:32 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 03:05:56 65588]
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-10-02 18:59:32 113664]
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50 217193]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage "= 0

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\System32\DRIVERS\bsstor.sys [2002-05-01 09:05]
S2 EventSystemMSDTC;COM+ Event System EventSystemMSDTC;C:\WINDOWS\System32\sfcj.exe [2008-05-16 12:05]
S2 PolicyAgentRDSessMgr;IPSEC Services PolicyAgentRDSessMgr;C:\WINDOWS\System32\MSRTEDITj.exe [2008-05-16 08:44]
S3 TFBULK;Topfield USB client driver;C:\WINDOWS\System32\drivers\TfBulk.sys [2003-08-26 14:11]
S4 BsUDF;InCD UDF Driver;C:\WINDOWS\System32\drivers\BsUDF.sys [2002-05-22 20:36]
S4 st3wolf;st3wolf;C:\WINDOWS\System32\DRIVERS\st3wolf.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-05 18:56:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-19 07:00:02 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\System32\tLaGG25q.exe
"2008-04-06 08:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\System32\tLaGG25q.exe
"2008-04-06 10:00:02 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\System32\tLaGG25q.exe
"2008-04-06 10:00:02 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\System32\tLaGG25q.exe
"2008-04-06 11:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\System32\tLaGG25q.exe
"2008-04-06 12:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\System32\tLaGG25q.exe
"2008-04-19 13:00:02 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\System32\tLaGG25q.exe
"2008-04-19 14:00:02 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\System32\tLaGG25q.exe
"2008-05-19 15:00:02 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\System32\tLaGG25q.exe
"2008-05-16 16:00:02 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\System32\tLaGG25q.exe
"2008-05-18 17:00:02 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\System32\tLaGG25q.exe
"2008-05-18 18:00:04 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\System32\tLaGG25q.exe
"2008-05-18 19:00:02 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\System32\tLaGG25q.exe
"2008-05-18 20:00:02 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\System32\tLaGG25q.exe
"2008-05-18 21:00:02 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\System32\tLaGG25q.exe
"2008-05-18 22:00:02 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\System32\tLaGG25q.exe
"2008-05-18 23:00:02 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\System32\tLaGG25q.exe
"2008-05-19 00:00:02 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\System32\tLaGG25q.exe
"2008-05-19 01:00:02 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\System32\tLaGG25q.exe
"2008-05-19 02:00:02 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\System32\tLaGG25q.exe
"2008-05-19 03:00:02 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\System32\tLaGG25q.exe
"2008-05-19 04:00:02 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\System32\tLaGG25q.exe
"2008-05-19 05:00:02 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\System32\tLaGG25q.exe
"2008-05-19 06:00:02 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\System32\tLaGG25q.exe
"2008-05-19 07:00:02 C:\WINDOWS\Tasks\At25.job"
- C:\WINDOWS\System32\8GX8d172.exe
"2008-04-06 08:00:02 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\System32\8GX8d172.exe
"2008-04-06 10:00:02 C:\WINDOWS\Tasks\At27.job"
- C:\WINDOWS\System32\8GX8d172.exe
"2008-04-06 10:00:02 C:\WINDOWS\Tasks\At28.job"
- C:\WINDOWS\System32\8GX8d172.exe
"2008-04-06 11:00:02 C:\WINDOWS\Tasks\At29.job"
- C:\WINDOWS\System32\8GX8d172.exe
"2008-04-06 12:00:02 C:\WINDOWS\Tasks\At30.job"
- C:\WINDOWS\System32\8GX8d172.exe
"2008-04-19 13:00:02 C:\WINDOWS\Tasks\At31.job"
- C:\WINDOWS\System32\8GX8d172.exe
"2008-04-19 14:00:02 C:\WINDOWS\Tasks\At32.job"
- C:\WINDOWS\System32\8GX8d172.exe
"2008-05-19 15:00:02 C:\WINDOWS\Tasks\At33.job"
- C:\WINDOWS\System32\8GX8d172.exe
"2008-05-16 16:00:02 C:\WINDOWS\Tasks\At34.job"
- C:\WINDOWS\System32\8GX8d172.exe
"2008-05-18 17:00:02 C:\WINDOWS\Tasks\At35.job"
- C:\WINDOWS\System32\8GX8d172.exe
"2008-05-18 18:00:04 C:\WINDOWS\Tasks\At36.job"
- C:\WINDOWS\System32\8GX8d172.exe
"2008-05-18 19:00:02 C:\WINDOWS\Tasks\At37.job"
- C:\WINDOWS\System32\8GX8d172.exe
"2008-05-18 20:00:02 C:\WINDOWS\Tasks\At38.job"
- C:\WINDOWS\System32\8GX8d172.exe
"2008-05-18 21:00:02 C:\WINDOWS\Tasks\At39.job"
- C:\WINDOWS\System32\8GX8d172.exe
"2008-05-18 22:00:02 C:\WINDOWS\Tasks\At40.job"
- C:\WINDOWS\System32\8GX8d172.exe
"2008-05-18 23:00:02 C:\WINDOWS\Tasks\At41.job"
- C:\WINDOWS\System32\8GX8d172.exe
"2008-05-19 00:00:02 C:\WINDOWS\Tasks\At42.job"
- C:\WINDOWS\System32\8GX8d172.exe
"2008-05-19 01:00:02 C:\WINDOWS\Tasks\At43.job"
- C:\WINDOWS\System32\8GX8d172.exe
"2008-05-19 02:00:02 C:\WINDOWS\Tasks\At44.job"
- C:\WINDOWS\System32\8GX8d172.exe
"2008-05-19 03:00:02 C:\WINDOWS\Tasks\At45.job"
- C:\WINDOWS\System32\8GX8d172.exe
"2008-05-19 04:00:02 C:\WINDOWS\Tasks\At46.job"
- C:\WINDOWS\System32\8GX8d172.exe
"2008-05-19 05:00:02 C:\WINDOWS\Tasks\At47.job"
- C:\WINDOWS\System32\8GX8d172.exe
"2008-05-19 06:00:02 C:\WINDOWS\Tasks\At48.job"
- C:\WINDOWS\System32\8GX8d172.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-19 08:12:48
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGUPSVC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\WINDOWS\SYSTEM32\WDFMGR.EXE
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-05-19 8:15:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-19 15:15:36

Pre-Run: 9,329,033,216 bytes free
Post-Run: 9,277,652,992 bytes free

winxpsp1_en_pro_bf.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

218


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:19:23 AM, on 19/05/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\MyIE2\MyIE.exe
C:\Program Files\HiJackThis\HijackThis.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webedge.bigpo...view?field=date
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: COM+ Event System EventSystemMSDTC (EventSystemMSDTC) - Unknown owner - C:\WINDOWS\System32\sfcj.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: IPSEC Services PolicyAgentRDSessMgr (PolicyAgentRDSessMgr) - Unknown owner - C:\WINDOWS\System32\MSRTEDITj.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 5507 bytes

#6
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
1. Please open Notepad
  • Click Start, then Run
  • Type notepad in the Run box, then hit OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\sfcj.exe
C:\WINDOWS\system32\usmtc.sys
C:\WINDOWS\system32\MSRTEDITj.exe
C:\WINDOWS\System32\tLaGG25q.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\System32\8GX8d172.exe
Driver::
EventSystemMSDTC
PolicyAgentRDSessMgr


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

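Added example, not part of kahdah's post and not code from HijackThis or ComboFix: two things single out the bad entries targeted by the CFScript above. First, the O23 service whose image lives under C:\WINDOWS with no vendor string ("Unknown owner") and whose short name is two genuine Windows service names glued together (PolicyAgent + RDSessMgr here; EventSystem + MSDTC is the same trick in the Driver:: section). Second, 48 consecutive At<N>.job files, which is what at.exe leaves behind when a payload schedules itself to re-launch around the clock. The Python below applies exactly those two checks to a HijackThis log and a Tasks listing. Assumptions: KNOWN_XP_SERVICES is a hand-picked list for illustration, both rules are triage heuristics rather than a verdict, the O23 sample lines are copied from the log earlier in this thread, and the Tasks list is reconstructed from the CFScript's FILE:: section.

```python
"""Triage of HijackThis O23 (service) lines and a Windows Tasks listing.
Added example for this thread; not code from the post, HijackThis or ComboFix."""
import re
from dataclasses import dataclass
from itertools import permutations
from typing import Optional

# Assumption: a small hand-picked set of genuine Windows XP service short
# names.  A real tool would load the full inventory from a known-clean box.
KNOWN_XP_SERVICES = {"PolicyAgent", "RDSessMgr", "EventSystem", "MSDTC",
                     "Schedule", "wuauserv", "Eventlog", "RpcSs"}

# HijackThis format: O23 - Service: <display> (<short>) - <owner> - <image>
# The "(<short>)" part is omitted when short and display names coincide.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.*?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.*?) - (?P<path>.+)$")


@dataclass
class Service:
    display: str
    short: str
    owner: str
    path: str


def parse_o23(line: str) -> Optional[Service]:
    """Parse one O23 line; return None for any other HijackThis line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return Service(m["display"], m["short"] or m["display"], m["owner"], m["path"])


def mimics_known_services(short: str):
    """(a, b) if `short` is exactly two genuine service names glued together
    (PolicyAgent + RDSessMgr, EventSystem + MSDTC), else None."""
    for a, b in permutations(sorted(KNOWN_XP_SERVICES), 2):
        if short == a + b:
            return (a, b)
    return None


def suspicious_services(lines):
    """Return [(short_name, [reasons])] for every O23 line that trips a rule."""
    findings = []
    for line in lines:
        svc = parse_o23(line)
        if svc is None:
            continue
        reasons = []
        # HijackThis prints "Unknown owner" when the image carries no company
        # version string.  A vendor-less binary living under %WINDIR% is the
        # first thing to look at: Microsoft's own service binaries are stamped.
        if svc.owner == "Unknown owner" and "\\windows\\" in svc.path.lower():
            reasons.append("unknown-owner-in-windows-dir")
        if mimics_known_services(svc.short):
            reasons.append("name-mimics-known-services")
        if reasons:
            findings.append((svc.short, reasons))
    return findings


def at_job_sweep(task_paths, threshold=5):
    """Sorted numbers of At<N>.job files in a Tasks listing.  A long run of
    them (At1..At48 in this thread) is what `at.exe` leaves behind when a
    payload schedules itself to re-launch around the clock.  Returns [] when
    fewer than `threshold` are present, so a single hand-made job is ignored."""
    nums = []
    for p in task_paths:
        m = re.search(r"\\At(\d+)\.job$", p, re.IGNORECASE)
        if m:
            nums.append(int(m.group(1)))
    nums.sort()
    return nums if len(nums) >= threshold else []


# Sample input: four O23 lines copied from the HijackThis log in this thread.
SAMPLE_O23 = [
    r"O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe",
    r"O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe",
    r"O23 - Service: IPSEC Services PolicyAgentRDSessMgr (PolicyAgentRDSessMgr) - Unknown owner - C:\WINDOWS\System32\MSRTEDITj.exe",
    r"O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe",
]
# Constructed Tasks listing: At1..At48 as in the CFScript, plus the one
# legitimate job ComboFix later reported.
SAMPLE_TASKS = [rf"C:\WINDOWS\Tasks\At{n}.job" for n in range(1, 49)]
SAMPLE_TASKS.append(r"C:\WINDOWS\Tasks\AppleSoftwareUpdate.job")

if __name__ == "__main__":
    for short, reasons in suspicious_services(SAMPLE_O23):
        print(f"{short}: {', '.join(reasons)}")
    sweep = at_job_sweep(SAMPLE_TASKS)
    print(f"At-job sweep: {len(sweep)} jobs" if sweep else "no At-job sweep")
```

On the sample above the only service that trips both rules is PolicyAgentRDSessMgr, and the Tasks listing reports a 48-job sweep; vsmon.exe also sits under C:\WINDOWS but carries a vendor string, so it is left alone. Neither rule is proof of infection on its own; they tell you which O23 lines to look up first.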

#7 Wbtonner (Topic Starter, Member, 14 posts)
CFScript.txt completed. Here are the logs.

ComboFix 08-05-15.3 - Woody 2008-05-19 9:21:57.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.128 [GMT -7:00]
Running from: C:\Documents and Settings\Woody\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Woody\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\System32\8GX8d172.exe
C:\WINDOWS\system32\MSRTEDITj.exe
C:\WINDOWS\system32\sfcj.exe
C:\WINDOWS\System32\tLaGG25q.exe
C:\WINDOWS\system32\usmtc.sys
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\MSRTEDITj.exe
C:\WINDOWS\system32\sfcj.exe
C:\WINDOWS\system32\usmtc.sys
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\TEMP\4913101.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EVENTSYSTEMMSDTC
-------\Legacy_POLICYAGENTRDSESSMGR
-------\Service_EventSystemMSDTC
-------\Service_PolicyAgentRDSessMgr


((((((((((((((((((((((((( Files Created from 2008-04-19 to 2008-05-19 )))))))))))))))))))))))))))))))
.

2008-05-19 08:05 . 2008-05-19 08:05 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-19 00:15 . 2008-05-19 00:15 <DIR> d-------- C:\Deckard
2008-05-19 00:04 . 2008-05-19 00:04 <DIR> d-------- C:\fixwareout
2008-05-19 00:01 . 2008-05-19 00:01 <DIR> d-------- C:\_OTMoveIt
2008-05-18 16:54 . 2008-05-18 16:54 <DIR> d-------- C:\Program Files\Panda Security
2008-05-18 13:09 . 2008-05-18 13:09 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-18 13:09 . 2008-05-18 13:09 <DIR> d-------- C:\Documents and Settings\Woody\Application Data\SUPERAntiSpyware.com
2008-05-18 13:09 . 2008-05-18 13:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-18 13:08 . 2008-05-18 13:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-16 12:01 . 2008-05-16 12:01 <DIR> d-------- C:\Documents and Settings\Woody\Application Data\Malwarebytes
2008-05-16 12:00 . 2008-05-16 12:00 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-16 12:00 . 2008-05-16 12:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-16 12:00 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-16 12:00 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-16 11:53 . 2008-05-16 11:53 <DIR> d--h----- C:\WINDOWS\PIF
2008-05-16 08:47 . 2008-05-16 08:47 23,552 --ahs---- C:\WINDOWS\system32\1025t.dll
2008-05-16 08:45 . 2008-05-19 07:44 369 --a-s---- C:\WINDOWS\system32\453846133.dat
2008-04-19 09:43 . 2008-04-19 09:43 <DIR> d-------- C:\Program Files\Patrick Computer Services
2008-04-19 09:43 . 1999-10-28 21:09 60,416 --a------ C:\WINDOWS\system32\EZYID3PRO2.OCX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-19 15:11 41,007,106 ------w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-04-06 01:04 --------- d-----w C:\Documents and Settings\Woody\Application Data\iolo
2008-04-06 01:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\iolo
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((( snapshot@2008-05-19_ 8.14.53.42 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-19 15:11:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-19 16:27:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2007-12-15 08:20 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 03:41 13312]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-21 17:13 579072]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 11:25 257088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 03:41 13312]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 17:14 219136]

C:\Documents and Settings\Woody\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-10-02 18:59:32 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 03:05:56 65588]
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-10-02 18:59:32 113664]
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50 217193]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage "= 0

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\System32\DRIVERS\bsstor.sys [2002-05-01 09:05]
S3 TFBULK;Topfield USB client driver;C:\WINDOWS\System32\drivers\TfBulk.sys [2003-08-26 14:11]
S4 BsUDF;InCD UDF Driver;C:\WINDOWS\System32\drivers\BsUDF.sys [2002-05-22 20:36]
S4 st3wolf;st3wolf;C:\WINDOWS\System32\DRIVERS\st3wolf.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-05 18:56:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-19 09:28:21
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGUPSVC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\WINDOWS\SYSTEM32\WDFMGR.EXE
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-05-19 9:30:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-19 16:30:38
ComboFix2.txt 2008-05-19 15:15:50

Pre-Run: 9,243,869,184 bytes free
Post-Run: 9,240,756,224 bytes free

222


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:32:34 AM, on 19/05/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HiJackThis\HijackThis.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webedge.bigpo...view?field=date
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 5230 bytes

#8 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
===========================================================
Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
=====================================================
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with Internet Explorer only)
Click on "Accept"

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as button:
  • Save the file in txt format to your desktop.
  • Post that information in your next post.


#9 Wbtonner (Topic Starter, Member, 14 posts)
Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, May 19, 2008 1:22:16 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/05/2008
Kaspersky Anti-Virus database records: 783970
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 52940
Number of viruses found: 2
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 01:38:38

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AVG7\Log\emc.log Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Woody\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Woody\Local Settings\History\History.IE5\MSHist012008051920080520\index.dat Object is locked skipped
C:\Documents and Settings\Woody\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Woody\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Woody\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Woody\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Woody\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\Woody\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Woody\ntuser.dat Object is locked skipped
C:\System Volume Information\_restore{4DCCAA2A-0DF4-4182-81B1-20BD3C05AB97}\RP667\A0111841.exe Object is locked skipped
C:\System Volume Information\_restore{4DCCAA2A-0DF4-4182-81B1-20BD3C05AB97}\RP667\A0111842.exe Object is locked skipped
C:\System Volume Information\_restore{4DCCAA2A-0DF4-4182-81B1-20BD3C05AB97}\RP673\A0112011.exe Infected: Backdoor.Win32.IRCBot.cyo skipped
C:\System Volume Information\_restore{4DCCAA2A-0DF4-4182-81B1-20BD3C05AB97}\RP673\change.log Object is locked skipped
C:\Deckard\System Scanner\backup\WINDOWS\temp\banner.exe Object is locked skipped
C:\Deckard\System Scanner\backup\WINDOWS\temp\3070qpuanvgv.exe Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\Temp\4913101.exe.vir Infected: Trojan-Downloader.Win32.Delf.hvj skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\MSRTEDITj.exe.vir Infected: Backdoor.Win32.IRCBot.cyo skipped
C:\QooBox\Quarantine\catchme2008-05-19_ 92450.76.zip/sfcj.exe Infected: Backdoor.Win32.IRCBot.cyo skipped
C:\QooBox\Quarantine\catchme2008-05-19_ 92450.76.zip ZIP: infected - 1 skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{4DCCAA2A-0DF4-4182-81B1-20BD3C05AB97}\RP673\change.log Object is locked skipped

Scan process completed.

#10 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Hi, do you have the Malwarebytes log?


#11 Wbtonner (Topic Starter, Member, 14 posts)
Whoops! Sorry.

Malwarebytes' Anti-Malware 1.12
Database version: 763

Scan type: Quick Scan
Objects scanned: 35937
Time elapsed: 11 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
I Highly recommend that you upgrade to Service Pack 3 for Windows.
It will increase the security and patch many vulnerabilities that are not patched with SP1.

Cleanup::
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it. (Vista users, please right-click on OTMoveIt2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
=====================================
Delete/uninstall anything else that we have used.

System Restore
Then I will need you to reset your System Restore points.
The link below shows how to create a clean restore point.
How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb/310405/en-us
=====================================
After that your log is clean. :)

The following is a list of tools and utilities that I like to suggest to people.
You do not have to have all or any of them they are only suggestions.
This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

Ad-Aware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.

Spyware Blaster - Great prevention tool to keep nasties from installing on your system.

Spywareguard-Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

IE-SPYAD- puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Tony Klein article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

#13 Wbtonner (Topic Starter, Member, 14 posts)
Before I continue, the Kaspersky scan produced the following:

Scan Statistics:
Total number of scanned objects: 52940
Number of viruses found: 2
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 01:38:38

Forgive my ignorance, but are you saying that my PC is all clear? If so, what do the above statistics mean, i.e. are there any viruses left on my PC?

Regards Edward

#14 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
After you complete the last steps I asked of you, that will also take care of the things that Kaspersky found.
Then you will be clean.
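Added example, not part of either post and not code from Kaspersky or any of the tools used here: the statistics in the report above and the question in post #13 come down to where each detection lives. The Python below parses the report's result lines and splits infected objects into live paths, System Restore copies (System Volume Information\_restore) and removal-tool quarantine (QooBox, Deckard backup). On the report's own lines it reproduces the totals (5 infected objects, 2 detection names) and shows that none of the five is on a live path, which is the reason the cleanup and restore-point reset in post #12 are enough. The sample lines are copied from the report above; the location rules are assumptions written for the tools used in this thread and would need extending for other quarantine folders.

```python
"""Classify Kaspersky Online Scanner findings by where they live.
Added example for this thread; not code from the post or from Kaspersky."""
import re

# One result line per object:  <path> Infected: <name> skipped
#                              <path> ZIP: infected - <n> skipped
#                              <path> Object is locked skipped
FINDING_RE = re.compile(
    r"^(?P<path>.+?) (?:Infected: (?P<name>\S+)"
    r"|ZIP: infected - (?P<inarchive>\d+)"
    r"|Object is locked) skipped$")

# Assumption: location rules for the tools used in this thread.  Files in a
# restore point or a removal tool's quarantine are no longer on their original
# path and are not running; only "live" findings need further cleanup.
LOCATION_RULES = [
    ("restore-point", re.compile(r"\\System Volume Information\\_restore", re.I)),
    ("tool-quarantine",
     re.compile(r"\\(QooBox\\Quarantine|Deckard\\System Scanner\\backup)\\", re.I)),
]


def location_of(path: str) -> str:
    for label, rx in LOCATION_RULES:
        if rx.search(path):
            return label
    return "live"


def parse_report(lines):
    """Yield (path, detection_name_or_None, locked) for each result line.
    Header, settings and statistics lines do not match and are skipped."""
    for line in lines:
        m = FINDING_RE.match(line.rstrip())
        if not m:
            continue
        if m["name"]:
            yield m["path"], m["name"], False
        elif m["inarchive"]:
            # The archive itself is counted as an infected object by the
            # scanner; the member inside it is reported on its own line.
            yield m["path"], "(archive containing infected object)", False
        else:
            yield m["path"], None, True


def summarize(lines):
    """Counts that line up with the report's "Scan Statistics" block, plus
    the infected paths bucketed by location."""
    by_location = {"live": [], "restore-point": [], "tool-quarantine": []}
    names = set()
    locked = 0
    for path, name, is_locked in parse_report(lines):
        if is_locked:
            locked += 1
            continue
        by_location[location_of(path)].append(path)
        if not name.startswith("("):
            names.add(name)
    return {
        "infected_objects": sum(len(v) for v in by_location.values()),
        "distinct_detections": sorted(names),
        "locked_skipped": locked,
        "by_location": by_location,
    }


# Sample input: result lines copied from the Kaspersky report in this thread.
SAMPLE_REPORT = [
    r"C:\WINDOWS\system32\config\system.LOG Object is locked skipped",
    r"C:\System Volume Information\_restore{4DCCAA2A-0DF4-4182-81B1-20BD3C05AB97}\RP667\A0111841.exe Object is locked skipped",
    r"C:\System Volume Information\_restore{4DCCAA2A-0DF4-4182-81B1-20BD3C05AB97}\RP673\A0112011.exe Infected: Backdoor.Win32.IRCBot.cyo skipped",
    r"C:\Deckard\System Scanner\backup\WINDOWS\temp\banner.exe Object is locked skipped",
    r"C:\QooBox\Quarantine\C\WINDOWS\Temp\4913101.exe.vir Infected: Trojan-Downloader.Win32.Delf.hvj skipped",
    r"C:\QooBox\Quarantine\C\WINDOWS\system32\MSRTEDITj.exe.vir Infected: Backdoor.Win32.IRCBot.cyo skipped",
    r"C:\QooBox\Quarantine\catchme2008-05-19_ 92450.76.zip/sfcj.exe Infected: Backdoor.Win32.IRCBot.cyo skipped",
    r"C:\QooBox\Quarantine\catchme2008-05-19_ 92450.76.zip ZIP: infected - 1 skipped",
    "Scan process completed.",
]

if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(f"infected objects: {s['infected_objects']}, "
          f"names: {len(s['distinct_detections'])}, locked: {s['locked_skipped']}")
    for label, paths in s["by_location"].items():
        print(f"  {label}: {len(paths)}")
```

"Object is locked" entries are not detections at all: registry hives, event logs and index.dat files are open for the whole session and every on-demand scanner skips them. What matters is the "live" bucket, and on this report it is empty.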

#15 Wbtonner (Topic Starter, Member, 14 posts)
Additionally, do I have to do anything about removing the "Console Mode" for Windows, or is it OK to keep this option in the Windows loading?

Also, are you saying to use one of those listed programs to replace AVG, or to use them in addition to AVG?





