Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Help.. I have Delf.12.AN and can not remove it [RESOLVED]


  • This topic is locked This topic is locked

#1
carolebrew

carolebrew

    Member

  • Member
  • PipPip
  • 16 posts
Can anyone help me here. Thanks...
  • 0

Advertisements


#2
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Read the Sticky Thread and post the required logs
  • 0

#3
carolebrew

carolebrew

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
OK... I hope I did this all right..


Malwarebytes' Anti-Malware 1.24
Database version: 1029
Windows 5.1.2600 Service Pack 2

12:16:14 PM 8/6/2008
mbam-log-8-6-2008 (12-16-14).txt

Scan type: Quick Scan
Objects scanned: 46966
Time elapsed: 7 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 4
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{417fcaa3-4f41-4702-b5f0-02361a2164f0} (Trojan.BHO) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{417fcaa3-4f41-4702-b5f0-02361a2164f0} (Trojan.BHO) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\alot (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\alotToolbar (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Antivirus2008y (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\alot (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\alot\bin (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\TJ\Application Data\alot (Adware.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\d3d8th.dll (Trojan.BHO) -> Delete on reboot.
C:\Program Files\alot\alotUninst.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\alot\bin\alot.dll (Adware.BHO) -> Quarantined and deleted successfully.

2Wire Wireless Client
7-Zip 4.57
Ad-Aware SE Personal
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat and Reader 6.0.3 Update
Adobe Flash Player 9 ActiveX
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 6.0.1
Apple Software Update
Athlon 64 Processor Driver
AVG 7.5
Backyard Football
Backyard Skateboarding
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon EOS 5D WIA Driver
Canon EOS Kiss_N REBEL_XT 350D WIA Driver
Canon EOS-1D Mark II N WIA Driver
Canon EOS-1Ds Mark II WIA Driver
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities Digital Photo Professional 2.1
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
CCleaner (remove only)
CleanUp!
Equestriad 2001
EZ Math Tables
Google Earth
HijackThis 2.0.2
HP Deskjet Preloaded Printer Drivers
HP Extended Capabilities 4.7
HP Image Zone 4.7
HP PSC & OfficeJet 4.7
HP Software Update
Indiana Jones and the Emperors Tomb
InterActual Player
InterVideo WinDVD
iTunes
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03
Macromedia Flash Player
Macromedia Shockwave Player
Madden NFL TM 2002
Malwarebytes' Anti-Malware
MathPlayer
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Office 2000 SR-1 Premium
Microsoft Picture It! Express 9
Microsoft Picture It! Library 9
Microsoft Visual C++ 2005 Redistributable
Microsoft Web Publishing Wizard 1.52
MSN
MSN Encarta Plus Support Files
MSN Messenger 7.5
MSXML 4.0 SP2 (KB936181)
Nancy Drew: Secrets Can Kill
NVIDIA GART Driver
NVIDIA Windows 2000/XP Display Drivers
PCI 1620 Cardbus Controller and Software
Phone Link Updater
Photosmart 140,240,7200,7600,7700,7900 Series
Picture Package
Pinnacle Instant DVD Recorder
Quick Launch Buttons 4.20 E1
QuickTime
Qwest QuickCare
Qwest QuickNetworking
Reading Detective Beginning Software
RealPlayer
RecordNow!
RegCure 1.5.0.0
Revenge of the Riddle Spiders A1
Rhapsody Player Engine
Schoolhouse Rock Thinking Games Deluxe
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Sonic Update Manager
Sony USB Driver
SoundMAX
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Spyware Doctor 5.5
StartWrite
Studio 11
Study Helpers Spelling Bee
SUPERAntiSpyware Free Edition
Typing Instructor Deluxe
Ultimate Writing & Creativity Center
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinZip
Word Roots Software A1
XoftSpySE
Yahoo! Desktop Login
Yahoo! Toolbar


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:35:35 PM, on 8/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Kiwee Toolbar2\1.5.131\kwtbaim.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: (no name) - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {417FCAA3-4F41-4702-B5F0-02361A2164F0} - C:\WINDOWS\System32\d3d8th.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - (no file)
O2 - BHO: (no name) - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [KiweeHook] "C:\Program Files\Kiwee Toolbar2\1.5.131\kwtbaim.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [LaunchList] C:\Program Files\Pinnacle\Studio 11\LaunchList2.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop
O16 - DPF: CabBuilder - http://kiw.imgag.com...llerControl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcopho...stcoActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1205897134312
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1205897109796
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup155.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.micro...rchsettings.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 7217 bytes
  • 0

#4
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
  • 0

#5
carolebrew

carolebrew

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
ComboFix 08-08-06.01 - James Trout 2008-08-06 13:34:59.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.207 [GMT -7:00]
Running from: C:\Documents and Settings\James Trout\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\James Trout\Application Data\macromedia\Flash Player\#SharedObjects\EP6FQZH5\interclick.com
C:\Documents and Settings\James Trout\Application Data\macromedia\Flash Player\#SharedObjects\EP6FQZH5\interclick.com\ud.sol
C:\Documents and Settings\James Trout\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\James Trout\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\Downloaded Program Files\setup.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MICROSOFT_I_SERVICE
-------\Service_Microsoft I Service


((((((((((((((((((((((((( Files Created from 2008-07-06 to 2008-08-06 )))))))))))))))))))))))))))))))
.

2008-08-06 12:05 . 2008-08-06 12:05 <DIR> d-------- C:\Documents and Settings\James Trout\Application Data\Malwarebytes
2008-08-06 12:05 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-06 12:05 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-06 12:04 . 2008-08-06 12:05 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-06 12:04 . 2008-08-06 12:04 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-08-06 12:04 . 2008-08-06 12:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-05 14:13 . 2008-08-05 14:13 <DIR> d-------- C:\fsaua.data
2008-08-05 13:50 . 2008-08-05 13:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-05 13:35 . 2008-08-05 13:35 <DIR> d-------- C:\Program Files\CleanUp!
2008-08-04 10:15 . 2008-08-04 10:15 <DIR> d---s---- C:\Documents and Settings\TJ\UserData
2008-08-04 10:08 . 2008-08-04 10:08 <DIR> d-------- C:\Documents and Settings\TJ\Application Data\MSNInstaller
2008-08-04 10:08 . 2008-08-04 15:34 <DIR> d-------- C:\Documents and Settings\TJ\Application Data\MSN6
2008-08-04 09:59 . 2008-08-04 09:59 <DIR> d-------- C:\Documents and Settings\TJ\Application Data\Apple Computer
2008-08-04 07:00 . 2008-08-04 07:00 <DIR> d-------- C:\Program Files\7-Zip
2008-08-03 19:38 . 2004-05-16 11:49 <DIR> d-------- C:\Documents and Settings\TJ\Application Data\Symantec
2008-08-03 19:38 . 2004-05-16 11:35 <DIR> d-------- C:\Documents and Settings\TJ\Application Data\Sonic
2008-08-03 19:38 . 2008-08-04 09:59 <DIR> d-------- C:\Documents and Settings\TJ\Application Data\AVG7
2008-08-03 19:38 . 2008-08-04 10:15 <DIR> d-------- C:\Documents and Settings\TJ
2008-08-03 17:32 . 2008-08-03 17:32 <DIR> d---s---- C:\Documents and Settings\Taylor\UserData
2008-08-03 17:29 . 2008-08-03 17:29 <DIR> d-------- C:\Documents and Settings\Taylor\Application Data\MSNInstaller
2008-08-03 17:29 . 2008-08-04 15:51 <DIR> d-------- C:\Documents and Settings\Taylor\Application Data\MSN6
2008-08-03 17:27 . 2004-05-16 11:49 <DIR> d-------- C:\Documents and Settings\Taylor\Application Data\Symantec
2008-08-03 17:27 . 2004-05-16 11:35 <DIR> d-------- C:\Documents and Settings\Taylor\Application Data\Sonic
2008-08-03 17:27 . 2008-08-04 09:15 <DIR> d-------- C:\Documents and Settings\Taylor\Application Data\AVG7
2008-08-03 17:27 . 2008-08-03 17:32 <DIR> d-------- C:\Documents and Settings\Taylor
2008-07-22 15:06 . 2008-07-22 15:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-22 15:05 . 2008-07-22 16:12 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-22 15:05 . 2008-07-22 15:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-22 15:05 . 2008-07-22 15:05 <DIR> d-------- C:\Documents and Settings\James Trout\Application Data\SUPERAntiSpyware.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-06 19:21 --------- d-----w C:\Documents and Settings\James Trout\Application Data\AVG7
2008-08-05 21:57 --------- d-----w C:\Documents and Settings\James Trout\Application Data\U3
2008-08-05 20:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kiwee Toolbar2
2008-08-05 14:55 --------- d-----w C:\Documents and Settings\James Trout\Application Data\MSN6
2008-08-04 14:00 --------- d-----w C:\Program Files\Yahoo!
2008-08-04 02:38 --------- d-----w C:\Program Files\Web Publish
2008-07-11 22:00 --------- d-----w C:\Program Files\XoftSpySE
2008-07-01 23:22 --------- d-----w C:\Program Files\LucasArts
2008-06-30 23:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\pixelStorm
2008-06-29 00:10 --------- d-----w C:\Documents and Settings\James Trout\Application Data\Move Networks
2008-06-27 21:33 --------- d-----w C:\Program Files\Enigma Software Group
2008-06-23 18:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\IM
2008-06-23 18:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\IncrediMail
2008-06-23 18:38 --------- d-----w C:\Program Files\MSN Messenger
2008-06-23 18:37 --------- d-----w C:\Program Files\Kiwee Toolbar2
2008-06-21 15:12 --------- d-----w C:\Documents and Settings\James Trout\Application Data\AdobeUM
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-15 14:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-15 14:14 --------- d-----w C:\Program Files\3 Day Eventing
2008-06-14 19:58 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-13 23:59 --------- d-----w C:\Program Files\Spyware Doctor
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 13:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2004-08-21 00:42 560 ----a-w C:\Documents and Settings\James Trout\Application Data\ViewerApp.dat
.
<pre>
----a-w		   319,488 2005-04-27 13:07:12  C:\Program Files\Critical Thinking Software\Word Roots Software A1\UninstallerData\Word Roots Software A1 Uninstall .exe
</pre>


((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 159,744 2003-10-08 03:40:00 C:\Program Files\Apoint2K\bak\Apoint.exe

----a-w 50,688 2003-09-14 04:36:52 C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe

----a-w 110,592 2003-08-19 08:01:00 C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe

----a-w 406,016 2006-11-07 12:16:09 C:\Program Files\Grisoft\AVG Free\bak\avgcc.exe

----a-w 49,152 2004-09-13 22:49:00 C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe

----a-w 49,152 2003-05-23 03:03:16 C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak\hphupd05.exe

----a-w 200,766 2004-03-01 20:05:46 C:\Program Files\HPQ\Default Settings\bak\cpqset.exe

----a-w 245,760 2004-01-13 16:21:10 C:\Program Files\HPQ\Quick Launch Buttons\bak\EabServr.exe

----a-w 256,576 2006-10-30 17:36:36 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 267,048 2007-11-03 02:36:42 C:\Program Files\iTunes\iTunesHelper.exe

----a-w 36,975 2005-11-10 20:03:52 C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe

----a-w 282,624 2006-10-26 02:58:18 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 286,720 2007-10-20 04:16:26 C:\Program Files\QuickTime\QTTask.exe

----a-r 1,851,392 2005-11-19 06:33:00 C:\Program Files\Support.com\bin\bak\tgcmd.exe

----a-w 483,328 2003-05-23 02:55:38 C:\WINDOWS\system32\bak\hphmon05.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{417FCAA3-4F41-4702-B5F0-02361A2164F0}]
2008-04-19 10:57 110848 --a------ C:\WINDOWS\System32\d3d8th.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"LaunchList"="C:\Program Files\Pinnacle\Studio 11\LaunchList2.exe" [2007-03-21 16:41 145496]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-07-22 16:12 1506544]
"RecordNow!"="" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 19:36 267048]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-06-27 09:54 580096]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 21:16 286720]
"KiweeHook"="C:\Program Files\Kiwee Toolbar2\1.5.131\kwtbaim.exe" [2008-04-03 10:51 56456]
"AGRSMMSG"="AGRSMMSG.exe" [2004-01-30 09:01 88363 C:\WINDOWS\AGRSMMSG.exe]
"nwiz"="nwiz.exe" [2004-04-07 12:22 323584 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-19 11:04 219136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-07-22 16:12 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= vdrcodec.dll
"VIDC.IV41"= ir41_32.dll
"VIDC.MJPG"= Pvmjpg30.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN\\MSNCoreFiles\\msn.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

R0 kijlfpnd;kijlfpnd;C:\WINDOWS\system32\drivers\utevktaf.dat []
S3 cdrmkaun;cdrmkaun;C:\DOCUME~1\JAMEST~1\LOCALS~1\Temp\cdrmkaun.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{825a9e54-f2e1-11dc-8cda-00904b5d76c9}]
\shell\play\command - "C:\Program Files\InterVideo\WinDVD\WinDVD.exe" %1
.
Contents of the 'Scheduled Tasks' folder

2008-07-10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

2008-08-06 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2007-08-02 09:20]

2008-04-19 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2007-08-02 09:20]

2008-08-06 C:\WINDOWS\Tasks\XoftSpySE 2.job
- C:\Program Files\XoftSpySE\XoftSpy.exe [2007-10-24 11:59]

2008-04-20 C:\WINDOWS\Tasks\XoftSpySE.job
- C:\Program Files\XoftSpySE\XoftSpy.exe [2007-10-24 11:59]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)
BHO-{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - (no file)
BHO-{6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)
Toolbar-{6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)
WebBrowser-{6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\James Trout\Application Data\Mozilla\Firefox\Profiles\qoedfags.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.foxnews.com


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-06 13:42:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\kijlfpnd]
"ImagePath"="system32\drivers\utevktaf.dat"
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-08-06 13:49:27 - machine was rebooted [James Trout]
ComboFix-quarantined-files.txt 2008-08-06 20:49:16

Pre-Run: 33,101,447,168 bytes free
Post-Run: 33,010,552,832 bytes free

204 --- E O F --- 2008-07-12 14:47:43


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:56:02 PM, on 8/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Kiwee Toolbar2\1.5.131\kwtbaim.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {417FCAA3-4F41-4702-B5F0-02361A2164F0} - C:\WINDOWS\System32\d3d8th.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [KiweeHook] "C:\Program Files\Kiwee Toolbar2\1.5.131\kwtbaim.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [LaunchList] C:\Program Files\Pinnacle\Studio 11\LaunchList2.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop
O16 - DPF: CabBuilder - http://kiw.imgag.com...llerControl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcopho...stcoActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1205897134312
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1205897109796
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup155.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.micro...rchsettings.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 7184 bytes
  • 0

#6
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

http://www.geekstogo...ve-t207398.html

Collect::
C:\WINDOWS\System32\d3d8th.dll
C:\WINDOWS\system32\drivers\utevktaf.dat

SysRst::

Suspect::

KillAll::

Firefox::

AWF::
C:\Program Files\Apoint2K\bak\Apoint.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe
C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe
C:\Program Files\Grisoft\AVG Free\bak\avgcc.exe
C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak\hphupd05.exe
C:\Program Files\HPQ\Default Settings\bak\cpqset.exe
C:\Program Files\HPQ\Quick Launch Buttons\bak\EabServr.exe
C:\Program Files\iTunes\bak\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\Support.com\bin\bak\tgcmd.exe
C:\WINDOWS\system32\bak\hphmon05.exe

File::

Folder::

Driver::
kijlfpnd
cdrmkaun

RenV::
----a-w 319,488 2005-04-27 13:07:12 C:\Program Files\Critical Thinking Software\Word Roots Software A1\UninstallerData\Word Roots Software A1 Uninstall .exe


Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{825a9e54-f2e1-11dc-8cda-00904b5d76c9}]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. Additonally, ComboFix will generate the following files on your desktop
  • A zipped file on your desktop called Submit [Date Time].zip
  • And another file named - CF-Submit.htm
6. ComboFix may need to reboot to finish its work. Let it.

7. When CF has finished running, it will generate the ComboFix.log which will appear on your screen.

8. If CF-Submit.htm is detected, ComboFix will generate this message box:

Posted Image

Clicking OK will cause the machine's browser to load CF-Submit.htm

Posted Image

9. Click the "Browse" button and locate the Submit [Date Time].zip file on your desktop.
  • Click on the file to Select it.
  • Submit the file by clicking "OK"
10. Once the file has been submitted, please DELETE both files on your desktop.

11. Post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log (run after ComboFix has finished its work.)

  • 0

#7
carolebrew

carolebrew

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Ok Here goes....

ComboFix 08-08-06.01 - James Trout 2008-08-06 14:14:34.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.232 [GMT -7:00]
Running from: C:\Documents and Settings\James Trout\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\James Trout\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\System32\d3d8th.dll
C:\WINDOWS\system32\drivers\utevktaf.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CDRMKAUN
-------\Legacy_KIJLFPND
-------\Service_cdrmkaun
-------\Service_kijlfpnd


((((((((((((((((((((((((( Files Created from 2008-07-06 to 2008-08-06 )))))))))))))))))))))))))))))))
.

2008-08-06 12:05 . 2008-08-06 12:05 <DIR> d-------- C:\Documents and Settings\James Trout\Application Data\Malwarebytes
2008-08-06 12:05 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-06 12:05 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-06 12:04 . 2008-08-06 12:05 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-06 12:04 . 2008-08-06 12:04 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-08-06 12:04 . 2008-08-06 12:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-05 14:13 . 2008-08-05 14:13 <DIR> d-------- C:\fsaua.data
2008-08-05 13:50 . 2008-08-05 13:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-05 13:35 . 2008-08-05 13:35 <DIR> d-------- C:\Program Files\CleanUp!
2008-08-04 10:15 . 2008-08-04 10:15 <DIR> d---s---- C:\Documents and Settings\TJ\UserData
2008-08-04 10:08 . 2008-08-04 10:08 <DIR> d-------- C:\Documents and Settings\TJ\Application Data\MSNInstaller
2008-08-04 10:08 . 2008-08-04 15:34 <DIR> d-------- C:\Documents and Settings\TJ\Application Data\MSN6
2008-08-04 09:59 . 2008-08-04 09:59 <DIR> d-------- C:\Documents and Settings\TJ\Application Data\Apple Computer
2008-08-04 07:00 . 2008-08-04 07:00 <DIR> d-------- C:\Program Files\7-Zip
2008-08-03 19:38 . 2004-05-16 11:49 <DIR> d-------- C:\Documents and Settings\TJ\Application Data\Symantec
2008-08-03 19:38 . 2004-05-16 11:35 <DIR> d-------- C:\Documents and Settings\TJ\Application Data\Sonic
2008-08-03 19:38 . 2008-08-04 09:59 <DIR> d-------- C:\Documents and Settings\TJ\Application Data\AVG7
2008-08-03 19:38 . 2008-08-04 10:15 <DIR> d-------- C:\Documents and Settings\TJ
2008-08-03 17:32 . 2008-08-03 17:32 <DIR> d---s---- C:\Documents and Settings\Taylor\UserData
2008-08-03 17:29 . 2008-08-03 17:29 <DIR> d-------- C:\Documents and Settings\Taylor\Application Data\MSNInstaller
2008-08-03 17:29 . 2008-08-04 15:51 <DIR> d-------- C:\Documents and Settings\Taylor\Application Data\MSN6
2008-08-03 17:27 . 2004-05-16 11:49 <DIR> d-------- C:\Documents and Settings\Taylor\Application Data\Symantec
2008-08-03 17:27 . 2004-05-16 11:35 <DIR> d-------- C:\Documents and Settings\Taylor\Application Data\Sonic
2008-08-03 17:27 . 2008-08-04 09:15 <DIR> d-------- C:\Documents and Settings\Taylor\Application Data\AVG7
2008-08-03 17:27 . 2008-08-03 17:32 <DIR> d-------- C:\Documents and Settings\Taylor
2008-07-22 15:06 . 2008-07-22 15:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-22 15:05 . 2008-07-22 16:12 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-22 15:05 . 2008-07-22 15:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-22 15:05 . 2008-07-22 15:05 <DIR> d-------- C:\Documents and Settings\James Trout\Application Data\SUPERAntiSpyware.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-06 21:21 --------- d-----w C:\Program Files\QuickTime
2008-08-06 21:21 --------- d-----w C:\Program Files\iTunes
2008-08-06 21:14 --------- d-----w C:\Program Files\Apoint2K
2008-08-06 19:21 --------- d-----w C:\Documents and Settings\James Trout\Application Data\AVG7
2008-08-05 21:57 --------- d-----w C:\Documents and Settings\James Trout\Application Data\U3
2008-08-05 20:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kiwee Toolbar2
2008-08-05 14:55 --------- d-----w C:\Documents and Settings\James Trout\Application Data\MSN6
2008-08-04 14:00 --------- d-----w C:\Program Files\Yahoo!
2008-08-04 02:38 --------- d-----w C:\Program Files\Web Publish
2008-07-11 22:00 --------- d-----w C:\Program Files\XoftSpySE
2008-07-01 23:22 --------- d-----w C:\Program Files\LucasArts
2008-06-30 23:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\pixelStorm
2008-06-29 00:10 --------- d-----w C:\Documents and Settings\James Trout\Application Data\Move Networks
2008-06-27 21:33 --------- d-----w C:\Program Files\Enigma Software Group
2008-06-23 18:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\IM
2008-06-23 18:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\IncrediMail
2008-06-23 18:38 --------- d-----w C:\Program Files\MSN Messenger
2008-06-23 18:37 --------- d-----w C:\Program Files\Kiwee Toolbar2
2008-06-21 15:12 --------- d-----w C:\Documents and Settings\James Trout\Application Data\AdobeUM
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-15 14:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-15 14:14 --------- d-----w C:\Program Files\3 Day Eventing
2008-06-14 19:58 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-13 23:59 --------- d-----w C:\Program Files\Spyware Doctor
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 13:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2004-08-21 00:42 560 ----a-w C:\Documents and Settings\James Trout\Application Data\ViewerApp.dat
.
<pre>
----a-w		   319,488 2005-04-27 13:07:12  C:\Program Files\Critical Thinking Software\Word Roots Software A1\UninstallerData\Word Roots Software A1 Uninstall .exe
</pre>


((((((((((((((((((((((((((((( [email protected]_13.48.16.79 )))))))))))))))))))))))))))))))))))))))))
.
+ 2003-05-23 02:55:38 483,328 ----a-w C:\WINDOWS\system32\hphmon05.exe
.
((((((((((((((((((((((((((((((((((((((( System Restore )))))))))))))))))))))))))))))))))))))))))))))))))))
.

2008-08-06 13:50 795 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegBHO-Global.reg
2008-08-04 07:00 1069 {EABCAB45-42A4-472A-8674-85AD723A5F23}\RP3\A0000100.reg

2008-08-06 13:45 271 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGBP2a-Global.reg
2008-06-27 09:14 245 {EABCAB45-42A4-472A-8674-85AD723A5F23}\RP3\A0000059.reg

2008-08-06 13:45 438 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGBP2b-Global.reg
2008-04-20 09:11 392 {EABCAB45-42A4-472A-8674-85AD723A5F23}\RP3\A0000060.reg

2008-08-06 13:50 81 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGBTB1-Global.reg
2008-08-06 08:54 128 {EABCAB45-42A4-472A-8674-85AD723A5F23}\RP3\A0000099.reg

2008-08-06 13:45 285 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUBP2a-James Trout.reg
2008-05-18 06:35 244 {EABCAB45-42A4-472A-8674-85AD723A5F23}\RP3\A0000056.reg

2008-08-06 13:50 4131 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUBTB1-James Trout.reg
2008-06-24 08:37 4230 {EABCAB45-42A4-472A-8674-85AD723A5F23}\RP3\A0000098.reg

2004-08-04 05:00 47564 C:\ntdetect.com
2008-03-20 18:33 47564 {EABCAB45-42A4-472A-8674-85AD723A5F23}\RP2\A0000004.com

2006-10-30 10:36 256576 C:\Program Files\iTunes\iTunesHelper.exe
2007-11-02 19:36 267048 {EABCAB45-42A4-472A-8674-85AD723A5F23}\RP4\A0000107.exe

2006-10-25 19:58 282624 C:\Program Files\QuickTime\qttask.exe
2007-10-19 21:16 286720 {EABCAB45-42A4-472A-8674-85AD723A5F23}\RP4\A0000108.exe

C:\WINDOWS\system32\d3d8th.dll
2008-04-19 10:57 110848 {EABCAB45-42A4-472A-8674-85AD723A5F23}\RP4\A0000116.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"LaunchList"="C:\Program Files\Pinnacle\Studio 11\LaunchList2.exe" [2007-03-21 16:41 145496]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-07-22 16:12 1506544]
"RecordNow!"="" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36 256576]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-06-27 09:54 580096]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2006-10-25 19:58 282624]
"KiweeHook"="C:\Program Files\Kiwee Toolbar2\1.5.131\kwtbaim.exe" [2008-04-03 10:51 56456]
"AGRSMMSG"="AGRSMMSG.exe" [2004-01-30 09:01 88363 C:\WINDOWS\AGRSMMSG.exe]
"nwiz"="nwiz.exe" [2004-04-07 12:22 323584 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-19 11:04 219136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-07-22 16:12 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= vdrcodec.dll
"VIDC.IV41"= ir41_32.dll
"VIDC.MJPG"= Pvmjpg30.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN\\MSNCoreFiles\\msn.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

.
Contents of the 'Scheduled Tasks' folder

2008-07-10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

2008-08-06 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2007-08-02 09:20]

2008-04-19 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2007-08-02 09:20]

2008-08-06 C:\WINDOWS\Tasks\XoftSpySE 2.job
- C:\Program Files\XoftSpySE\XoftSpy.exe [2007-10-24 11:59]

2008-04-20 C:\WINDOWS\Tasks\XoftSpySE.job
- C:\Program Files\XoftSpySE\XoftSpy.exe [2007-10-24 11:59]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)
BHO-{417FCAA3-4F41-4702-B5F0-02361A2164F0} - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-06 14:21:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
.
**************************************************************************
.
Completion time: 2008-08-06 14:27:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-06 21:27:08
ComboFix2.txt 2008-08-06 20:49:30

Pre-Run: 32,988,823,552 bytes free
Post-Run: 32,973,815,808 bytes free

198 --- E O F --- 2008-07-12 14:47:43


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:34:26 PM, on 8/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Kiwee Toolbar2\1.5.131\kwtbaim.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [KiweeHook] "C:\Program Files\Kiwee Toolbar2\1.5.131\kwtbaim.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [LaunchList] C:\Program Files\Pinnacle\Studio 11\LaunchList2.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop
O16 - DPF: CabBuilder - http://kiw.imgag.com...llerControl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcopho...stcoActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1205897134312
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1205897109796
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup155.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.micro...rchsettings.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 6971 bytes
  • 0

#8
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Looking good

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::

KillAll::

RenV::
----a-w 319,488 2005-04-27 13:07:12 C:\Program Files\Critical Thinking Software\Word Roots Software A1\UninstallerData\Word Roots Software A1 Uninstall .exe

Folder::

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.





Please do an online scan with Kaspersky WebScanner

Make sure you are using Internet Explorer for this. Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#9
carolebrew

carolebrew

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
you are wonderful...this is working


ComboFix 08-08-06.01 - James Trout 2008-08-06 16:46:33.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.304 [GMT -7:00]
Running from: C:\Documents and Settings\James Trout\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\James Trout\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-07-06 to 2008-08-06 )))))))))))))))))))))))))))))))
.

2008-08-06 14:47 . 2008-08-06 14:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-08-06 12:05 . 2008-08-06 12:05 <DIR> d-------- C:\Documents and Settings\James Trout\Application Data\Malwarebytes
2008-08-06 12:05 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-06 12:05 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-06 12:04 . 2008-08-06 12:05 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-06 12:04 . 2008-08-06 12:04 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-08-06 12:04 . 2008-08-06 12:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-05 14:13 . 2008-08-05 14:13 <DIR> d-------- C:\fsaua.data
2008-08-05 13:50 . 2008-08-05 13:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-05 13:35 . 2008-08-05 13:35 <DIR> d-------- C:\Program Files\CleanUp!
2008-08-04 10:15 . 2008-08-04 10:15 <DIR> d---s---- C:\Documents and Settings\TJ\UserData
2008-08-04 10:08 . 2008-08-04 10:08 <DIR> d-------- C:\Documents and Settings\TJ\Application Data\MSNInstaller
2008-08-04 10:08 . 2008-08-04 15:34 <DIR> d-------- C:\Documents and Settings\TJ\Application Data\MSN6
2008-08-04 09:59 . 2008-08-04 09:59 <DIR> d-------- C:\Documents and Settings\TJ\Application Data\Apple Computer
2008-08-04 07:00 . 2008-08-04 07:00 <DIR> d-------- C:\Program Files\7-Zip
2008-08-03 19:38 . 2004-05-16 11:49 <DIR> d-------- C:\Documents and Settings\TJ\Application Data\Symantec
2008-08-03 19:38 . 2004-05-16 11:35 <DIR> d-------- C:\Documents and Settings\TJ\Application Data\Sonic
2008-08-03 19:38 . 2008-08-06 14:45 <DIR> d-------- C:\Documents and Settings\TJ
2008-08-03 17:32 . 2008-08-03 17:32 <DIR> d---s---- C:\Documents and Settings\Taylor\UserData
2008-08-03 17:29 . 2008-08-03 17:29 <DIR> d-------- C:\Documents and Settings\Taylor\Application Data\MSNInstaller
2008-08-03 17:29 . 2008-08-04 15:51 <DIR> d-------- C:\Documents and Settings\Taylor\Application Data\MSN6
2008-08-03 17:27 . 2004-05-16 11:49 <DIR> d-------- C:\Documents and Settings\Taylor\Application Data\Symantec
2008-08-03 17:27 . 2004-05-16 11:35 <DIR> d-------- C:\Documents and Settings\Taylor\Application Data\Sonic
2008-08-03 17:27 . 2008-08-06 14:45 <DIR> d-------- C:\Documents and Settings\Taylor
2008-07-22 15:06 . 2008-07-22 15:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-22 15:05 . 2008-08-06 15:06 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-22 15:05 . 2008-08-06 15:07 <DIR> d-------- C:\Documents and Settings\James Trout\Application Data\SUPERAntiSpyware.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-06 22:16 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-06 22:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-06 21:21 --------- d-----w C:\Program Files\QuickTime
2008-08-06 21:21 --------- d-----w C:\Program Files\iTunes
2008-08-06 21:21 --------- d-----w C:\Program Files\Apoint2K
2008-08-05 21:57 --------- d-----w C:\Documents and Settings\James Trout\Application Data\U3
2008-08-05 20:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kiwee Toolbar2
2008-08-05 14:55 --------- d-----w C:\Documents and Settings\James Trout\Application Data\MSN6
2008-08-04 14:00 --------- d-----w C:\Program Files\Yahoo!
2008-08-04 02:38 --------- d-----w C:\Program Files\Web Publish
2008-07-11 22:00 --------- d-----w C:\Program Files\XoftSpySE
2008-07-01 23:22 --------- d-----w C:\Program Files\LucasArts
2008-06-30 23:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\pixelStorm
2008-06-29 00:10 --------- d-----w C:\Documents and Settings\James Trout\Application Data\Move Networks
2008-06-27 21:33 --------- d-----w C:\Program Files\Enigma Software Group
2008-06-23 18:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\IM
2008-06-23 18:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\IncrediMail
2008-06-23 18:38 --------- d-----w C:\Program Files\MSN Messenger
2008-06-23 18:37 --------- d-----w C:\Program Files\Kiwee Toolbar2
2008-06-21 15:12 --------- d-----w C:\Documents and Settings\James Trout\Application Data\AdobeUM
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-15 14:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-15 14:14 --------- d-----w C:\Program Files\3 Day Eventing
2008-06-14 19:58 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-13 23:59 --------- d-----w C:\Program Files\Spyware Doctor
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2004-08-21 00:42 560 ----a-w C:\Documents and Settings\James Trout\Application Data\ViewerApp.dat
.

((((((((((((((((((((((((((((( [email protected]_13.48.16.79 )))))))))))))))))))))))))))))))))))))))))
.
+ 2003-05-23 02:55:38 483,328 ----a-w C:\WINDOWS\system32\hphmon05.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchList"="C:\Program Files\Pinnacle\Studio 11\LaunchList2.exe" [2007-03-21 16:41 145496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36 256576]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2006-10-25 19:58 282624]
"KiweeHook"="C:\Program Files\Kiwee Toolbar2\1.5.131\kwtbaim.exe" [2008-04-03 10:51 56456]
"AGRSMMSG"="AGRSMMSG.exe" [2004-01-30 09:01 88363 C:\WINDOWS\AGRSMMSG.exe]
"nwiz"="nwiz.exe" [2004-04-07 12:22 323584 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= vdrcodec.dll
"VIDC.IV41"= ir41_32.dll
"VIDC.MJPG"= Pvmjpg30.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN\\MSNCoreFiles\\msn.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

.
Contents of the 'Scheduled Tasks' folder

2008-07-10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

2008-08-06 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2007-08-02 09:20]

2008-04-19 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2007-08-02 09:20]

2008-08-06 C:\WINDOWS\Tasks\XoftSpySE 2.job
- C:\Program Files\XoftSpySE\XoftSpy.exe [2007-10-24 11:59]

2008-04-20 C:\WINDOWS\Tasks\XoftSpySE.job
- C:\Program Files\XoftSpySE\XoftSpy.exe [2007-10-24 11:59]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-06 16:52:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-08-06 16:57:07 - machine was rebooted [James Trout]
ComboFix-quarantined-files.txt 2008-08-06 23:57:03
ComboFix2.txt 2008-08-06 22:05:30
ComboFix3.txt 2008-08-06 21:27:17
ComboFix4.txt 2008-08-06 20:49:30

Pre-Run: 32,971,685,888 bytes free
Post-Run: 32,959,549,440 bytes free

145 --- E O F --- 2008-07-12 14:47:43
  • 0

#10
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Ok lets see what Kaspersky shows
  • 0

Advertisements


#11
carolebrew

carolebrew

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
OK....Kaspersky is downloading now and I will post back when the test is done. :)
  • 0

#12
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Ok, it takes a while.
  • 0

#13
carolebrew

carolebrew

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
ok here is the results... not good


Wednesday, August 06, 2008 7:53:39 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/08/2008
Kaspersky Anti-Virus database records: 1064003


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\

Scan Statistics
Total number of scanned objects 72492
Number of viruses found 3
Number of infected objects 7
Number of suspicious objects 0
Duration of the scan process 01:29:13

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zango.zip/zangohook.dll Infected: not-a-virus:AdTool.Win32.Zango.c skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zango.zip ZIP: infected - 1 skipped

C:\Documents and Settings\James Trout\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\James Trout\Desktop\[4][email protected]/d3d8th.dll Infected: Rootkit.Win32.Podnuha.bi skipped

C:\Documents and Settings\James Trout\Desktop\[4][email protected]/utevktaf.dat Infected: Rootkit.Win32.Agent.aap skipped

C:\Documents and Settings\James Trout\Desktop\[4][email protected] ZIP: infected - 2 skipped

C:\Documents and Settings\James Trout\Local Settings\Application Data\Kiwee Toolbar2\Logs\KiweeHook.log Object is locked skipped

C:\Documents and Settings\James Trout\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\James Trout\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\James Trout\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\James Trout\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\James Trout\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\James Trout\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\utevktaf.dat.vir Object is locked skipped

C:\QooBox\Quarantine\catchme2008-08-06_141752.03.zip/utevktaf.dat Infected: Rootkit.Win32.Agent.aap skipped

C:\QooBox\Quarantine\catchme2008-08-06_141752.03.zip ZIP: infected - 1 skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}\RP10\change.log Object is locked skipped

C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\accwiz.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\crypt32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\hh.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\hhctrl.ocx Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\hhsetup.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\html32.cnv Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\itss.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\locator.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\magnify.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\migwiz.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\mrxsmb.sys Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\msconv97.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\narrator.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\newdev.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\ntdll.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\ntkrnlpa.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\ntoskrnl.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\ole32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\osk.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\pchshell.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\raspptp.sys Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\rpcrt4.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\rpcss.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\shdocvw.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\shell32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\shmedia.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\srrstr.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\srv.sys Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\urlmon.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\winsrv.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\zipfldr.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826942$\dhcpcsvc.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826942$\ndis.sys Object is locked skipped

C:\WINDOWS\$NtUninstallKB826942$\ndisuio.sys Object is locked skipped

C:\WINDOWS\$NtUninstallKB826942$\netshell.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826942$\nwlnkipx.sys Object is locked skipped

C:\WINDOWS\$NtUninstallKB826942$\wzcdlg.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826942$\wzcsapi.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826942$\wzcsvc.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828028$\msasn1.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\dao360.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msjet40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\mstext40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{32DD2A42-66E3-4465-A6E0-179291FBE471}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
  • 0

#14
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Nope thats fine, your logs are clean

Delete this file

C:\Documents and Settings\James Trout\Desktop\[4][email protected]



Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Posted Image



Your using an old version of Adobe Acrobat Reader, this can leave your pc open to vulnerabilities, you can update it here :
http://www.adobe.com.../readstep2.html



You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here



  • Make sure you have an Internet Connection.
  • Download OTCleanIt to your desktop and run it
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTCleanUp to reach the Internet, please allow the application to do so.
  • Click Yes to beging the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:

SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program or there will be a conflict.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
  • 0

#15
carolebrew

carolebrew

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Oh my ...... You are wonderful. I just can not believe how you have helped me. What an interesting form of support. I appreciate all of the help you have given me. I will continue to come back to read up on what is happening. Very interesting and a good learning tool as well. Not sure how you know all of this, you sure on a higher level of knowledge then me. Thank you for all of your help. This laptop is one of my bosses so I am glad I could fix it for him. Several years ago the only forum around that I knew of was Virtual Doctor. Tools used then were sypbot search and destroy, adaware, spywareblaster and a few others. Things have really changed and the cleaning process more intense. I will follow your wonderful instructions below before I give this laptop back to my boss. Thanks again... U R A Genius.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP