IPHaction.dll- trojan.proscks.a- win32.dnschanger.haw [RESOLVED]


  • This topic is locked

#16 Raider 1 (Member, Topic Starter, 24 posts)
I've also downloaded Deckard's now.

#17 emeraldnzl (GeekU Instructor, GeekU Moderator, 19,991 posts)
Hello Raider 1,

  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box at the top of the page:

  • C:\Documents and Settings\NORT\Application Data\netstat.bat

  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
Now

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.
Next

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\WINDOWS\system32\dwbin.exe
C:\WINDOWS\system32\wmoptimizer.dll
C:\WINDOWS\system32\downer.exe
C:\WINDOWS\system32\new2.exe

NetSvc::
wmosvr
WMOptimizer

Driver::
WMOptimizer
Ias

Sysrst::


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.

So when you come back please post
  • VirSCAN report
  • SDFix report
  • ComboFix text
  • a new HijackThis log

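The CFScript procedure above asks for ComboFix.txt back, and the check a reviewer then wants to make is which File::, NetSvc:: and Driver:: targets ComboFix actually reports acting on. The Python below is an added example, not the helper's code and not part of ComboFix: it parses a CFScript and a ComboFix log (both constructed here to mirror the formats in this thread), looks each File:: path up in the "Other Deletions" section, and matches each NetSvc::/Driver:: name against the Legacy_*/Service_* keys listed under "Drivers/Services". It rests on one reading of the log, stated here as an assumption: ComboFix lists a path under "Other Deletions" only when it found and removed it, so a File:: target absent there was not confirmed removed (in the log posted later in this thread only new2.exe of the four File:: targets appears there, which is exactly the discrepancy this check surfaces).

```python
"""Reconcile a ComboFix CFScript with the ComboFix.txt it produced.
Added example for this thread (not the helper's code, not part of ComboFix);
the script and log text below are constructed to mirror the thread's format."""
import re

# Constructed copy of the CFScript posted in the thread.
CFSCRIPT = r"""KillAll::

File::
C:\WINDOWS\system32\dwbin.exe
C:\WINDOWS\system32\wmoptimizer.dll
C:\WINDOWS\system32\downer.exe
C:\WINDOWS\system32\new2.exe

NetSvc::
wmosvr
WMOptimizer

Driver::
WMOptimizer
Ias

Sysrst::
"""

# Constructed excerpt modelled on the ComboFix.txt posted in reply (header
# runs shortened; the parser accepts any number of parentheses).
COMBOFIX_LOG = r"""ComboFix 08-08-15.04 - NORT 2008-08-17 15:19:30.7 - FAT32x86

(((((((((((((((((((( Other Deletions ))))))))))))))))))))
.

C:\WINDOWS\system32\new2.exe

.
(((((((((((((((((((( Drivers/Services ))))))))))))))))))))
.

-------\Legacy_IAS
-------\Legacy_WMOPTIMIZER
-------\Service_Ias
"""

# A ComboFix section header is a title wrapped in runs of parentheses.
HEADER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")


def parse_cfscript(text):
    """Map each 'Name::' directive to the non-blank lines beneath it."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def parse_combofix_log(text):
    """Map each section title to its body lines, dropping '.' and blanks."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = HEADER_RE.match(line)
        if match:
            current = match.group(1)
            sections[current] = []
        elif current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def reconcile(cfscript_text, log_text):
    """Per File:: path: was it listed under Other Deletions? Per NetSvc::/
    Driver:: name: which Legacy_*/Service_* keys under Drivers/Services match."""
    script = parse_cfscript(cfscript_text)
    log = parse_combofix_log(log_text)
    deleted = {p.lower() for p in log.get("Other Deletions", [])}
    # Lines look like "-------\Legacy_WMOPTIMIZER"; keep only the key name.
    keys = [ln.rsplit("\\", 1)[-1] for ln in log.get("Drivers/Services", [])]
    report = {"files": {}, "services": {}, "drivers": {}}
    for path in script.get("File", []):
        report["files"][path] = path.lower() in deleted
    for bucket, directive in (("services", "NetSvc"), ("drivers", "Driver")):
        for name in script.get(directive, []):
            report[bucket][name] = [
                k for k in keys if k.lower().split("_", 1)[-1] == name.lower()
            ]
    return report


def unconfirmed(report):
    """Targets the log gives no evidence of having acted on."""
    missing = [f"File: {p}" for p, ok in report["files"].items() if not ok]
    missing += [f"NetSvc: {n}" for n, h in report["services"].items() if not h]
    missing += [f"Driver: {n}" for n, h in report["drivers"].items() if not h]
    return missing
```

Call `unconfirmed(reconcile(CFSCRIPT, COMBOFIX_LOG))` to get the list of targets the log does not vouch for; with the constructed input that is the three File:: paths other than new2.exe plus the NetSvc entry wmosvr, while both Driver:: names and the WMOptimizer service resolve to Legacy_*/Service_* keys. An unconfirmed file usually means it was already gone before ComboFix ran (here SDFix and earlier tools had been used), but it is the reviewer's job, not the script's, to decide that.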

#18 Raider 1 (Member, Topic Starter, 24 posts)
I replaced Sunbelt/VIPRE antivirus with Avast. I also uninstalled Malwarebytes antivirus. VIPRE is being nasty, still trying to install itself. Here are the logs you asked for, thanks.

File Name : netstat.bat
File Size : 106 byte
File Type : ASCII text, with no line terminators
MD5 : e052d52ce6484bcca9d91457ec7e4efe
SHA1 : 821818ea5fa87e44eea058065190775fa57


Scanner results : All Scanners reported not find malware!
Time : 2008/08/17 14:48:08 (PDT)

SDFix: Version 1.216
Run by NORT on 2008-08-17 at 15:04

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\TFTP2820 - Deleted
C:\WINDOWS\system32\rtl60.bpl - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-17 15:11:54
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 18 Aug 2001 94,784 ..SH. --- "C:\WINDOWS\twain.dll"
Wed 4 Aug 2004 50,688 ..SH. --- "C:\WINDOWS\twain_32.dll"
Wed 4 Aug 2004 1,028,096 ..SH. --- "C:\WINDOWS\system32\mfc42.dll"
Wed 4 Aug 2004 343,040 A.SH. --- "C:\WINDOWS\system32\msvcrt.dll"
Wed 4 Aug 2004 11,776 ..SH. --- "C:\WINDOWS\system32\regsvr32.exe"
Wed 4 Aug 2004 413,696 A.SH. --- "C:\WINDOWS\system32\msvcp60.dll"
Wed 4 Aug 2004 54,784 ..SH. --- "C:\WINDOWS\system32\msvcirt.dll"
Tue 12 Aug 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BIT2.tmp"
Fri 15 Aug 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"

Finished!


ComboFix 08-08-15.04 - NORT 2008-08-17 15:19:30.7 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.310 [GMT -7:00]
Running from: C:\Documents and Settings\NORT\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\NORT\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\downer.exe
C:\WINDOWS\system32\dwbin.exe
C:\WINDOWS\system32\new2.exe
C:\WINDOWS\system32\wmoptimizer.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\NORT\Application Data\macromedia\Flash Player\#SharedObjects\ZYNBGGM5\interclick.com
C:\Documents and Settings\NORT\Application Data\macromedia\Flash Player\#SharedObjects\ZYNBGGM5\interclick.com\ud.sol
C:\Documents and Settings\NORT\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\NORT\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\NORT\Cookies\[email protected][2].txt
C:\Documents and Settings\NORT\Cookies\[email protected][1].txt
C:\Documents and Settings\NORT\Cookies\[email protected][1].txt
C:\Documents and Settings\NORT\Cookies\[email protected][2].txt
C:\Documents and Settings\NORT\Cookies\[email protected][1].txt
C:\Documents and Settings\NORT\Cookies\[email protected][2].txt
C:\Documents and Settings\NORT\Cookies\[email protected][1].txt
C:\WINDOWS\system32\new2.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IAS
-------\Legacy_WMOPTIMIZER
-------\Service_Ias


((((((((((((((((((((((((( Files Created from 2008-07-17 to 2008-08-17 )))))))))))))))))))))))))))))))
.

2008-08-17 15:00 . 2008-08-17 15:00 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-17 14:56 . 2008-08-15 21:15 <DIR> d-------- C:\SDFix
2008-08-16 16:40 . 2008-08-16 16:40 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-15 09:41 . 2008-08-15 09:41 <DIR> d-------- C:\_OTMoveIt
2008-08-14 06:54 . 2008-05-01 07:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-13 18:15 . 2008-08-13 18:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-13 16:16 . 2008-08-13 16:16 <DIR> d-------- C:\Documents and Settings\NORT\Application Data\Malwarebytes
2008-08-13 16:15 . 2008-08-13 16:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-12 21:15 . 2008-08-12 21:15 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-12 03:40 . 2008-08-12 03:40 746 --a------ C:\WINDOWS\win.ini
2008-08-11 11:36 . 2008-08-11 11:36 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-08-11 03:06 . 2008-08-11 03:06 106 --a------ C:\Documents and Settings\NORT\Application Data\netstat.bat
2008-08-10 21:25 . 2008-07-18 01:26 68,912 --a------ C:\WINDOWS\system32\drivers\sbapifs.sys
2008-08-10 21:25 . 2008-07-18 01:26 13,360 --a------ C:\WINDOWS\system32\drivers\sbaphd.sys
2008-08-10 21:16 . 2008-08-10 21:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt
2008-08-10 21:13 . 2008-04-28 14:48 202,160 --a------ C:\WINDOWS\system32\drivers\sbtis.sys
2008-08-10 15:51 . 2008-08-10 15:51 58 ---hs---- C:\WINDOWS\system32\User.ini
2008-08-08 21:43 . 2008-08-08 21:43 0 --a------ C:\CWSDPMI.SWP
2008-08-08 21:37 . 2008-05-06 16:49 428,904 --a------ C:\WINDOWS\system32\Incinerator.dll
2008-08-08 21:37 . 2006-07-24 18:51 9,341 --a------ C:\WINDOWS\system32\drivers\filedisk.sys
2008-07-24 18:55 . 2008-03-21 13:57 14,640 --------- C:\WINDOWS\system32\spmsgXP_2k3.dll
2008-07-24 18:55 . 2008-07-24 18:55 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-07-24 18:55 . 2008-07-24 18:55 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2008-07-21 22:01 . 2008-07-21 22:01 59,176 --a------ C:\WINDOWS\system32\sbbd.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-11 22:08 47,360 ----a-w C:\Documents and Settings\NORT\Application Data\pcouffin.sys
2008-08-09 05:24 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-08-09 05:24 4,224 ----a-w C:\WINDOWS\system32\dllcache\beep.sys
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-06-30 20:17 --------- d-----w C:\Program Files\DVDFab 5
2008-06-24 17:57 3,592,192 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:23 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-17 02:21 29,696 ----a-w C:\WINDOWS\system32\iolobtdfg.exe
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-06 23:55 8,704 ----a-w C:\WINDOWS\system32\smrgdf.exe
2006-10-27 18:03 81,920 ----a-w C:\Documents and Settings\NORT\Application Data\ezpinst.exe
2001-08-18 12:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 07:56 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 07:56 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-04 07:56 343,040 --sha-w C:\WINDOWS\system32\msvcrt.dll
2004-08-04 07:56 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
2004-08-04 07:56 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 07:56 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
.

((((((((((((((((((((((((((((( [email protected]_ 6.40.57.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 23:27:04 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-08-17 22:01:06 8,290,304 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-08-17 22:01:06 557,056 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 23:27:04 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-08-17 22:00:56 8,290,304 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2008-08-17 22:00:56 557,056 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2008-07-19 14:43:08 1,163,960 ----a-w C:\WINDOWS\system32\aswBoot.exe
+ 2008-07-19 14:30:54 94,392 ----a-w C:\WINDOWS\system32\AvastSS.scr
+ 2008-07-19 14:32:16 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
+ 2008-07-19 14:37:42 20,560 ----a-w C:\WINDOWS\system32\drivers\aswFsBlk.sys
+ 2008-01-17 16:34:02 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
+ 2008-07-19 14:37:22 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
+ 2008-07-19 14:33:42 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
+ 2008-07-19 14:35:18 78,416 ----a-w C:\WINDOWS\system32\drivers\aswSP.sys
+ 2008-07-19 14:32:36 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
+ 2008-08-17 22:23:04 16,384 ----a-w C:\WINDOWS\temp\Perflib_Perfdata_5b8.dat
.
((((((((((((((((((((((((((((((((((((((( System Restore )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\_OTMoveIt\MovedFiles\08152008_094116\WINDOWS\system32\sobicyt.exe
{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002578.exe

C:\_OTMoveIt\MovedFiles\08152008_094116\WINDOWS\system32\tdxdowkc.exe
{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002579.exe

2004-08-04 00:56 25600 C:\Documents and Settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2004-08-04 00:56 25600 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP7\A0001268.dll
2004-08-04 00:56 25600 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP9\A0001502.dll

C:\Documents and Settings\NORT\Application Data\inst.exe
2008-08-11 15:08 87608 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP9\A0001445.exe

C:\kmd.exe
2004-08-04 00:56 388608 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP9\A0001439.exe

2008-08-17 15:23 188600 C:\Program Files\Alwil Software\Avast4\DATA\aswar0.dll
2008-08-16 19:17 188600 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002560.dll
2008-08-17 15:09 188600 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP11\A0002725.dll

2008-08-17 15:23 391216 C:\Program Files\Alwil Software\Avast4\DATA\clnr0.dll
2008-08-16 19:17 391216 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002558.dll
2008-08-17 15:09 391216 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP11\A0002723.dll

2008-08-17 15:23 9080 C:\Program Files\Alwil Software\Avast4\DATA\exts0.dll
2008-08-16 19:17 9080 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002559.dll
2008-08-17 15:09 9080 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP11\A0002724.dll

C:\Program Files\Common Files\Authentium\AntiVirus\csav.exe
2007-07-09 12:53 136456 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001119.exe

C:\Program Files\Common Files\Authentium\AntiVirus\Css-Dvp.sys
2007-07-09 12:01 834448 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001125.sys

C:\Program Files\Common Files\Authentium\AntiVirus\css3rde.dll
2007-07-09 12:54 161032 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001121.dll

C:\Program Files\Common Files\Authentium\AntiVirus\css3rdem.dll
2007-07-09 12:54 161032 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001118.dll

C:\Program Files\Common Files\Authentium\AntiVirus\csscan32.dll
2007-07-09 12:54 750856 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001120.dll

C:\Program Files\Common Files\Authentium\AntiVirus\defvn.dll
2008-08-09 13:41 8664 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001123.dll

C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
2007-07-09 12:54 177416 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP7\A0001258.exe

C:\Program Files\Common Files\Authentium\AntiVirus\dvpmgr.exe
{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001127.exe

C:\WINDOWS\inf\_000000_.tmp.dll
2008-06-20 10:55 926 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001128.dll

C:\Program Files\Common Files\Authentium\AntiVirus\odapi.dll
2007-07-09 12:54 353544 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001122.dll

2008-05-01 07:30 331776 C:\Program Files\Common Files\System\msadc\msadce.dll
2004-08-04 00:56 331776 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001191.dll

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
2007-06-11 01:25 6731312 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP2\A0000008.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgasc64.sys
2007-05-30 04:10 14072 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP2\A0000014.sys

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgascln.sys
2007-05-30 04:10 10872 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP2\A0000009.sys

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll
2007-05-30 04:29 144944 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP2\A0000013.dll

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context64.dll
2007-05-30 04:29 261680 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP2\A0000016.dll

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\engine.dll
2007-06-07 02:49 448048 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP3\A0000024.dll

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
2007-05-30 04:31 312880 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP2\A0000011.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
2007-05-30 04:10 11000 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP2\A0000012.sys

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard64.sys
2007-05-30 04:10 12024 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP2\A0000015.sys

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll
2007-05-30 04:29 79408 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP3\A0000025.dll

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook64.dll
2007-05-30 04:29 126512 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP2\A0000017.dll

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
2008-02-04 20:59 475893 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP2\A0000018.exe

2008-06-23 02:20 625664 C:\Program Files\Internet Explorer\iexplore.exe
2008-04-22 00:40 625664 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001156.EXE

2008-06-23 02:20 625664 C:\Program Files\Internet Explorer\iexplore.exe
2008-04-22 00:40 625664 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001224.exe

C:\Program Files\LimeWire\.NetworkShare\LimeWireWin4.8.1.exe
2006-11-29 18:31 2314920 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP3\A0000069.exe

C:\Program Files\LimeWire\GenericWindowsUtils.dll
2005-03-09 11:49 12279 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP3\A0000070.dll

C:\Program Files\LimeWire\LimeWire.exe
2005-03-09 11:49 81920 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP3\A0000071.exe

C:\Program Files\LimeWire\LimeWire20.dll
2005-03-09 11:49 32768 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP3\A0000073.dll

C:\Program Files\LimeWire\uninstall.exe
2008-01-09 18:44 109826 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP3\A0000079.exe

C:\Program Files\LimeWire\WindowsV5PlusUtils.dll
2005-03-09 11:49 12808 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP3\A0000077.dll

C:\Program Files\Malwarebytes' Anti-Malware\mbam.dll
2008-07-30 20:07 61048 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002616.dll

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
2008-07-30 20:07 1187448 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002614.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
2008-07-30 20:07 73336 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002619.dll

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
2008-07-30 20:07 110200 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002608.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamtrayctrl.exe
2008-07-30 20:07 372344 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002609.exe

C:\Program Files\Malwarebytes' Anti-Malware\SSUBTMR6.DLL
2008-07-30 20:07 44664 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002611.DLL

C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe
2008-08-13 16:15 688760 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002617.exe

C:\Program Files\Malwarebytes' Anti-Malware\ZLIB.DLL
2008-07-30 20:07 77944 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002612.DLL

C:\Program Files\Sunbelt Software\VIPRE\Definitions\libRar.dll
2008-08-08 04:26 271656 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP3\A0000035.dll

C:\Program Files\Sunbelt Software\VIPRE\Definitions\libZip.dll
2008-08-08 04:26 218408 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP3\A0000036.dll

C:\Program Files\Sunbelt Software\VIPRE\Definitions\remediation.dll
2008-08-08 04:27 267560 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP3\A0000041.dll

C:\Program Files\Sunbelt Software\VIPRE\Definitions\vcore.dll
2008-08-08 04:27 1008936 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP3\A0000044.dll

C:\Program Files\Sunbelt Software\VIPRE\Drivers\amd64\sbapifs.sys
2008-07-18 01:26 62000 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001343.sys

C:\Program Files\Sunbelt Software\VIPRE\Drivers\amd64\SBTIS.sys
2008-04-28 14:48 81968 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001342.sys

C:\Program Files\Sunbelt Software\VIPRE\Drivers\i386\sbaphd.sys
2008-07-18 01:26 13360 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001377.sys

C:\Program Files\Sunbelt Software\VIPRE\Drivers\i386\sbapifs.sys
2008-07-18 01:26 68912 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001376.sys

C:\Program Files\Sunbelt Software\VIPRE\Drivers\i386\sbapifsl.sys
2008-07-18 01:26 77488 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001375.sys

C:\Program Files\Sunbelt Software\VIPRE\Drivers\i386\SBTIS.sys
2008-04-28 14:48 202160 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001374.sys

C:\Program Files\Sunbelt Software\VIPRE\Eraser.dll
2007-09-19 13:40 634880 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001337.dll

C:\Program Files\Sunbelt Software\VIPRE\MIMEPP.DLL
2008-05-12 22:33 212992 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001338.DLL

C:\Program Files\Sunbelt Software\VIPRE\oecom.dll
2007-11-06 18:08 503808 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001367.dll

C:\Program Files\Sunbelt Software\VIPRE\oehook.dll
2007-11-06 18:08 106496 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001354.dll

C:\Program Files\Sunbelt Software\VIPRE\oestore.dll
2007-11-06 18:08 327680 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001344.dll

C:\Program Files\Sunbelt Software\VIPRE\SBAMCreateRestore.exe
2008-07-21 22:02 439592 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001323.exe

C:\Program Files\Sunbelt Software\VIPRE\SBAMOutlook.dll
2008-07-21 22:02 345384 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001327.dll

C:\Program Files\Sunbelt Software\VIPRE\SBAMRes.dll
2008-07-21 22:02 3622184 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001352.dll

C:\Program Files\Sunbelt Software\VIPRE\SBAMSafeModeUI.exe
2008-07-21 22:02 804136 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001324.exe

C:\Program Files\Sunbelt Software\VIPRE\SBAMScanShellExt.dll
2008-07-21 22:02 234792 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001339.dll

C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
2008-07-21 22:01 849192 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001325.exe

C:\Program Files\Sunbelt Software\VIPRE\SBAMSvcPS.dll
2008-07-21 22:01 79144 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001340.dll

C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
2008-07-21 22:02 935208 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001351.exe

C:\Program Files\Sunbelt Software\VIPRE\sbamui.exe
2008-07-21 22:02 1996072 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001334.exe

C:\Program Files\Sunbelt Software\VIPRE\sbamwsc.exe
2008-07-21 22:02 435496 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001336.exe

C:\Program Files\Sunbelt Software\VIPRE\SBAP.DLL
2008-07-21 22:01 554280 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001364.DLL

C:\Program Files\Sunbelt Software\VIPRE\SBArva.dll
2008-07-21 22:02 206120 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001362.dll

C:\Program Files\Sunbelt Software\VIPRE\SBFE.DLL
2008-07-21 22:02 238888 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001361.DLL

C:\Program Files\Sunbelt Software\VIPRE\SBRC.EXE
2008-07-21 22:01 197928 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001341.EXE

C:\Program Files\Sunbelt Software\VIPRE\SBRE.dll
2008-07-21 22:01 242984 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001360.dll

C:\Program Files\Sunbelt Software\VIPRE\SBSDKXML.DLL
2008-07-21 22:01 636200 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001353.DLL

C:\Program Files\Sunbelt Software\VIPRE\SBTE.DLL
2008-07-21 22:01 1142568 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001359.DLL

C:\Program Files\Sunbelt Software\VIPRE\SBTIS.DLL
2008-07-21 22:02 83240 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001349.DLL

C:\Program Files\Sunbelt Software\VIPRE\SBTISinstaller.exe
2008-07-21 22:02 58664 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001333.exe

C:\Program Files\Sunbelt Software\VIPRE\SpursDownload.dll
2008-07-21 22:01 140584 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001345.dll

C:\Program Files\Sunbelt Software\VIPRE\unrar.dll
2005-12-22 17:28 160768 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001347.dll

C:\Program Files\Sunbelt Software\VIPRE\VIPRE.DLL
2008-06-05 11:26 271656 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001348.DLL

C:\Program Files\Viewpoint\Common\ViewpointService.exe
2007-01-04 13:38 24652 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001091.exe

C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
2007-01-05 08:32 254022 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001101.dll

C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentMgr_0305001C.dll
2007-09-02 14:16 217158 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001097.dll

C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Cursors.dll
2007-09-02 14:17 36864 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001109.dll

C:\Program Files\Viewpoint\Viewpoint Media Player\Components\JpegReader.dll
2007-09-02 14:16 122927 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001112.dll

C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Mts3Reader.dll
2007-11-12 14:21 204868 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001107.dll

C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SceneComponent.dll
2007-10-05 22:46 1282120 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001108.dll

C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SreeDMMX.dll
2007-11-12 14:21 774210 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001106.dll

C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SWFView.dll
2007-09-02 14:16 643116 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001111.dll

C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMgr.dll
2007-09-02 14:16 41024 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001113.dll

C:\Program Files\Viewpoint\Viewpoint Media Player\Components\ZoomView.dll
2007-09-02 14:16 208941 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001110.dll

C:\Program Files\Viewpoint\Viewpoint Media Player\DownloadedComponents\VMgr_Win\Exec.exe
2007-09-02 14:16 256248 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001102.exe

C:\Program Files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
2007-01-18 07:53 98304 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001099.exe

C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\VMPVideo.dll
2007-12-08 21:00 647234 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001104.dll

C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\VMPVideo2.dll
2007-12-08 21:00 770115 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001103.dll

C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\WaveletReader.dll
2007-12-08 21:00 53298 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001105.dll

C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
2007-01-05 08:31 180293 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001095.dll

C:\SDFix\attrib.exe
2001-08-18 05:00 11264 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002670.exe

C:\SDFix\backupreg\AppInit_DLLs.reg
2008-08-17 15:01 74 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002662.reg

C:\SDFix\backupreg\bat_shell_open.reg
2008-08-17 15:01 204 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002655.reg

C:\SDFix\backupreg\BHO.reg
2008-08-17 15:01 888 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002644.reg

C:\SDFix\backupreg\com_shell_open.reg
2008-08-17 15:01 204 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002656.reg

C:\SDFix\backupreg\ControlPanel_Load.reg
2008-08-17 15:01 29804 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002661.reg

C:\SDFix\backupreg\Drivers32.reg
2008-08-17 15:01 3370 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002640.reg

C:\SDFix\backupreg\exe_shell_open.reg
2008-08-17 15:01 204 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002651.reg

C:\SDFix\backupreg\HKCU_SOFTWARE_Policy.reg
2008-08-17 15:01 5068 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002658.reg

C:\SDFix\backupreg\HKCU_WINDOWS_Policy.reg
2008-08-17 15:01 2464 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002660.reg

C:\SDFix\backupreg\HKCURun.reg
2008-08-17 15:01 312 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002649.reg

C:\SDFix\backupreg\HKCURunServices.reg
2008-08-17 15:01 228 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002650.reg

C:\SDFix\backupreg\HKLM_SOFTWARE_Policy.reg
2008-08-17 15:01 118774 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002657.reg

C:\SDFix\backupreg\HKLM_WINDOWS_Policy.reg
2008-08-17 15:01 3256 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002659.reg

C:\SDFix\backupreg\HKLMRun.reg
2008-08-17 15:01 2018 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002647.reg

C:\SDFix\backupreg\HKLMRunServices.reg
2008-08-17 15:01 230 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002648.reg

C:\SDFix\backupreg\IEDesktop.reg
2008-08-17 15:01 4676 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002646.reg

C:\SDFix\backupreg\IEMain.reg
2008-08-17 15:01 6436 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002645.reg

C:\SDFix\backupreg\Installed_Components.reg
2008-08-17 15:01 33834 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002643.reg

C:\SDFix\backupreg\pif_shell_open.reg
2008-08-17 15:01 204 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002654.reg

C:\SDFix\backupreg\reg_shell_open.reg
2008-08-17 15:01 222 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002653.reg

C:\SDFix\backupreg\SecurityProviders.reg
2008-08-17 15:01 8002 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002642.reg

C:\SDFix\backupreg\SharedTaskScheduler.reg
2008-08-17 15:01 546 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002665.reg

C:\SDFix\backupreg\ShellServiceObjectDelayLoad.reg
2008-08-17 15:01 816 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002666.reg

C:\SDFix\backupreg\SubSystems.reg
2008-08-17 15:01 4846 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002641.reg

C:\SDFix\backupreg\txt_shell_open.reg
2008-08-17 15:01 668 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002652.reg

C:\SDFix\backupreg\Winlogon.reg
2008-08-17 15:01 29912 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002663.reg

C:\SDFix\backupreg\WinlogonNotify.reg
2008-08-17 15:01 19344 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002664.reg

C:\SDFix\dummy.exe
2008-08-07 16:27 6656 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002667.exe

C:\SDFix\Find.exe
2001-08-18 05:00 9216 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002668.exe

C:\SDFix\findstr.exe
2004-08-04 00:56 27136 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002669.exe

C:\SDFix\regedit.exe
2004-08-04 00:56 146432 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002671.exe

C:\SDFix\userinfix.reg
2008-08-17 15:05 169 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002672.reg

C:\WINDOWS\_000000_.tmp.dll
2008-03-20 18:06 9452 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP3\A0000022.dll

C:\WINDOWS\_000005_.tmp.dll
2008-04-11 12:18 12431 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001130.dll
2008-06-24 10:04 12431 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001205.dll

C:\WINDOWS\_000048_.tmp.dll
2008-06-26 11:16 32215 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001134.dll

C:\WINDOWS\CDProxyServ.exe
{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP9\A0001507.exe

C:\WINDOWS\inf\_000000_.tmp.dll
2008-04-11 12:07 871 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001133.dll
2008-06-23 11:21 926 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001203.dll

C:\WINDOWS\system32\$sys$caj.dll
{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002573.dll

C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP9\A0001506.exe

C:\WINDOWS\system32\$sys$filesystem\oct.sys
{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002590.sys

C:\WINDOWS\system32\_000004_.tmp.dll
2007-11-30 05:39 17272 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001129.dll
2007-11-30 05:39 17272 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001204.dll

C:\WINDOWS\system32\_reproxy.dll
{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP9\A0001444.dll

2008-06-23 09:57 124928 C:\WINDOWS\system32\advpack.dll
2008-04-22 21:16 124928 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001155.dll
2008-04-22 21:16 124928 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001223.dll

C:\WINDOWS\system32\AFinding.exe
{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP2\A0000003.exe
2001-08-18 05:00 34816 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP7\A0001255.exe

C:\WINDOWS\system32\beauty.exe
{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002576.exe

C:\WINDOWS\system32\cfexfst.sys
{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002577.sys

C:\WINDOWS\system32\comsa32.sys
2001-08-18 05:00 7 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP2\A0000002.sys
2001-08-18 05:00 11 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP7\A0001254.sys

2008-06-23 09:57 124928 C:\WINDOWS\system32\dllcache\advpack.dll
2008-04-22 21:16 124928 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001187.dll

2008-06-23 09:57 347136 C:\WINDOWS\system32\dllcache\dxtmsft.dll
2008-04-22 21:16 347136 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001186.dll

2008-06-23 09:57 214528 C:\WINDOWS\system32\dllcache\dxtrans.dll
2008-04-22 21:16 214528 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001185.dll

2008-06-23 09:57 133120 C:\WINDOWS\system32\dllcache\extmgr.dll
2008-04-22 21:16 133120 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001184.dll

2008-06-23 09:57 63488 C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-22 21:16 63488 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001183.dll

2008-06-23 02:20 70656 C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 00:39 70656 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001182.exe

2008-06-23 09:57 153088 C:\WINDOWS\system32\dllcache\ieakeng.dll
2008-04-22 21:16 153088 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001181.dll

2008-06-23 09:57 230400 C:\WINDOWS\system32\dllcache\ieaksie.dll
2008-04-22 21:16 230400 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001180.dll

2008-06-20 22:23 161792 C:\WINDOWS\system32\dllcache\ieakui.dll
2008-04-19 22:07 161792 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001179.dll

2008-06-23 09:57 383488 C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-22 21:16 383488 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001178.dll

2008-06-23 09:57 384512 C:\WINDOWS\system32\dllcache\iedkcs32.dll
2008-04-22 21:16 384512 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001177.dll

2008-06-23 09:57 6066176 C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-22 21:16 6066176 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001176.dll

2008-06-23 09:57 44544 C:\WINDOWS\system32\dllcache\iernonce.dll
2008-04-22 21:16 44544 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001175.dll

2008-06-23 09:57 267776 C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-22 21:16 267776 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001174.dll

2008-06-23 02:20 13824 C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-22 00:39 13824 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001173.exe

2008-06-23 02:20 625664 C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 00:40 625664 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001172.exe

2008-04-11 11:50 683520 C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-20 23:15 683520 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001132.dll

2008-06-23 09:57 27648 C:\WINDOWS\system32\dllcache\jsproxy.dll
2008-04-22 21:16 27648 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001170.dll

2008-06-23 09:57 459264 C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-22 21:16 459264 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001169.dll

2008-06-23 09:57 52224 C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-22 21:16 52224 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001168.dll

2008-06-24 10:57 3592192 C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-23 22:16 3591680 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001167.dll

2008-06-23 09:57 477696 C:\WINDOWS\system32\dllcache\mshtmled.dll
2008-04-22 21:16 478208 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001166.dll

2008-06-23 09:57 193024 C:\WINDOWS\system32\dllcache\msrating.dll
2008-04-22 21:16 193024 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001165.dll

2008-06-23 09:57 671232 C:\WINDOWS\system32\dllcache\mstime.dll
2008-04-22 21:16 671232 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001164.dll

2008-06-23 09:57 102912 C:\WINDOWS\system32\dllcache\occache.dll
2008-04-22 21:16 102912 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001163.dll

2008-06-23 09:57 44544 C:\WINDOWS\system32\dllcache\pngfilt.dll
2008-04-22 21:16 44544 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001162.dll

2008-06-23 09:57 105984 C:\WINDOWS\system32\dllcache\url.dll
2008-04-22 21:16 105984 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001161.dll

2008-06-23 09:57 1159680 C:\WINDOWS\system32\dllcache\urlmon.dll
2008-04-22 21:16 1159680 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001160.dll

2008-06-23 09:57 233472 C:\WINDOWS\system32\dllcache\webcheck.dll
2008-04-22 21:16 233472 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001159.dll

2008-06-23 09:57 826368 C:\WINDOWS\system32\dllcache\wininet.dll
2008-04-22 21:16 826368 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001158.dll

C:\WINDOWS\system32\downer.exe
{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002574.exe

C:\WINDOWS\system32\drivers\$sys$cor.sys
{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002571.sys

C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-30 04:10 10872 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP2\A0000007.sys

C:\WINDOWS\system32\drivers\mbam.sys
2008-07-30 20:07 17144 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002607.sys

C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-30 20:07 38472 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002613.sys

2008-07-18 01:26 13360 C:\WINDOWS\system32\drivers\sbaphd.sys
2008-07-18 01:26 13360 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001294.sys
2008-07-18 01:26 13360 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001314.sys

C:\WINDOWS\system32\dwbin.exe



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:31, on 2008-08-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ub...s/GSManager.cab
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - Unknown owner - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Unknown owner - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe (file missing)
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Sunbelt VIPRE Antivirus Service (SBAMSvc) - Unknown owner - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 5132 bytes
  • 0

#19
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,991 posts
Hello Raider 1,

Getting there. :) Next move.

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\WINDOWS\_000000_.tmp.dll
C:\WINDOWS\_000005_.tmp.dll
C:\WINDOWS\_000048_.tmp.dll
C:\WINDOWS\inf\_000000_.tmp.dll
C:\WINDOWS\system32\_000004_.tmp.dll
C:\WINDOWS\system32\AFinding.exe
C:\WINDOWS\system32\beauty.exe
C:\WINDOWS\system32\cfexfst.sys
C:\WINDOWS\system32\comsa32.sys
C:\WINDOWS\system32\downer.exe
C:\WINDOWS\system32\dwbin.exe

Driver::
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Unknown owner - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe (file missing)
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe (file missing)
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe (file missing)
O23 - Service: Sunbelt VIPRE Antivirus Service (SBAMSvc) - Unknown owner - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe (file missing)


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Lastly

Kaspersky only works if you are using Internet Explorer.

Please do an online scan with Kaspersky WebScanner.

Click on the Kaspersky Online Scanner button. A box will come up; click Accept. This will allow it to install an ActiveX component and download its latest anti-virus database. (Note: it may take a couple of minutes)

  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    * Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    * Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    * Now click on the Save as Text button:
  • Save the file to your desktop.
Copy and paste that information in your next post. Also tell me how your computer is running.

So when you come back please post
  • ComboFix report
  • Kaspersky scan results

  • 0

#20
Raider 1

Raider 1

    Member

  • Topic Starter
  • Member
  • 24 posts
Hello emeraldnzl, I no longer use iolo, Kaspersky, Authentium, Sunbelt VIPRE or Malwarebytes. They were uninstalled, supposedly. Vipre keeps trying to install itself when I click on certain icons...and my wastebasket won't empty. It always asks me if I want to delete "windows". I am currently using avast antispyware\antivirus. When I first installed it, it found 8 malwares and 3 or 4 of those were rootkits. Any further instructions, or would you like me to continue with the last one?
  • 0

#21
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,991 posts
Hi Raider 1,

Thanks for the update.

Please proceed with the instructions in my last post.

We need to cover that ground to ensure those ones aren't left.

The Kaspersky scan will also help us identify what else might be there.

regards
emeraldnzl
  • 0

#22
Raider 1

Raider 1

    Member

  • Topic Starter
  • Member
  • 24 posts
Sorry I didn't get back sooner...had a hiccup connecting.

ComboFix 08-08-18.01 - NORT 2008-08-18 19:51:12.9 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.286 [GMT -7:00]
Running from: C:\Documents and Settings\NORT\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\NORT\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\_000000_.tmp.dll
C:\WINDOWS\_000005_.tmp.dll
C:\WINDOWS\_000048_.tmp.dll
C:\WINDOWS\inf\_000000_.tmp.dll
C:\WINDOWS\system32\_000004_.tmp.dll
C:\WINDOWS\system32\AFinding.exe
C:\WINDOWS\system32\beauty.exe
C:\WINDOWS\system32\cfexfst.sys
C:\WINDOWS\system32\comsa32.sys
C:\WINDOWS\system32\downer.exe
C:\WINDOWS\system32\dwbin.exe
.



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, August 19, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, August 19, 2008 03:54:19
Records in database: 1108566
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
G:\

Scan statistics:
Files scanned: 74927
Threat name: 3
Infected objects: 2
Suspicious objects: 1
Duration of the scan: 01:57:14


File name / Threat name / Threats count
C:\Documents and Settings\NORT\Local Settings\Application Data\Microsoft\Outlook\archive.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\NORT\Local Settings\temp\Av-test.txt Infected: EICAR-Test-File 1
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP3\A0001063.exe Infected: Trojan.Win32.Agent.zaz 1

The selected area was scanned.
  • 0

#23
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,991 posts
Hello Raider 1,

Much better now.

Vipre keeps trying to install itself when I click on certain icons...and my wastebasket won't empty


I am not sure which version of Vipre you had. Below is a link I found to Sunbelt that has instructions for manual removal of Vipre 3.

http://beta.sunbelt-...opic.php?t=7702

If that doesn't work you could always do a search of your computer for Vipre and delete any associated folders/files you find.

Now

Please right-click Start > Explore, navigate to C:\Documents and Settings\NORT\Local Settings\Application Data\Microsoft\Outlook\archive.pst and delete it.

Next

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

That should take care of your waste basket.

Lastly in this post

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

Driver::
CD_Proxy
dvpapi
ioloFileInfoList
ioloSystemService
SBAMSvc


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.

So when you come back please post
  • ComboFix text
  • a new HijackThis log
  • and tell me how your computer is running now

  • 0

#24
Raider 1

Raider 1

    Member

  • Topic Starter
  • Member
  • 24 posts
I do have a warning about a corrupt file popping up, but the computer seems to be running much better.


ComboFix 08-08-21.02 - NORT 2008-08-22 7:26:01.10 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.247 [GMT -7:00]
Running from: C:\Documents and Settings\NORT\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\NORT\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:47, on 2008-08-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ub...s/GSManager.cab
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - Unknown owner - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Unknown owner - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe (file missing)
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 5485 bytes
  • 0

#25
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,991 posts
Hello Raider 1,

Pretty much there now. Just a few bits and pieces.

We need to get rid of some of the services still registered on your machine. To do this, copy (Ctrl+C) and paste (Ctrl+V) the text in the code box below to Notepad.

@echo off
sc stop $sys$DRMServer
sc stop CD_Proxy
sc stop dvpapi
sc stop ioloFileInfoList
sc stop ioloSystemService
sc delete $sys$DRMServer
sc delete CD_Proxy
sc delete dvpapi
sc delete ioloFileInfoList
sc delete ioloSystemService
exit

Save it to your desktop as File name: Service.cmd
Save as type: All Files

Once done, double click Service.cmd to run it. A command window will open briefly, then close. This is quite normal.

Please post a fresh HijackThis log.
  • 0
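As an added example (not the instructor's script and not part of the original thread), here is a small Python parser that picks out the O23 service entries HijackThis marks "(file missing)" and drafts the same stop/delete commands as the Service.cmd above, without running anything. The sample lines are the O23 entries copied from the HijackThis log posted earlier in this thread.

```python
"""Flag orphaned services in a HijackThis log.

HijackThis marks an O23 service whose binary is absent with "(file missing)".
Those leftover registrations are what the instructor removes with
"sc stop" / "sc delete". This parser finds them and drafts the same commands;
it only produces text and never touches the service database.
"""
import re
from dataclasses import dataclass
from typing import List

# O23 - Service: <display name> (<service name>) - <owner> - <image path> [(file missing)]
# The "(service name)" part is absent when the display name is the service name.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


@dataclass
class Service:
    display: str
    name: str      # short name, the one sc.exe expects
    owner: str
    path: str
    missing: bool  # True when HijackThis reported "(file missing)"


def parse_o23(log_text: str) -> List[Service]:
    """Return every O23 entry in a HijackThis log as a Service record."""
    services = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue  # not an O23 line (R0/R1/O2/O4/... are ignored here)
        services.append(Service(
            display=m.group("display"),
            name=m.group("name") or m.group("display"),
            owner=m.group("owner"),
            path=m.group("path"),
            missing=m.group("missing") is not None,
        ))
    return services


def orphaned_services(log_text: str) -> List[str]:
    """Short names of services whose binary HijackThis reports as missing."""
    return [s.name for s in parse_o23(log_text) if s.missing]


def sc_cleanup_script(names: List[str]) -> str:
    """Draft a Service.cmd like the one in the thread: stop all, then delete all."""
    lines = ["@echo off"]
    lines += [f"sc stop {n}" for n in names]
    lines += [f"sc delete {n}" for n in names]
    lines.append("exit")
    return "\n".join(lines) + "\n"


# O23 lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - Unknown owner - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Unknown owner - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe (file missing)
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe (file missing)
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe (file missing)
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
"""

if __name__ == "__main__":
    orphans = orphaned_services(SAMPLE_LOG)
    print("Orphaned services:", ", ".join(orphans))
    print(sc_cleanup_script(orphans))
```

Run on the log above it lists the same five services the instructor's Service.cmd stops and deletes; the two avast! entries and the HP driver, whose binaries exist, are left alone.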

#26
Raider 1

Raider 1

    Member

  • Topic Starter
  • Member
  • 24 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:14, on 2008-08-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ub...s/GSManager.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 4954 bytes
  • 0
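An added example, not code from this thread or from the HijackThis tool: a small Python triage script for the O4 (autoruns), O9 (IE buttons and menu items), O16 (web-installed ActiveX controls) and O23 (services) lines in the log above. It parses each line and flags the patterns a helper looks at first: an autorun or service living in a user-writable folder such as Application Data or Temp (where the netstat.bat emeraldnzl asked to have scanned sits), an autorun that is a script rather than a binary, an O9 entry whose target is "(no file)", and every web-installed ActiveX control together with the host it came from. The sample log is constructed to mirror the entries above; the [netstat] autorun and the last O23 service are invented illustrations, and the list of user-writable locations is an assumption to extend.

```python
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the HijackThis log above. The [netstat]
# autorun and the last O23 service are invented illustrations of what a
# suspicious entry looks like, not findings from the original machine.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [netstat] C:\Documents and Settings\NORT\Application Data\netstat.bat
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.example.test/MySpaceUploader1006.cab
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Network Helper (nethlp) - Unknown owner - C:\WINDOWS\Temp\nethlp.exe
"""

# One regex per HijackThis section handled here.
O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): (?P<rest>.*)$")
O9_RE = re.compile(r"^O9 - (?P<kind>[^:]+): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")

# Folders an ordinary user can write to without admin rights (assumed list).
# Persistence from here is not proof of malware, but it is where droppers land.
USER_WRITABLE_RE = re.compile(
    r"\\(Application Data|Local Settings|Temp|AppData|Documents and Settings\\[^\\]+)\\", re.I)
# Autoruns that are scripts rather than compiled binaries deserve a look.
SCRIPT_EXT_RE = re.compile(r"\.(bat|cmd|vbs|js|scr|pif)\b", re.I)


def parse_line(line):
    """Return (section, fields) for a handled HijackThis line, else None."""
    if m := O4_RE.match(line):
        rest = m["rest"]
        if rest.startswith("["):                 # [name] command
            name, _, cmd = rest[1:].partition("] ")
        else:                                    # shortcut.lnk = target
            name, _, cmd = rest.partition(" = ")
        return "O4", {"location": m["loc"], "name": name, "command": cmd}
    if m := O9_RE.match(line):
        return "O9", m.groupdict()
    if m := O16_RE.match(line):
        return "O16", m.groupdict()
    if m := O23_RE.match(line):
        return "O23", m.groupdict()
    return None


def triage(log_text):
    """Parse a HijackThis log and return (section, reason, detail) findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or (parsed := parse_line(line)) is None:
            continue
        section, f = parsed
        if section == "O4":
            cmd = f["command"]
            if USER_WRITABLE_RE.search(cmd):
                findings.append((section, "autorun from user-writable path", f"{f['name']} -> {cmd}"))
            if SCRIPT_EXT_RE.search(cmd):
                findings.append((section, "autorun is a script, not a binary", f"{f['name']} -> {cmd}"))
        elif section == "O9":
            if f["target"] == "(no file)":
                findings.append((section, "orphaned IE button/menu entry, target missing", f"{f['name']} {f['clsid']}"))
        elif section == "O16":
            host = urlsplit(f["url"]).hostname or "?"
            findings.append((section, "ActiveX control installed from the web; remove if unrecognised", f"{f['name']} from {host}"))
        elif section == "O23":
            if f["vendor"] == "Unknown owner" or USER_WRITABLE_RE.search(f["path"]):
                findings.append((section, "service with no vendor or running from a writable path", f"{f['name']} -> {f['path']}"))
    return findings


if __name__ == "__main__":
    import sys
    # Pass a saved hijackthis.log as the first argument; otherwise use the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for section, reason, detail in triage(text):
        print(f"{section:4} {reason}: {detail}")
```

The flags are prompts for a human, not verdicts: a legitimate updater can run from Application Data, and a vendor-signed control from a known host is usually fine. The point is to pull the handful of entries worth checking (by uploading the file to a multi-engine scanner, as emeraldnzl did with netstat.bat) out of a log of a hundred lines.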

#27
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,991 posts
Hello Raider 1,

Congratulations you look clean to me. :)

You might try the Tech people if your corrupt file persists. Tell them you have been here and have a clearance from malware.

We have a couple of last steps to perform and then you're all set. :)

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U; it needs to be there.

  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it.
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
-------------------------------------------------------------------------------------------------------------------

Now that you are clean here are some things I think are worth having a look at:

-------------------------------------------------------------------------------------------------------------------

Check your Adobe Acrobat Reader; it may be out of date. Older versions are vulnerable to attack.

Please go to the link below to update.

http://www.adobe.com.../readstep2.html

---------------------------------------------------------------------------------------------------------------------

Be sure and give the Temp folders a cleaning out now and then. This helps with security and your computer will run more efficiently. I clean mine once a week. For ease of use, you might consider the following free program which works well with XP:

--------------------------------------------------------------------------------------------------------------------

A great way to check that your Microsoft and Java have the latest updates is to go to Software Inspector at Secunia.

I do this weekly. Not only do they tell you which programs need updating but they give you the link to follow.

To bolster your security go to Secunia.com to ensure essential programs are up to date.

---------------------------------------------------------------------------------------------------------------------

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Consider using an alternate browser. Mozilla's Firefox browser is excellent; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (Note: this is an added benefit!) that I have seen. Firefox is my default browser but I retain Internet Explorer as well so that I can access the very few sites that require it.

Firefox may be downloaded from Here

-----------------------------------------------------------------------------------------------------------------------

To help protect your computer in the future here are some free programs you can look at:

  • SUPERAntiSpyware Free for Home Users to detect and remove spyware.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

If your Microsoft Update is not working automatically, keep your operating system up to date by visiting Microsoft Windows Update monthly. And to keep your system clean run these free malware scanners weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Have a safe and happy computing day!
  • 0
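The HOSTS-file advice in the post above is worth pairing with a check that runs the other way, because tampering with the hosts file is exactly what a DNS changer does: instead of sending ad sites to 127.0.0.1, it points update and antivirus sites at loopback so they stop working, or points ordinary sites at an address the attacker controls. The following Python audit is an added example, not the MVPS file or code from this thread. It parses a hosts file, treats 127.0.0.1, 0.0.0.0 and ::1 as legitimate sinkholes, and reports the two things an MVPS-style block list never produces: a sinkholed entry for a protected vendor or update domain, and any entry that resolves a name to a non-sinkhole address. The sample hosts text, the attacker address (192.0.2.44, from the documentation range) and the list of protected domain suffixes are constructed assumptions; on XP the real file is C:\WINDOWS\system32\drivers\etc\hosts and can be passed as the first argument.

```python
import ipaddress
import sys

# Constructed sample hosts file: MVPS-style block entries plus two invented
# entries of the kind a hosts hijacker leaves behind. 192.0.2.44 is from the
# documentation address range, not a real attacker address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.test                    # block entry, 0.0.0.0 style
127.0.0.1       tracker.example.test www.tracker.example.test
192.0.2.44      www.google.com                      # hijack: real site sent elsewhere
127.0.0.1       windowsupdate.microsoft.com         # hijack: updates blackholed
"""

# Addresses a block list may legitimately point a name at.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}

# Vendor and update domains a block list has no business touching; any entry
# for these is a red flag. Assumed list, extend it for your environment.
PROTECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "google.com",
                      "avast.com", "symantec.com", "mcafee.com", "kaspersky.com")


def parse_hosts(text):
    """Yield (ip, hostname) for every mapping in hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))   # normalises the address text
        except ValueError:
            continue  # malformed line; a stricter audit would report it
        for name in parts[1:]:
            yield ip, name.lower()


def is_protected(name):
    """True if name is one of the protected domains or a subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text):
    """Split entries into block (expected), blackholed (protected name sent to a
    sinkhole) and redirect (any name sent to a non-sinkhole address)."""
    findings = {"block": [], "blackholed": [], "redirect": []}
    for ip, name in parse_hosts(text):
        if name in ("localhost", "localhost.localdomain"):
            continue
        if ip not in SINKHOLES:
            findings["redirect"].append((name, ip))
        elif is_protected(name):
            findings["blackholed"].append((name, ip))
        else:
            findings["block"].append((name, ip))
    return findings


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_HOSTS
    result = audit_hosts(text)
    print(f"{len(result['block'])} block entries (normal for an MVPS-style file)")
    for name, ip in result["blackholed"]:
        print(f"SUSPICIOUS protected site sinkholed: {name} -> {ip}")
    for name, ip in result["redirect"]:
        print(f"SUSPICIOUS redirect: {name} -> {ip}")
```

A hijacker that changes the configured DNS servers instead of the hosts file (the DNSChanger family named in this thread's title does this) leaves the hosts file clean, so also compare the DNS servers shown by ipconfig /all with what your ISP or router should be handing out.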

#28
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0