SurfSide Kick 3 and Trojans On My Laptop after being Hacked HELP PLeas

#61 bubbles4u35 (Topic Starter, Member, 42 posts)
Hi Rambro,
I am still experiencing popups. They are still freezing me up. Most are "visit our sponsors" or advertising casinos, and some just say "about blank". There are also a couple that ask me if I want to download something, which I immediately click No on and close out.
Thank You
Bubbles

#62 rambro (Member 1K, 1,383 posts)
Dear bubbles4u35, :whistling:

(Note: Please read through these instructions a couple of times before executing the steps in this post.)

You may want to print out these instructions or save them as a text file with "Notepad" to your desktop because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.
******************************

Download smitRem.exe (© noahdfear) and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop (in Internet Explorer, right click on Panda ActiveScan link select "Copy Shortcut" then right click on your desktop and select "Paste Shortcut" or in FireFox right-click the link and select "Save Link As" and save it to your desktop).

Please download the trial version of ewido anti-malware here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items and click FIX CHECKED:
===================================================
===================================================

Close HiJackThis.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive (e.g. Local Disk C:, or whichever partition your operating system is installed on). Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Close ewido anti-malware.

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut.
  • Once you are on the Panda site click the Scan your PC button.
  • A new window will open...click the Check Now button.
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When the download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.
Let us know if any problems persist.

#63 bubbles4u35 (Topic Starter, Member, 42 posts)
Hi Rambro,
I did as you instructed. Below are the reports you requested. I am experiencing the same problems as in my last post.
Thank You,
Bubbs



smitRem © log file
version 2.9

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
"IE"="6.0000"
The current date is: Fri 06/02/2006
The current time is: 22:37:32.57

Running from
C:\Documents and Settings\Ed\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
AlfaCleaner uninstaller NOT present
SpyFalcon uninstaller NOT present
SpywareQuake uninstaller NOT present
SpywareSheriff uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

amcompat.tlb
nscompat.tlb
taskdir.exe


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 692 'explorer.exe'
Killing PID 692 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :whistling:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:04:11 AM, 6/3/2006
+ Report-Checksum: 9B4DA4C7

+ Scan result:

:mozilla.26:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned with backup
:mozilla.86:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.87:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.90:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.91:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.108:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.118:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.119:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.121:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.122:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.123:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.124:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.125:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.126:C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.86:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.87:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.90:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.91:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Ed\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Ed\Cookies\[email protected][1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
C:\Documents and Settings\Ed\Cookies\ed@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Ed\Cookies\ed@popuptraffic[2].txt -> TrackingCookie.Popuptraffic : Cleaned with backup
C:\Documents and Settings\Ed\Cookies\ed@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup


::Report End

Incident Status Location

Adware:adware program Not disinfected c:\windows\system32\key.~
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Ed\Application Data\Sskuknwrd.dll
Adware:adware/windowenhancer Not disinfected c:\windows\system32\SBUtils
Adware:adware/commad Not disinfected Windows Registry
Adware:adware/dyfuca Not disinfected Windows Registry
Spyware:spyware/media-motor Not disinfected Windows Registry
Adware:adware/sqwire Not disinfected Windows Registry
Adware:adware/webhancer Not disinfected Windows Registry
Adware:Adware/EliteBar Not disinfected C:\!KillBox\unstall.exe
Adware:Adware/Deskwizz Not disinfected C:\!KillBox\VSL03.exe.tcf[VSL.dl_]
Adware:Adware/Deskwizz Not disinfected C:\!KillBox\VSL03.exe.tcf[auxe.exe]
Adware:Adware/Deskwizz Not disinfected C:\!KillBox\VSL05.exe[VSL.dl_]
Adware:Adware/Deskwizz Not disinfected C:\!KillBox\VSL05.exe[auxe.exe]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt[.atwola.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt[.fortunecity.com/]
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt[hc2.humanclick.com/hc/11199995]
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt[hc2.humanclick.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Ed\Cookies\[email protected][1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Ed\Cookies\[email protected][2].txt
Spyware:Cookie/nCase Not disinfected C:\Documents and Settings\Ed\Cookies\[email protected][1].txt
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\Ed\Cookies\[email protected][1].txt
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\Ed\Cookies\[email protected][2].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Ed\Cookies\ed@revenue[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Ed\Cookies\ed@zedo[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Ed\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Ed\Desktop\smitRem.exe[smitRem/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Ed\Local Settings\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\Cache\3EFBEAA3d01[smitRem/Process.exe]
Adware:Adware/YieldManager Not disinfected C:\Documents and Settings\Ed\Local Settings\Temporary Internet Files\Content.IE5\0T6XYJYZ\rmtag3[1].js
Adware:Adware/YieldManager Not disinfected C:\Documents and Settings\Ed\Local Settings\Temporary Internet Files\Content.IE5\GD8BOV43\rmtag3[1].js
Adware:Adware/YieldManager Not disinfected C:\Documents and Settings\Ed\Local Settings\Temporary Internet Files\Content.IE5\KT230XIR\rmtag3[1].js
Adware:Adware/YieldManager Not disinfected C:\Documents and Settings\Ed\Local Settings\Temporary Internet Files\Content.IE5\W5ANO1IZ\rmtag3[2].js
Adware:Adware/YieldManager Not disinfected C:\Documents and Settings\Ed\Local Settings\Temporary Internet Files\Content.IE5\WPIN4TQR\rmtag3[2].js
Spyware:Spyware/Support Not disinfected C:\Program Files\Support.com\bin\tgcmd.exe
Adware:Adware/CommAd Not disinfected C:\WINDOWS\RWQ\lqk.vbs
Adware:Adware/SpySheriff Not disinfected C:\WINDOWS\system32\vxgame6.exe3072.exe.tcf

Logfile of HijackThis v1.99.1
Scan saved at 1:04:54 AM, on 6/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\tp4serv.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Ed\My Documents\Highjackthis.exe\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_2/home.html"); (C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\prefs.js)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1148887527406
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B495C654-5860-45D4-8EAA-5663B9393F33} (OVA Class) - http://go.microsoft....k/?linkid=49480
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
  • 0

#64
rambro
    Member 1K
  • Member
  • 1,383 posts
Dear bubbles4u35, :whistling:

(Note: Please read through these instructions a couple of times before executing the steps in this post.)

You may want to print out these instructions or save them as a text file with "Notepad" to your desktop because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.
**************************
  • Please download the Killbox by O^E. Unzip it to the desktop but do NOT run it yet.
  • Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.
  • Once in Safe Mode, please run Killbox. Put a check mark next to "End Explorer Shell While Killing File".
  • In the main screen of Pocket KillBox, go to Tools in the top menu bar, and select: Delete Temp Files.
  • When a box pops up, click the "Deleted Selected Temp Files" button. This may take a while.
  • When it is done, click the "Exit (Save Settings)" button.
  • Next, select "Delete on Reboot" button. The "Single File" button will be selected by default.
  • Copy the file names below to the clipboard by highlighting them and pressing Control-C:


    c:\windows\system32\key.~
    C:\Documents and Settings\Ed\Application Data\Sskuknwrd.dll
    c:\windows\system32\SBUtils
    C:\WINDOWS\system32\vxgame6.exe3072.exe.tcf

  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard". Now you will see, that the files are pasted in the "Full Path of File to Delete" field. There's a little arrow (dropdown-arrow) next to that field. If you expand it, these lines must be there together!
  • If you have multiple files to delete: Press the "All Files" button. If you have one file to delete: Press the "Single File" button.
  • Click the red-and-white "Delete File" button.
If the "Single File" button is selected:
  • A "Delete next Reboot" dialog box will pop up.
  • A prompt will tell the user that "File will be removed on reboot, Do you want to reboot now"
  • Click "Yes" at the "Delete next Reboot" dialog box if you want to reboot now.
  • Click "No" at the "Delete next Reboot" dialog box if you want to do a manual reboot at a later time.
If the "All Files" button is selected:
  • A "Delete next Reboot" dialog box will pop up.
  • A prompt will tell the user that "Files will be removed on reboot, Do you want to reboot now"
  • Click "Yes" at the "Delete next Reboot" dialog box if you want to reboot now.
  • Click "No" at the "Delete next Reboot" dialog box if you want to do a manual reboot at a later time.
  • The KillBox application will start the process to reboot your computer (i.e. you have the option to "abort" this reboot process).
**************************

Restart your computer in "Safe Mode" again and delete the following folder/folders marked in blue (if they exist):

C:\WINDOWS\RWQ
C:\!KillBox <-- (Note: Delete all the files in this folder, but do not delete the folder itself!!! The killbox application creates a folder called "!KillBox", which holds a backup of any files you delete through Killbox, I want you to clear out this folder.)

Restart your computer into "normal" mode.
*************************

(Note: As a double check, search for the file/files I had you delete through the Killbox application to see if they are actually deleted. Let me know in detail if they were deleted.)

Please restart your computer and then post a new HijackThis log, along with a new log from the Panda scan.

In addition, let me know in detail how your computer system is running after performing the above steps. :blink:
  • 0

#65
bubbles4u35
    Member
  • Topic Starter
  • Member
  • 42 posts
Hello Rambro,

I followed your instructions from your previous post. These 2 files were present and deleted in safe mode.
C:\WINDOWS\RWQ
C:\!KillBox (deleted the contents of folder)

When I searched for the files deleted in safe mode by Killbox, c:\windows\system32\SBUtils was found.

While running the new Panda scan, AVG popped up with a few alerts. It would not allow me to do anything but here is what was found. I had to copy fast before the popup disappeared. I think I got most of them correct.

C\WINDOWS\system32\IPODRA~.exe
C\WINDOWS\System32\ipod.raw.exe
C\WINDOWS\System32\dlh9jkdql.exe
C\WINDOWS\System32\DLH9JK~2.exe
C\Documents & Settings\Ed\ApplicationData\a??.sembly\cmd.exe :whistling:

Most said Trojan Downloader with different endings (ex: Genetic ZTQ, Downloader.Tibs)

Below is the new Panda Scan log and the new Hjk log.



Incident Status Location

Adware:adware/windowenhancer Not disinfected c:\windows\system32\SBUtils
Adware:adware/commad Not disinfected Windows Registry
Adware:adware/dyfuca Not disinfected Windows Registry
Spyware:spyware/media-motor Not disinfected Windows Registry
Adware:adware/sqwire Not disinfected Windows Registry
Adware:adware/webhancer Not disinfected Windows Registry
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt[servedby.advertising.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt[.atwola.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt[.fortunecity.com/]
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt[hc2.humanclick.com/hc/11199995]
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt[hc2.humanclick.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\8phkkh1b.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Ed\Cookies\[email protected][2].txt
Spyware:Cookie/nCase Not disinfected C:\Documents and Settings\Ed\Cookies\[email protected][1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Ed\Cookies\[email protected][2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Ed\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Ed\Desktop\smitRem.exe[smitRem/Process.exe]
Adware:Adware/YieldManager Not disinfected C:\Documents and Settings\Ed\Local Settings\Temporary Internet Files\Content.IE5\0DEFC1UN\rmtag3[1].js
Adware:Adware/Deskwizz Not disinfected C:\Documents and Settings\Ed\Local Settings\Temporary Internet Files\Content.IE5\0T6XYJYZ\adwerkz[1].cab[adwerkz.dll]
Adware:Adware/YieldManager Not disinfected C:\Documents and Settings\Ed\Local Settings\Temporary Internet Files\Content.IE5\KD2NO1IJ\rmtag3[1].js
Adware:Adware/YieldManager Not disinfected C:\Documents and Settings\Ed\Local Settings\Temporary Internet Files\Content.IE5\W5ANO1IZ\rmtag3[1].js
Spyware:Spyware/Support Not disinfected C:\Program Files\Support.com\bin\tgcmd.exe
Adware:Adware/CommAd Not disinfected C:\RECYCLER\S-1-5-21-2136417557-2216756414-1723214923-1004\Dc1\lqk.vbs
Adware:Adware/Deskwizz Not disinfected C:\RECYCLER\S-1-5-21-2136417557-2216756414-1723214923-1004\Dc6.tcf[VSL.dl_]
Adware:Adware/Deskwizz Not disinfected C:\RECYCLER\S-1-5-21-2136417557-2216756414-1723214923-1004\Dc6.tcf[auxe.exe]
Adware:Adware/EliteBar Not disinfected C:\RECYCLER\S-1-5-21-2136417557-2216756414-1723214923-1004\Dc7.exe
Adware:Adware/SpySheriff Not disinfected C:\RECYCLER\S-1-5-21-2136417557-2216756414-1723214923-1004\Dc8.tcf
Adware:Adware/Deskwizz Not disinfected C:\RECYCLER\S-1-5-21-2136417557-2216756414-1723214923-1004\Dc9.exe[VSL.dl_]
Adware:Adware/Deskwizz Not disinfected C:\RECYCLER\S-1-5-21-2136417557-2216756414-1723214923-1004\Dc9.exe[auxe.exe]





Logfile of HijackThis v1.99.1
Scan saved at 12:25:26 PM, on 6/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\tp4serv.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ed\My Documents\Highjackthis.exe\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_2/home.html"); (C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\825n7aha.slt\prefs.js)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1148887527406
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B495C654-5860-45D4-8EAA-5663B9393F33} (OVA Class) - http://go.microsoft....k/?linkid=49480
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE

Thank you for all the time you are investing in helping me. I have the feeling this is not fixable. What is your opinion? As I don't have the operating disks I would have to purchase them. As a last resort will wiping the hard drive or replacing it be the only option?

Thank You
Bubbles
  • 0

#66
rambro
    Member 1K
  • Member
  • 1,383 posts
Dear bubbles4u35, :whistling:

I am going to confer with other members of this forum about your thread.

In the meantime, empty out your recycle bin.

Run killbox again in "safe mode" and try to delete the following file (see post #64):

c:\windows\system32\SBUtils

If you can get that above file deleted, please run the panda scan and post a new log from the Panda scan. :blink:
  • 0

#67
bubbles4u35
    Member
  • Topic Starter
  • Member
  • 42 posts
Rambro,

I appreciate it.

I ran Killbox again in safe mode and tried to delete the file:

c:\windows\system32\SBUtils

It's still coming up on the search I do after starting in normal mode.


Thank You,
Bubbs :whistling:
  • 0

#68
rambro
    Member 1K
  • Member
  • 1,383 posts
Dear bubbles4u35, :whistling:

(Note: Please read through these instructions a couple of times before executing the steps in this post.)

You may want to print out these instructions or save them as a text file with "Notepad" to your desktop.
******************************

1) Create a folder in the root of your C: drive and name it Blacklight.
A brief explanation of how to do this can be found here.

2) Download F-Secure's BlackLight from here and save it into this folder.

3) Log off from the internet and disconnect your modem cable.

4) Navigate to the Blacklight folder, open it and double click blbeta.exe to run it.
  • Click the Scan button to begin.
  • Leave the PC idle while the scan takes place.
  • When it has completed, click the Close button.
  • A text file, fsbl-date/time, will be saved in the Blacklight folder, copy and paste this into your next post.

  • 0

#69
bubbles4u35
    Member
  • Topic Starter
  • Member
  • 42 posts
Hi Rambro,

Here is the Blacklight log.



06/03/06 19:51:46 [Info]: BlackLight Engine 1.0.37 initialized
06/03/06 19:51:46 [Info]: OS: 5.1 build 2600 (Service Pack 1)
06/03/06 19:51:46 [Note]: 7019 4
06/03/06 19:51:46 [Note]: 7005 0
06/03/06 19:52:00 [Note]: 7006 0
06/03/06 19:52:00 [Note]: 7011 1684
06/03/06 19:52:00 [Note]: 7026 0
06/03/06 19:52:00 [Note]: 7026 0
06/03/06 19:52:07 [Note]: FSRAW library version 1.7.1015
06/03/06 20:42:13 [Note]: 7007 0


Thank You
Bubbs :whistling:
  • 0

#70
rambro
    Member 1K
  • Member
  • 1,383 posts
Dear bubbles4u35, :whistling:

(Note: Please read through these instructions a couple of times before executing the steps in this post.)

You may want to print out these instructions or save them as a text file with "Notepad" to your desktop.
******************************

1) Create a folder on your desktop and name it "RootkitRevealer" (without the quotes).

2) Download rootkitrevealer.zip from here and save it to the "RootkitRevealer" folder on your Desktop.
You will need to extract the file(s) from this zipped file, extract these files to the same "RootkitRevealer" folder.

3) Log off from the internet and disconnect your modem cable.

4) Exit all applications and keep the system otherwise idle during the RootkitRevealer scanning process.

5) Double click RootkitRevealer.exe and click the Scan button to run it.
When the scan has completed, click on File > Save... and then click on the Save button.
The report will be saved as RootkitReveal.txt in the C:\Windows\System32 folder - copy and paste it into your next reply.
  • 0

#71
bubbles4u35
    Member
  • Topic Starter
  • Member
  • 42 posts
Hi Rambro,

Below is the RootkitRevealer log. I had to run it twice; the first time I forgot to save the log, but the first scan didn't find anything. This is the second scan.

C:\Documents and Settings\Ed\Local Settings\Temporary Internet Files\Content.IE5\CPIRS9U3\imp[1].htm 6/3/2006 9:34 PM 424 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ed\Local Settings\Temporary Internet Files\Content.IE5\CPIRS9U3\l[1].htm 6/3/2006 9:34 PM 257 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ed\Local Settings\Temporary Internet Files\Content.IE5\GDEF4DQZ\media[1] 6/3/2006 9:32 PM 734 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ed\Local Settings\Temporary Internet Files\Content.IE5\WD8BSFSX\to[1].htm 6/3/2006 9:32 PM 1.44 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ed\Local Settings\Temporary Internet Files\Content.IE5\WD8BSFSX\to[2].htm 6/3/2006 9:32 PM 1.59 KB Visible in Windows API, but not in MFT or directory index.


Thank You
Bubbs
  • 0
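Added example, not from the thread and not Sysinternals code: a small Python triage of RootkitRevealer discrepancy lines like the ones in the post above. RootkitRevealer compares the Windows API view of the file system with a raw read of the NTFS MFT, so "Hidden from Windows API" is the classic cloaking indicator, while "Visible in Windows API, but not in MFT or directory index" usually means a file was written after the raw pass (browser cache filling up during the scan, as here). The scan window and the one hidden-file line are constructed assumptions.

```python
# Added example (not from the thread): triage of RootkitRevealer output lines.
# A file "Hidden from Windows API" is the classic rootkit indicator; a file
# "Visible in Windows API, but not in MFT or directory index" was usually
# created after the raw MFT pass, e.g. browser cache written during the scan.
import re
from datetime import datetime

# <path> <m/d/yyyy h:mm AM|PM> <size unit> <description>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<stamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<size>[\d.]+ (?:bytes|KB|MB|GB))\s+"
    r"(?P<desc>.+)$"
)

API_ONLY = "Visible in Windows API, but not in MFT or directory index"
HIDDEN = "Hidden from Windows API"

SUSPICIOUS = "suspicious"
LIKELY_BENIGN = "likely-benign"
REVIEW = "review"


def parse_line(line):
    """Split one RootkitRevealer line into path, timestamp, size and description."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["stamp"] = datetime.strptime(entry["stamp"], "%m/%d/%Y %I:%M %p")
    return entry


def classify(entry, scan_start, scan_end):
    """Return (verdict, reason) for one parsed discrepancy."""
    desc = entry["desc"]
    if desc.startswith(HIDDEN):
        return SUSPICIOUS, "hidden from the Windows API view"
    if desc.startswith(API_ONLY):
        in_window = scan_start <= entry["stamp"] <= scan_end
        is_cache = "temporary internet files" in entry["path"].lower()
        if in_window and is_cache:
            return LIKELY_BENIGN, "browser cache file written while the scan ran"
        if in_window:
            return REVIEW, "new file written during the scan outside a cache folder"
        return REVIEW, "API-only file predates the scan; check what wrote it"
    return REVIEW, desc


def triage(report, scan_start, scan_end):
    """Parse a whole report; returns a list of (path, verdict, reason)."""
    results = []
    for line in report.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # blank lines, headers, or lines the regex does not recognise
        verdict, reason = classify(entry, scan_start, scan_end)
        results.append((entry["path"], verdict, reason))
    return results


# Constructed sample: the five lines from the post above plus one made-up
# hidden-file line (placeholder path) to exercise the suspicious branch.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Ed\Local Settings\Temporary Internet Files\Content.IE5\CPIRS9U3\imp[1].htm 6/3/2006 9:34 PM 424 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ed\Local Settings\Temporary Internet Files\Content.IE5\CPIRS9U3\l[1].htm 6/3/2006 9:34 PM 257 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ed\Local Settings\Temporary Internet Files\Content.IE5\GDEF4DQZ\media[1] 6/3/2006 9:32 PM 734 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ed\Local Settings\Temporary Internet Files\Content.IE5\WD8BSFSX\to[1].htm 6/3/2006 9:32 PM 1.44 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ed\Local Settings\Temporary Internet Files\Content.IE5\WD8BSFSX\to[2].htm 6/3/2006 9:32 PM 1.59 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\system32\EXAMPLE_HIDDEN.sys 5/30/2006 3:12 AM 12.00 KB Hidden from Windows API.
"""

# Assumed scan window (constructed): the post's cache entries are stamped
# 9:32-9:34 PM on 6/3/2006, so a scan running 9:30 to 9:40 PM fits them.
SCAN_START = datetime(2006, 6, 3, 21, 30)
SCAN_END = datetime(2006, 6, 3, 21, 40)


def suspicious_paths(report=SAMPLE_REPORT, start=SCAN_START, end=SCAN_END):
    """Only the entries a helper would want to look at first."""
    return [p for p, v, _ in triage(report, start, end) if v == SUSPICIOUS]


if __name__ == "__main__":
    for path, verdict, reason in triage(SAMPLE_REPORT, SCAN_START, SCAN_END):
        print(f"{verdict:13s} {reason:55s} {path}")
```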

#72
rambro
    Member 1K
  • Member
  • 1,383 posts
Dear bubbles4u35, :whistling:

(Note: Please read through these instructions a couple of times before executing the steps in this post.)

You may want to print out these instructions or save them as a text file with "Notepad" to your desktop.
******************************

Run the following in "Safe Mode":

I would like you to generate a "Startup List" log using the HijackThis application. Here is how you can do this:

Restart your computer in "Safe Mode".
  • Open HijackThis. In the lower right corner click the "Config..." (Configuration) button.
  • Once in the "Configuration" panel, click "Misc Tools" button.
  • Next to the "Generate StartupList log" button, place a check in the checkboxes "List also minor sections (full)" and "List empty sections (complete)".
  • Then click the "Generate StartupList log" button.
  • Click "Yes" to the box that pops-up.
  • Then copy and paste the notepad text that appears in the generated "startuplist.txt" file in a reply to this post.

  • 0

#73
bubbles4u35
    Member
  • Topic Starter
  • Member
  • 42 posts
Rambro,

Here is the startup list you requested.

Thanks,
Bubbs :whistling:


StartupList report, 6/3/2006, 10:36:23 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Ed\My Documents\Highjackthis.exe\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Ed\My Documents\Highjackthis.exe\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Ed\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\System32\Userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ATIModeChange = Ati2mdxx.exe
TrackPointSrv = tp4serv.exe
QCWLICON = C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
BMMGAG = RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
TPTRAY = C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
TP4EX = tp4ex.exe
TPHOTKEY = C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
AGRSMMSG = AGRSMMSG.exe
UC_SMB =
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
MimBoot = C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
MMTray = "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
THGuard = "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
Yahoo! Pager = "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\INF\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub.NT

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=*Registry value not found*

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssmarque.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

--------------------------------------------------

Enumerating Task Scheduler jobs:

BMMTask.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\System32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft....k/?linkid=39204

[YInstStarter Class]
InProcServer32 = C:\Program Files\Yahoo!\Common\yinsthelper.dll
CODEBASE = C:\Program Files\Yahoo!\Common\yinsthelper.dll

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.micros...ntent/opuc3.cab

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\muweb.dll
CODEBASE = http://update.micros...b?1148887527406

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoft...free/asinst.cab

[OVA Class]
InProcServer32 = C:\WINDOWS\System32\OVAControl.DLL
CODEBASE = http://go.microsoft....k/?linkid=49480

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Java Plug-in 1.5.0_07]
InProcServer32 = C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\mswsock.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\rsvpsp.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Embedded Controller Driver: System32\DRIVERS\ACPIEC.sys (system)
aeaudio: system32\drivers\aeaudio.sys (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Agere Systems Soft Modem: System32\DRIVERS\AGRSM.sys (manual start)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\System32\Ati2evxx.exe (autostart)
ati2mtag: System32\DRIVERS\ati2mtag.sys (manual start)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (autostart)
AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
AVG7 Resident Driver XP: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
AVG7 Update Service: C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (autostart)
AVG E-mail Scanner: C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (autostart)
AVG Network Redirector: \SystemRoot\System32\Drivers\avgtdi.sys (autostart)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINDOWS\System32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
Microsoft AC Adapter Driver: System32\DRIVERS\CmBatt.sys (manual start)
Microsoft Composite Battery Driver: System32\DRIVERS\compbatt.sys (system)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Intel® PRO Adapter Driver: System32\DRIVERS\e100b325.sys (manual start)
IBM Access Support: \??\C:\WINDOWS\System32\EGATHDRV.SYS (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
ewido security suite control: C:\Program Files\ewido anti-malware\ewidoctrl.exe (autostart)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
IBMPMDRV: System32\DRIVERS\ibmpmdrv.sys (manual start)
IBM PM Service: %SystemRoot%\System32\ibmpmsvc.exe (autostart)
IBMTPCHK: System32\drivers\IBMBLDID.SYS (system)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IrDA Protocol: System32\DRIVERS\irda.sys (autostart)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
Infrared Monitor: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Linksys Wireless-B USB Network Adapter v4.0 Driver: System32\DRIVERS\m4301A.sys (manual start)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NSC Infrared Device Driver: System32\DRIVERS\nscirda.sys (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
Pcmcia: System32\DRIVERS\pcmcia.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
PMEM: \??\C:\WINDOWS\system32\drivers\PMEMNT.SYS (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
QCONSVC: System32\QCONSVC.EXE (autostart)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (IrDA): System32\DRIVERS\rasirda.sys (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Smapint: System32\drivers\Smapint.sys (system)
smwdm: system32\drivers\smwdm.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{312875F8-F99C-464F-9F2A-9916958363A7} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
TDSMAPI: System32\drivers\TDSMAPI.SYS (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\System32\tlntsvr.exe (manual start)
IBM PS/2 TrackPoint Driver: System32\DRIVERS\tp4track.sys (manual start)
TPPWR: System32\drivers\Tppwr.sys (system)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
vspf: \??\C:\WINDOWS\System32\drivers\vspf5.sys (system)
vspf_hk: \??\C:\WINDOWS\System32\drivers\vspf_hk5.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)
Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 32,088 bytes
Report generated in 0.571 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#74
rambro

    Member 1K

  • Member
  • 1,383 posts
Dear bubbles4u35, :whistling:

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

files to delete:
c:\windows\system32\SBUtils


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply.

(Note: As a double check, search for the file/files I had you delete through the Avenger application to see if they are actually deleted. Let me know in detail if they were deleted.)

In addition, let me know in detail how your computer system is running after performing the above steps. :blink:
**********************

Can you tell me in detail if you were able to get your Internet Explorer back? You mentioned that it went missing.

Can you tell me in detail if your Internet Explorer browser is running correctly?

Are you still experiencing popups after performing the above steps?

Dear bubbles4u35, can you tell me in detail if your computer came with a system recovery diskette? :help:

Edited by rambro, 04 June 2006 - 11:02 AM.


#75
bubbles4u35

    Member

  • Topic Starter
  • Member
  • 42 posts
Hi Rambro,

Here is the log from Avenger. Since it had an error I did not run a new HJT scan. I did find Explorer and it ran correctly when I used it for the Panda scans, as they wouldn't run in Mozilla. I'm still receiving a good amount of popups and freezing. I do not have a recovery disk.

Thank You
Bubbles


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\whgconli

*******************

Script file located at: \??\C:\WINDOWS\System32\vvmguenx.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Error: c:\windows\system32\SBUtils is a folder, not a file!
Deletion of file c:\windows\system32\SBUtils failed!

Could not process line:
c:\windows\system32\SBUtils
Status: 0xc00000ba


Completed script processing.

*******************

Finished! Terminate.