Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Worm.Win32.NetSky[RESOLVED]

Started by Morris6996 , Mar 12 2008 06:53 PM

  • This topic is locked This topic is locked

#1
Morris6996
Posted 12 March 2008 - 06:53 PM

Morris6996

    Member

  • Member
  • PipPip
  • 67 posts
My system has a red X blinking, like the one found on the hotmail quickkey when it's turned off. The system brings up spyware alerts and keeps trying to access two different websites. ----mediasmegaportal.com/phandler.php?sid=502&said=1&aid=668&pn=5&pid=2 and ---www.safenavweb.com/index.php?sid=502&aid=668&pn=5&said=1&pid=0 which carry bad viruses.

Also, everytime I shut my computer off it brings back up the shift-deleted desktop icons for the system defender program that I thought was deleted by a program installed by this site.


My home page changes to this site everytime I log off----- softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2

Please help me, I was an idiot and opened a file on this laptop that I just traded my desktop for.
  • 0

Advertisements

#2
RatHat
Posted 12 March 2008 - 07:25 PM

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Hi there,

Welcome to GeekToGo. My name is RatHat, and I will help you get through the process of cleaning the malware from your computer.


OK firstly, I need you to print out each post I make so that you can refer to it while we fix your computer. This is because there will be times when you are unable to be online to read my instructions, and I will want you to do everything very carefully. I also need you to follow my instructions in the order that they are given. If however, you cannot carry out one of them, please continue on with the next and let me know what you were unsuccessful with.

Next, I would like to make sure that you can view hidden files and folders;
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading SELECT Show hidden files and folders.
  • UNCHECK the Hide protected operating system files (recommended) option.
  • UNCHECK the Hide extensions for known file types option.
  • Click Yes to confirm.
  • Click OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad files: main.txt and extra.txt
  • Use Save As to save both Notepad files to your Desktop and post them in your next reply.
Note: A copy of these files can be found in you root drive, usually C:\Deckard\System Scanner\

Regards,
RatHat
  • 0

#3
Morris6996
Posted 12 March 2008 - 07:49 PM

Morris6996

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts
no printer, laptop, and i have one but the virus won't let the driver load
  • 0

#4
RatHat
Posted 12 March 2008 - 08:10 PM

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
At the top of this topic, on the right hand side, you will see a button that says Options

Click that, and choose Download this topic

Save it to your desktop as an HTML file so that you can open it if needs be. Do this when I make a post that asks you to go into Safe Mode.

For DSS you do not need to print out anything as you will not need to go into Safe Mode, so you can download and run DSS, then post me the two logs it produces.
  • 0

#5
Morris6996
Posted 12 March 2008 - 08:18 PM

Morris6996

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts
Deckard's System Scanner v20071014.68
Run by Dede on 2008-03-12 21:08:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
77: 2008-03-13 02:09:10 UTC - RP347 - Deckard's System Scanner Restore Point
76: 2008-03-12 19:52:09 UTC - RP346 - Installed Ad-Aware 2007
75: 2008-03-12 08:00:37 UTC - RP345 - Software Distribution Service 3.0
74: 2008-03-12 06:23:10 UTC - RP344 - System Checkpoint
73: 2008-03-08 09:11:23 UTC - RP343 - System Checkpoint


-- First Restore Point --
1: 2008-02-15 03:32:39 UTC - RP271 - Removed Apple Software Update


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Dede.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:10:33 PM, on 3/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Trend Micro\Internet Security\UfUpdUi.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Dede\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Dede.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....p;PartnerID=104
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: JT's Blocks - http://download2.gam...ts/y/blt1_x.cab
O16 - DPF: Yahoo! MahJong - http://download2.gam...nts/y/ot0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download2.gam...s/y/mjst4_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download2.gam...ts/y/poti_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan....s/ascstubie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1204163654613
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.game...outLauncher.cab
O21 - SSODL: altvxvm - {001C8231-FC60-49CA-A837-F8130E7C1524} - C:\WINDOWS\altvxvm.dll
O21 - SSODL: bokpkov - {68ECD0D8-4BF5-4E60-9B55-F1D7BD04C540} - C:\WINDOWS\bokpkov.dll
O21 - SSODL: DrivePrx - {f403ab69-be87-4f39-9715-50808b331f9a} - C:\WINDOWS\Installer\{f403ab69-be87-4f39-9715-50808b331f9a}\DrivePrx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 7329 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Mass Storage Controller
Device ID: PCI\VEN_104C&DEV_8033&SUBSYS_3085103C&REV_00\4&13826118&0&23A4
Manufacturer:
Name: Mass Storage Controller
PNP Device ID: PCI\VEN_104C&DEV_8033&SUBSYS_3085103C&REV_00\4&13826118&0&23A4
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139 Family PCI Fast Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_3085103C&REV_10\4&13826118&0&30A4
Manufacturer: Realtek
Name: Realtek RTL8139 Family PCI Fast Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_3085103C&REV_10\4&13826118&0&30A4
Service: rtl8139

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Modem
Device ID: PCI\VEN_1002&DEV_4378&SUBSYS_3085103C&REV_01\3&13C0B0C5&0&A6
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_1002&DEV_4378&SUBSYS_3085103C&REV_01\3&13C0B0C5&0&A6
Service:


-- Files created between 2008-02-12 and 2008-03-12 -----------------------------

2008-03-12 20:23:02 0 d-------- C:\Program Files\Panda Security
2008-03-12 20:23:00 0 d-------- C:\WINDOWS\LastGood
2008-03-12 16:04:19 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-03-12 14:52:19 0 d-------- C:\Program Files\Lavasoft
2008-03-12 14:52:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-12 14:50:46 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-12 13:42:05 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-12 10:24:47 0 d--h----- C:\WINDOWS\PIF
2008-03-12 06:43:15 0 d-------- C:\Documents and Settings\Dede\.housecall6.6
2008-03-12 06:00:35 0 d-------- C:\WINDOWS\Sun
2008-03-12 06:00:34 0 d-------- C:\Documents and Settings\Dede\Application Data\Sun
2008-03-12 00:09:18 229376 --a------ C:\WINDOWS\bokpkov.dll
2008-03-12 00:09:18 229376 --a------ C:\WINDOWS\altvxvm.dll <Not Verified; ; altvxvm>
2008-03-10 18:21:17 0 d-------- C:\Documents and Settings\Dede\Application Data\InterVideo
2008-03-01 17:08:28 0 d-------- C:\Program Files\Sony
2008-03-01 13:58:01 0 d-------- C:\Documents and Settings\Dede\Application Data\Macromedia
2008-02-29 13:13:40 617 --a------ C:\WINDOWS\eReg.dat
2008-02-29 13:00:24 0 d-------- C:\Program Files\EA Games
2008-02-28 23:20:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-02-28 23:19:39 0 d-------- C:\Program Files\Trend Micro
2008-02-28 22:53:22 0 d-------- C:\Documents and Settings\Dede\Application Data\Motive
2008-02-28 22:31:37 0 d-------- C:\Documents and Settings\Dede\Application Data\Google
2008-02-28 20:48:17 0 d-------- C:\Documents and Settings\Dede\Application Data\Adobe
2008-02-28 20:47:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-02-28 20:46:54 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-28 20:43:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-02-28 20:43:32 0 d-------- C:\Program Files\Google
2008-02-28 19:12:50 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-02-27 23:38:26 0 d-------- C:\Program Files\Windows Media Connect 2
2008-02-27 22:12:53 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-02-27 22:12:42 0 d-------- C:\Program Files\Zune
2008-02-27 22:10:41 0 d-------- C:\WINDOWS\system32\LogFiles
2008-02-27 22:10:41 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-02-27 21:47:41 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-02-27 21:47:00 0 d-------- C:\WINDOWS\Prefetch
2008-02-27 21:15:46 0 d-------- C:\WINDOWS\peernet
2008-02-27 21:15:45 0 d-------- C:\WINDOWS\provisioning
2008-02-27 21:13:24 0 d-------- C:\WINDOWS\ServicePackFiles
2008-02-27 21:06:59 0 d-------- C:\WINDOWS\EHome
2008-02-27 20:48:10 0 d--hs---- C:\Documents and Settings\Dede\UserData
2008-02-27 20:36:10 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >
2008-02-27 20:32:22 0 d-------- C:\Program Files\Firaxis Games
2008-02-15 20:15:15 0 d-------- C:\Documents and Settings\Dede\Application Data\MSN6
2008-02-14 22:45:48 0 d-------- C:\Documents and Settings\Dede\Application Data\Identities
2008-02-14 22:45:16 0 d--h----- C:\Documents and Settings\Dede\Templates
2008-02-14 22:45:16 0 dr------- C:\Documents and Settings\Dede\Start Menu
2008-02-14 22:45:16 0 dr-h----- C:\Documents and Settings\Dede\SendTo
2008-02-14 22:45:16 0 dr-h----- C:\Documents and Settings\Dede\Recent
2008-02-14 22:45:16 0 d--h----- C:\Documents and Settings\Dede\PrintHood
2008-02-14 22:45:16 0 d--h----- C:\Documents and Settings\Dede\NetHood
2008-02-14 22:45:16 0 dr------- C:\Documents and Settings\Dede\My Documents
2008-02-14 22:45:16 0 d--h----- C:\Documents and Settings\Dede\Local Settings
2008-02-14 22:45:16 0 dr------- C:\Documents and Settings\Dede\Favorites
2008-02-14 22:45:16 0 d-------- C:\Documents and Settings\Dede\Desktop
2008-02-14 22:45:16 0 d--hs---- C:\Documents and Settings\Dede\Cookies
2008-02-14 22:45:16 0 dr-h----- C:\Documents and Settings\Dede\Application Data
2008-02-14 22:45:15 1835008 --ah----- C:\Documents and Settings\Dede\NTUSER.DAT


-- Find3M Report ---------------------------------------------------------------

2008-03-12 14:50:46 0 d-------- C:\Program Files\Common Files
2008-03-01 17:08:27 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-01 17:07:54 0 d-------- C:\Program Files\Common Files\InstallShield
2008-02-28 17:51:10 0 d-------- C:\Program Files\Messenger
2008-02-27 21:15:48 0 d-------- C:\Program Files\Movie Maker
2008-02-27 21:12:56 0 d-------- C:\Program Files\Windows NT
2008-02-14 22:33:01 0 d-------- C:\Program Files\Yahoo!
2008-02-14 22:32:01 0 d-------- C:\Program Files\Common Files\Scanner
2008-02-10 17:48:10 0 d-------- C:\Program Files\LimeWire


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/05/2005 10:05 PM]
"WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [07/04/2005 05:47 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [04/13/2005 04:48 AM]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [09/10/2002 09:26 PM]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [08/24/2005 07:51 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/02/2007 04:07 PM]
"Zune Launcher"="c:\Program Files\Zune\ZuneLauncher.exe" [01/11/2008 06:54 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [10/27/2007 01:35 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [02/28/2008 08:43 PM]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [10/27/2007 01:35 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DVD Check.lnk - C:\Program Files\InterVideo\DVD Check\DVDCheck.exe [2/9/2007 6:09:39 PM]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [8/19/1997]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [8/19/1997]
SBC Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [6/1/2007 6:36:03 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"altvxvm"= {001C8231-FC60-49CA-A837-F8130E7C1524} - C:\WINDOWS\altvxvm.dll [03/11/2008 02:30 PM 229376]
"bokpkov"= {68ECD0D8-4BF5-4E60-9B55-F1D7BD04C540} - C:\WINDOWS\bokpkov.dll [03/11/2008 02:30 PM 229376]
"DrivePrx"= {f403ab69-be87-4f39-9715-50808b331f9a} - C:\WINDOWS\Installer\{f403ab69-be87-4f39-9715-50808b331f9a}\DrivePrx.dll [03/12/2008 12:09 AM 18690]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

*Newly Created Service* - RKPAVPROC



-- End of Deckard's System Scanner: finished at 2008-03-12 21:13:02 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 Processor 3200+
Percentage of Memory in Use: 52%
Physical Memory (total/avail): 510.48 MiB / 243.74 MiB
Pagefile Memory (total/avail): 1246.26 MiB / 888.64 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1926.69 MiB

C: is Fixed (NTFS) - 93.15 GiB total, 69.61 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST9100822A - 93.16 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 93.15 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FW: Trend Micro Personal Firewall v5.0 (Trend Micro Inc.) Disabled
AV: Trend Micro Internet Security v16.00.1679 () Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Dede\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SETHANDJESSICA
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Dede
LOGONSERVER=\\SETHANDJESSICA
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 15 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0f00
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Dede\LOCALS~1\Temp
TMP=C:\DOCUME~1\Dede\LOCALS~1\Temp
USERDOMAIN=SETHANDJESSICA
USERNAME=Dede
USERPROFILE=C:\Documents and Settings\Dede
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Dede (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\PROGRA~1\SBCSEL~1\CustomUninstall.exe SBC
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
AT&T Yahoo! Applications --> C:\PROGRA~1\Yahoo!\Common\uninstall.exe
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Broadcom 802.11 Driver --> C:\WINDOWS\system32\BCMWLU00.exe verbose /rootkey=Software\Broadcom\802.11\UninstallInfo
BroadJump Client Foundation --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\BroadJump\Client Foundation\Uninst.isu" -c"C:\Program Files\BroadJump\Client Foundation\RmvBJCFD.dll" -b"CFD" -h"CFD" -a
Civilization III --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2157961D-0507-44A8-BCF2-1EE2D439E8DF}
Command & Conquer Generals --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{06F80017-8F98-4C94-B868-52358569FC32}
Conexant AC-Link Audio --> CIAunwdm.exe
EverQuest II: Play the Fae --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{31EF8B2A-1332-4A0E-8B35-2E3491727922}\setup.exe" -l0x9 -removeonly
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB902344) --> "C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB910998) --> "C:\WINDOWS\$NtUninstallKB910998$\spuninst\spuninst.exe"
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
InterVideo DVD Check --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5D97A4A7-C274-4B63-86D9-07A33435F505}\setup.exe" REMOVEALL
InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
Lemonade Tycoon --> C:\PROGRA~1\HEXACT~1\LEMONA~1\UNWISE.EXE C:\PROGRA~1\HEXACT~1\LEMONA~1\INSTALL.LOG
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Word 97 --> C:\Program Files\Microsoft Office\Office\Setup\AcmeWord.exe /w Word97.stf
Panda TotalScan --> C:\Program Files\Panda Security\TotalScan\ascuninst.exe
QuickTime --> MsiExec.exe /I{08094E03-AFE4-4853-9D31-6D0743DF5328}
Trend Micro Internet Security --> C:\Program Files\Trend Micro\Internet Security\remove.exe
Trend Micro Internet Security --> MsiExec.exe /X{A621B45A-D138-4A95-BE10-7CABA05EF94E}
WebVideo Support --> C:\WINDOWS\fmsxwqs.exe
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Zune --> MsiExec.exe /X{7583239A-D4BE-48CA-A253-396122B3D3E9}
Zune Language Pack (ES) --> MsiExec.exe /X{EE4ACABF-531E-419A-9225-B8E0FA4955AF}
Zune Language Pack (FR) --> MsiExec.exe /X{0076E1AC-9E7B-4B9F-A62A-4CC9511AD8E3}


-- Application Event Log -------------------------------------------------------

Event Record #/Type502 / Error
Event Submitted/Written: 03/12/2008 00:35:45 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16608, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type491 / Error
Event Submitted/Written: 03/12/2008 05:23:42 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16608, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type490 / Error
Event Submitted/Written: 03/12/2008 05:23:42 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16608, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type489 / Error
Event Submitted/Written: 03/12/2008 05:23:42 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16608, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type453 / Error
Event Submitted/Written: 03/06/2008 11:23:09 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application SfCtlCom.exe, version 16.0.0.1679, faulting module SfCtlCom.exe, version 16.0.0.1679, fault address 0x00007152.
Processing media-specific event for [SfCtlCom.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type6198 / Error
Event Submitted/Written: 03/12/2008 06:22:36 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The PC Tools Security Service service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type6189 / Error
Event Submitted/Written: 03/12/2008 06:11:52 PM
Event ID/Source: 1001 / Dhcp
Event Description:
Your computer was not assigned an address from the network (by the DHCP
Server) for the Network Card with network address 00904BAC8413. The following error
occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type6123 / Error
Event Submitted/Written: 03/12/2008 00:45:30 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {0002DF01-0000-0000-C000-000000000046} did not register with DCOM within the required timeout.

Event Record #/Type6061 / Error
Event Submitted/Written: 03/12/2008 08:09:54 AM
Event ID/Source: 10010 / DCOM
Event Description:
The server {0002DF01-0000-0000-C000-000000000046} did not register with DCOM within the required timeout.

Event Record #/Type6060 / Warning
Event Submitted/Written: 03/12/2008 08:09:11 AM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 00904BAC8413. The IP address being used is 169.254.135.198.



-- End of Deckard's System Scanner: finished at 2008-03-12 21:13:02 ------------

Here it is.
  • 0

#6
RatHat
Posted 12 March 2008 - 08:29 PM

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
OK, a few things to do, none of them need you to go into Safe Mode. Make sure you do everything as laid out below.


Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU.zip on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
Right Click HERE and choose Save Target As, in Firefox, Right Click and choose Save Link As.
Save it to the BFU folder you just created.

Whilst you are still in the BFU folder;
  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • Behind the scriptline to execute field click the folder icon Posted Image and select Adware.bfu
  • Press Execute and let the program do it’s job. (You ought to see a progress bar if you did this correctly.)
  • On completion, allow the computer to be rebooted.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please read this Combofix tutorial before continuing, then follow the instructions below.

Download ComboFix from Here, Here or Here to your Desktop. (If you already have ComboFix, please delete it and download this new version).

  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    Posted Image

    Posted Image

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Save this log to your desktop as Combofix.txt and post it in your next reply.
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please run an online scan with Kaspersky WebScanner. Note: You must use Internet Explorer to run this scan.

Click the Accept button.

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display the results if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop as Kaspersky.txt.
  • Copy and paste that information in your next post.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please run Deckard's System Scanner (DSS) again. This time it will only produce a single Notepad file; main.txt, please copy and paste the contents in your next reply.
Note:A copy of this file can be found in you root drive, usually C:\Deckard\System Scanner\main.txt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


So in your next post, please include the following (Use two or three posts to make sure you get all the logs in full):
  • The contents of Combofix.txt
  • The contents of the MBAM report
  • The contents of Kaspersky.txt
  • The DSS Main.txt

Also let me know how your computer is behaving now.

Regards,
RatHat
  • 0

#7
Morris6996
Posted 12 March 2008 - 10:50 PM

Morris6996

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts
ComboFix 08-03-10.1 - Dede 2008-03-12 21:54:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.265 [GMT -5:00]
Running from: C:\Documents and Settings\Dede\Desktop\Combo-Fix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-13 to 2008-03-13 )))))))))))))))))))))))))))))))
.

2008-03-12 21:05 . 2008-03-12 21:05 <DIR> d-------- C:\Deckard
2008-03-12 20:45 . 2004-08-04 00:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-03-12 20:45 . 2004-08-04 00:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-03-12 20:40 . 2004-08-04 00:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-03-12 20:40 . 2004-08-04 00:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-03-12 20:23 . 2008-03-12 20:23 <DIR> d-------- C:\Program Files\Panda Security
2008-03-12 14:52 . 2008-03-12 14:52 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-12 14:52 . 2008-03-12 15:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-12 14:50 . 2008-03-12 14:50 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-12 13:42 . 2008-03-12 18:23 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-12 10:24 . 2008-03-12 10:24 <DIR> d--h----- C:\WINDOWS\PIF
2008-03-12 06:43 . 2008-03-12 10:12 <DIR> d-------- C:\Documents and Settings\Dede\.housecall6.6
2008-03-12 06:00 . 2008-03-12 06:00 <DIR> d-------- C:\WINDOWS\Sun
2008-03-12 03:02 . 2008-03-12 03:02 215 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-10 18:21 . 2008-03-10 18:21 <DIR> d-------- C:\Documents and Settings\Dede\Application Data\InterVideo
2008-03-06 00:56 . 2008-03-06 00:56 120,872 --a------ C:\WINDOWS\system32\MSForms.TWD
2008-03-01 17:08 . 2008-03-01 17:08 <DIR> d-------- C:\Program Files\Sony
2008-02-29 13:13 . 2008-02-29 13:13 617 --a------ C:\WINDOWS\eReg.dat
2008-02-29 13:00 . 2008-02-29 13:00 <DIR> d-------- C:\Program Files\EA Games
2008-02-28 23:20 . 2008-02-28 23:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-02-28 23:20 . 2007-12-24 18:37 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-28 23:20 . 2007-12-24 18:37 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-02-28 23:20 . 2007-12-24 18:37 52,240 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-02-28 23:19 . 2008-03-12 21:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-28 22:53 . 2008-02-28 22:53 <DIR> d-------- C:\Documents and Settings\Dede\Application Data\Motive
2008-02-28 20:46 . 2008-02-28 20:47 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-02-28 20:43 . 2008-02-28 20:43 <DIR> d-------- C:\Program Files\Google
2008-02-28 19:12 . 2008-03-02 10:23 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-02-27 23:38 . 2008-02-27 23:38 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-02-27 22:33 . 2007-07-09 08:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-02-27 22:13 . 2008-02-27 22:13 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-02-27 22:13 . 2008-02-27 22:13 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_zumbus_01005.Wdf
2008-02-27 22:12 . 2008-02-27 22:12 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-02-27 22:12 . 2008-02-27 22:15 <DIR> d-------- C:\Program Files\Zune
2008-02-27 22:12 . 2008-01-11 18:39 145,408 --a------ C:\WINDOWS\system32\ZuneMTPZ.dll
2008-02-27 22:12 . 2008-01-11 18:39 70,656 --a------ C:\WINDOWS\system32\ZuneIpTransport.dll
2008-02-27 22:12 . 2008-01-11 18:39 62,464 --a------ C:\WINDOWS\system32\ZuneUsbTransport.dll
2008-02-27 22:12 . 2008-01-11 18:39 35,840 --a------ C:\WINDOWS\system32\ZuneUsbCOnnection.dll
2008-02-27 22:11 . 2006-10-04 09:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-02-27 22:11 . 2006-10-04 09:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-02-27 22:11 . 2006-10-04 09:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-02-27 22:10 . 2008-02-27 22:10 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-02-27 22:10 . 2008-02-27 22:51 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-02-27 21:18 . 2004-08-04 02:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-02-27 21:15 . 2008-02-27 21:15 <DIR> d-------- C:\WINDOWS\provisioning
2008-02-27 21:15 . 2008-02-27 21:15 <DIR> d-------- C:\WINDOWS\peernet
2008-02-27 21:13 . 2008-02-27 21:13 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-02-27 21:06 . 2008-02-27 21:06 <DIR> d-------- C:\WINDOWS\EHome
2008-02-27 21:03 . 2007-07-30 20:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-02-27 21:03 . 2007-07-30 20:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-02-27 20:48 . 2008-03-12 12:20 <DIR> d--hs---- C:\Documents and Settings\Dede\UserData
2008-02-27 20:36 . 2008-02-27 20:36 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-02-27 20:32 . 2008-02-27 20:32 <DIR> d-------- C:\Program Files\Firaxis Games
2008-02-24 01:28 . 2008-02-24 01:28 35,262 --a------ C:\WINDOWS\Dede.acl
2008-02-15 20:15 . 2008-02-29 22:04 <DIR> d-------- C:\Documents and Settings\Dede\Application Data\MSN6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-01 22:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-01 22:07 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-15 03:33 --------- d-----w C:\Program Files\Yahoo!
2008-02-15 03:32 --------- d-----w C:\Program Files\Common Files\Scanner
2008-02-15 03:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo
2008-02-10 22:48 --------- d-----w C:\Program Files\LimeWire
2008-01-11 23:54 61,856 ----a-w C:\WINDOWS\system32\ZuneBusEnum.exe
2008-01-11 23:54 245,664 ----a-w C:\WINDOWS\system32\ZuneWlanCfgSvc.exe
2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-02-28 20:43 171448]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2007-10-27 01:35 492808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 22:05 344064]
"WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [2005-07-04 17:47 184320]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 04:48 36975]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26 368706]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 07:51 442455]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-02 16:07 282624]
"Zune Launcher"="c:\Program Files\Zune\ZuneLauncher.exe" [2008-01-11 18:54 166304]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2007-10-27 01:35 1393928]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DVD Check.lnk - C:\Program Files\InterVideo\DVD Check\DVDCheck.exe [2007-02-09 18:09:39 184320]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-08-19 111376]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-08-19 51984]
SBC Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2007-06-01 18:36:03 217088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"DrivePrx"= {f403ab69-be87-4f39-9715-50808b331f9a} - C:\WINDOWS\Installer\{f403ab69-be87-4f39-9715-50808b331f9a}\DrivePrx.dll [2008-03-12 00:09 18690]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-01-11 18:39]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2008-01-11 18:54]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-01-11 18:54]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-12 21:56:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\WINDOWS\Installer\{f403ab69-be87-4f39-9715-50808b331f9a}\DrivePrx.dll
.
Completion time: 2008-03-12 21:57:51
.
2008-03-12 08:02:31 --- E O F ---

Malwarebytes' Anti-Malware 1.08
Database version: 483

Scan type: Quick Scan
Objects scanned: 26439
Time elapsed: 4 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\Installer\{f403ab69-be87-4f39-9715-50808b331f9a}\DrivePrx.dll (Trojan.Alphabet) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{f403ab69-be87-4f39-9715-50808b331f9a} (Trojan.Alphabet) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\etlrlws.bpvm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\etlrlws.ToolBar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\DrivePrx (Trojan.Alphabet) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\Installer\{f403ab69-be87-4f39-9715-50808b331f9a} (Trojan.Alphabet) -> Delete on reboot.

Files Infected:
C:\WINDOWS\Installer\{f403ab69-be87-4f39-9715-50808b331f9a}\DrivePrx.dll (Trojan.Alphabet) -> Delete on reboot.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, March 12, 2008 11:44:49 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 13/03/2008
Kaspersky Anti-Virus database records: 626795
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 61224
Number of viruses found: 2
Number of infected objects: 7
Number of suspicious objects: 0
Duration of the scan process: 00:49:07

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Dede\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.21031 Infected: Trojan-Dropper.Win32.Agent.ftv skipped
C:\Documents and Settings\Dede\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Dede\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Dede\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Dede\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dede\Local Settings\Temp\~DF3D20.tmp Object is locked skipped
C:\Documents and Settings\Dede\Local Settings\Temp\~DF3D31.tmp Object is locked skipped
C:\Documents and Settings\Dede\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Dede\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dede\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Dede\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\SBC Self Support Tool\SmartBridge\AlertFilter.log Object is locked skipped
C:\Program Files\SBC Self Support Tool\SmartBridge\log\httpclient.log Object is locked skipped
C:\Program Files\SBC Self Support Tool\SmartBridge\SmartBridge.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{1E4326F6-19F8-4F12-B54D-92BECB9472C3}\RP345\A0183166.dll Infected: not-a-virus:AdWare.Win32.Vapsup.cop skipped
C:\System Volume Information\_restore{1E4326F6-19F8-4F12-B54D-92BECB9472C3}\RP345\A0183167.dll Infected: not-a-virus:AdWare.Win32.Vapsup.cop skipped
C:\System Volume Information\_restore{1E4326F6-19F8-4F12-B54D-92BECB9472C3}\RP345\A0183206.exe Infected: not-a-virus:AdWare.Win32.Vapsup.cop skipped
C:\System Volume Information\_restore{1E4326F6-19F8-4F12-B54D-92BECB9472C3}\RP347\A0184312.dll Infected: not-a-virus:AdWare.Win32.Vapsup.cop skipped
C:\System Volume Information\_restore{1E4326F6-19F8-4F12-B54D-92BECB9472C3}\RP347\A0184313.dll Infected: not-a-virus:AdWare.Win32.Vapsup.cop skipped
C:\System Volume Information\_restore{1E4326F6-19F8-4F12-B54D-92BECB9472C3}\RP348\A0184359.dll Infected: Trojan-Dropper.Win32.Agent.ftv skipped
C:\System Volume Information\_restore{1E4326F6-19F8-4F12-B54D-92BECB9472C3}\RP348\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{5810FC82-E75B-4A3D-9C8B-6E144355821D}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Deckard's System Scanner v20071014.68
Run by Dede on 2008-03-12 23:45:48
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Dede.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:45:53 PM, on 3/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Dede\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Dede.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....p;PartnerID=104
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: JT's Blocks - http://download2.gam...ts/y/blt1_x.cab
O16 - DPF: Yahoo! MahJong - http://download2.gam...nts/y/ot0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download2.gam...s/y/mjst4_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download2.gam...ts/y/poti_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan....s/ascstubie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1204163654613
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.game...outLauncher.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 6848 bytes

-- Files created between 2008-02-12 and 2008-03-12 -----------------------------

2008-03-12 22:16:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-12 22:16:00 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-12 22:15:57 0 d-------- C:\WINDOWS\LastGood
2008-03-12 22:04:12 0 d-------- C:\Documents and Settings\Dede\Application Data\Malwarebytes
2008-03-12 22:04:01 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-12 22:04:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-12 21:53:25 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-03-12 21:53:25 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-03-12 21:53:25 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-03-12 21:53:25 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-03-12 21:41:12 0 d-------- C:\BFU
2008-03-12 20:23:02 0 d-------- C:\Program Files\Panda Security
2008-03-12 16:04:19 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-03-12 14:52:19 0 d-------- C:\Program Files\Lavasoft
2008-03-12 14:52:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-12 14:50:46 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-12 13:42:05 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-12 10:24:47 0 d--h----- C:\WINDOWS\PIF
2008-03-12 06:43:15 0 d-------- C:\Documents and Settings\Dede\.housecall6.6
2008-03-12 06:00:35 0 d-------- C:\WINDOWS\Sun
2008-03-12 06:00:34 0 d-------- C:\Documents and Settings\Dede\Application Data\Sun
2008-03-10 18:21:17 0 d-------- C:\Documents and Settings\Dede\Application Data\InterVideo
2008-03-01 17:08:28 0 d-------- C:\Program Files\Sony
2008-03-01 13:58:01 0 d-------- C:\Documents and Settings\Dede\Application Data\Macromedia
2008-02-29 13:13:40 617 --a------ C:\WINDOWS\eReg.dat
2008-02-29 13:00:24 0 d-------- C:\Program Files\EA Games
2008-02-28 23:20:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-02-28 23:19:39 0 d-------- C:\Program Files\Trend Micro
2008-02-28 22:53:22 0 d-------- C:\Documents and Settings\Dede\Application Data\Motive
2008-02-28 22:31:37 0 d-------- C:\Documents and Settings\Dede\Application Data\Google
2008-02-28 20:48:17 0 d-------- C:\Documents and Settings\Dede\Application Data\Adobe
2008-02-28 20:47:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-02-28 20:46:54 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-28 20:43:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-02-28 20:43:32 0 d-------- C:\Program Files\Google
2008-02-28 19:12:50 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-02-27 23:38:26 0 d-------- C:\Program Files\Windows Media Connect 2
2008-02-27 22:12:53 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-02-27 22:12:42 0 d-------- C:\Program Files\Zune
2008-02-27 22:10:41 0 d-------- C:\WINDOWS\system32\LogFiles
2008-02-27 22:10:41 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-02-27 21:47:41 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-02-27 21:47:00 0 d-------- C:\WINDOWS\Prefetch
2008-02-27 21:15:46 0 d-------- C:\WINDOWS\peernet
2008-02-27 21:15:45 0 d-------- C:\WINDOWS\provisioning
2008-02-27 21:13:24 0 d-------- C:\WINDOWS\ServicePackFiles
2008-02-27 21:06:59 0 d-------- C:\WINDOWS\EHome
2008-02-27 20:48:10 0 d--hs---- C:\Documents and Settings\Dede\UserData
2008-02-27 20:36:10 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >
2008-02-27 20:32:22 0 d-------- C:\Program Files\Firaxis Games
2008-02-15 20:15:15 0 d-------- C:\Documents and Settings\Dede\Application Data\MSN6
2008-02-14 22:45:48 0 d-------- C:\Documents and Settings\Dede\Application Data\Identities
2008-02-14 22:45:16 0 d--h----- C:\Documents and Settings\Dede\Templates
2008-02-14 22:45:16 0 dr------- C:\Documents and Settings\Dede\Start Menu
2008-02-14 22:45:16 0 dr-h----- C:\Documents and Settings\Dede\SendTo
2008-02-14 22:45:16 0 dr-h----- C:\Documents and Settings\Dede\Recent
2008-02-14 22:45:16 0 d--h----- C:\Documents and Settings\Dede\PrintHood
2008-02-14 22:45:16 0 d--h----- C:\Documents and Settings\Dede\NetHood
2008-02-14 22:45:16 0 dr------- C:\Documents and Settings\Dede\My Documents
2008-02-14 22:45:16 0 d--h----- C:\Documents and Settings\Dede\Local Settings
2008-02-14 22:45:16 0 dr------- C:\Documents and Settings\Dede\Favorites
2008-02-14 22:45:16 0 d-------- C:\Documents and Settings\Dede\Desktop
2008-02-14 22:45:16 0 d--hs---- C:\Documents and Settings\Dede\Cookies
2008-02-14 22:45:16 0 dr-h----- C:\Documents and Settings\Dede\Application Data
2008-02-14 22:45:15 1835008 --ah----- C:\Documents and Settings\Dede\NTUSER.DAT


-- Find3M Report ---------------------------------------------------------------

2008-03-12 14:50:46 0 d-------- C:\Program Files\Common Files
2008-03-01 17:08:27 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-01 17:07:54 0 d-------- C:\Program Files\Common Files\InstallShield
2008-02-28 17:51:10 0 d-------- C:\Program Files\Messenger
2008-02-27 21:15:48 0 d-------- C:\Program Files\Movie Maker
2008-02-27 21:12:56 0 d-------- C:\Program Files\Windows NT
2008-02-14 22:33:01 0 d-------- C:\Program Files\Yahoo!
2008-02-14 22:32:01 0 d-------- C:\Program Files\Common Files\Scanner
2008-02-10 17:48:10 0 d-------- C:\Program Files\LimeWire


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/05/2005 10:05 PM]
"WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [07/04/2005 05:47 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [04/13/2005 04:48 AM]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [09/10/2002 09:26 PM]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [08/24/2005 07:51 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/02/2007 04:07 PM]
"Zune Launcher"="c:\Program Files\Zune\ZuneLauncher.exe" [01/11/2008 06:54 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [10/27/2007 01:35 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [02/28/2008 08:43 PM]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [10/27/2007 01:35 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DVD Check.lnk - C:\Program Files\InterVideo\DVD Check\DVDCheck.exe [2/9/2007 6:09:39 PM]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [8/19/1997]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [8/19/1997]
SBC Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [6/1/2007 6:36:03 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSetTaskbar"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-03-12 23:46:46 ------------

Here is everything you asked for. The system is running so much better, thank you thank you thank you so much.
  • 0

#8
RatHat
Posted 13 March 2008 - 06:53 AM

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Hey there,

OK! Well done, your log is clean again! :)

Now lets uninstall Combofix and have a bit of a cleanup:
  • Click START then RUN
  • Now type "%userprofile%\desktop\ComboFix.exe" /u in the runbox and click OK
The above procedure will do the following:
  • Delete ComboFix and its associated files and folders.
  • Delete VundoFix backups, if present
  • Delete the C:\Deckard folder, if present
  • Delete the C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.
Please delete any logs or other files we have used during the fixing of your machine.

OK, lets carry out a few preventative steps to make sure you reduce the risk of further infections.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


An essential is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats, Microsoft releases security updates that help your computer from becoming vunerable. It is best if you have these set to download automatically.

Automatic Updates for Windows
  • Click Start.
  • Select Settings and then Control Panel.
  • Select Automatic Updates.
  • Click Automatic (recommended)
  • Choose a day and a time when you know the computer will be on and connected to the internet.
  • Click Apply then OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


In addition to Windows updates, you also need to ensure that your version of Java is the latest.Click here to download the latest version (Java Runtime Environment (JRE) 6 Update 5). Once downloaded, install it and then Reboot your computer.

It is most important that you also uninstall older versions of Java.
  • Click Start, Control Panel, Add/Remove Programs.
  • Delete all Java updates except Java ™ 6 Update 5
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


OK, now lets download some preventative programs that will help to keep the nasties away! We will start with Anti Spyware programs. I would advise getting a couple of them at least, and running each at least once a month.

Anti Spyware
  • SpywareBlaster to help prevent spyware from installing in the first place. A tutorial can be found here.
  • SpywareGuard to catch and block spyware before it can execute. A tutorial can be found here.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email. A tutorial can be found here.
  • Spybot Search & Destroy a powerful tool which can "search and destroy" nasties that make it onto your system. Now with an Immunize section that will help prevent future infections. A tutorial can be found here.
  • AdAware another very powerful tool which searches and kills nasties that infect your system. A tutorial can be found here. AdAware and Spybot Search & Destroy compliment each other very well.

Note: If you find your system slows down after installing any of these, just uninstall it, or disable it from running at startup.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


On to personal Anti Virus programs. One AV is a must have! But never more than one, as this can and will cause conflicts and false readings. I have listed three free AV's below which are as good as any paid subscription AV, as long as you allow them to update themselves.

Anti Virus Programs~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Nearly done! If you like to use chat, MSN and Yahoo have vunerabilities that can leave you open to infections. There are however a couple of very good, Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN):

Instant Messengers~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Lastly, it is a good idea to clear out all your temp files every now and again. This will help your computer from bogging down and slowing. It also can assist in getting rid of files that may contain malicious code that could re-infect your computer.

Temp File Cleaners
  • ATF Cleaner A very powerful cleaning program for XP and Windows 2000 only. Note: You may have this already as part of the fixes you have run.
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Note: Do NOT run this program if you have XP Professional 64 bit edition.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I will keep this log open for the next couple of days, so if you have any further problems post another reply here.

OK, all the best, and stay safe!

Best regards,
RatHat
  • 0

#9
RatHat
Posted 15 March 2008 - 10:02 AM

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0

#10
RatHat
Posted 15 March 2008 - 03:33 PM

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Topic reopened
  • 0

#11
RatHat
Posted 15 March 2008 - 03:40 PM

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
As you are unable to run Combofix /U, lets go about removing the tools a different way:

Click Here to download OTCleanIt
Double-click OTCleanIt.exe to run it.
Click the Clean up button
Click Yes to the reboot.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now lets Reset and Re-enable your System Restore to remove any infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected, but that's good news).

Turn OFF System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Restart your computer.

Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.

System Restore will now be active again.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Next, lets reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.

Reset Hidden/System Files & Folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
  • CHECK the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now you can continue with the preventative measures show in my earlier post.

Regards,
RatHat
  • 0

#12
Morris6996
Posted 17 March 2008 - 08:27 PM

Morris6996

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts
Thank you all so very much my computer is working so much better now. I appreciate all the help and am now more virus protection savee. I have started using Firefox and will see how I like it. The other programs are great as well. However, I am having problems deleting programs such as my Trend Micro (which I now have no access to and can not delete). Also, a game on my system called Lemon Tychoon, the system says it can not find it. Can you help me with this as well?
  • 0

#13
RatHat
Posted 17 March 2008 - 08:34 PM

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Hi there,

Those are both software issues, of which I am not too clear on. Could you post a message explaining what is happening in the Software Applications forum, where one of the Tech Staff should be able to help out.

Regards,
RatHat
  • 0

#14
Morris6996
Posted 17 March 2008 - 08:55 PM

Morris6996

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts
Thank you again, and the virus is gone.
  • 0

#15
RatHat
Posted 18 March 2008 - 06:54 PM

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP