Lots Of Tracking Cookies, Worms, Trojans Etc

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

2 Pages
1
2
→

You cannot start a new topic
This topic is locked

Lots Of Tracking Cookies, Worms, Trojans Etc Please help!

#1 hookedforever

Member

Group: Members
Posts: 37
Joined: 02-July 08
Gender:Female
Location:philippines

Posted 04 July 2008 - 04:19 AM

Hi!

I hope someone could help me with my computer problem. Everytime I open Mozilla an AVG

Resident Shield Alert pops up (Warning! Found Tracking Cookie...Detected on open.) When

I scan my system using AVG, a lot of tracking cookies, Win32/Heur, Worm/Generic.HMD etc

are found. The tracking cookies are considered as Threat so they couldn't be healed.

I read the rules before posting and it says that I should install the new Java Version

(Im actually using a very,very outdated Java) but I opted not to because I'm afraid

that my desktop would show BSOD again like what happened on my laptop

(http://www.bleepingcomputer.com/forums/topic155463.html).

Attached here is the DSS.
Hope someone could help.
Thanks in advance!

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-07-04 16:47:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
19: 2008-07-04 08:47:58 UTC - RP78 - Deckard's System Scanner Restore Point
18: 2008-07-04 01:02:04 UTC - RP77 - Avg8 Update
17: 2008-07-02 10:44:04 UTC - RP76 - Removed USB2.0 Capture Device
16: 2008-06-30 01:48:26 UTC - RP75 - Removed USB2.0 Capture Device
15: 2008-06-24 12:16:50 UTC - RP74 - System Checkpoint

-- First Restore Point --
1: 2008-05-24 02:15:40 UTC - RP60 - Installed YouTUBE ™ movie downloader

Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 352 MiB (512 MiB recommended).

-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:52:42 PM, on 7/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\StkASv2K.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\sistray.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\CameraFixer.exe
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myhpf.co.uk/mypage.asp?OrgID=125218
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: SrchHook Class - {F4F10C1D-87C7-404A-B4B3-000000000000} - C:\PROGRA~1\DAP\SBSearch.dll (file missing)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\system32\khooker.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [CameraFixer] C:\WINDOWS\CameraFixer.exe
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe" /lang en
O4 - HKUS\S-1-5-19\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: YouTube Uploader.lnk = C:\Documents and Settings\Administrator\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZKfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Syntek STK1160 Service (StkASSrv) - Syntek America Inc. - C:\WINDOWS\System32\StkASv2K.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8171 bytes

-- File Associations -----------------------------------------------------------

.bat - batfile - shell\edit\command - C:\WINDOWS\system32\NOTEPAD2.EXE %1
.cmd - cmdfile - shell\edit\command - C:\WINDOWS\system32\NOTEPAD2.EXE %1
.inf - inffile - shell\open\command - C:\WINDOWS\system32\NOTEPAD2.EXE %1
.ini - inifile - shell\open\command - C:\WINDOWS\system32\NOTEPAD2.EXE %1
.reg - regfile - shell\edit\command - C:\WINDOWS\system32\NOTEPAD2.EXE %1
.txt - txtfile - shell\open\command - C:\WINDOWS\system32\NOTEPAD2.EXE %1
.vbs - VBSFile - shell\edit\command - C:\WINDOWS\system32\Notepad2.exe %1

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 BTHidMgr (Bluetooth HID Manager Service) - c:\windows\system32\drivers\bthidmgr.sys <Not Verified; IVT Corporation; BlueSoleil©>
R1 SiSkp - c:\windows\system32\drivers\srvkp.sys
R3 BlueletAudio (Bluetooth Audio Service) - c:\windows\system32\drivers\blueletaudio.sys <Not Verified; IVT Corporation; Windows ® 2000 DDK driver>
R3 BTHidEnum (Bluetooth HID Enumerator) - c:\windows\system32\drivers\vbtenum.sys
R3 VComm (Virtual Serial port driver) - c:\windows\system32\drivers\vcomm.sys <Not Verified; IVT Corporation; BlueSoleil>
R3 VcommMgr (Bluetooth VComm Manager Service) - c:\windows\system32\drivers\vcommmgr.sys <Not Verified; IVT Corporation; BlueSoleil>

S3 BT (Bluetooth PAN Network Adapter) - c:\windows\system32\drivers\btnetdrv.sys <Not Verified; IVT Corporation; BlueSoleil>
S3 Btcsrusb (Bluetooth USB For Bluetooth Service) - c:\windows\system32\drivers\btcusb.sys <Not Verified; IVT Corporation; Bluetooth USB Device Driver>
S3 BTNetFilter (Bluetooth Network Filter) - c:\windows\system32\drivers\btnetfilter.sys
S3 SNPSTD3 (USB PC Camera (SNPSTD3)) - c:\windows\system32\drivers\snpstd3.sys <Not Verified; ; PC Camera driver>
S3 StkAMini (Syntek STK1160) - c:\windows\system32\drivers\stkamini.sys <Not Verified; Syntek America Inc.; Syntek Universal Serial Bus 2.0 Video Mini Driver>
S3 StkScan (Syntek STK1160 Still Image) - c:\windows\system32\drivers\stkscan.sys <Not Verified; Syntek America Inc.; Syntek Universal Serial Bus 2.0 Still Image Driver>
S3 usbsermpt (Motorola USB Modem Driver for MPT) - c:\windows\system32\drivers\usbsermpt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 BlueSoleil Hid Service - c:\program files\ivt corporation\bluesoleil\btntservice.exe
R2 StkASSrv (Syntek STK1160 Service) - c:\windows\system32\stkasv2k.exe <Not Verified; Syntek America Inc.; Syntek Hardware Snapshot Launch Application Services>

S3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Bluetooth PAN Network Adapter
Device ID: ROOT\NET\0000
Manufacturer: IVT Corporation
Name: Bluetooth PAN Network Adapter
PNP Device ID: ROOT\NET\0000
Service: BT

-- Files created between 2008-06-04 and 2008-07-04 -----------------------------

2008-07-04 16:47:09 0 d-------- C:\Program Files\Trend Micro
2008-07-04 09:05:33 0 d--hs---- C:\Documents and Settings\Administrator\Recent
2008-06-12 15:12:12 66940 --a------ C:\WINDOWS\Sysvxd.exe
2008-06-10 14:57:58 0 d--hs---- C:\WINDOWS\ftpcache
2008-06-10 14:57:04 0 d-------- C:\Program Files\Ant War
2008-06-09 22:55:32 39936 --a------ C:\WINDOWS\system32\drivers\svchost.exe
2008-06-09 12:36:38 0 d-------- C:\Documents and Settings\Administrator\Application Data\Super-Cow
2008-06-09 12:05:50 0 d-------- C:\Program Files\Kea
2008-06-08 01:45:56 0 d-------- C:\Program Files\Axialis
2008-06-06 17:44:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage

-- Find3M Report ---------------------------------------------------------------

2008-07-04 16:37:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\MegauploadToolbar
2008-07-02 18:54:10 0 d-------- C:\Program Files\Diner Dash
2008-07-02 01:01:06 0 d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-07-01 14:58:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-06-25 10:03:54 0 d-------- C:\Program Files\Yahoo!
2008-06-15 18:51:44 0 d-------- C:\Program Files\DigiEffects AgedFilm Demo
2008-06-15 15:53:05 0 d-------- C:\Documents and Settings\Administrator\Application Data\BearShare
2008-06-09 11:37:23 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-06-09 11:27:48 5455 --a------ C:\WINDOWS\mozver.dat
2008-06-05 11:29:46 0 d-------- C:\Program Files\NCBuy
2008-06-05 11:07:07 0 d-------- C:\Program Files\SkyPaint
2008-06-05 10:45:48 0 d-------- C:\Program Files\Sallys Salon
2008-06-04 13:16:40 0 d-------- C:\Documents and Settings\Administrator\Application Data\Image Zone Express
2008-06-03 15:32:40 0 d-------- C:\Program Files\Xvid
2008-06-02 20:50:16 0 d-------- C:\Documents and Settings\Administrator\Application Data\PlayFirst
2008-06-02 20:49:25 0 d-------- C:\Program Files\Doggie Dash
2008-06-01 20:38:15 0 d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-06-01 20:30:51 0 d-------- C:\Program Files\QuickFix
2008-05-30 15:39:58 0 d-------- C:\Program Files\ZakFromAnotherPlanet
2008-05-29 15:40:49 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-29 15:34:53 0 d-------- C:\Program Files\Common Files
2008-05-28 23:46:16 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-05-28 11:04:28 0 d-------- C:\Program Files\ReflexiveArcade
2008-05-27 19:30:32 4096 --a------ C:\WINDOWS\d3dx.dat
2008-05-27 19:29:16 0 d-------- C:\Documents and Settings\Administrator\Application Data\GameHouse
2008-05-27 19:26:42 0 d-------- C:\Program Files\GameHouse
2008-05-24 17:41:13 0 d-------- C:\Program Files\FLV to AVI MPEG WMV 3GP MP4 iPod Converter
2008-05-24 13:58:20 0 d-------- C:\Program Files\uTorrent
2008-05-19 19:41:57 50688 --a------ C:\WINDOWS\system32\wbhelp2.dll <Not Verified; Stardock.Net, Inc; WindowBlinds for Win32 x86 machines>
2008-05-12 03:05:57 0 d-------- C:\Program Files\Common Files\SWF Studio
2008-05-12 02:53:34 0 d-------- C:\Program Files\PopCap Games
2008-05-11 04:36:44 0 d-------- C:\Documents and Settings\Administrator\Application Data\A2Soft Shared
2008-04-27 10:35:28 180224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-04-27 10:33:36 765952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-04-18 11:34:14 3350 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-04-09 21:28:42 36 --a------ C:\WINDOWS\popcinfo.dat

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
07/04/2008 09:00 AM 2055960 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [07/04/2008 09:00 AM 2055960]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [07/12/2002 06:15 PM]
"SiS Tray"="C:\WINDOWS\system32\sistray.EXE" [11/17/2002 10:36 AM]
"SiS KHooker"="C:\WINDOWS\system32\khooker.exe" []
"Cmaudio"="cmicnfg.cpl" []
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [08/11/2005 04:30 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [08/11/2005 04:30 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [12/17/2007 10:25 PM]
"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [07/09/2001 06:50 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05/11/2005 11:12 PM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/04/2008 09:00 AM]
"CameraFixer"="C:\WINDOWS\CameraFixer.exe" [10/03/2005 11:23 AM]
"tsnpstd3"="C:\WINDOWS\tsnpstd3.exe" [11/04/2005 03:05 PM]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [09/05/2005 03:55 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" []
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [12/17/2007 05:13 PM]
"amva"="C:\WINDOWS\system32\amvo.exe" []
"SVCHOST.EXE"="C:\WINDOWS\system32\drivers\svchost.exe" [06/09/2008 10:55 PM]
"Google Update"="C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe" [06/15/2008 02:37 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nlsf"=cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"
"nlhr"=RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"TaskSwitchXP"=C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
"Free Download Manager"=C:\Program Files\Free Download Manager\fdm.exe -autorun

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
YouTube Uploader.lnk - C:\Documents and Settings\Administrator\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe [11/9/2007 1:33:08 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [12/16/2007 7:28:00 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/11/2005 11:23:26 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"=1 (0x1)
"ForceClassicControlPanel"=1 (0x1)
"NoRemoteRecursiveEvents"=1 (0x1)
"MemCheckBoxInRunDlg"=1 (0x1)
"DisableCAD"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSharedDocuments"=1 (0x1)
"ClearRecentDocsOnExit"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoInstrumentation"=1 (0x1)
"NoSMHelp"=1 (0x1)
"NoSaveSettings"=0 (0x0)
"DisableCAD"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSharedDocuments"=1 (0x1)
"ClearRecentDocsOnExit"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoInstrumentation"=1 (0x1)
"NoSMHelp"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{01f0e1c0-e80c-11dc-a692-000ae6f03ef5}]
AutoRun\command- SilentSoftech.exe
explore\command- SilentSoftech.exe
open\command- SilentSoftech.exe
var1\command- SilentSoftech.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53fa4f31-ae36-11dc-a5b5-101111111111}]
AutoRun\command- SilentSoftech.exe
explore\command- SilentSoftech.exe
open\command- SilentSoftech.exe
var1\command- SilentSoftech.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{91960270-abc8-11dc-a5ad-000ae6f03ef5}]
auto\command- Knight.exe open
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
explore\command- Knight.exe open
find\command- Knight.exe open
install\command- Knight.exe open
open\command- Knight.exe open

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ea2b4e71-e1c0-11dc-a676-000ae6f03ef5}]
Auto\command- F:\RECYCLER.exe
AutoRun\command- F:\RECYCLER.exe
explore\Command- vuts0e.cmd
open\Command- vuts0e.cmd

-- End of Deckard's System Scanner: finished at 2008-07-04 16:53:48 ------------

extra.txt (14.97K)
Number of downloads: 35

#2 Buckeye_Sam

Malware Expert

Group: Malware Response Team
Posts: 17,382
Joined: 23-December 04
Gender:Male
Location:Pickerington, Ohio

Posted 04 July 2008 - 10:07 AM

Hi again hookedforever! :thumbsup:

I see a few issues more troubling than just cookies. But let's see if we can get them all at once.

Download and scan with SUPERAntiSpyware Free for Home Users

Double-click SUPERAntiSpyware.exe and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
Under "Configuration and Preferences", click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked (leave all others unchecked):
- Close browsers before scanning.
- Scan for tracking cookies.
- Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen.
Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
On the left, make sure you check C:\Fixed Drive.
On the right, under "Complete Scan", choose Perform Complete Scan.
Click "Next" to start the scan. Please be patient while it scans your computer.
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
Make sure everything has a checkmark next to it and click "Next".
A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
If asked if you want to reboot, click "Yes".
To retrieve the removal information after reboot, launch SUPERAntispyware again.
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Also post a new log from DSS.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.

Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!

========================================================

#3 hookedforever

Member

Group: Members
Posts: 37
Joined: 02-July 08
Gender:Female
Location:philippines

Posted 04 July 2008 - 11:27 PM

Hello there Sam! I'm glad it's you again. :thumbsup:

Here is the SUPERAntiSpyware Scan Log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/05/2008 at 11:50 AM

Application Version : 4.15.1000

Core Rules Database Version : 3497
Trace Rules Database Version: 1488

Scan type : Complete Scan
Total Scan Time : 01:27:29

Memory items scanned : 337
Memory threats detected : 1
Registry items scanned : 4979
Registry threats detected : 20
File items scanned : 10917
File threats detected : 42

Trojan.Dropper/SVCHost-Fake
C:\WINDOWS\SYSTEM32\DRIVERS\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\SVCHOST.EXE
[SVCHOST.EXE] C:\WINDOWS\SYSTEM32\DRIVERS\SVCHOST.EXE
C:\WINDOWS\Prefetch\SVCHOST.EXE-0EB47E31.pf

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{F4F10C1D-87C7-404A-B4B3-000000000000}
HKCR\CLSID\{F4F10C1D-87C7-404A-B4B3-000000000000}
HKCR\CLSID\{F4F10C1D-87C7-404A-B4B3-000000000000}
HKCR\CLSID\{F4F10C1D-87C7-404A-B4B3-000000000000}\InprocServer32
HKCR\CLSID\{F4F10C1D-87C7-404A-B4B3-000000000000}\InprocServer32#ThreadingModel
HKCR\CLSID\{F4F10C1D-87C7-404A-B4B3-000000000000}\ProgID
HKCR\CLSID\{F4F10C1D-87C7-404A-B4B3-000000000000}\Programmable
HKCR\CLSID\{F4F10C1D-87C7-404A-B4B3-000000000000}\TypeLib
HKCR\CLSID\{F4F10C1D-87C7-404A-B4B3-000000000000}\VersionIndependentProgID
C:\PROGRA~1\DAP\SBSEARCH.DLL
HKU\S-1-5-21-746137067-1060284298-854245398-500\Software\Microsoft\Internet Explorer\URLSearchHooks#{F4F10C1D-87C7-404A-B4B3-000000000000}
HKCR\SearchHook.SrchHook.1
HKCR\SearchHook.SrchHook.1\CLSID
HKCR\SearchHook.SrchHook
HKCR\TypeLib\{95EFB171-F3DF-4BEC-9EF7-829A800203E6}
HKCR\TypeLib\{95EFB171-F3DF-4BEC-9EF7-829A800203E6}\1.0
HKCR\TypeLib\{95EFB171-F3DF-4BEC-9EF7-829A800203E6}\1.0\0
HKCR\TypeLib\{95EFB171-F3DF-4BEC-9EF7-829A800203E6}\1.0\0\win32
HKCR\TypeLib\{95EFB171-F3DF-4BEC-9EF7-829A800203E6}\1.0\FLAGS
HKCR\TypeLib\{95EFB171-F3DF-4BEC-9EF7-829A800203E6}\1.0\HELPDIR

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@www.123finder[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@i.screensavers[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@apmebf[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.glispa[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@rm.yieldmanager[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@camtocamsex[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.screensavers[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@1072645447[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@youporn[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adultfriendfinder[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adultadworld[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@1068202713[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@1059866580[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@try.starware[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@cgi-bin[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@bs.serving-sys[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@1055368616[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@richmedia.yahoo[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@1071917968[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.bestsexdatingsite[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@h.starware[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.pornandsexvideo[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@screensavers[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adserver.adreactor[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@livecams.youporn[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@mediaservices.myspace[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@1055664782[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@shareporno[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.chikka[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads-dev.youporn[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad2.doublepimp[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@pool2.stolenpornpasswords[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@vod.shareporno[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@metacafe.122.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@123finder[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@1060917073[1].txt

BearShare File Sharing Client
C:\PROGRAM FILES\BEARSHARE APPLICATIONS\BEARSHARE\BEARSHARE.EXE

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-07-05 12:03:02
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 352 MiB (512 MiB recommended).

-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:03:38 PM, on 7/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\StkASv2K.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\sistray.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\CameraFixer.exe
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myhpf.co.uk/mypage.asp?OrgID=125218
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\system32\khooker.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [CameraFixer] C:\WINDOWS\CameraFixer.exe
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe" /lang en
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: YouTube Uploader.lnk = C:\Documents and Settings\Administrator\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZKfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Syntek STK1160 Service (StkASSrv) - Syntek America Inc. - C:\WINDOWS\System32\StkASv2K.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8135 bytes

-- Files created between 2008-06-05 and 2008-07-05 -----------------------------

2008-07-05 10:13:48 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-05 10:13:10 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-05 10:13:10 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-07-05 10:12:15 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-04 21:35:26 0 d--hs---- C:\Documents and Settings\Administrator\Recent
2008-07-04 16:47:09 0 d-------- C:\Program Files\Trend Micro
2008-06-12 15:12:12 0 --a------ C:\WINDOWS\Sysvxd.exe
2008-06-10 14:57:58 0 d--hs---- C:\WINDOWS\ftpcache
2008-06-10 14:57:04 0 d-------- C:\Program Files\Ant War
2008-06-09 12:36:38 0 d-------- C:\Documents and Settings\Administrator\Application Data\Super-Cow
2008-06-09 12:05:50 0 d-------- C:\Program Files\Kea
2008-06-08 01:45:56 0 d-------- C:\Program Files\Axialis
2008-06-06 17:44:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage

-- Find3M Report ---------------------------------------------------------------

2008-07-05 12:01:46 0 d-------- C:\Documents and Settings\Administrator\Application Data\MegauploadToolbar
2008-07-05 10:12:15 0 d-------- C:\Program Files\Common Files
2008-07-02 18:54:10 0 d-------- C:\Program Files\Diner Dash
2008-07-02 01:01:06 0 d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-07-01 14:58:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-06-25 10:03:54 0 d-------- C:\Program Files\Yahoo!
2008-06-15 18:51:44 0 d-------- C:\Program Files\DigiEffects AgedFilm Demo
2008-06-15 15:53:05 0 d-------- C:\Documents and Settings\Administrator\Application Data\BearShare
2008-06-09 11:37:23 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-06-09 11:27:48 5455 --a------ C:\WINDOWS\mozver.dat
2008-06-05 11:29:46 0 d-------- C:\Program Files\NCBuy
2008-06-05 11:07:07 0 d-------- C:\Program Files\SkyPaint
2008-06-05 10:45:48 0 d-------- C:\Program Files\Sallys Salon
2008-06-04 13:16:40 0 d-------- C:\Documents and Settings\Administrator\Application Data\Image Zone Express
2008-06-03 15:32:40 0 d-------- C:\Program Files\Xvid
2008-06-02 20:50:16 0 d-------- C:\Documents and Settings\Administrator\Application Data\PlayFirst
2008-06-02 20:49:25 0 d-------- C:\Program Files\Doggie Dash
2008-06-01 20:38:15 0 d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-06-01 20:30:51 0 d-------- C:\Program Files\QuickFix
2008-05-30 15:39:58 0 d-------- C:\Program Files\ZakFromAnotherPlanet
2008-05-29 15:40:49 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-28 23:46:16 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-05-28 11:04:28 0 d-------- C:\Program Files\ReflexiveArcade
2008-05-27 19:30:32 4096 --a------ C:\WINDOWS\d3dx.dat
2008-05-27 19:29:16 0 d-------- C:\Documents and Settings\Administrator\Application Data\GameHouse
2008-05-27 19:26:42 0 d-------- C:\Program Files\GameHouse
2008-05-24 17:41:13 0 d-------- C:\Program Files\FLV to AVI MPEG WMV 3GP MP4 iPod Converter
2008-05-24 13:58:20 0 d-------- C:\Program Files\uTorrent
2008-05-19 19:41:57 50688 --a------ C:\WINDOWS\system32\wbhelp2.dll <Not Verified; Stardock.Net, Inc; WindowBlinds for Win32 x86 machines>
2008-05-12 03:05:57 0 d-------- C:\Program Files\Common Files\SWF Studio
2008-05-12 02:53:34 0 d-------- C:\Program Files\PopCap Games
2008-05-11 04:36:44 0 d-------- C:\Documents and Settings\Administrator\Application Data\A2Soft Shared
2008-04-27 10:35:28 180224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-04-27 10:33:36 765952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-04-18 11:34:14 3350 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-04-09 21:28:42 36 --a------ C:\WINDOWS\popcinfo.dat

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
07/04/2008 09:00 AM 2055960 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [07/04/2008 09:00 AM 2055960]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [07/12/2002 06:15 PM]
"SiS Tray"="C:\WINDOWS\system32\sistray.EXE" [11/17/2002 10:36 AM]
"SiS KHooker"="C:\WINDOWS\system32\khooker.exe" []
"Cmaudio"="cmicnfg.cpl" []
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [08/11/2005 04:30 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [08/11/2005 04:30 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [12/17/2007 10:25 PM]
"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [07/09/2001 06:50 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05/11/2005 11:12 PM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/04/2008 09:00 AM]
"CameraFixer"="C:\WINDOWS\CameraFixer.exe" [10/03/2005 11:23 AM]
"tsnpstd3"="C:\WINDOWS\tsnpstd3.exe" [11/04/2005 03:05 PM]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [09/05/2005 03:55 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" []
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [12/17/2007 05:13 PM]
"amva"="C:\WINDOWS\system32\amvo.exe" []
"Google Update"="C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe" [06/15/2008 02:37 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/28/2008 10:33 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nlsf"=cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"
"nlhr"=RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"TaskSwitchXP"=C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
"Free Download Manager"=C:\Program Files\Free Download Manager\fdm.exe -autorun

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
YouTube Uploader.lnk - C:\Documents and Settings\Administrator\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe [11/9/2007 1:33:08 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [12/16/2007 7:28:00 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/11/2005 11:23:26 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"=1 (0x1)
"ForceClassicControlPanel"=1 (0x1)
"NoRemoteRecursiveEvents"=1 (0x1)
"MemCheckBoxInRunDlg"=1 (0x1)
"DisableCAD"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSharedDocuments"=1 (0x1)
"ClearRecentDocsOnExit"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoInstrumentation"=1 (0x1)
"NoSMHelp"=1 (0x1)
"NoSaveSettings"=0 (0x0)
"DisableCAD"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSharedDocuments"=1 (0x1)
"ClearRecentDocsOnExit"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoInstrumentation"=1 (0x1)
"NoSMHelp"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{01f0e1c0-e80c-11dc-a692-000ae6f03ef5}]
AutoRun\command- SilentSoftech.exe
explore\command- SilentSoftech.exe
open\command- SilentSoftech.exe
var1\command- SilentSoftech.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53fa4f31-ae36-11dc-a5b5-101111111111}]
AutoRun\command- SilentSoftech.exe
explore\command- SilentSoftech.exe
open\command- SilentSoftech.exe
var1\command- SilentSoftech.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{91960270-abc8-11dc-a5ad-000ae6f03ef5}]
auto\command- Knight.exe open
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
explore\command- Knight.exe open
find\command- Knight.exe open
install\command- Knight.exe open
open\command- Knight.exe open

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ea2b4e71-e1c0-11dc-a676-000ae6f03ef5}]
Auto\command- F:\RECYCLER.exe
AutoRun\command- F:\RECYCLER.exe
explore\Command- vuts0e.cmd
open\Command- vuts0e.cmd

-- End of Deckard's System Scanner: finished at 2008-07-05 12:04:21 ------------

This post has been edited by hookedforever: 05 July 2008 - 04:09 AM

#4 Buckeye_Sam

Malware Expert

Group: Malware Response Team
Posts: 17,382
Joined: 23-December 04
Gender:Male
Location:Pickerington, Ohio

Posted 05 July 2008 - 07:58 AM

Let's clean up your log a bit and then we need to check on a few suspicious files.

Fix these lines with Hijackthis.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZKfox000

Please visit the online Jotti Virus Scanner

Click on button.
Copy and paste the following filepath in the box:

C:\WINDOWS\Sysvxd.exe
Click on the button.
The scanner will check the file with various AV companies.
Copy and paste the results box into a reply to this thread.

If Jotti's too busy, try here:
Go here: http://www.virustotal.com/en/virustotalf.html

Also submit this file.

C:\Windows\System32\syssetub.dll

#5 hookedforever

Member

Group: Members
Posts: 37
Joined: 02-July 08
Gender:Female
Location:philippines

Posted 05 July 2008 - 11:54 AM

Hi there!

I ran AVG a while ago and I'm glad that there weren't any threats detected (not even 1!

)

Anyway, I'll do the next step you posted early in the morning. It's actually midnight here and I can't go to my desktop or my mother would know that I'm still awake..

(I'll just deal with my laptop's issues first..)

I'll get back here with the results.

#6 Buckeye_Sam

Malware Expert

Group: Malware Response Team
Posts: 17,382
Joined: 23-December 04
Gender:Male
Location:Pickerington, Ohio

Posted 05 July 2008 - 11:59 AM

Despite the all clear from AVG, you do have some issues that we'll still have to deal with.
But I'll catch up with you after a good night's sleep. :thumbsup:

#7 hookedforever

Member

Group: Members
Posts: 37
Joined: 02-July 08
Gender:Female
Location:philippines

Posted 05 July 2008 - 11:22 PM

Hi! Here are the results.

C:\WINDOWS\Sysvxd.exe

>Jotti

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

>Virustotal

0 bytes size received / Se ha recibido un archivo vacio

C:\WINDOWS\Sysvxd.exe

Filenot found by both scanners.

#8 Buckeye_Sam

Malware Expert

Group: Malware Response Team
Posts: 17,382
Joined: 23-December 04
Gender:Male
Location:Pickerington, Ohio

Posted 06 July 2008 - 08:13 AM

Download Flash_Disinfector.exe by sUBs and save it to your desktop.

Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

===============

Please download ComboFix and save it to your desktop.
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

#9 hookedforever

Member

Group: Members
Posts: 37
Joined: 02-July 08
Gender:Female
Location:philippines

Posted 07 July 2008 - 04:19 AM

Sam, here's the ComboFix log. :thumbsup:

ComboFix 08-07-05.1 - Administrator 2008-07-07 17:00:55.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.150 [GMT 8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Sysvxd.exe

.
((((((((((((((((((((((((( Files Created from 2008-06-07 to 2008-07-07 )))))))))))))))))))))))))))))))
.

2008-07-05 10:13 . 2008-07-05 10:13 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-05 10:13 . 2008-07-05 10:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-05 10:13 . 2008-07-05 10:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-07-05 10:12 . 2008-07-05 10:12 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-04 16:47 . 2008-07-04 16:47 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-04 16:47 . 2008-07-04 16:47 <DIR> d-------- C:\Deckard
2008-06-24 11:46 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-06-24 11:46 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-06-10 14:57 . 2008-06-10 14:57 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-06-10 14:57 . 2008-06-10 18:58 <DIR> d-------- C:\Program Files\Ant War
2008-06-10 14:57 . 2008-06-10 14:57 827,392 --a------ C:\WINDOWS\system32\FLASH.OCX
2008-06-09 12:36 . 2008-06-09 12:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Super-Cow
2008-06-09 12:05 . 2008-06-09 12:05 <DIR> d-------- C:\Program Files\Kea
2008-06-08 02:14 . 2008-06-08 12:49 3,163 --a------ C:\WINDOWS\AXCursor.INI
2008-06-08 01:45 . 2008-06-08 01:45 <DIR> d-------- C:\Program Files\Axialis

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-07 06:56 --------- d-----w C:\Documents and Settings\Administrator\Application Data\MegauploadToolbar
2008-07-05 10:21 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-07-04 01:00 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-04 01:00 76,040 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-04 01:00 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2008-07-02 10:54 --------- d-----w C:\Program Files\Diner Dash
2008-06-25 02:03 --------- d-----w C:\Program Files\Yahoo!
2008-06-15 10:51 --------- d-----w C:\Program Files\DigiEffects AgedFilm Demo
2008-06-15 07:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\BearShare
2008-06-06 09:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-06-05 03:29 --------- d-----w C:\Program Files\NCBuy
2008-06-05 03:07 --------- d-----w C:\Program Files\SkyPaint
2008-06-05 02:45 --------- d-----w C:\Program Files\Sallys Salon
2008-06-04 05:16 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Image Zone Express
2008-06-03 07:32 --------- d-----w C:\Program Files\Xvid
2008-06-02 12:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-06-02 12:50 --------- d-----w C:\Documents and Settings\Administrator\Application Data\PlayFirst
2008-06-02 12:49 --------- d-----w C:\Program Files\Doggie Dash
2008-06-01 12:38 --------- d-----w C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-06-01 12:30 --------- d-----w C:\Program Files\QuickFix
2008-05-30 10:17 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-30 07:39 --------- d-----w C:\Program Files\ZakFromAnotherPlanet
2008-05-29 07:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-05-29 07:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-28 15:46 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-05-28 03:04 --------- d-----w C:\Program Files\ReflexiveArcade
2008-05-27 11:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\n7-89-o9-3r-4t-r9
2008-05-27 11:29 --------- d-----w C:\Documents and Settings\Administrator\Application Data\GameHouse
2008-05-27 11:26 --------- d-----w C:\Program Files\GameHouse
2008-05-24 09:41 --------- d-----w C:\Program Files\FLV to AVI MPEG WMV 3GP MP4 iPod Converter
2008-05-24 05:58 --------- d-----w C:\Program Files\uTorrent
2008-05-19 11:41 50,688 ----a-w C:\WINDOWS\system32\wbhelp2.dll
2008-05-11 19:05 --------- d-----w C:\Program Files\Common Files\SWF Studio
2008-05-11 18:53 --------- d-----w C:\Program Files\PopCap Games
2008-05-10 20:36 --------- d-----w C:\Documents and Settings\Administrator\Application Data\A2Soft Shared
2008-04-27 02:35 180,224 ----a-w C:\WINDOWS\system32\xvidvfw.dll
2008-04-27 02:33 765,952 ----a-w C:\WINDOWS\system32\xvidcore.dll
2008-04-20 01:01 24,192 ----a-w C:\Documents and Settings\Administrator\usbsermptxp.sys
2008-04-20 01:01 22,768 ----a-w C:\Documents and Settings\Administrator\usbsermpt.sys
2008-04-18 03:34 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-01-17 03:53 1,990 ----a-w C:\Program Files\DeIsL1.isu
2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
1997-11-08 12:29 68,608 ----a-w C:\Program Files\MLCheck.dll
1997-11-08 07:10 54,272 ----a-w C:\Program Files\ml-Uninstall.Exe
1997-11-06 02:33 199,680 ----a-w C:\Program Files\mlff-png.dll
1997-11-06 00:55 186,012 ----a-w C:\Program Files\3DTP.HLP
1997-11-06 00:54 275 ----a-w C:\Program Files\3DTP.CNT
1997-10-31 02:38 133 ----a-w C:\Program Files\MLCheck.cfg
1997-01-09 11:27 14,715 ----a-w C:\Program Files\standardnodes.wrl
1996-05-10 04:09 33,792 ----a-w C:\Program Files\_ISREG32.DLL
2008-01-07 11:50 56 --sh--r C:\WINDOWS\system32\26A5CDFE9A.sys
.

------- Sigcheck -------

2005-10-13 01:14 694272 0f346a32db874f1c31c6931132fb0fb2 C:\WINDOWS\system32\wininet.dll

2005-10-15 17:07 974336 7fb96a922d5d8bbbcdb16906af6741d6 C:\WINDOWS\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-12-17 17:13 3810544]
"Google Update"="C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe" [2008-06-15 14:37 51184]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 18:15 106496]
"SiS Tray"="C:\WINDOWS\system32\sistray.EXE" [2002-11-17 10:36 303104]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-17 22:25 98304]
"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [2001-07-09 18:50 155648]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12 49152]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-04 09:00 1232152]
"CameraFixer"="C:\WINDOWS\CameraFixer.exe" [2005-10-03 11:23 20480]
"tsnpstd3"="C:\WINDOWS\tsnpstd3.exe" [2005-11-04 15:05 90112]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2005-09-05 15:55 339968]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
YouTube Uploader.lnk - C:\Documents and Settings\Administrator\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe [2007-11-09 13:33:08 71152]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-16 19:28:00 110592]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"DisableCAD"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)
"NoSMHelp"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm
"aux1"= ctwdm32.dll
"aux2"= ctwdm32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-04 09:00]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-04 09:00]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-04 09:00]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-04 09:00]
R2 StkASSrv;Syntek STK1160 Service;C:\WINDOWS\System32\StkASv2K.exe [2006-05-23 23:49]
S3 Inimgpritsr;Inimgpritsr;C:\WINDOWS\system32\rasautou.exe [2001-08-24 01:00]
S3 StkAMini;Syntek STK1160;C:\WINDOWS\system32\Drivers\StkAMini.sys [2006-11-15 17:32]
S3 StkScan;Syntek STK1160 Still Image;C:\WINDOWS\system32\Drivers\StkScan.sys [2006-06-27 18:27]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{01f0e1c0-e80c-11dc-a692-000ae6f03ef5}]
\Shell\AutoRun\command - SilentSoftech.exe
\Shell\explore\command - SilentSoftech.exe
\Shell\open\command - SilentSoftech.exe
\Shell\var1\command - SilentSoftech.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53fa4f31-ae36-11dc-a5b5-101111111111}]
\Shell\AutoRun\command - SilentSoftech.exe
\Shell\explore\command - SilentSoftech.exe
\Shell\open\command - SilentSoftech.exe
\Shell\var1\command - SilentSoftech.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{91960270-abc8-11dc-a5ad-000ae6f03ef5}]
\Shell\auto\command - Knight.exe open
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
\Shell\explore\command - Knight.exe open
\Shell\find\command - Knight.exe open
\Shell\install\command - Knight.exe open
\Shell\open\command - Knight.exe open

*Newly Created Service* - CATCHME
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Free Download Manager - C:\Program Files\Free Download Manager\fdm.exe
HKLM-Run-SiS KHooker - C:\WINDOWS\system32\khooker.exe
HKLM-Run-SunJavaUpdateSched - C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
HKLM-Run-Cmaudio - cmicnfg.cpl
HKU-Default-Run-TaskSwitchXP - C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
HKU-Default-Run-Free Download Manager - C:\Program Files\Free Download Manager\fdm.exe

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-07 17:04:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-07 17:06:00
ComboFix-quarantined-files.txt 2008-07-07 09:05:55

Pre-Run: 7,102,066,688 bytes free
Post-Run: 7,407,820,800 bytes free

213

#10 Buckeye_Sam

Malware Expert

Group: Malware Response Team
Posts: 17,382
Joined: 23-December 04
Gender:Male
Location:Pickerington, Ohio

Posted 07 July 2008 - 08:23 AM

Did you run Flash Disinfector before running Combofix?

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

File::
C:\WINDOWS\system32\Knight.exe
C:\WINDOWS\system32\SilentSoftech.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{01f0e1c0-e80c-11dc-a692-000ae6f03ef5}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53fa4f31-ae36-11dc-a5b5-101111111111}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{91960270-abc8-11dc-a5ad-000ae6f03ef5}]

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

#11 hookedforever

Member

Group: Members
Posts: 37
Joined: 02-July 08
Gender:Female
Location:philippines

Posted 08 July 2008 - 07:10 PM

Yes I ran Flash Disinfector prior to running combofix..

Here's the new ComboFix log.

ComboFix 08-07-05.1 - Administrator 2008-07-09 7:45:50.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.103 [GMT 8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\Knight.exe
C:\WINDOWS\system32\SilentSoftech.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\WeatherDPA
C:\Documents and Settings\Administrator\Application Data\WeatherDPA\Weather\WeatherStartup.xml
C:\Documents and Settings\Administrator\Application Data\Zango
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\1.sdf
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\1066422.sdf
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\1383771.sdf
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\1387907.sdf
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\1392379.sdf
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\1408054.sdf
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\1450356.sdf
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\2883915.sdf
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\2899655.sdf
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\3385108.sdf
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\domains.txt
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\1000044868
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\115541
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\116977
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\1408
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\1411
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\1424
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\17025
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\202699
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\20701
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\225064
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\24098
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\261991
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\286256
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\291093
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\297534
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\3338
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\34374
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\360144
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\39245
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\392888
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\42208
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\43719
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\44228
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\475788
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\49700
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\532492
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\53481
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\541636
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\552031
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\552212
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\579123
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\580792
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\58197
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\59221
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\650494
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\65770
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\66636
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\67564
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\67933
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\69263
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\69626
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\711791
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\73775
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\73840
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\745040
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\745137
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\747928
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\75089
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\79246
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\79432
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\79972
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\79977
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\79986
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\80026
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\80815
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\81392
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\8282
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\93899
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\93909
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\93925
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\95668
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\95774
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\99742
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\dynamic\ustat\36f4.dat
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\avatar.res
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\btntrans.idx
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\btntrans1.dat
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\buttondir.txt
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\components.cdf
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\cursors.res
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_1000.res
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_2000.res
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_3000.res
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_bar.res
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_bbar1.res
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_logos.res
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_other.res
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\d_icons_weather.res
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\default.cdf
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\Default_511745-514279.mnu
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\Default_bidzC_ZT_IE-ca.mnu
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\Default_bidzC_ZT_IE-us.mnu
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\Default_categorize.mnu
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\Default_comparison.mnu
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\Default_explorer-Mails.mnu
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\Default_explorer-people.mnu
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\Default_favorites.mnu
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\Default_Games.mnu
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\Default_Hide.mnu
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\Default_hotbarcom.mnu
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\Default_Hotmail.mnu
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\Default_hsskin.mnu
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\Default_jemster.mnu
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\Default_jemsterie.mnu
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\Default_jemsteruk.mnu
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\Default_jobsearch.mnu
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\Default_Mails.mnu
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\Default_MobileSidewalk.mnu
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\Default_new.mnu
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\Default_premium.mnu
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\Default_reun.mnu
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\Default_ringtones.mnu
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\Default_SearchBoxTrapper.mnu
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\Default_searchfor.mnu
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\Default_searchgo.mnu
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\Default_weather.mnu
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\Default_yellowpages.mnu
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\editblbuttons.res
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\email-def-511724-548964.mnu
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\email-def-511724-9595.mnu
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\email-t1-bg.res
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\icons2.res
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\ie_games_icon.res
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\ie_video.res
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\keywords.idx
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\keywords1.dat
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\layout.cdf
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\linkpathlegal.txt
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\progress.res
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\s_icons_buttons.res
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\sales_buttons.res
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\sdfmodifier.xml
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\t2_bg.res
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\theweb.mnu
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\top7.cdf
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\Top7_theweb.mnu
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\tsd_bg.res
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\zango_btn.res
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\1\zango_ie_menu.res
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\DownLoad\avatar.xip
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\DownLoad\BtnTrans.xip
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\DownLoad\BtnTrans1.xip
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\DownLoad\buttondir.xip
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\DownLoad\cursors.xip
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_1000.xip
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_2000.xip
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_3000.xip
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_bar.xip
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_bbar1.xip
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_logos.xip
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_other.xip
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_weather.xip
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\DownLoad\default.xip
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\DownLoad\editblbuttons.xip
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\DownLoad\email-t1-bg.xip
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\DownLoad\icons2.xip
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\DownLoad\ie_games_icon.xip
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\DownLoad\ie_video.xip
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\DownLoad\keywords.xip
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\DownLoad\keywords1.xip
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\DownLoad\layout.xip
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\DownLoad\linkpathlegal.xip
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\DownLoad\progress.xip
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\DownLoad\s_icons_buttons.xip
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\DownLoad\sales_buttons.xip
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\DownLoad\sdfmodifier.xip
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\DownLoad\t2_bg.xip
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\DownLoad\top7.xip
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\DownLoad\tsd_bg.xip
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\DownLoad\zango_btn.xip
C:\Documents and Settings\Administrator\Application Data\Zango\v3.0\Zango\static\DownLoad\zango_ie_menu.xip
C:\Documents and Settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
C:\Documents and Settings\All Users\Application Data\ZangoSA
C:\Documents and Settings\All Users\Application Data\ZangoSA\ZangoSA.dat
C:\Documents and Settings\All Users\Application Data\ZangoSA\ZangoSA_kyf.dat
C:\Documents and Settings\All Users\Application Data\ZangoSA\ZangoSAAbout.mht
C:\Documents and Settings\All Users\Application Data\ZangoSA\ZangoSAau.dat
C:\Documents and Settings\All Users\Application Data\ZangoSA\ZangoSAEula.mht
C:\Documents and Settings\All Users\Start Menu\Programs\Zango
C:\Documents and Settings\All Users\Start Menu\Programs\Zango\Reset Cursor.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Zango\Weather.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Zango\Zango Customer Support Center.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Zango\Zango Games!.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Zango\Zango Library.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Zango\Zango Screensavers!.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Zango\Zango Uninstall Instructions.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Zango\Zango Videos!.lnk
C:\Program Files\zango
C:\Program Files\zango\bin\10.3.70.0\arrow.ico
C:\Program Files\zango\bin\10.3.70.0\CntntCntr.dll
C:\Program Files\zango\bin\10.3.70.0\copyright.txt
C:\Program Files\zango\bin\10.3.70.0\CoreSrv.dll
C:\Program Files\zango\bin\10.3.70.0\firefox\extensions\chrome.manifest
C:\Program Files\zango\bin\10.3.70.0\firefox\extensions\components\npclntax.xpt
C:\Program Files\zango\bin\10.3.70.0\firefox\extensions\install.rdf
C:\Program Files\zango\bin\10.3.70.0\firefox\extensions\plugins\npclntax_ZangoSA.dll
C:\Program Files\zango\bin\10.3.70.0\HostIE.dll
C:\Program Files\zango\bin\10.3.70.0\HostOE.dll
C:\Program Files\zango\bin\10.3.70.0\HostOL.dll
C:\Program Files\zango\bin\10.3.70.0\link.ico
C:\Program Files\zango\bin\10.3.70.0\OEAddOn.exe
C:\Program Files\zango\bin\10.3.70.0\Srv.exe
C:\Program Files\zango\bin\10.3.70.0\Toolbar.dll
C:\Program Files\zango\bin\10.3.70.0\Wallpaper.dll
C:\Program Files\zango\bin\10.3.70.0\Weather.exe
C:\Program Files\zango\bin\10.3.70.0\WeSkin.dll
C:\Program Files\zango\bin\10.3.70.0\ZangoSA.exe
C:\Program Files\zango\bin\10.3.70.0\ZangoSAAX.dll
C:\Program Files\zango\bin\10.3.70.0\ZangoSADF.exe
C:\Program Files\zango\bin\10.3.70.0\ZangoSAHook.dll
C:\Program Files\zango\bin\10.3.70.0\ZangoUninstaller.exe

.
((((((((((((((((((((((((( Files Created from 2008-06-08 to 2008-07-08 )))))))))))))))))))))))))))))))
.

2008-07-05 10:13 . 2008-07-05 10:13 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-05 10:13 . 2008-07-05 10:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-05 10:13 . 2008-07-05 10:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-07-05 10:12 . 2008-07-05 10:12 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-04 16:47 . 2008-07-04 16:47 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-04 16:47 . 2008-07-04 16:47 <DIR> d-------- C:\Deckard
2008-06-24 11:46 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-06-24 11:46 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-06-10 14:57 . 2008-06-10 14:57 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-06-10 14:57 . 2008-06-10 18:58 <DIR> d-------- C:\Program Files\Ant War
2008-06-10 14:57 . 2008-06-10 14:57 827,392 --a------ C:\WINDOWS\system32\FLASH.OCX
2008-06-09 12:36 . 2008-06-09 12:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Super-Cow
2008-06-09 12:05 . 2008-06-09 12:05 <DIR> d-------- C:\Program Files\Kea
2008-06-08 02:14 . 2008-06-08 12:49 3,163 --a------ C:\WINDOWS\AXCursor.INI
2008-06-08 01:45 . 2008-06-08 01:45 <DIR> d-------- C:\Program Files\Axialis

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-08 15:29 --------- d-----w C:\Documents and Settings\Administrator\Application Data\MegauploadToolbar
2008-07-05 10:21 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-07-04 01:00 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-04 01:00 76,040 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-04 01:00 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2008-07-02 10:54 --------- d-----w C:\Program Files\Diner Dash
2008-06-25 02:03 --------- d-----w C:\Program Files\Yahoo!
2008-06-15 10:51 --------- d-----w C:\Program Files\DigiEffects AgedFilm Demo
2008-06-15 07:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\BearShare
2008-06-06 09:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-06-05 03:29 --------- d-----w C:\Program Files\NCBuy
2008-06-05 03:07 --------- d-----w C:\Program Files\SkyPaint
2008-06-05 02:45 --------- d-----w C:\Program Files\Sallys Salon
2008-06-04 05:16 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Image Zone Express
2008-06-03 07:32 --------- d-----w C:\Program Files\Xvid
2008-06-02 12:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-06-02 12:50 --------- d-----w C:\Documents and Settings\Administrator\Application Data\PlayFirst
2008-06-02 12:49 --------- d-----w C:\Program Files\Doggie Dash
2008-06-01 12:38 --------- d-----w C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-06-01 12:30 --------- d-----w C:\Program Files\QuickFix
2008-05-30 10:17 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-30 07:39 --------- d-----w C:\Program Files\ZakFromAnotherPlanet
2008-05-29 07:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-05-29 07:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-28 15:46 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-05-28 03:04 --------- d-----w C:\Program Files\ReflexiveArcade
2008-05-27 11:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\n7-89-o9-3r-4t-r9
2008-05-27 11:29 --------- d-----w C:\Documents and Settings\Administrator\Application Data\GameHouse
2008-05-27 11:26 --------- d-----w C:\Program Files\GameHouse
2008-05-24 09:41 --------- d-----w C:\Program Files\FLV to AVI MPEG WMV 3GP MP4 iPod Converter
2008-05-24 05:58 --------- d-----w C:\Program Files\uTorrent
2008-05-19 11:41 50,688 ----a-w C:\WINDOWS\system32\wbhelp2.dll
2008-05-11 19:05 --------- d-----w C:\Program Files\Common Files\SWF Studio
2008-05-11 18:53 --------- d-----w C:\Program Files\PopCap Games
2008-05-10 20:36 --------- d-----w C:\Documents and Settings\Administrator\Application Data\A2Soft Shared
2008-04-27 02:35 180,224 ----a-w C:\WINDOWS\system32\xvidvfw.dll
2008-04-27 02:33 765,952 ----a-w C:\WINDOWS\system32\xvidcore.dll
2008-04-20 01:01 24,192 ----a-w C:\Documents and Settings\Administrator\usbsermptxp.sys
2008-04-20 01:01 22,768 ----a-w C:\Documents and Settings\Administrator\usbsermpt.sys
2008-04-18 03:34 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-01-17 03:53 1,990 ----a-w C:\Program Files\DeIsL1.isu
2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
1997-11-08 12:29 68,608 ----a-w C:\Program Files\MLCheck.dll
1997-11-08 07:10 54,272 ----a-w C:\Program Files\ml-Uninstall.Exe
1997-11-06 02:33 199,680 ----a-w C:\Program Files\mlff-png.dll
1997-11-06 00:55 186,012 ----a-w C:\Program Files\3DTP.HLP
1997-11-06 00:54 275 ----a-w C:\Program Files\3DTP.CNT
1997-10-31 02:38 133 ----a-w C:\Program Files\MLCheck.cfg
1997-01-09 11:27 14,715 ----a-w C:\Program Files\standardnodes.wrl
1996-05-10 04:09 33,792 ----a-w C:\Program Files\_ISREG32.DLL
2008-01-07 11:50 56 --sh--r C:\WINDOWS\system32\26A5CDFE9A.sys
.

------- Sigcheck -------

2005-10-13 01:14 694272 0f346a32db874f1c31c6931132fb0fb2 C:\WINDOWS\system32\wininet.dll

2005-10-15 17:07 974336 7fb96a922d5d8bbbcdb16906af6741d6 C:\WINDOWS\explorer.exe
.
((((((((((((((((((((((((((((( snapshot@2008-07-07_17.05.23.91 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-06 22:19:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-08 23:51:13 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-12-17 17:13 3810544]
"Google Update"="C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe" [2008-06-15 14:37 51184]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 18:15 106496]
"SiS Tray"="C:\WINDOWS\system32\sistray.EXE" [2002-11-17 10:36 303104]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-17 22:25 98304]
"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [2001-07-09 18:50 155648]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12 49152]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-04 09:00 1232152]
"CameraFixer"="C:\WINDOWS\CameraFixer.exe" [2005-10-03 11:23 20480]
"tsnpstd3"="C:\WINDOWS\tsnpstd3.exe" [2005-11-04 15:05 90112]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2005-09-05 15:55 339968]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
YouTube Uploader.lnk - C:\Documents and Settings\Administrator\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe [2007-11-09 13:33:08 71152]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-16 19:28:00 110592]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"DisableCAD"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)
"NoSMHelp"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm
"aux1"= ctwdm32.dll
"aux2"= ctwdm32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-04 09:00]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-04 09:00]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-04 09:00]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-04 09:00]
R2 StkASSrv;Syntek STK1160 Service;C:\WINDOWS\System32\StkASv2K.exe [2006-05-23 23:49]
S3 Inimgpritsr;Inimgpritsr;C:\WINDOWS\system32\rasautou.exe [2001-08-24 01:00]
S3 StkAMini;Syntek STK1160;C:\WINDOWS\system32\Drivers\StkAMini.sys [2006-11-15 17:32]
S3 StkScan;Syntek STK1160 Still Image;C:\WINDOWS\system32\Drivers\StkScan.sys [2006-06-27 18:27]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-09 07:52:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-07-09 7:57:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-08 23:56:53
ComboFix2.txt 2008-07-07 09:06:02

Pre-Run: 7,105,527,808 bytes free
Post-Run: 7,326,584,832 bytes free

424

#12 Buckeye_Sam

Malware Expert

Group: Malware Response Team
Posts: 17,382
Joined: 23-December 04
Gender:Male
Location:Pickerington, Ohio

Posted 09 July 2008 - 09:02 AM

Whoa! Do you have any idea where Zango came from?

There's a lot of file sharing programs installed on this computer and that in itself is very risky. It's likely where these malware infections are coming from.

That being said, your log looks pretty good right now.
How are things on your end?

#13 hookedforever

Member

Group: Members
Posts: 37
Joined: 02-July 08
Gender:Female
Location:philippines

Posted 09 July 2008 - 10:52 AM

i have my uncle to blame regarding that Zango thingy..He said he accidentally clicked on some add and then it started installing Zango. I tried uninstalling the program but it wouldn't so I just ran ComboFix as scheduled and I'm glad everything Zango-related was gone after ComboFix was ran. The pc seems ok now. :thumbsup:

Thanks to you again, Sam.

There's this notification saying that I should update my shockwave? Should I? Hehe..I don't know what's that for...

I guess I can also update my Java now.

Sam, is it safe to run ComboFix and the other programs you asked me to download every time I feel that there's malware on my pc? I mean, which programs can I run without your supervision?

This post has been edited by hookedforever: 09 July 2008 - 12:41 PM

#14 Buckeye_Sam

Malware Expert

Group: Malware Response Team
Posts: 17,382
Joined: 23-December 04
Gender:Male
Location:Pickerington, Ohio

Posted 09 July 2008 - 04:02 PM

Shockwave and java should be updated whenever there is an update available. Updates are almost always to make the program more secure.

You should not run Combofix or any of the other specific tools that we've used without the right assistance. To do so is risky. Combofix is a very powerful program. Members of the HJT Team here are constantly kept in the loop on updates that are done to the program, as well as potential bugs and risk factors. I would strongly advise against running it on my own. That's one of the reasons why I always give final instructions to remove Combofix once we're done. Which is what we'll do now.

But first, your log shows that you don't have the recovery console installed.
Check this link for more info on the recovery console and how to get it installed.

How to install and use the Windows XP Recovery Console

===================

Next, let's remove Combofix now that we're done with it and clean up a few other things.

Click START then RUN
Now type Combofix /u in the runbox and click OK
When shown the disclaimer, Select "2"

==================

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

You can find instructions on how to enable and reenable system restore here:

Windows XP System Restore Guide

Renable system restore with instructions from tutorial above
Make your Internet Explorer more secure - This can be done by following these simple instructions:
- From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
  - Change the Download signed ActiveX controls to Prompt
  - Change the Download unsigned ActiveX controls to Disable
  - Change the Initialize and script ActiveX controls not marked as safe to Disable
  - Change the Installation of desktop items to Prompt
  - Change the Launching programs and files in an IFRAME to Prompt
  - Change the Navigate sub-frames across different domains to Prompt
  - When all these settings have been made, click on the OK button.
  - If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Next press the Apply button and then the OK to exit the Internet Properties page.
Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources
Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

A tutorial on installing & using this product can be found here:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

:thumbsup:

#15 hookedforever

Member

Group: Members
Posts: 37
Joined: 02-July 08
Gender:Female
Location:philippines

Posted 10 July 2008 - 09:53 AM

Ok I'll keep that in mind. :spacer:

I've removed COmboFix, installed the 3 other programs and followed the things you specified and my pc is working smoothly so far... :thumbsup:

I really don't know how to thank you Sam. You've been such a great help. I've learned a lot too. Im glad there are people like you. Thank you so much.