Infected With Avsystemcare ?


18 replies to this topic

#1 damsl in distress


Posted 29 July 2007 - 06:27 PM

Hi, I keep getting a lot of pop-ups for AVSystemCare, Nintendo Wii, Mobile Phones. I have used: AVG-SPYWARE, AVG ANTI-VIRUS, SPYBOT SEARCH & DESTROY, AD-AWARE (Crashed), SPYWARE DOCTOR (began failing), SUPER-ANTISPY, SPYWAREBLASTER, VIRGINMEDIA PCGUARD (now removed). I have also run "cleanmgr" and tried Housecall and Panda Anti-Virus; both could not complete the process. Tried McAfee AVERT Stinger. I have a firewall (all up to date). I have tried SmitFraudFix. ALL TO NO AVAIL. I have now done (I think) an HJT (HijackThis). Please help... The only thing I can think of now is to clean my hard drive???

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:14:23, on 30/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe
C:\WINDOWS\system32\MMTray.exe
C:\WINDOWS\system32\MMTray2k.exe
C:\WINDOWS\system32\MMTrayLSI.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\RF Wireless Mouse\cm20.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\InterVideo\WinDVD4PR\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [RemoveCpl] RemoveCpl.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [FastTVSync] "C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe"
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [MMTray2K] MMTray2k.exe
O4 - HKLM\..\Run: [MMTrayLSI] MMTrayLSI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Start RF Wireless Mouse] C:\Program Files\RF Wireless Mouse\cm20.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: InterVideo Scheduler server.lnk = C:\Program Files\InterVideo\WinDVD4PR\SchSvr.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=presario&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1185649119156
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NTLOAD - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe (file missing)
O23 - Service: NTSVCMGR - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 8829 bytes

Any help would be greatly appreciated!

GOOD MORNING
Can anyone help?

Edited by damsl in distress, 30 July 2007 - 05:37 AM.



#2 damsl in distress


Posted 30 July 2007 - 06:24 AM

Hi, pre-empting things a bit I know, but I ran Rogue Remover and it stated it didn't find anything. When I went back on the internet it was still happening. I have run ComboFix in SAFE MODE and below is the log report. I hope I am not mixing you up, but would you be so kind as to take a look and advise. Also, if I do get rid of this, any suggestions on the best anti-spyware... like SuperAntiSpy or SpywareBlaster... PLEASE HELP!

ComboFix 07-07-28.5 - "Admin" 2007-07-30 12:06:26.1 [GMT 1:00] - NTFS [SAFE MODE]
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.True


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\winupdates
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\nvs2.inf
C:\WINDOWS\system32\rvzebmptxb.dat
C:\WINDOWS\system32\rvzebmptxb.exe
C:\WINDOWS\system32\rvzebmptxb_nav.dat
C:\WINDOWS\system32\rvzebmptxb_navps.dat


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\ntldr.sys


((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-30 )))))))))))))))))))))))))))))))


2007-07-30 12:01 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-30 11:40 <DIR> d-------- C:\Program Files\RogueRemover
2007-07-30 00:13 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-29 22:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-29 22:02 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-07-29 22:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-29 22:02 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\SUPERAntiSpyware.com
2007-07-29 21:09 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-07-29 20:54 3,620 --a------ C:\WINDOWS\system32\tmp.reg
2007-07-29 20:23 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-07-29 20:22 <DIR> d-------- C:\Program Files\MSBuild
2007-07-29 20:19 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-07-29 20:18 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-07-29 20:17 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-07-29 20:16 <DIR> d-------- C:\d705efd87191f2eaac8fcfb98c24d92c
2007-07-29 20:15 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-07-29 20:15 <DIR> d-------- C:\1c22ea841f69cc042e7cd6d6ef
2007-07-29 20:13 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-07-29 20:13 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-07-29 20:13 <DIR> d-------- C:\f908bef192c8a245752f
2007-07-29 20:13 <DIR> d-------- C:\d09332dab5e425db08
2007-07-29 20:12 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-07-29 20:10 <DIR> d-------- C:\WINDOWS\RegisteredPackages
2007-07-29 20:05 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2007-07-29 20:05 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2007-07-29 20:05 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2007-07-29 14:31 <DIR> d-------- C:\WINDOWS\system32\Panda Software
2007-07-29 13:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-29 12:18 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-28 21:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Virgin Broadband
2007-07-28 21:30 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Virgin Broadband
2007-07-28 20:26 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-07-28 15:06 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-07-28 15:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-07-28 15:02 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Google
2007-07-28 15:01 <DIR> d-------- C:\Program Files\Google
2007-07-28 15:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2007-07-26 20:20 <DIR> d-------- C:\Program Files\TEsT Box-II
2007-07-19 12:24 <DIR> d-------- C:\Program Files\SP2 Connection Patcher
2007-07-19 12:24 <DIR> d-------- C:\Program Files\LimeWire Download Accelerator
2007-07-19 12:24 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\UPLOAD 4 AUDIO
2007-07-18 18:23 5,242,880 --a------ C:\DOCUME~1\Admin\ntuser.dat
2007-07-18 16:50 14 --a------ C:\WINDOWS\system32\systeminfo.dll
2007-07-18 16:49 <DIR> d-------- C:\Program Files\BlazeVideo
2007-07-18 16:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BlazeVideo
2007-07-16 20:33 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-07-16 20:33 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-07-16 20:33 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-07-16 20:33 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-07-16 20:33 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2007-07-16 20:33 15,360 --a------ C:\WINDOWS\system32\drivers\MPE.sys
2007-07-16 20:33 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-07-16 20:33 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-07-16 20:33 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2007-07-16 20:32 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-07-16 20:32 363,520 --a------ C:\WINDOWS\system32\PsisDecd.dll
2007-07-16 20:32 11,776 --a------ C:\WINDOWS\system32\drivers\BdaSup.sys
2007-07-16 20:29 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\ArcSoft
2007-07-16 20:28 11,776 --a------ C:\WINDOWS\system32\drivers\afc.sys
2007-07-16 20:27 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2007-07-16 20:27 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
2007-07-16 20:26 18,944 --a------ C:\WINDOWS\system32\drivers\BDA_Loader_225.sys
2007-07-16 20:26 14,592 --a------ C:\WINDOWS\system32\drivers\BDA_Capture_225.sys
2007-07-16 20:26 118,784 --a------ C:\WINDOWS\system32\Westlake.dll
2007-07-16 20:26 <DIR> d-------- C:\Program Files\ArcSoft
2007-07-13 21:50 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\TVU Networks
2007-07-13 20:25 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\JLC's Software
2007-07-13 20:24 <DIR> d-------- C:\Program Files\JLC's Software
2007-07-13 19:12 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Media Player Classic
2007-07-10 08:12 438,272 --a------ C:\WINDOWS\system32\SkinCrafter.dll
2007-07-04 23:54 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-07-03 23:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-27 09:14 47408 --a------ C:\DOCUME~1\Admin\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-07-19 13:21 359040 --a------ C:\WINDOWS\system32\drivers\OLDA.tmp
2007-07-16 20:27 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-16 18:27 --------- d-------- C:\DOCUME~1\Admin\APPLIC~1\BitTorrent
2007-07-15 01:39 --------- d-------- C:\DOCUME~1\Admin\APPLIC~1\Ahead
2007-07-13 13:20 --------- d-------- C:\Program Files\Common Files\SureThing Shared
2007-05-16 16:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2005-01-31 23:31 0 --a------ C:\DOCUME~1\Admin\APPLIC~1\wklnhst.dat
2005-01-16 18:19:06 4,608 --sha-r C:\WINDOWS\system\DRIVER\cygcrypt-0.dll
2005-01-16 18:19:06 1,140,617 --sha-r C:\WINDOWS\system\DRIVER\cygwin1.dll
2005-01-28 12:30:22 1,478 --sha-r C:\WINDOWS\system\DRIVER\servicelogon.dll
2006-03-09 22:53:10 1,877 --sha-r C:\WINDOWS\system\DRIVER\servicesmgr.dll
2005-01-28 12:30:22 1,477 --sh--r C:\WINDOWS\system\DRIVER\svchostlogon.dll
2006-03-09 22:53:05 1,575 --sha-r C:\WINDOWS\system\DRIVER\winlogon.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-08 04:40]
"AGRSMMSG"="AGRSMMSG.exe" [2004-08-24 12:19 C:\WINDOWS\AGRSMMSG.exe]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 18:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-03-01 14:05]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-25 22:00]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [2004-06-03 23:05]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 02:01]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-08-19 12:50]
"bcmwltry"="bcmwltry.exe" [2003-07-26 00:28 C:\WINDOWS\system32\bcmwltry.exe]
"RemoveCpl"="RemoveCpl.exe" [2003-01-15 00:50 C:\WINDOWS\system32\RemoveCpl.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-06-29 11:54]
"FastTVSync"="C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe" [2003-09-08 03:33]
"MMTray"="MMTray.exe" [2003-03-25 06:49 C:\WINDOWS\system32\MMTray.exe]
"MMTray2K"="MMTray2k.exe" [2003-03-25 06:49 C:\WINDOWS\system32\MMTray2k.exe]
"MMTrayLSI"="MMTrayLSI.exe" [2003-03-25 06:49 C:\WINDOWS\system32\MMTrayLSI.exe]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-04-12 11:15]
"Start RF Wireless Mouse"="C:\Program Files\RF Wireless Mouse\cm20.exe" [2004-03-06 10:08]
"Tweak UI"="TWEAKUI.CPL" [2003-03-25 06:49 C:\WINDOWS\system32\tweakui.cpl]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe" [2004-11-12 02:50]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-04-14 16:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 15:01]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-07-28 15:01:46]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 02:06:58]
InterVideo Scheduler server.lnk - C:\Program Files\InterVideo\WinDVD4PR\SchSvr.exe [2005-03-13 20:50:08]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2005-03-13 20:50:25]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\PROGRA~1\DVDREG~1\DVDShell.dll [2004-10-09 15:18 49152]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^desktop.ini]
path=C:\Documents and Settings\Admin\Start Menu\Programs\Startup\desktop.ini
backup=C:\WINDOWS\pss\desktop.iniStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz]
"C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys
R0 caboagp;ATI Cabo AGP Filter;C:\WINDOWS\system32\DRIVERS\atisgkaf.sys
R0 DevUpper;TI UltraMedia CardBus Controller Filter Driver;C:\WINDOWS\system32\DRIVERS\tiumflt.sys
R0 imagedrv;imagedrv;C:\WINDOWS\system32\Drivers\imagedrv.sys
R0 imagesrv;imagesrv;C:\WINDOWS\system32\DRIVERS\imagesrv.sys
R1 eabfiltr;EABFiltr;\??\C:\WINDOWS\system32\drivers\EABFiltr.sys
R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
R1 StarOpen;StarOpen;C:\WINDOWS\system32\drivers\StarOpen.sys
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI;C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
R2 SoundMAX Agent Service (default);SoundMAX Agent Service;C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
R3 Afc;PPdus ASPI Shell;C:\WINDOWS\system32\drivers\Afc.sys
R3 Iviaspi;IVI ASPI Shell;C:\WINDOWS\system32\drivers\iviaspi.sys
R3 ROOTMODEM;Microsoft Legacy Modem Driver;C:\WINDOWS\system32\Drivers\RootMdm.sys
R3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
R3 tiumfwl;tiumfwl;C:\WINDOWS\system32\drivers\tiumfwl.sys
S2 CSS DVP;CSS DVP;C:\WINDOWS\system32\DRIVERS\css-dvp.sys
S2 NTLOAD;NTLOAD;C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe /name:"NTLOAD" /start:"C:\WINDOWS\system\driver\csrss.exe"
S3 BDA_Capture_225;USB Digital-TV receiver Driver 2.0.1.8;C:\WINDOWS\system32\Drivers\BDA_Capture_225.sys
S3 BDA_Loader_225;USB Digital-TV Receiver Firmware Loader 6.5.8.0;C:\WINDOWS\system32\Drivers\BDA_Loader_225.sys
S3 eabusb;eabusb;\??\C:\WINDOWS\system32\drivers\eabusb.sys
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0;c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
S3 FTDIBUS;USB Serial Converter Driver;C:\WINDOWS\system32\drivers\ftdibus.sys
S3 FTSER2K;USB Serial Port Driver;C:\WINDOWS\system32\drivers\ftser2k.sys
S3 idsvc;Windows CardSpace;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
S3 MPE;BDA MPE Filter;C:\WINDOWS\system32\DRIVERS\MPE.sys
S3 P2k;Motorola USB Device;C:\WINDOWS\system32\DRIVERS\P2k.sys
S3 Pcouffin;Low level access layer for CD devices;C:\WINDOWS\system32\Drivers\Pcouffin.sys
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys
S3 usbser;Motorola USB Modem Driver;C:\WINDOWS\system32\DRIVERS\usbser.sys
S3 usbsermpt;Motorola USB Modem Driver for MPT;C:\WINDOWS\system32\DRIVERS\usbsermpt.sys
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"


Contents of the 'Scheduled Tasks' folder
2007-07-30 11:00:00 C:\WINDOWS\Tasks\AF90B479914B29E9.job - c:\docume~1\admin\applic~1\upload~1\Coal Roam Owns.exe
2005-03-20 21:40:00 C:\WINDOWS\Tasks\Easy Internet Sign-up.job - C:\Program Files\Easy Internet signup\HPSdpApp.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-30 12:11:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NTLOAD]
"ImagePath"="C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe /name:\"NTLOAD\" /start:\"C:\WINDOWS\system\driver\csrss.exe\""

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NTSVCMGR]
"ImagePath"="C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe /name:\"NTSVCMGR\" /start:\"C:\WINDOWS\system\driver\services.exe C:\WINDOWS\system\driver\ntauth.dll\""

Completion time: 2007-07-30 12:14:30 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-30 12:13

--- E O F ---

Anything else I should do now??? I added to my post by reply to try not to confuse everyone - sorry if this was wrong!

Edited by damsl in distress, 30 July 2007 - 07:03 AM.


#3 damsl in distress

damsl in distress
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:38 AM

Posted 01 August 2007 - 07:01 AM

Hi

Can anybody advise me on this matter?

It would be very much appreciated.

#4 random/random (Malware Response Team)

Posted 07 August 2007 - 01:54 PM

It looks like ComboFix took care of your main problem, but there are some leftovers that need to be cleared up.

Download Brute Force Uninstaller.
Unzip it to its own folder (c:\BFU)

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download EGDACCESS Remover. Save it in the folder you made earlier (c:\BFU)

Start the Brute Force Uninstaller by double-clicking BFU.exe

In the scriptline to execute, copy and paste c:\bfu\EGDACCESS.bfu
Press execute and let it do its job.

Wait for the "complete script execution" box to pop up and press OK.
Press exit to terminate the BFU program.
  • Open a new notepad window (Start>All programs>accessories>notepad)
  • Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
    Driver::
    NTLOAD
    NTSVCMGR
    Folder::
    C:\WINDOWS\SYSTEM\DRIVER
    c:\docume~1\admin\applic~1\upload~1
    File::
    C:\WINDOWS\Tasks\AF90B479914B29E9.job
  • Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
  • Save it to the desktop as CFscript.txt
  • Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
    [image not available in this copy: CFscript.txt being dragged onto combofix.exe]
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall
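The leftovers random/random targets above (two services pointing at C:\WINDOWS\SYSTEM\DRIVER, files named like core Windows processes living in that folder, and a scheduled task with an opaque hex name pointing into the user's profile) can be picked out of a HijackThis or ComboFix log mechanically. The Python below is an added example, not part of this thread nor of either tool; its list of expected service directories is an assumption to tune per machine, and the sample log lines are constructed from the ones posted above.

```python
"""Triage helper for the persistence leftovers discussed in this thread.

Added example (not from the thread, HijackThis or ComboFix). It flags:
  1. O23 service lines whose binary is reported missing or sits outside the
     directories where service binaries are normally installed;
  2. paths that borrow a core Windows process name but live outside System32;
  3. scheduled-task lines with an opaque hex .job name targeting a user profile.
"""
import re

# Assumption for this example: where a legitimate XP service binary is expected.
# Tune this baseline for the machine being examined; it is not an authoritative list.
EXPECTED_SERVICE_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\microsoft.net\\",
    "c:\\program files\\",
    "c:\\progra~1\\",
)

# Core Windows process names that malware commonly reuses as a disguise.
CORE_PROCESS_NAMES = ("csrss.exe", "services.exe", "winlogon.exe",
                      "lsass.exe", "svchost.exe", "smss.exe")

SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
TASK_RE = re.compile(r"^\S+ \S+ (?P<jobpath>.+?\.job) - (?P<target>.+)$")
# A drive letter, then backslash-separated segments (no quotes), ending in a core name.
CORE_PATH_RE = re.compile(
    r'[a-z]:(?:\\[^\\"\r\n]+)*\\(?:'
    + "|".join(re.escape(n) for n in CORE_PROCESS_NAMES)
    + r")\b",
    re.IGNORECASE,
)


def check_service_line(line):
    """Return the reasons an 'O23 - Service:' line deserves review ([] if it looks normal)."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return []
    reasons = []
    path = m.group("path").strip()
    if path.endswith("(file missing)"):
        reasons.append("binary reported missing")
        path = path[: -len("(file missing)")].strip()
    if not path.strip('"').lower().startswith(EXPECTED_SERVICE_DIRS):
        reasons.append("binary outside expected directories: " + path)
    # 'Unknown owner' alone is common for OEM drivers; only note it alongside another finding.
    if reasons and m.group("owner") == "Unknown owner":
        reasons.append("no publisher recorded for the service")
    return reasons


def masquerading_core_binaries(text):
    """Return paths that carry a core process name but whose folder is not System32."""
    hits = []
    for m in CORE_PATH_RE.finditer(text):
        path = m.group(0)
        parent = path.rsplit("\\", 1)[0].lower()
        if parent != "c:\\windows\\system32" and path not in hits:
            hits.append(path)
    return hits


def check_task_line(line):
    """True for a scheduled-task line with an opaque hex .job name whose target
    lives inside a user profile (the AF90B479914B29E9.job pattern above)."""
    m = TASK_RE.match(line.strip())
    if not m:
        return False
    job_name = m.group("jobpath").rsplit("\\", 1)[-1][:-len(".job")]
    target = m.group("target").lower()
    opaque_name = re.fullmatch(r"[0-9a-f]{12,}", job_name, re.IGNORECASE) is not None
    in_profile = any(marker in target for marker in
                     ("docume~1\\", "documents and settings\\", "applic~1\\", "application data\\"))
    return opaque_name and in_profile


def triage(log_text):
    """Run all checks over HJT/ComboFix log text; return (kind, detail) findings."""
    findings = []
    for line in log_text.splitlines():
        findings.extend(("service", reason) for reason in check_service_line(line))
        if check_task_line(line):
            findings.append(("task", line.strip()))
    findings.extend(("core-name-outside-system32", p) for p in masquerading_core_binaries(log_text))
    return findings


# Constructed sample: a handful of lines modelled on the logs posted in this thread.
SAMPLE_LOG = "\n".join([
    r"C:\WINDOWS\System32\smss.exe",
    r"O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe",
    r"O23 - Service: NTLOAD - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe (file missing)",
    r'S2 NTLOAD;NTLOAD;C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe /name:"NTLOAD" /start:"C:\WINDOWS\system\driver\csrss.exe"',
    r'"ImagePath"="C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe /name:\"NTSVCMGR\" /start:\"C:\WINDOWS\system\driver\services.exe C:\WINDOWS\system\driver\ntauth.dll\""',
    r"2007-07-30 11:00:00 C:\WINDOWS\Tasks\AF90B479914B29E9.job - c:\docume~1\admin\applic~1\upload~1\Coal Roam Owns.exe",
    r"2005-03-20 21:40:00 C:\WINDOWS\Tasks\Easy Internet Sign-up.job - C:\Program Files\Easy Internet signup\HPSdpApp.exe",
])

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"[{kind}] {detail}")
```

Run against the full logs, the Ati HotKey Poller service and the Easy Internet Sign-up task are left alone while the NTLOAD/NTSVCMGR services, the disguised csrss.exe and services.exe, and the AF90B479914B29E9.job task are reported.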


#5 damsl in distress

damsl in distress
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:38 AM

Posted 07 August 2007 - 03:55 PM

Hi random/random,

I have done what you asked...Hopefully correctly and here is the log!

ComboFix 07-07-28.5 - "Admin" 2007-08-07 21:42:53.2 [GMT 1:00] - NTFS [SAFE MODE]
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.True
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFscript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


c:\docume~1\admin\applic~1\upload~1
c:\docume~1\admin\applic~1\upload~1\0
C:\WINDOWS\SYSTEM\DRIVER
C:\WINDOWS\SYSTEM\DRIVER\compasdfsadf.txt
C:\WINDOWS\SYSTEM\DRIVER\Copy (2) of 5.txt
C:\WINDOWS\SYSTEM\DRIVER\cygcrypt-0.dll
C:\WINDOWS\SYSTEM\DRIVER\cygwin1.dll
C:\WINDOWS\SYSTEM\DRIVER\Driver32.dll
C:\WINDOWS\SYSTEM\DRIVER\servicelogon.dll
C:\WINDOWS\SYSTEM\DRIVER\servicesmgr.dll
C:\WINDOWS\SYSTEM\DRIVER\svchostlogon.dll
C:\WINDOWS\SYSTEM\DRIVER\winlogon.dll
C:\WINDOWS\Tasks\AF90B479914B29E9.job


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NTLOAD
-------\LEGACY_NTSVCMGR
-------\NTLOAD
-------\NTSVCMGR


((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))


2007-08-07 21:31 <DIR> d-------- C:\BRUTE FORCE UNINSTALLER
2007-07-30 19:23 33,408 --a------ C:\WINDOWS\system32\drivers\freedom.sys
2007-07-30 19:22 <DIR> d-------- C:\Program Files\Common Files\PestPatrol
2007-07-30 19:22 <DIR> d-------- C:\Program Files\Common Files\Command Software
2007-07-30 19:21 <DIR> d-------- C:\Program Files\Virgin Broadband
2007-07-30 12:01 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-30 11:40 <DIR> d-------- C:\Program Files\RogueRemover
2007-07-30 00:13 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-29 22:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-29 22:02 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-07-29 22:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-29 22:02 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\SUPERAntiSpyware.com
2007-07-29 21:09 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-07-29 20:54 3,620 --a------ C:\WINDOWS\system32\tmp.reg
2007-07-29 20:23 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-07-29 20:22 <DIR> d-------- C:\Program Files\MSBuild
2007-07-29 20:19 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-07-29 20:18 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-07-29 20:17 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-07-29 20:16 <DIR> d-------- C:\d705efd87191f2eaac8fcfb98c24d92c
2007-07-29 20:15 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-07-29 20:15 <DIR> d-------- C:\1c22ea841f69cc042e7cd6d6ef
2007-07-29 20:13 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-07-29 20:13 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-07-29 20:13 <DIR> d-------- C:\f908bef192c8a245752f
2007-07-29 20:13 <DIR> d-------- C:\d09332dab5e425db08
2007-07-29 20:12 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-07-29 20:10 <DIR> d-------- C:\WINDOWS\RegisteredPackages
2007-07-29 20:05 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2007-07-29 20:05 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2007-07-29 20:05 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2007-07-29 14:31 <DIR> d-------- C:\WINDOWS\system32\Panda Software
2007-07-29 13:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-29 12:18 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-28 21:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Virgin Broadband
2007-07-28 21:30 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Virgin Broadband
2007-07-28 20:26 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-07-28 15:06 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-07-28 15:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-07-28 15:02 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Google
2007-07-28 15:01 <DIR> d-------- C:\Program Files\Google
2007-07-28 15:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2007-07-26 20:20 <DIR> d-------- C:\Program Files\TEsT Box-II
2007-07-19 12:24 <DIR> d-------- C:\Program Files\SP2 Connection Patcher
2007-07-19 12:24 <DIR> d-------- C:\Program Files\LimeWire Download Accelerator
2007-07-18 18:23 5,242,880 --a------ C:\DOCUME~1\Admin\ntuser.dat
2007-07-18 16:50 14 --a------ C:\WINDOWS\system32\systeminfo.dll
2007-07-18 16:49 <DIR> d-------- C:\Program Files\BlazeVideo
2007-07-18 16:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BlazeVideo
2007-07-16 20:33 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-07-16 20:33 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-07-16 20:33 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-07-16 20:33 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-07-16 20:33 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2007-07-16 20:33 15,360 --a------ C:\WINDOWS\system32\drivers\MPE.sys
2007-07-16 20:33 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-07-16 20:33 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-07-16 20:33 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2007-07-16 20:32 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-07-16 20:32 363,520 --a------ C:\WINDOWS\system32\PsisDecd.dll
2007-07-16 20:32 11,776 --a------ C:\WINDOWS\system32\drivers\BdaSup.sys
2007-07-16 20:29 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\ArcSoft
2007-07-16 20:28 11,776 --a------ C:\WINDOWS\system32\drivers\afc.sys
2007-07-16 20:27 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2007-07-16 20:27 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
2007-07-16 20:26 18,944 --a------ C:\WINDOWS\system32\drivers\BDA_Loader_225.sys
2007-07-16 20:26 14,592 --a------ C:\WINDOWS\system32\drivers\BDA_Capture_225.sys
2007-07-16 20:26 118,784 --a------ C:\WINDOWS\system32\Westlake.dll
2007-07-16 20:26 <DIR> d-------- C:\Program Files\ArcSoft
2007-07-13 21:50 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\TVU Networks
2007-07-13 20:25 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\JLC's Software
2007-07-13 20:24 <DIR> d-------- C:\Program Files\JLC's Software
2007-07-13 19:12 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Media Player Classic
2007-07-10 08:12 438,272 --a------ C:\WINDOWS\system32\SkinCrafter.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-27 09:14 47408 --a------ C:\DOCUME~1\Admin\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-07-19 13:21 359040 --a------ C:\WINDOWS\system32\drivers\OLDA.tmp
2007-07-16 20:27 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-16 18:27 --------- d-------- C:\DOCUME~1\Admin\APPLIC~1\BitTorrent
2007-07-15 01:39 --------- d-------- C:\DOCUME~1\Admin\APPLIC~1\Ahead
2007-07-13 13:20 --------- d-------- C:\Program Files\Common Files\SureThing Shared
2007-07-04 23:54 --------- d-------- C:\Program Files\MSXML 4.0
2007-05-16 16:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2005-01-31 23:31 0 --a------ C:\DOCUME~1\Admin\APPLIC~1\wklnhst.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-08 04:40]
"AGRSMMSG"="AGRSMMSG.exe" [2004-08-24 12:19 C:\WINDOWS\AGRSMMSG.exe]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 18:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-03-01 14:05]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-25 22:00]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [2004-06-03 23:05]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 02:01]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-08-19 12:50]
"bcmwltry"="bcmwltry.exe" [2003-07-26 00:28 C:\WINDOWS\system32\bcmwltry.exe]
"RemoveCpl"="RemoveCpl.exe" [2003-01-15 00:50 C:\WINDOWS\system32\RemoveCpl.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-06-29 11:54]
"FastTVSync"="C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe" [2003-09-08 03:33]
"MMTray"="MMTray.exe" [2003-03-25 06:49 C:\WINDOWS\system32\MMTray.exe]
"MMTray2K"="MMTray2k.exe" [2003-03-25 06:49 C:\WINDOWS\system32\MMTray2k.exe]
"MMTrayLSI"="MMTrayLSI.exe" [2003-03-25 06:49 C:\WINDOWS\system32\MMTrayLSI.exe]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-04-12 11:15]
"Start RF Wireless Mouse"="C:\Program Files\RF Wireless Mouse\cm20.exe" [2004-03-06 10:08]
"Tweak UI"="TWEAKUI.CPL" [2003-03-25 06:49 C:\WINDOWS\system32\tweakui.cpl]
"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-01-24 14:12]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe" [2004-11-12 02:50]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-04-14 16:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 15:01]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-07-28 15:01:46]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 02:06:58]
InterVideo Scheduler server.lnk - C:\Program Files\InterVideo\WinDVD4PR\SchSvr.exe [2005-03-13 20:50:08]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2005-03-13 20:50:25]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\PROGRA~1\DVDREG~1\DVDShell.dll [2004-10-09 15:18 49152]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^desktop.ini]
path=C:\Documents and Settings\Admin\Start Menu\Programs\Startup\desktop.ini
backup=C:\WINDOWS\pss\desktop.iniStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz]
"C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys
R0 caboagp;ATI Cabo AGP Filter;C:\WINDOWS\system32\DRIVERS\atisgkaf.sys
R0 DevUpper;TI UltraMedia CardBus Controller Filter Driver;C:\WINDOWS\system32\DRIVERS\tiumflt.sys
R0 imagedrv;imagedrv;C:\WINDOWS\system32\Drivers\imagedrv.sys
R0 imagesrv;imagesrv;C:\WINDOWS\system32\DRIVERS\imagesrv.sys
R1 eabfiltr;EABFiltr;\??\C:\WINDOWS\system32\drivers\EABFiltr.sys
R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
R1 StarOpen;StarOpen;C:\WINDOWS\system32\drivers\StarOpen.sys
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI;C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
R2 CSS DVP;CSS DVP;C:\WINDOWS\system32\DRIVERS\css-dvp.sys
R2 FreeTdi;Radialpoint Filter (RPS-12798);C:\WINDOWS\system32\Drivers\FreeTdi.sys
R2 SoundMAX Agent Service (default);SoundMAX Agent Service;C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
R3 Afc;PPdus ASPI Shell;C:\WINDOWS\system32\drivers\Afc.sys
R3 Freedom;Freedom Miniport;C:\WINDOWS\system32\DRIVERS\FREEDOM.SYS
R3 Iviaspi;IVI ASPI Shell;C:\WINDOWS\system32\drivers\iviaspi.sys
R3 ROOTMODEM;Microsoft Legacy Modem Driver;C:\WINDOWS\system32\Drivers\RootMdm.sys
R3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
R3 tiumfwl;tiumfwl;C:\WINDOWS\system32\drivers\tiumfwl.sys
S3 BDA_Capture_225;USB Digital-TV receiver Driver 2.0.1.8;C:\WINDOWS\system32\Drivers\BDA_Capture_225.sys
S3 BDA_Loader_225;USB Digital-TV Receiver Firmware Loader 6.5.8.0;C:\WINDOWS\system32\Drivers\BDA_Loader_225.sys
S3 eabusb;eabusb;\??\C:\WINDOWS\system32\drivers\eabusb.sys
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0;c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
S3 FTDIBUS;USB Serial Converter Driver;C:\WINDOWS\system32\drivers\ftdibus.sys
S3 FTSER2K;USB Serial Port Driver;C:\WINDOWS\system32\drivers\ftser2k.sys
S3 idsvc;Windows CardSpace;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
S3 MPE;BDA MPE Filter;C:\WINDOWS\system32\DRIVERS\MPE.sys
S3 P2k;Motorola USB Device;C:\WINDOWS\system32\DRIVERS\P2k.sys
S3 Pcouffin;Low level access layer for CD devices;C:\WINDOWS\system32\Drivers\Pcouffin.sys
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys
S3 usbser;Motorola USB Modem Driver;C:\WINDOWS\system32\DRIVERS\usbser.sys
S3 usbsermpt;Motorola USB Modem Driver for MPT;C:\WINDOWS\system32\DRIVERS\usbsermpt.sys
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"


Contents of the 'Scheduled Tasks' folder
2005-03-20 21:40:00 C:\WINDOWS\Tasks\Easy Internet Sign-up.job - C:\Program Files\Easy Internet signup\HPSdpApp.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-07 21:48:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-07 21:50:28 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-07 21:50
C:\ComboFix2.txt ... 2007-07-30 12:14

--- E O F ---



Please advise of any next steps, if necessary, or if all is OK now.

#6 random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male

Posted 07 August 2007 - 04:39 PM

Go here to run an online scanner from Kaspersky.
  • Note: You will need to use Internet Explorer for this scan
  • Click on "Kaspersky Online Scanner"
  • A new smaller window will pop up. After reading the contents, press "Accept".
  • Now Kaspersky will update the anti-virus database. Let it run.
  • Click on "Next" > "Scan Settings", make sure the database is set to "extended", and check both the scan options. Then click OK.
  • Then click on "My Computer", and the scan will start.
  • Once finished, save the log as "KAV.txt" to the desktop.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset it to 100%.

Post back with the Kaspersky log and a new HijackThis log, and let me know of any remaining problems.

#7 damsl in distress

  • Topic Starter
  • Members
  • 28 posts
  • Gender:Female

Posted 07 August 2007 - 07:56 PM

Hi random/random

I ran the Kaspersky online scanner and never got a log report (as I know them), so I have copied and pasted.

http://www.kaspersky.com/kos/eng/partner/d...avwebscan.html#
Total number of scanned objects: 45362
Number of viruses found: 1
Number of infected objects: 10
Number of suspicious objects: 0
Duration of the scan process: 01:01:34

Here is the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:54:23, on 08/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Virgin Broadband\PCguard\fws.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\MMTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\MMTray2k.exe
C:\WINDOWS\system32\MMTrayLSI.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\RF Wireless Mouse\cm20.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [RemoveCpl] RemoveCpl.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [MMTray2K] MMTray2k.exe
O4 - HKLM\..\Run: [MMTrayLSI] MMTrayLSI.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Start RF Wireless Mouse] C:\Program Files\RF Wireless Mouse\cm20.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=presario&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1185649119156
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 9371 bytes


The system is running very, very slowly... Is there still a problem?
Please advise.


#8 damsl in distress

  • Topic Starter
  • Members
  • 28 posts
  • Gender:Female

Posted 09 August 2007 - 02:48 AM

Hi

Can anyone update me, please?
Is there anything I need to do now?
Since I did the KAV.txt bit, the laptop has been running very, very slowly, e.g. getting onto the internet, drawing the screen, and also when I open the software I have installed.

PLEASE PLEASE ADVISE

#9 random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male

Posted 09 August 2007 - 12:14 PM

I ran Kaspersky online scanner and never got a log report (as I know them)


Do you mean that you know what the files that Kaspersky detected are?

You have a number of unnecessary autostart programs that can be removed to speed up your PC.

Run HijackThis
Click on "Do a system scan only"
Place a checkmark next to these lines (if still present):

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [RemoveCpl] RemoveCpl.exe
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [MMTray2K] MMTray2k.exe
O4 - HKLM\..\Run: [MMTrayLSI] MMTrayLSI.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

Then close all windows except HijackThis and click Fix Checked

Let me know if this improves the performance of your PC
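
A way to triage log lines like the ones in this thread mechanically, as an added example that is not part of the original thread, of HijackThis, or of the Malware Response Team's procedure: a Python parser for the O2/O4/O16/O23 line formats that records, for each autostart entry, where it loads from and which image it points at, then applies a few heuristics (an image given without a directory, a rundll32-hosted payload, a Startup-folder shortcut whose target HijackThis printed as "?", a service with no listed owner, and ActiveX code downloaded from a named host). The sample lines are a constructed subset copied from the logs above; the flag names and the heuristics are the author's assumptions, and a flag is a prompt to look closer, not a verdict about that entry.

```python
"""Parse HijackThis 2.0.x log lines into autostart records and apply a few
triage heuristics.  Added example; the heuristics are the author's own
assumptions, not HijackThis rules, and a flag is a prompt to look closer,
not a verdict."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed subset of the thread's HJT log, one entry per element.
SAMPLE_LOG = [
    r"O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll",
    r"O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe",
    r'O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r',
    r"O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')",
    r"O4 - Global Startup: hpoddt01.exe.lnk = ?",
    r"O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab",
    r"O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe",
    r"O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe",
]

RE_O4_REG = re.compile(r"^O4 - (?P<loc>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RE_O4_LNK = re.compile(r"^O4 - (?P<loc>(?:Global )?Startup): (?P<name>.+?\.lnk) = (?P<target>.*)$")
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RE_O16 = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>.*?)\) - (?P<url>\S+)$")
RE_O23 = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

EXEC_EXT = (".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".cpl", ".dll")
LAUNCHERS = {"rundll32.exe", "regsvr32.exe"}   # assumed list of host binaries whose real payload is an argument


@dataclass
class Entry:
    kind: str        # HJT section: O2, O4, O16, O23
    location: str    # registry key, startup folder, "BHO", "DPF", "Service"
    name: str        # entry name / display name
    image: str       # executable, DLL/CPL, shortcut target or URL the entry points at
    raw: str
    flags: List[str] = field(default_factory=list)


def split_command(cmd: str) -> Tuple[str, str]:
    """Return (image, args) for a Run-key command line.  A quoted image is taken
    verbatim; otherwise tokens are joined up to the first one that ends in an
    executable extension, which copes with unquoted paths containing spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
    tokens = cmd.split()
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(EXEC_EXT):
            return " ".join(tokens[:i + 1]), " ".join(tokens[i + 1:])
    return (tokens[0], " ".join(tokens[1:])) if tokens else ("", "")


def is_bare(image: str) -> bool:
    """True when the image carries no directory, so Windows resolves it through
    the search path or App Paths at logon (a classic hijack point)."""
    return bool(image) and image != "?" and "\\" not in image and "://" not in image


def parse_line(line: str) -> Optional[Entry]:
    line = line.rstrip()
    m = RE_O4_LNK.match(line)
    if m:
        e = Entry("O4", m["loc"], m["name"], m["target"].strip(), line)
        if e.image == "?":
            e.flags.append("unresolved-lnk")   # HJT could not read the shortcut target
        return e
    m = RE_O4_REG.match(line)
    if m:
        cmd = re.sub(r"\s*\(User '[^']*'\)$", "", m["cmd"])   # drop HKUS "(User '...')" suffix
        image, args = split_command(cmd)
        e = Entry("O4", m["loc"], m["name"], image, line)
        host = image.rsplit("\\", 1)[-1].lower()
        if host in LAUNCHERS:
            e.flags.append(f"hosted-by-{host}")
            e.image = args.split(",")[0].strip().strip('"')   # the DLL/CPL actually loaded
        if is_bare(e.image):
            e.flags.append("bare-image")
        return e
    m = RE_O2.match(line)
    if m:
        e = Entry("O2", "BHO", m["name"], m["path"].strip(), line)
        if is_bare(e.image):
            e.flags.append("bare-image")
        return e
    m = RE_O16.match(line)
    if m:
        e = Entry("O16", "DPF", m["name"], m["url"], line)
        e.flags.append(f"activex-from-{urlparse(m['url']).hostname}")
        return e
    m = RE_O23.match(line)
    if m:
        e = Entry("O23", "Service", m["name"], m["path"].strip().strip('"'), line)
        if m["owner"].strip().lower() == "unknown owner":
            e.flags.append("unknown-owner")   # no company string in the binary's version info
        if is_bare(e.image):
            e.flags.append("bare-image")
        return e
    return None   # other sections (R0, O8, O9, ...) are not handled here


def triage(lines) -> List[Entry]:
    """Parse every recognised line, skipping sections this parser does not cover."""
    return [e for e in map(parse_line, lines) if e is not None]


def flagged(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.flags]


def by_name(entries: List[Entry], name: str) -> Entry:
    return next(e for e in entries if e.name == name)


if __name__ == "__main__":
    for e in flagged(triage(SAMPLE_LOG)):
        print(f"{e.kind} {e.location:<22} {e.name:<24} {e.image:<40} {', '.join(e.flags)}")
```

Run against a full log it reads the file line by line and prints only the flagged entries, which is the short list a helper would then check by hand (file properties, hash lookup, whether the bare name actually resolves to the expected directory) before deciding what to fix in HijackThis.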

#10 damsl in distress

  • Topic Starter
  • Members
  • 28 posts
  • Gender:Female

Posted 09 August 2007 - 07:09 PM

Hi random/random,

Sorry for the delay and Thank You for helping me out.

The 'Kaspersky' log report... I expected it to look like the HJT log, but all I got was this:

Total number of scanned objects: 45362
Number of viruses found: 1
Number of infected objects: 10
Number of suspicious objects: 0
Duration of the scan process: 01:01:34

I have done HJT system scan only and fix checked the things you suggested. I restarted the PC and it did seem to log on faster.

The slowness was also there whilst actually logged on, i.e. using the internet (drawing the screen), or if I choose Nero or Word it seems slow going in...
What I shall do now is monitor the speed and let you know.

In the meantime, many, many thanks for your guidance... Is there anything else I need to do?
Also, being cheeky here, but I have a Compaq logo appear whilst the laptop is logging on... Can I get rid of this? It doesn't matter if not!

#11 random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male

Posted 11 August 2007 - 06:01 AM

Also being cheeky here but I have a Compaq logo appear whilst the laptop is logging on...Can I get rid of this? It doesn't matter if not!


I am not aware of any way of doing this.

Let's see if we can get a report from a different online scanner.
  • Note: You will need to use Internet Explorer for this scan
  • Go here to run an online scan from F-Secure
  • Click on Start scanning
  • This will open a new Internet Explorer window
  • It will require an ActiveX control; please install it
  • Click Accept
  • Click Full System Scan
  • It will now download the scanner; this may take a while, please be patient
  • It will then start scanning; wait for the scan to finish
  • Click Automatic cleaning (recommended)
  • Wait for it to finish the cleaning process
  • Click Show report
  • This will open up a window with the results of the scan; copy and paste those results as a reply to this topic


#12 damsl in distress

  • Topic Starter
  • Members
  • 28 posts
  • Gender:Female

Posted 11 August 2007 - 02:37 PM

Hi

Here is the F-Secure log (may I add that the ISP was down and I could not get onto the internet for a little while), so I had to save it in Word.

Scanning Report
Saturday, August 11, 2007 17:28:31 - 18:28:38
Computer name: LAPTOP
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\

Result: 1 malware found
Possible Browser Hijack attempt (spyware)
• System (Disinfected)
Statistics
Scanned:
• Files: 30594
• System: 4905
• Not scanned: 2
Actions:
• Disinfected: 1
• Renamed: 0
• Deleted: 0
• None: 0
• Submitted: 0
Files not scanned:
• C:\PAGEFILE.SYS
• C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
Options
Scanning engines:
• F-Secure AVP: 7.0.171, 2007-08-10
• F-Secure Blacklight: 1.0.64
• F-Secure Draco: 1.0.35, 0260-23-12
• F-Secure Libra: 2.4.2, 2007-08-10
• F-Secure Orion: 1.2.37, 2007-08-10
• F-Secure Pegasus: 1.19.0, 2007-07-05
Scanning options:
• Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
• Use Advanced heuristics


and here is the LATEST HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:25:18, on 11/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Virgin Broadband\PCguard\fws.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\RF Wireless Mouse\cm20.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\internet explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Start RF Wireless Mouse] C:\Program Files\RF Wireless Mouse\cm20.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=presario&pf=laptop
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1185649119156
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 8461 bytes

My problem still is slowness, I have already deleted some software like Intervideo and Media Portal...Also it has gone very slow logging off.
Any other start ups or log off stuff I can get rid of???

Should I use ComboFix?
Is there a site where I can look up the importance of the 'items' listed in the HiJack This Log, so I can give you a break...sometimes!
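Since the question above is how to judge the items in a HijackThis log, here is an added Python example (not from this thread and not HijackThis's own code) that parses the O4 autostart and O23 service lines into structured records and flags the ones a reviewer would look at first: autostart entries whose target is a bare filename rather than a full path, startup shortcuts whose target HijackThis could not resolve (`?`), and services with no publisher string. The sample input is a handful of lines copied from the log above; the flagging rules are heuristics chosen for this example, not a verdict on any of those entries.

```python
import re

# Constructed sample input: six lines copied from the HijackThis log posted above.
# Backslashes are doubled because this is a Python string literal, not the raw log.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [bcmwltry] bcmwltry.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKUS\\S-1-5-19\\..\\Run: [AVG7_Run] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - Global Startup: hpoddt01.exe.lnk = ?
O23 - Service: Ati HotKey Poller - Unknown owner - C:\\WINDOWS\\system32\\Ati2evxx.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\\Program Files\\Ahead\\InCD\\InCDsrv.exe
"""

# O4 registry Run entries: "O4 - <hive>\..\Run: [<name>] <command>"
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)
# O4 Startup-folder shortcuts: "O4 - Global Startup: <shortcut> = <target>"
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<target>.*)$")
# O23 services: "O23 - Service: <display name> - <owner> - <path>"
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.*)$")


def parse_hjt(text):
    """Turn O4 (autostart) and O23 (service) lines into dicts; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.rstrip()
        m = RUN_RE.match(line)
        if m:
            entries.append({"type": "run", "hive": m["hive"], "name": m["name"], "target": m["cmd"]})
            continue
        m = STARTUP_RE.match(line)
        if m:
            entries.append({"type": "startup", "hive": "Global Startup", "name": m["name"], "target": m["target"]})
            continue
        m = SERVICE_RE.match(line)
        if m:
            entries.append({"type": "service", "hive": None, "name": m["name"], "owner": m["owner"], "target": m["path"]})
    return entries


def review(entries):
    """Return (name, reason) pairs for entries that deserve a manual look. Heuristics only."""
    findings = []
    for e in entries:
        target = e["target"]
        # First token of the command, with surrounding quotes removed, is the executable.
        exe = target.split(" ")[0].strip('"')
        if target == "?":
            findings.append((e["name"], "shortcut target could not be resolved"))
        elif e["type"] in ("run", "startup") and "\\" not in exe:
            findings.append((e["name"], "bare executable name, resolved via the search path; confirm which file actually runs"))
        if e["type"] == "service" and e["owner"] == "Unknown owner":
            findings.append((e["name"], "service has no publisher string; check the file's digital signature"))
    return findings


if __name__ == "__main__":
    for name, reason in review(parse_hjt(SAMPLE_LOG)):
        print(f"{name}: {reason}")
```

Run it on a full log by reading the file instead of `SAMPLE_LOG`; entries that are not flagged still deserve a look, the heuristics only order the work.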

#13 damsl in distress (Topic Starter)

Posted 11 August 2007 - 02:59 PM

Hi random/random

I forgot to mention, sometimes when my desktop refreshes 1 of my icon 'picture' disappears and only comes back if I log off and on again.
Don't know if this means anything?
The slowness I don't think is related to software even though I have deleted a couple as this only began after I got the initial fault logged (or perhaps I didn't notice???)

Your help is greatly appreciated.
Thank You

#14 damsl in distress (Topic Starter)

Posted 11 August 2007 - 06:42 PM

Hi again

Coincidence...I don't know

but since I have run F-Secure...when I log into an account like eBay and on-line banking it is logging me out, and when I log back in again all seems ok.

What do you think the cause of this might be?

Oh and when I go into my internet browser which I've always had...it is saying 'unknown zone (mixed)' again, when I log out of the I.E. and log in it changes to internet.........strange???

Edited by damsl in distress, 11 August 2007 - 06:44 PM.


#15 damsl in distress (Topic Starter)

Posted 11 August 2007 - 08:09 PM

Hi
me again..

I have noticed that the loss of my icon 'picture' always occurs when I come out of control panel

Can you suggest owt for this
