Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

[Resolved]Bsod


  • This topic is locked This topic is locked
18 replies to this topic

#1 hibachi

hibachi

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:11:05 AM

Posted 11 August 2007 - 08:38 PM

I started here and was redirected here.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:43:38 PM, on 8/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\aol\ACS\AOLacsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\AOL\1131813307\ee\AOLSoftware.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\EZ-DUB\EZ-DUB.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\D-Link\D-Link Wireless N USB Adapter DWA-130\wirelesscm.exe
c:\program files\common files\aol\1131813307\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1131813307\ee\aolsoftware.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
c:\program files\common files\aol\1131813307\ee\anotify.exe
C:\Documents and Settings\Ann\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bobandgeorge.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bobandgeorge.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar3.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1131813307\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000230.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000230.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: EZ-DUB Finder.lnk = C:\Program Files\EZ-DUB\EZ-DUB.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: Wireless Connection Manager.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {5E8FD788-C323-4357-AB76-7CBCEFBA573C} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader.ocx
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4056/ftp...302/Coupons.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\aol\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 11430 bytes

BC AdBot (Login to Remove)

 


#2 Trevuren

Trevuren

  • Malware Response Team
  • 1,006 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Ontario, Canada
  • Local time:12:05 PM

Posted 11 August 2007 - 09:52 PM

Hello hibachi and welcome to the malware Forum.


I go by the nickname of Trevuren and I will be helping you with your problem.


A. I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.


Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". This may change, read Viewpoint to Plunge Into Adware
I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):

1. Click Start, then Settings, then click Control Panel.
2. In Control Panel, double-click Add or Remove Programs.
3. In Add or Remove Programs, Remove the Viewpoint component
4. Do the same for each Viewpoint component.


B. Please provide a list of uninstallable programs.

To Provide a List of Installed Programs
  • Run HijackThis.
  • Click Config>>Miscellaneous Tools>>Open Uninstall Manager>>Save List
  • Save list to Desktop
  • Copy the Notepad list and Paste it into this thread.

C. I need to get you to move HijackThis to a folder of its own so that nothing gets deleted by mistake

1. Right click in an empty space on your desktop.

2. From the Menu, click New, then Folder and a folder will appear on your desktop.

3. Name the folder HJT

4. Drag the current HijackThis icon from your desktop into the new Folder that was just created.

5. Now, run the program and post a fresh HJT log for review.

Regards,

Trevuren

Microsoft MVP - Consumer Security 2008 - 2009

Posted Image

#3 hibachi

hibachi
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:11:05 AM

Posted 11 August 2007 - 10:20 PM

Thank you Trevuren.

I uninstalled the viewpoint components as you advised.

Here is the list of uninstallable programs:
Ad-Aware SE Personal
Adobe Flash Player Plugin
Adobe Reader 6.0
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Instant Messenger
AOL Toolbar
AOL Uninstaller
AOL You've Got Pictures Screensaver
AT&T Yahoo! Applications
avast! Antivirus
BCM V.92 56K Modem
BitTorrent 3.3
Britannica Ready Reference
Broadcom Advanced Control Suite
CardRd81
CCHelp
CCScore
Classic MP6410 MP3 Player
CleanUp!
COMODO Firewall Pro
CR2
DAO
Debugging Tools for Windows
Dell Picture Studio - Dell Image Expert
Dell Solution Center
DellSupport
DivX Player
DivX Pro Codec Adware
D-Link Wireless N USB Adapter DWA-130
DVDSentry
Easy CD Creator 5 Basic
Easy Video Capture 1.0
ESSAdpt
ESSANUP
ESSBrwr
ESSCAM
ESSCDBK
ESScore
ESSCT
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTUTOR
ESSvpaht
ESSvpot
EZ-DUB
EZ-DUB Finder
Fraps
From Dusk Till Dawn
Google Toolbar for Internet Explorer
GunBound
HijackThis 2.0.2
HLPCCTR
HLPIndex
HLPPDOCK
HLPRFO
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Format SDK (KB910998)
Hoyle Casino 5
hp instant support
HP Memories Disc
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp psc 1200 series
hp psc 1200 series
Ink
Intel® Extreme Graphics Driver
iPod for Windows 2006-03-23
iPod Updater 2004-07-15
iTunes
Jasc Paint Shop Pro 8
Java™ SE Runtime Environment 6 Update 1
jv16 PowerTools 1.4.1
Kazaa Media Desktop 2.5.1
Kodak EasyShare software
KSU
Learn2 Player (Uninstall Only)
LimeWire 4.12.14
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Fireworks MX
Macromedia Flash MX
Macromedia FreeHand 10
Macromedia Shockwave Player
Magic Starter 7th Edition
McAfee.com SecurityCenter
McAfee.com VirusScan Online
Megaman X - Rush to Battle
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft AntiSpyware
Microsoft Data Access Components KB870669
Microsoft Visual C++ 2005 Redistributable
Modem Helper
Mozilla Firefox (0.8.)
Mozilla Firefox (1.0)
Mozilla Thunderbird (1.0)
MUSICMATCH Jukebox
My Photo Adventure
My Photo Adventure 2
Nero Suite
Notifier
OTtBP
OTtBPSDK
Paint Shop Pro 7
PCDLNCH
PlayFKiSS
PowerDVD
Pure Networks Port Magic
Quicken 2002 New User Edition
QuickTime
RealOne Player
RPG Maker 2000 1.05
RTP 1.32 Add-On for RM2k
RTP for RM2K (Png, Wav, Midi, Fonts)
RuMSX
SBC Self Support Tool
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
SFR
SFR2
SmartFTP
Soldat 1.2
Spybot - Search & Destroy 1.4
SpywareBlaster v3.4
Trillian
Unreal Tournament
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
VCAMCEN
VPRINTOL
Web Savings from Ebates
Winamp3 (remove only)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format Runtime
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WordPerfect Office 2002
WordPerfect Office 2002


And here is the new HJT log ran from inside the HJT folder:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:48 PM, on 8/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\aol\ACS\AOLacsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\AOL\1131813307\ee\AOLSoftware.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\EZ-DUB\EZ-DUB.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\D-Link\D-Link Wireless N USB Adapter DWA-130\wirelesscm.exe
c:\program files\common files\aol\1131813307\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1131813307\ee\aolsoftware.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Ann\Desktop\HJT\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bobandgeorge.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bobandgeorge.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar3.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1131813307\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000230.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000230.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: EZ-DUB Finder.lnk = C:\Program Files\EZ-DUB\EZ-DUB.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: Wireless Connection Manager.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {5E8FD788-C323-4357-AB76-7CBCEFBA573C} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader.ocx
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4056/ftp...302/Coupons.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\aol\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 11272 bytes

#4 Trevuren

Trevuren

  • Malware Response Team
  • 1,006 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Ontario, Canada
  • Local time:12:05 PM

Posted 12 August 2007 - 12:49 AM

A. Before we do anything else, we must disable TeaTimer and leave it disabled until we are all done.

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
  • Now with both Spybot and Tea Timer shut down:
  • Download ResetTeaTimer.bat.
  • Double click ResetTeaTimer.bat to remove all entries set by TeaTimer

B. I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.


Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". This may change, read Viewpoint to Plunge Into Adware
I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):

1. Click Start, then Settings, then click Control Panel.
2. In Control Panel, double-click Add or Remove Programs.
3. In Add or Remove Programs, Remove the Viewpoint component
4. Do the same for each Viewpoint component.


C. In addition to Viewpoint, the following programs should be uninstalled from your system:

DivX Pro Codec Adware <==malware
Kazaa Media Desktop 2.5.1 <==bundled malware. There are safer alternatives
Mozilla Firefox (0.8.) <==No longer needed


D. Please download this file - combofix.exe by sUBs
  • You must download to and run it from your Desktop
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

Regards,

Trevuren

Microsoft MVP - Consumer Security 2008 - 2009

Posted Image

#5 hibachi

hibachi
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:11:05 AM

Posted 12 August 2007 - 01:22 AM

I disabled TeaTimer and then ran ResetTeaTimer.bat

Here is the log for ComboFix:

ComboFix 07-08-12.2 - "Ann" 2007-08-12 1:03:01.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.238 [GMT -5:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\NDNuninstall4_94.exe
C:\WINDOWS\NDNuninstall6_22.exe


((((((((((((((((((((((((( Files Created from 2007-07-12 to 2007-08-12 )))))))))))))))))))))))))))))))


2007-08-12 01:02 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-11 17:13 <DIR> d-------- C:\Program Files\Comodo
2007-08-11 12:42 <DIR> d-------- C:\symbols
2007-08-11 12:35 <DIR> d-------- C:\Program Files\Debugging Tools for Windows
2007-08-08 19:24 <DIR> d-------- C:\WINDOWS\pss
2007-07-31 18:59 499,328 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\MRVW245.sys
2007-07-31 18:59 <DIR> d-------- C:\WINDOWS\USBdevice
2007-07-31 18:59 <DIR> d-------- C:\Program Files\D-Link
2007-07-29 14:11 <DIR> d-------- C:\Downloads
2007-07-28 15:33 <DIR> d-------- C:\Program Files\uTorrent
2007-07-28 15:33 <DIR> d-------- C:\DOCUME~1\Ann\APPLIC~1\uTorrent
2007-07-20 00:32 <DIR> d-------- C:\DOCUME~1\Randy\APPLIC~1\Jasc Software Inc
2007-07-17 14:04 <DIR> d-------- C:\DOCUME~1\Ann\Shared
2007-07-17 14:04 <DIR> d-------- C:\DOCUME~1\Ann\Incomplete
2007-07-17 14:04 <DIR> d-------- C:\DOCUME~1\Ann\APPLIC~1\LimeWire


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-12 01:00 --------- d-------- C:\Program Files\DivX
2007-08-11 22:05 --------- d-------- C:\Program Files\Viewpoint
2007-08-08 19:47 --------- d-------- C:\Program Files\Microsoft AntiSpyware
2007-07-31 18:59 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-27 17:07 783224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-27 17:02 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-27 17:02 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-27 17:00 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 16:59 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 16:58 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-27 16:57 95608 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-07-12 17:16 --------- d-------- C:\Program Files\My Photo Adventure
2007-07-11 16:06 --------- d-------- C:\DOCUME~1\Ann\APPLIC~1\AdobeUM
2007-07-01 23:05 --------- d-------- C:\DOCUME~1\Ann\APPLIC~1\Motive
2007-06-30 16:01 --------- d-------- C:\DOCUME~1\Ann\APPLIC~1\Google
2007-06-29 11:36 --------- d-------- C:\DOCUME~1\Ann\APPLIC~1\Yahoo!
2007-06-25 16:41 --------- d-------- C:\Program Files\Yahoo!
2007-06-25 14:17 --------- d-------- C:\Program Files\SBC LightSpeed Self Support Tool
2007-06-25 14:17 --------- d-------- C:\Program Files\Common Files\Motive
2007-06-25 14:16 --------- d-------- C:\Program Files\SBC Self Support Tool
2007-06-25 14:14 --------- d-------- C:\Program Files\illiminable
2007-06-25 14:14 --------- d-------- C:\Program Files\Common Files\SureThing Shared
2007-06-22 22:32 --------- d--h----- C:\DOCUME~1\Ann\APPLIC~1\GTek
2007-06-22 22:31 --------- d-------- C:\Program Files\DellSupport
2003-05-27 09:45 207758 --a------ C:\Program Files\INSTALL.LOG


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-01-13 14:07]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-01-13 13:53]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 C:\WINDOWS\BCMSMMSG.exe]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 18:22]
"MCAgentExe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2002-09-06 18:15]
"MCUpdateExe"="C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe" [2002-09-04 10:28]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2002-10-04 15:09]
"HostManager"="C:\Program Files\Common Files\AOL\1131813307\ee\AOLSoftware.exe" [2006-09-25 19:52]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-27 17:03]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"AIM"="C:\Program Files\AIM\aim.exe" [2004-09-01 11:26]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"services32"=C:\Program Files\Common Files\Windows\mc-110-12-0000230.exe

C:\Documents and Settings\Ann\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 09:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0a\aoltray.exe [2005-09-17 17:18:59]
DESKTOP.INI [2002-09-03 09:00:00]
EZ-DUB Finder.lnk - C:\Program Files\EZ-DUB\EZ-DUB.exe [2005-09-13 19:47:52]
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2002-12-02 21:08:34]
Wireless Connection Manager.lnk - C:\Program Files\D-Link\D-Link Wireless N USB Adapter DWA-130\wirelesscm.exe [2007-07-31 18:59:20]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=C:\WINDOWS\pss\AOL Companion.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ann^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Ann\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
"C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 DcCam;Kodak Camera Proxy;C:\WINDOWS\system32\DRIVERS\DcCam.sys
R1 NPPTNT;NPPTNT;\??\C:\WINDOWS\System32\npptNT.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R2 DCFS2K;Kodak DCFS2K Driver;C:\WINDOWS\system32\drivers\dcfs2k.sys
R3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\system32\DRIVERS\BCMSM.sys
R3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
R3 MxlW2k;MxlW2k;C:\WINDOWS\system32\drivers\MxlW2k.sys
R3 NaiFiltr;NaiFiltr;C:\WINDOWS\system32\DRIVERS\NaiFiltr.sys
S1 Exportit;Exportit;C:\WINDOWS\system32\DRIVERS\exportit.sys
S3 DcFpoint;DcFpoint;C:\WINDOWS\system32\DRIVERS\DcFpoint.sys
S3 DcLps;Legacy Polling Service;C:\WINDOWS\system32\DRIVERS\DcLps.sys
S3 DcPTP;dcptp;C:\WINDOWS\system32\DRIVERS\DcPTP.sys
S3 Mp3Drv;Classic MP6410 MP3 Player Control Driver;C:\WINDOWS\system32\Drivers\Mp3Drv.sys
S3 StScsi;StScsi;C:\WINDOWS\system32\DRIVERS\StScsi.sys


Contents of the 'Scheduled Tasks' folder
2004-03-26 02:40:08 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1055382000.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
2007-08-12 06:07:00 C:\WINDOWS\Tasks\McAfee.com Update Check (BLACKIE-Ann).job - C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
2007-08-12 06:09:00 C:\WINDOWS\Tasks\McAfee.com Update Check (BLACKIE-Brad).job - C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
2007-08-12 06:09:00 C:\WINDOWS\Tasks\McAfee.com Update Check (BLACKIE-Greg).job - C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
2007-08-12 06:10:00 C:\WINDOWS\Tasks\McAfee.com Update Check (BLACKIE-Randy).job - C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
2007-08-12 06:11:00 C:\WINDOWS\Tasks\McAfee.com Update Check (DFPNDV21-Owner).job - C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
2004-03-26 02:41:13 C:\WINDOWS\Tasks\WebReg 20040325204113.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-12 01:10:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-08-12 1:12:25
C:\ComboFix-quarantined-files.txt ... 2007-08-12 01:11

--- E O F ---



And here is the latest HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:15:43 AM, on 8/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\aol\ACS\AOLacsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\AOL\1131813307\ee\AOLSoftware.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\EZ-DUB\EZ-DUB.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\D-Link\D-Link Wireless N USB Adapter DWA-130\wirelesscm.exe
c:\program files\common files\aol\1131813307\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1131813307\ee\aolsoftware.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Ann\Desktop\HJT\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bobandgeorge.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar3.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1131813307\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKUS\S-1-5-18\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000230.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000230.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: EZ-DUB Finder.lnk = C:\Program Files\EZ-DUB\EZ-DUB.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: Wireless Connection Manager.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {5E8FD788-C323-4357-AB76-7CBCEFBA573C} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader.ocx
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4056/ftp...302/Coupons.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\aol\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10497 bytes

#6 Trevuren

Trevuren

  • Malware Response Team
  • 1,006 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Ontario, Canada
  • Local time:12:05 PM

Posted 12 August 2007 - 01:53 PM

Please copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
  • Please RUN HijackThis

    1. Click the SCAN button to produce a log.


    2. Place a check mark beside each one of the following items:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKUS\S-1-5-18\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000230.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000230.exe (User 'Default user')
    O16 - DPF: {5E8FD788-C323-4357-AB76-7CBCEFBA573C} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader.ocx
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab




    3. Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.


  • Now to Remove some malware:

    1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the code box below into the Notepad window:

File::
C:\Program Files\Common Files\Windows\mc-110-12-0000230.exe

Folder::
C:\Program Files\Viewpoint
C:\Program Files\Microsoft AntiSpyware

DirLook:
C:\symbols

Driver::
Viewpoint Manager Service

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. If the tool does not initiate a reboot itself, please restart the system yourself, then post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Microsoft MVP - Consumer Security 2008 - 2009

Posted Image

#7 hibachi

hibachi
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:11:05 AM

Posted 12 August 2007 - 03:57 PM

Everything completed as I was told.

Combofix Log:

ComboFix 07-08-12.2 - "Ann" 2007-08-12 15:13:35.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.238 [GMT -5:00]
Command switches used :: C:\Documents and Settings\Ann\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\Program Files\Common Files\Windows\mc-110-12-0000230.exe


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Microsoft AntiSpyware
C:\Program Files\Microsoft AntiSpyware\cleaner.log
C:\Program Files\Microsoft AntiSpyware\errors.log
C:\Program Files\Microsoft AntiSpyware\gcAgentsData.gcd
C:\Program Files\Microsoft AntiSpyware\gcAgentsDataStoreData.gcd
C:\Program Files\Microsoft AntiSpyware\gcAntiSpywareLibrary.dll
C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasInstallHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcASNotice.exe
C:\Program Files\Microsoft AntiSpyware\gcASPrivacyLib.dll
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
C:\Program Files\Microsoft AntiSpyware\gcASSoapLib.dll
C:\Program Files\Microsoft AntiSpyware\gcasSWUpdater.exe
C:\Program Files\Microsoft AntiSpyware\gcASThreatAudit.dll
C:\Program Files\Microsoft AntiSpyware\GCCollection.dll
C:\Program Files\Microsoft AntiSpyware\gcDeterminationData.gcd
C:\Program Files\Microsoft AntiSpyware\gcDeterminationDataUser.gcd
C:\Program Files\Microsoft AntiSpyware\gcEventsData.gcd
C:\Program Files\Microsoft AntiSpyware\gcExplorersData.gcd
C:\Program Files\Microsoft AntiSpyware\gcIPtoHostQueue.exe
C:\Program Files\Microsoft AntiSpyware\gcSoftwareUpdateLib.dll
C:\Program Files\Microsoft AntiSpyware\gcTCPObjLib.dll
C:\Program Files\Microsoft AntiSpyware\gcThreatAuditIgnoredThreatsData.gcd
C:\Program Files\Microsoft AntiSpyware\gcThreatAuditQuarantineData.gcd
C:\Program Files\Microsoft AntiSpyware\gcThreatAuditScanData.gcd
C:\Program Files\Microsoft AntiSpyware\gcThreatAuditScanHistoryData.gcd
C:\Program Files\Microsoft AntiSpyware\gcThreatAuditSettingsData.gcd
C:\Program Files\Microsoft AntiSpyware\gcThreatAuditThreatData.gcd
C:\Program Files\Microsoft AntiSpyware\gcUserData.gcd
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareUpdater.exe
C:\Program Files\Microsoft AntiSpyware\MicrosoftAntiSpyware.chm
C:\Program Files\Microsoft AntiSpyware\MSSSRT.exe
C:\Program Files\Microsoft AntiSpyware\scan_cookies.avi
C:\Program Files\Microsoft AntiSpyware\scan_files.avi
C:\Program Files\Microsoft AntiSpyware\scan_memory.avi
C:\Program Files\Microsoft AntiSpyware\scan_registry.avi
C:\Program Files\Microsoft AntiSpyware\shellextension.dll
C:\Program Files\Microsoft AntiSpyware\uncompresslicense.txt
C:\Program Files\Microsoft AntiSpyware\updateprogress.avi
C:\Program Files\Viewpoint
C:\Program Files\Viewpoint\Viewpoint Experience Technology\AxMetaStream_0303001D.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\MTSDownloadSites.txt
C:\Program Files\Viewpoint\Viewpoint Media Player\AolInstantInstallMMX_Win.mtj
C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream_.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\ClassIDs.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentMgr.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentMgr_03000F11.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\AOLUserShell.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Cursors.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\JpegReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Mts3Reader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SceneComponent.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SreeDMMX.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SWFView.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMgr.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPSpeech.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPVideo.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\WaveletReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\DownloadedComponents\VMgr_Win\Exec.exe
C:\Program Files\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\AOLUserShell.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\JpegReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\Mts3Reader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\SceneComponent.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\SreeDMMX.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\SWFView.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\VMPVideo.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\VMPVideo2.dll
C:\symbols
C:\symbols\ACPI.sys\41107D272dd80\ACPI.sys
C:\symbols\afd.sys\41107EB521d00\afd.sys
C:\symbols\dxg.sys\41107B9311580\dxg.sys
C:\symbols\Fastfat.SYS\41107EB723000\Fastfat.SYS
C:\symbols\fltmgr.sys\41107BAD1e780\fltmgr.sys
C:\symbols\halaacpi.dll\41107B2920380\halaacpi.dll
C:\symbols\halaacpi.pdb\861E03E9E71D469BB4E544F22FD14C821\halaacpi.pdb
C:\symbols\kdcom.dll\3B7D83461b80\kdcom.dll
C:\symbols\KSecDD.sys\41107B5116780\KSecDD.sys
C:\symbols\mssmbios.sys\41107D333c80\mssmbios.sys
C:\symbols\Mup.sys\41107EF81a580\Mup.sys
C:\symbols\NDIS.sys\41107EC32ca80\NDIS.sys
C:\symbols\netbt.sys\41107ECC27c00\netbt.sys
C:\symbols\Ntfs.sys\41107EEA8c480\Ntfs.sys
C:\symbols\ntoskrnl.exe\42250FF9214100\ntoskrnl.exe
C:\symbols\ntoskrnl.pdb\32962337F0F646388B39535CD8DD70E82\ntoskrnl.pdb
C:\symbols\pci.sys\41107D3110a80\pci.sys
C:\symbols\pingme.txt
C:\symbols\psched.sys\41107C6010e00\psched.sys
C:\symbols\rdbss.sys\418047D52aa00\rdbss.sys
C:\symbols\sr.sys\41107CDE11f00\sr.sys
C:\symbols\srv.sys\427FFDAD51300\srv.sys
C:\symbols\tcpip.sys\43C7103C57d80\tcpip.sys
C:\symbols\update.sys\41107B0833200\update.sys
C:\symbols\usbccgp.sys\41107D6D7b80\usbccgp.sys
C:\symbols\usbhub.sys\41107D68e100\usbhub.sys
C:\symbols\USBPORT.SYS\41107D6222e80\USBPORT.SYS
C:\symbols\VIDEOPRT.SYS\41107D0813780\VIDEOPRT.SYS
C:\symbols\watchdog.sys\41107D244500\watchdog.sys
C:\symbols\win32k.pdb\D8788E4736B34ED5B8516DBB9D45E9942\win32k.pd_
C:\symbols\win32k.sys\43446A581c1180\win32k.sys


((((((((((((((((((((((((( Files Created from 2007-07-12 to 2007-08-12 )))))))))))))))))))))))))))))))


2007-08-12 01:02 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-11 17:13 <DIR> d-------- C:\Program Files\Comodo
2007-08-11 12:35 <DIR> d-------- C:\Program Files\Debugging Tools for Windows
2007-08-08 19:24 <DIR> d-------- C:\WINDOWS\pss
2007-07-31 18:59 499,328 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\MRVW245.sys
2007-07-31 18:59 <DIR> d-------- C:\WINDOWS\USBdevice
2007-07-31 18:59 <DIR> d-------- C:\Program Files\D-Link
2007-07-29 14:11 <DIR> d-------- C:\Downloads
2007-07-28 15:33 <DIR> d-------- C:\Program Files\uTorrent
2007-07-28 15:33 <DIR> d-------- C:\DOCUME~1\Ann\APPLIC~1\uTorrent
2007-07-20 00:32 <DIR> d-------- C:\DOCUME~1\Randy\APPLIC~1\Jasc Software Inc
2007-07-17 14:04 <DIR> d-------- C:\DOCUME~1\Ann\Shared
2007-07-17 14:04 <DIR> d-------- C:\DOCUME~1\Ann\Incomplete
2007-07-17 14:04 <DIR> d-------- C:\DOCUME~1\Ann\APPLIC~1\LimeWire


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-12 01:00 --------- d-------- C:\Program Files\DivX
2007-07-31 18:59 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-27 17:07 783224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-27 17:02 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-27 17:02 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-27 17:00 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 16:59 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 16:58 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-27 16:57 95608 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-07-12 17:16 --------- d-------- C:\Program Files\My Photo Adventure
2007-07-11 16:06 --------- d-------- C:\DOCUME~1\Ann\APPLIC~1\AdobeUM
2007-07-01 23:05 --------- d-------- C:\DOCUME~1\Ann\APPLIC~1\Motive
2007-06-30 16:01 --------- d-------- C:\DOCUME~1\Ann\APPLIC~1\Google
2007-06-29 11:36 --------- d-------- C:\DOCUME~1\Ann\APPLIC~1\Yahoo!
2007-06-25 16:41 --------- d-------- C:\Program Files\Yahoo!
2007-06-25 14:17 --------- d-------- C:\Program Files\SBC LightSpeed Self Support Tool
2007-06-25 14:17 --------- d-------- C:\Program Files\Common Files\Motive
2007-06-25 14:16 --------- d-------- C:\Program Files\SBC Self Support Tool
2007-06-25 14:14 --------- d-------- C:\Program Files\illiminable
2007-06-25 14:14 --------- d-------- C:\Program Files\Common Files\SureThing Shared
2007-06-22 22:32 --------- d--h----- C:\DOCUME~1\Ann\APPLIC~1\GTek
2007-06-22 22:31 --------- d-------- C:\Program Files\DellSupport
2003-05-27 09:45 207758 --a------ C:\Program Files\INSTALL.LOG


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-01-13 14:07]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-01-13 13:53]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 C:\WINDOWS\BCMSMMSG.exe]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 18:22]
"MCAgentExe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2002-09-06 18:15]
"MCUpdateExe"="C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe" [2002-09-04 10:28]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2002-10-04 15:09]
"HostManager"="C:\Program Files\Common Files\AOL\1131813307\ee\AOLSoftware.exe" [2006-09-25 19:52]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-27 17:03]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"AIM"="C:\Program Files\AIM\aim.exe" [2004-09-01 11:26]

C:\Documents and Settings\Ann\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 09:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0a\aoltray.exe [2005-09-17 17:18:59]
DESKTOP.INI [2002-09-03 09:00:00]
EZ-DUB Finder.lnk - C:\Program Files\EZ-DUB\EZ-DUB.exe [2005-09-13 19:47:52]
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2002-12-02 21:08:34]
Wireless Connection Manager.lnk - C:\Program Files\D-Link\D-Link Wireless N USB Adapter DWA-130\wirelesscm.exe [2007-07-31 18:59:20]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=C:\WINDOWS\pss\AOL Companion.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ann^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Ann\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 DcCam;Kodak Camera Proxy;C:\WINDOWS\system32\DRIVERS\DcCam.sys
R1 NPPTNT;NPPTNT;\??\C:\WINDOWS\System32\npptNT.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R2 DCFS2K;Kodak DCFS2K Driver;C:\WINDOWS\system32\drivers\dcfs2k.sys
R3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\system32\DRIVERS\BCMSM.sys
R3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
R3 MxlW2k;MxlW2k;C:\WINDOWS\system32\drivers\MxlW2k.sys
R3 NaiFiltr;NaiFiltr;C:\WINDOWS\system32\DRIVERS\NaiFiltr.sys
S1 Exportit;Exportit;C:\WINDOWS\system32\DRIVERS\exportit.sys
S3 DcFpoint;DcFpoint;C:\WINDOWS\system32\DRIVERS\DcFpoint.sys
S3 DcLps;Legacy Polling Service;C:\WINDOWS\system32\DRIVERS\DcLps.sys
S3 DcPTP;dcptp;C:\WINDOWS\system32\DRIVERS\DcPTP.sys
S3 Mp3Drv;Classic MP6410 MP3 Player Control Driver;C:\WINDOWS\system32\Drivers\Mp3Drv.sys
S3 StScsi;StScsi;C:\WINDOWS\system32\DRIVERS\StScsi.sys


Contents of the 'Scheduled Tasks' folder
2004-03-26 02:40:08 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1055382000.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
2007-08-12 20:45:50 C:\WINDOWS\Tasks\McAfee.com Update Check (BLACKIE-Ann).job - C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
2007-08-12 20:24:00 C:\WINDOWS\Tasks\McAfee.com Update Check (BLACKIE-Brad).job - C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
2007-08-12 20:24:00 C:\WINDOWS\Tasks\McAfee.com Update Check (BLACKIE-Greg).job - C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
2007-08-12 20:25:00 C:\WINDOWS\Tasks\McAfee.com Update Check (BLACKIE-Randy).job - C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
2007-08-12 20:46:00 C:\WINDOWS\Tasks\McAfee.com Update Check (DFPNDV21-Owner).job - C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
2004-03-26 02:41:13 C:\WINDOWS\Tasks\WebReg 20040325204113.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-12 15:45:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-12 15:48:53 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-12 15:48
C:\ComboFix2.txt ... 2007-08-12 01:12

--- E O F ---


HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:53:50 PM, on 8/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\aol\ACS\AOLacsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\AOL\1131813307\ee\AOLSoftware.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\EZ-DUB\EZ-DUB.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\D-Link\D-Link Wireless N USB Adapter DWA-130\wirelesscm.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\common files\aol\1131813307\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1131813307\ee\aolsoftware.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Ann\Desktop\HJT\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bobandgeorge.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar3.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1131813307\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: EZ-DUB Finder.lnk = C:\Program Files\EZ-DUB\EZ-DUB.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: Wireless Connection Manager.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4056/ftp...302/Coupons.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\aol\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9656 bytes

#8 Trevuren

Trevuren

  • Malware Response Team
  • 1,006 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Ontario, Canada
  • Local time:12:05 PM

Posted 12 August 2007 - 04:16 PM

A. 1. Go to Start->Run and type in notepad and hit OK.

2. Then copy and paste the content of the following codebox into Notepad:

sc stop "Viewpoint Manager Service"
sc delete "Viewpoint Manager Service"
del delete.bat

3. Save the file as "delete.bat". Make sure to save it with the quotes.

4. Double click delete.bat.


B. I want you to download CWShredder (the stand alone version is free).
Run the program and click Check for Update. Make sure that all browser windows are closed with the exception of CWShredder and choose FIX. Here is the link:
CWS Shredder

REBOOT YOUR SYSTEM


C. Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner
Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:Scan Archives
      Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
Posted Image
Posted Image
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply, along with a fresh HijackThis log
Microsoft MVP - Consumer Security 2008 - 2009

Posted Image

#9 hibachi

hibachi
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:11:05 AM

Posted 12 August 2007 - 07:42 PM

Kscan report:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, August 12, 2007 7:38:29 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 13/08/2007
Kaspersky Anti-Virus database records: 379075
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 125179
Number of viruses found: 10
Number of infected objects: 73
Number of suspicious objects: 4
Duration of the scan process: 02:54:03

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111121.zip/WINDOWS/NDNuninstall4_94.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111121.zip/WINDOWS/NDNuninstall6_10.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111121.zip/WINDOWS/NDNuninstall6_22.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111121.zip/WINDOWS/NDNuninstall6_30.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.g skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111121.zip ZIP: infected - 4 skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111122.zip/WINDOWS/NDNuninstall4_94.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111122.zip/WINDOWS/NDNuninstall6_10.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111122.zip/WINDOWS/NDNuninstall6_22.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111122.zip/WINDOWS/NDNuninstall6_30.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.g skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111122.zip ZIP: infected - 4 skipped
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111121.zip/WINDOWS/NDNuninstall4_94.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111121.zip/WINDOWS/NDNuninstall6_10.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111121.zip/WINDOWS/NDNuninstall6_22.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111121.zip/WINDOWS/NDNuninstall6_30.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.g skipped
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111121.zip ZIP: infected - 4 skipped
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111122.zip/WINDOWS/NDNuninstall4_94.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111122.zip/WINDOWS/NDNuninstall6_10.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111122.zip/WINDOWS/NDNuninstall6_22.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111122.zip/WINDOWS/NDNuninstall6_30.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.g skipped
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111122.zip ZIP: infected - 4 skipped
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\52b36fa2a77009efe4b6e018e15dd50d_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7c04aa73c62f8fc466fe343448bc411f_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer10.zip/actalert.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer10.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer2.zip/install.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Ann\Application Data\Mozilla\Firefox\Profiles\0vbf9o1q.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Ann\Application Data\Mozilla\Firefox\Profiles\0vbf9o1q.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Ann\Application Data\Mozilla\Firefox\Profiles\0vbf9o1q.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Ann\Application Data\Mozilla\Firefox\Profiles\0vbf9o1q.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Ann\Application Data\Mozilla\Firefox\Profiles\0vbf9o1q.default\cert8.db Object is locked skipped
C:\Documents and Settings\Ann\Application Data\Mozilla\Firefox\Profiles\0vbf9o1q.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Ann\Application Data\Mozilla\Firefox\Profiles\0vbf9o1q.default\history.dat Object is locked skipped
C:\Documents and Settings\Ann\Application Data\Mozilla\Firefox\Profiles\0vbf9o1q.default\key3.db Object is locked skipped
C:\Documents and Settings\Ann\Application Data\Mozilla\Firefox\Profiles\0vbf9o1q.default\parent.lock Object is locked skipped
C:\Documents and Settings\Ann\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ann\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111121.zip/WINDOWS/NDNuninstall4_94.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\Ann\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111121.zip/WINDOWS/NDNuninstall6_10.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\Ann\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111121.zip/WINDOWS/NDNuninstall6_22.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\Ann\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111121.zip/WINDOWS/NDNuninstall6_30.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.g skipped
C:\Documents and Settings\Ann\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111121.zip ZIP: infected - 4 skipped
C:\Documents and Settings\Ann\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111122.zip/WINDOWS/NDNuninstall4_94.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\Ann\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111122.zip/WINDOWS/NDNuninstall6_10.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\Ann\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111122.zip/WINDOWS/NDNuninstall6_22.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\Ann\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111122.zip/WINDOWS/NDNuninstall6_30.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.g skipped
C:\Documents and Settings\Ann\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111122.zip ZIP: infected - 4 skipped
C:\Documents and Settings\Ann\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\Ann\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ann\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ann\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ann\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ann\ntuser.dat Object is locked skipped
C:\Documents and Settings\Ann\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Brad\Desktop\Pictures\Wallpaper\doavolleyss.exe/WISE0014.BIN Infected: not-a-virus:AdWare.Win32.EZula.d skipped
C:\Documents and Settings\Brad\Desktop\Pictures\Wallpaper\doavolleyss.exe WiseSFX: infected - 1 skipped
C:\Documents and Settings\Brad\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111121.zip/WINDOWS/NDNuninstall4_94.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\Brad\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111121.zip/WINDOWS/NDNuninstall6_10.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\Brad\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111121.zip/WINDOWS/NDNuninstall6_22.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\Brad\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111121.zip/WINDOWS/NDNuninstall6_30.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.g skipped
C:\Documents and Settings\Brad\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111121.zip ZIP: infected - 4 skipped
C:\Documents and Settings\Brad\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111122.zip/WINDOWS/NDNuninstall4_94.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\Brad\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111122.zip/WINDOWS/NDNuninstall6_10.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\Brad\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111122.zip/WINDOWS/NDNuninstall6_22.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\Brad\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111122.zip/WINDOWS/NDNuninstall6_30.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.g skipped
C:\Documents and Settings\Brad\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111122.zip ZIP: infected - 4 skipped
C:\Documents and Settings\Brad\Local Settings\Temp\sst_inst.exe/WISE0095.BIN/WISE0008.BIN Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
C:\Documents and Settings\Brad\Local Settings\Temp\sst_inst.exe/WISE0095.BIN/WISE0009.BIN Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
C:\Documents and Settings\Brad\Local Settings\Temp\sst_inst.exe/WISE0095.BIN Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
C:\Documents and Settings\Brad\Local Settings\Temp\sst_inst.exe WiseSFX: infected - 3 skipped
C:\Documents and Settings\Brad\Local Settings\Temp\sst_inst.exe WiseSFX Dropper: infected - 3 skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111121.zip/WINDOWS/NDNuninstall4_94.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\Randy\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111121.zip/WINDOWS/NDNuninstall6_10.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\Randy\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111121.zip/WINDOWS/NDNuninstall6_22.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\Randy\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111121.zip/WINDOWS/NDNuninstall6_30.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.g skipped
C:\Documents and Settings\Randy\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111121.zip ZIP: infected - 4 skipped
C:\Documents and Settings\Randy\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111122.zip/WINDOWS/NDNuninstall4_94.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\Randy\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111122.zip/WINDOWS/NDNuninstall6_10.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\Randy\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111122.zip/WINDOWS/NDNuninstall6_22.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\Randy\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111122.zip/WINDOWS/NDNuninstall6_30.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.g skipped
C:\Documents and Settings\Randy\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111122.zip ZIP: infected - 4 skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\NDNuninstall4_94.exe.vir Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\QooBox\Quarantine\C\WINDOWS\NDNuninstall6_22.exe.vir Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\RECYCLER\S-1-5-21-1025931256-1673496444-2557047841-1006\Dc3869\a570a171[1].js Infected: Trojan-Downloader.JS.Small.af skipped
C:\RECYCLER\S-1-5-21-1025931256-1673496444-2557047841-1006\Dc3871\a573aa75[1].js Infected: Trojan-Downloader.JS.Small.af skipped
C:\RECYCLER\S-1-5-21-1025931256-1673496444-2557047841-1006\Dc3879\first-random-page[1].htm Infected: Trojan-Clicker.JS.Linker.q skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\00010015.ci Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.001 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1434\A0150764.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1434\A0150765.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.g skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1434\A0150766.exe Infected: not-a-virus:AdWare.Win32.BlazeFind.e skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1437\A0154865.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1437\A0154866.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1438\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll Object is locked skipped
C:\WINDOWS\cpbrkpie.ocx Infected: not-a-virus:AdWare.Win32.Coupons.h skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\eSearchBar\exactSetup.exe/WISE0011.BIN Infected: not-a-virus:AdWare.Win32.Exact.a skipped
C:\WINDOWS\eSearchBar\exactSetup.exe/WISE0012.BIN Infected: not-a-virus:AdWare.Win32.Exact.a skipped
C:\WINDOWS\eSearchBar\exactSetup.exe/WISE0013.BIN Infected: not-a-virus:AdWare.Win32.Exact.a skipped
C:\WINDOWS\eSearchBar\exactSetup.exe WiseSFX: infected - 3 skipped
C:\WINDOWS\eSearchBar\exactSetup.exe WiseSFX Dropper: infected - 3 skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Antivirus.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_4fc.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


New HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:41:13 PM, on 8/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\aol\ACS\AOLacsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\AOL\1131813307\ee\AOLSoftware.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\EZ-DUB\EZ-DUB.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\D-Link\D-Link Wireless N USB Adapter DWA-130\wirelesscm.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\common files\aol\1131813307\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1131813307\ee\aolsoftware.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Ann\Desktop\HJT\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bobandgeorge.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar3.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1131813307\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: EZ-DUB Finder.lnk = C:\Program Files\EZ-DUB\EZ-DUB.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: Wireless Connection Manager.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4056/ftp...302/Coupons.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\aol\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9773 bytes

#10 Trevuren

Trevuren

  • Malware Response Team
  • 1,006 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Ontario, Canada
  • Local time:12:05 PM

Posted 12 August 2007 - 09:02 PM

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\Documents and Settings\Administrator\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111121.zip
C:\Documents and Settings\Administrator\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111122.zip
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111121.zip
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111122.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer10.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer2.zip
C:\Documents and Settings\Ann\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111121.zip
C:\Documents and Settings\Ann\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111122.zip
C:\Documents and Settings\Brad\Desktop\Pictures\Wallpaper\doavolleyss.exe
C:\Documents and Settings\Brad\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111121.zip
C:\Documents and Settings\Brad\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111122.zip
C:\Documents and Settings\Brad\Local Settings\Temp\sst_inst.exe
C:\Documents and Settings\Randy\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111121.zip
C:\Documents and Settings\Randy\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111122.zip
C:\WINDOWS\cpbrkpie.ocx	

Folder::
C:\WINDOWS\eSearchBar

Registry::
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"StartPage"="http://go.microsoft.com/fwlink/?LinkId=69157"


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Microsoft MVP - Consumer Security 2008 - 2009

Posted Image

#11 hibachi

hibachi
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:11:05 AM

Posted 12 August 2007 - 09:32 PM

Combofix Log:

omboFix 07-08-12.2 - "Ann" 2007-08-12 21:08:24.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.226 [GMT -5:00]
Command switches used :: C:\Documents and Settings\Ann\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\Documents and Settings\Administrator\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111121.zip
C:\Documents and Settings\Administrator\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111122.zip
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111121.zip
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111122.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer10.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer2.zip
C:\Documents and Settings\Ann\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111121.zip
C:\Documents and Settings\Ann\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111122.zip
C:\Documents and Settings\Brad\Desktop\Pictures\Wallpaper\doavolleyss.exe
C:\Documents and Settings\Brad\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111121.zip
C:\Documents and Settings\Brad\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111122.zip
C:\Documents and Settings\Brad\Local Settings\Temp\sst_inst.exe
C:\Documents and Settings\Randy\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111121.zip
C:\Documents and Settings\Randy\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051218111122.zip
C:\WINDOWS\cpbrkpie.ocx


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer10.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer2.zip
C:\Documents and Settings\Brad\Desktop\Pictures\Wallpaper\doavolleyss.exe
C:\Documents and Settings\Brad\Local Settings\Temp\sst_inst.exe
C:\WINDOWS\cpbrkpie.ocx
C:\WINDOWS\eSearchBar
C:\WINDOWS\eSearchBar\exactSetup.exe


((((((((((((((((((((((((( Files Created from 2007-07-13 to 2007-08-13 )))))))))))))))))))))))))))))))


2007-08-12 16:34 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-08-12 16:34 <DIR> d-------- C:\WINDOWS\LastGood
2007-08-12 16:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-12 01:02 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-11 17:13 <DIR> d-------- C:\Program Files\Comodo
2007-08-11 12:35 <DIR> d-------- C:\Program Files\Debugging Tools for Windows
2007-08-08 19:24 <DIR> d-------- C:\WINDOWS\pss
2007-07-31 18:59 499,328 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\MRVW245.sys
2007-07-31 18:59 <DIR> d-------- C:\WINDOWS\USBdevice
2007-07-31 18:59 <DIR> d-------- C:\Program Files\D-Link
2007-07-29 14:11 <DIR> d-------- C:\Downloads
2007-07-28 15:33 <DIR> d-------- C:\Program Files\uTorrent
2007-07-28 15:33 <DIR> d-------- C:\DOCUME~1\Ann\APPLIC~1\uTorrent
2007-07-20 00:32 <DIR> d-------- C:\DOCUME~1\Randy\APPLIC~1\Jasc Software Inc
2007-07-17 14:04 <DIR> d-------- C:\DOCUME~1\Ann\Shared
2007-07-17 14:04 <DIR> d-------- C:\DOCUME~1\Ann\Incomplete
2007-07-17 14:04 <DIR> d-------- C:\DOCUME~1\Ann\APPLIC~1\LimeWire


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-12 01:00 --------- d-------- C:\Program Files\DivX
2007-07-31 18:59 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-27 17:07 783224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-27 17:02 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-27 17:02 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-27 17:00 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 16:59 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 16:58 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-27 16:57 95608 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-07-12 17:16 --------- d-------- C:\Program Files\My Photo Adventure
2007-07-11 16:06 --------- d-------- C:\DOCUME~1\Ann\APPLIC~1\AdobeUM
2007-07-01 23:05 --------- d-------- C:\DOCUME~1\Ann\APPLIC~1\Motive
2007-06-30 16:01 --------- d-------- C:\DOCUME~1\Ann\APPLIC~1\Google
2007-06-29 11:36 --------- d-------- C:\DOCUME~1\Ann\APPLIC~1\Yahoo!
2007-06-25 16:41 --------- d-------- C:\Program Files\Yahoo!
2007-06-25 14:17 --------- d-------- C:\Program Files\SBC LightSpeed Self Support Tool
2007-06-25 14:17 --------- d-------- C:\Program Files\Common Files\Motive
2007-06-25 14:16 --------- d-------- C:\Program Files\SBC Self Support Tool
2007-06-25 14:14 --------- d-------- C:\Program Files\illiminable
2007-06-25 14:14 --------- d-------- C:\Program Files\Common Files\SureThing Shared
2007-06-22 22:32 --------- d--h----- C:\DOCUME~1\Ann\APPLIC~1\GTek
2007-06-22 22:31 --------- d-------- C:\Program Files\DellSupport
2003-05-27 09:45 207758 --a------ C:\Program Files\INSTALL.LOG


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-01-13 14:07]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-01-13 13:53]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 C:\WINDOWS\BCMSMMSG.exe]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 18:22]
"MCAgentExe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2002-09-06 18:15]
"MCUpdateExe"="C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe" [2002-09-04 10:28]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2002-10-04 15:09]
"HostManager"="C:\Program Files\Common Files\AOL\1131813307\ee\AOLSoftware.exe" [2006-09-25 19:52]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-27 17:03]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"AIM"="C:\Program Files\AIM\aim.exe" [2004-09-01 11:26]

C:\Documents and Settings\Ann\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 09:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0a\aoltray.exe [2005-09-17 17:18:59]
DESKTOP.INI [2002-09-03 09:00:00]
EZ-DUB Finder.lnk - C:\Program Files\EZ-DUB\EZ-DUB.exe [2005-09-13 19:47:52]
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2002-12-02 21:08:34]
Wireless Connection Manager.lnk - C:\Program Files\D-Link\D-Link Wireless N USB Adapter DWA-130\wirelesscm.exe [2007-07-31 18:59:20]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=C:\WINDOWS\pss\AOL Companion.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ann^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Ann\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 DcCam;Kodak Camera Proxy;C:\WINDOWS\system32\DRIVERS\DcCam.sys
R1 NPPTNT;NPPTNT;\??\C:\WINDOWS\System32\npptNT.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R2 DCFS2K;Kodak DCFS2K Driver;C:\WINDOWS\system32\drivers\dcfs2k.sys
R3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\system32\DRIVERS\BCMSM.sys
R3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
R3 MxlW2k;MxlW2k;C:\WINDOWS\system32\drivers\MxlW2k.sys
R3 NaiFiltr;NaiFiltr;C:\WINDOWS\system32\DRIVERS\NaiFiltr.sys
S1 Exportit;Exportit;C:\WINDOWS\system32\DRIVERS\exportit.sys
S3 DcFpoint;DcFpoint;C:\WINDOWS\system32\DRIVERS\DcFpoint.sys
S3 DcLps;Legacy Polling Service;C:\WINDOWS\system32\DRIVERS\DcLps.sys
S3 DcPTP;dcptp;C:\WINDOWS\system32\DRIVERS\DcPTP.sys
S3 Mp3Drv;Classic MP6410 MP3 Player Control Driver;C:\WINDOWS\system32\Drivers\Mp3Drv.sys
S3 StScsi;StScsi;C:\WINDOWS\system32\DRIVERS\StScsi.sys


Contents of the 'Scheduled Tasks' folder
2004-03-26 02:40:08 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1055382000.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
2007-08-13 02:14:00 C:\WINDOWS\Tasks\McAfee.com Update Check (BLACKIE-Ann).job - C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
2007-08-13 02:14:00 C:\WINDOWS\Tasks\McAfee.com Update Check (BLACKIE-Brad).job - C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
2007-08-13 02:14:00 C:\WINDOWS\Tasks\McAfee.com Update Check (BLACKIE-Greg).job - C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
2007-08-13 02:10:00 C:\WINDOWS\Tasks\McAfee.com Update Check (BLACKIE-Randy).job - C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
2007-08-13 02:11:00 C:\WINDOWS\Tasks\McAfee.com Update Check (DFPNDV21-Owner).job - C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
2004-03-26 02:41:13 C:\WINDOWS\Tasks\WebReg 20040325204113.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-12 21:14:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-08-12 21:15:44
C:\ComboFix-quarantined-files.txt ... 2007-08-12 21:15
C:\ComboFix2.txt ... 2007-08-12 15:48
C:\ComboFix3.txt ... 2007-08-12 01:12

--- E O F ---


HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:40 PM, on 8/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\aol\ACS\AOLacsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\AOL\1131813307\ee\AOLSoftware.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\EZ-DUB\EZ-DUB.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\D-Link\D-Link Wireless N USB Adapter DWA-130\wirelesscm.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\common files\aol\1131813307\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\common files\aol\1131813307\ee\aolsoftware.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Documents and Settings\Ann\Desktop\HJT\HiJackThis.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bobandgeorge.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar3.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1131813307\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: EZ-DUB Finder.lnk = C:\Program Files\EZ-DUB\EZ-DUB.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: Wireless Connection Manager.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4056/ftp...302/Coupons.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\aol\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9682 bytes

#12 Trevuren

Trevuren

  • Malware Response Team
  • 1,006 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Ontario, Canada
  • Local time:12:05 PM

Posted 13 August 2007 - 11:48 AM

You will need to log in as Randy and Ann and empty the content of their Quarantine folder. If you are unable to login for them, ask them to do it themselves.

First to access this Quarantine, Hidden files and Folders must be visible:

To enable the viewing of Hidden files follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Put a checkmark in the checkbox labeled Display the contents of system folders.
6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
9. Press the Apply button and then the OK button and shutdown My Computer.
10. Now your computer is configured to show all hidden files.


Remember to rehide them when you are finished your work.

==========================================================================

Congratulations, your log looks CLEAN

There are a few things you must do once you are completely clean:

1. Time for some housekeeping

Please download the OTMoveIt by OldTimer
  • Save it to your desktop.
  • Run the tool by clicking on the icon.
  • Click the Cleanup button.
  • The tools that we used as well as this one will be removed from your system.

2. Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

3. Now Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Here are some tips to reduce the potential for spyware infection in the future:

Make sure you keep your Windows OS current by visiting Windows update
regularly to download and install any critical updates and service packs. With out these you are leaving the backdoor open.

I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
And also see TonyKlein's good advice
So how did I get infected in the first place?

Regards,

Trevuren

Microsoft MVP - Consumer Security 2008 - 2009

Posted Image

#13 hibachi

hibachi
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:11:05 AM

Posted 13 August 2007 - 11:58 AM

Thank you Very very very very much Trevuren! However, how do I get to the quarantine folder you mentioned and how do I delete the files in there? Do I just show hidden files and run those clean up programs or is there a certain folder I need to find and manually delete?

#14 Trevuren

Trevuren

  • Malware Response Team
  • 1,006 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Ontario, Canada
  • Local time:12:05 PM

Posted 13 August 2007 - 12:50 PM

Manually delete the files please.

Trevuren
Microsoft MVP - Consumer Security 2008 - 2009

Posted Image

#15 hibachi

hibachi
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:11:05 AM

Posted 13 August 2007 - 01:00 PM

Where are the files though? Is it located in the root directory for the C:\ or some where else?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users