Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google Search Hijacked By Dodgy Search Engines


  • This topic is locked This topic is locked
30 replies to this topic

#1 jayrizzle

jayrizzle

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:03 AM

Posted 14 September 2007 - 03:07 PM

Hi,

I'm looking for some help if at all possible. Everytime I do a googlesearch, the results come up as normal, but if I click on one, instead of going to the link displayed, a random search engine (such as fresh-weather.com or some other obscure name) kicks in and redirects.

I read something about fixwareout being useful in fixing something like this, so I tried downloading and running that, but it won't run - it says I don't have admin rights (even though as far as I know, I do).

Any help would be appreciated. Here's the HJT log. Thanks in advance.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:02:51, on 14/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVE.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Claire\Desktop\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [CyberLat Ram Cleaner] C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKLM\..\Run: [EPSON Stylus DX5000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVE.EXE /FU "C:\WINDOWS\TEMP\E_S8F.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Microsoft AntiSpyware helper - {16593A03-CF85-4722-ACC2-070872AF1A0F} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {16593A03-CF85-4722-ACC2-070872AF1A0F} - (no file) (HKCU)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/cont...s/AvDetInst.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37380.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.sc-server1.bt.com/broadband/MotivePreQual.cab
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify305.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3C8200D-445F-4EA6-87DD-8E905073C951}: NameServer = 85.255.115.18,85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF5AE37E-930A-4643-B7A9-220854BC4274}: NameServer = 85.255.115.18,85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.18 85.255.112.220
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10061 bytes

BC AdBot (Login to Remove)

 


#2 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:03 AM

Posted 15 September 2007 - 08:12 PM

Hello and welcome to BC. :thumbsup:

Please scan with HijackThis and put a checkmark against the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O9 - Extra button: Microsoft AntiSpyware helper - {16593A03-CF85-4722-ACC2-070872AF1A0F} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {16593A03-CF85-4722-ACC2-070872AF1A0F} - (no file) (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3C8200D-445F-4EA6-87DD-8E905073C951}: NameServer = 85.255.115.18,85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF5AE37E-930A-4643-B7A9-220854BC4274}: NameServer = 85.255.115.18,85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.18 85.255.112.220


Close all browsers/windows, except HijackThis, and click on "fix checked". Exit HijackThis.

==============================

Please delete the existing Fixwareout and s download FixWareout from one of these sites:

http://downloads.subratam.org/Fixwareout.exe
http://download.bleepingcomputer.com/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.

#3 jayrizzle

jayrizzle
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:03 AM

Posted 17 September 2007 - 10:33 AM

Hi amateur,

Thanks for the response. I did as you said, and the items on HJT have gone, but the fixwareout is still coming up with the same message. I install it, make sure the fixit is checked, then the DOS window opens up, press any key, etc. So when I press any key, it comes up with the "Not Admin!! Adminstrative priviliges are required" message.

Any idea why this might be happening?

#4 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:03 AM

Posted 17 September 2007 - 11:06 AM

Hi,

Click here to download a folder. It contains a program written by Rathat, and it is a policy Controller. Save and extract this program to the desktop. Once extracted, click on the RatsCheddar.exe file. Enable everything then click on Exit.

Warning: This program was developed for Windows XP ONLY. Do not run this program in any other Operating System.

Then try running Fixwareout and let me know.

#5 jayrizzle

jayrizzle
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:03 AM

Posted 17 September 2007 - 12:37 PM

Hi amateur,

Downloaded RatsCheddar, enabled everything, but no joy - still getting the same message on fixwareout.

#6 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:03 AM

Posted 17 September 2007 - 12:59 PM

OK. I'll be back with something else to try in short while.

#7 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:03 AM

Posted 17 September 2007 - 01:14 PM

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login under your account.


Then run: Control Userpasswords2. See this link how to: http://www.kellys-korner-xp.com/win_xp_passwords.htm

1. At a command prompt, type "control userpasswords2" and press Enter to open the Windows 2000-style User Accounts
application.
2. On the Users tab, clear the Users Must Enter A User Name And Password To Use This Computer check box and then
click OK.
3. In the Automatically Log On dialog box that appears, type the user name and password for the account you want to be
logged on each time you start your computer.

Then go to the Control Panel -> User Accounts and upgrade your local account back to Administrator and reboot.

See if that fixes the problem.

#8 jayrizzle

jayrizzle
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:03 AM

Posted 18 September 2007 - 08:51 AM

Hi,

Followed your instructions, but fixwareout still coming back with the same message about "no admin rights", even though I do have admin rights.

#9 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:03 AM

Posted 18 September 2007 - 10:40 AM

Hi,

Please delete the existing Wareoutfix. Reboot and download a fresh copy and try.

Also, download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
  • Please attach extra.txt to your post.
To attach a file to a new post, simply
  • Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  • copy and paste the following into the "Upload File from your Computer" box:

    C:\Deckard\System Scanner\extra.txt

  • Click Upload.

=====================

#10 jayrizzle

jayrizzle
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:03 AM

Posted 18 September 2007 - 12:24 PM

Hi,

Tried deleting and reinstalling fixwareout again - no joy, same problem with the "no admin" message. Just to clarify again, I do have admin rights, so not sure what's causing that.

Downloaded dss and ran it. Here's the main.txt file (extra.txt is attached as requested):

Deckard's System Scanner v20070905.67
Run by Claire on 2007-09-18 18:08:25
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
211: 2007-09-18 17:09:25 UTC - RP698 - Deckard's System Scanner Restore Point
210: 2007-09-18 16:25:38 UTC - RP697 - System Checkpoint
209: 2007-09-17 10:31:48 UTC - RP696 - System Checkpoint
208: 2007-09-15 23:02:17 UTC - RP695 - System Checkpoint
207: 2007-09-14 14:19:25 UTC - RP694 - System Checkpoint


-- First Restore Point --
1: 2007-06-22 20:52:32 UTC - RP488 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 76% (more than 75%).
Total Physical Memory: 255 MiB (512 MiB recommended).


-- HijackThis (run as Claire.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:12:55, on 18/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVE.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Documents and Settings\Claire\Desktop\dss.exe
C:\DOCUME~1\Claire\Desktop\Claire.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [CyberLat Ram Cleaner] C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKLM\..\Run: [EPSON Stylus DX5000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVE.EXE /FU "C:\WINDOWS\TEMP\E_S8F.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/cont...s/AvDetInst.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37380.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.sc-server1.bt.com/broadband/MotivePreQual.cab
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify305.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9322 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\Claire\Desktop\backups\) --------------

backup-20041201-142357-292 O20 - AppInit_DLLs: 9ryujc4e6og1wu.dll
backup-20041202-050110-249 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=9
backup-20041202-050110-338 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=9
backup-20041202-050110-537 O20 - AppInit_DLLs: 9ryujc4e6og1wu.dll
backup-20041202-050110-559 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=9
backup-20041202-050110-790 R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9
backup-20041202-050231-594 O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\ZCHEIT~1.DLL
backup-20041202-050531-557 O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
backup-20041229-211434-307 O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CD} - http://direct.data-line.us/gbn842.exe
backup-20041229-211434-749 O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.156.31.79/100039/uk/ringtone/ringtone.exe
backup-20041229-211434-912 O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CC} - http://direct.data-line.us/gbn842.exe
backup-20041231-142134-147 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Claire\LOCALS~1\Temp\sp.dll/sp.html
backup-20041231-142134-198 O18 - Filter: text/plain - {F8A58C06-F930-450C-9B2B-90BBD27AC406} - C:\WINDOWS\System32\neno.dll
backup-20041231-142134-740 O18 - Filter: text/html - {F8A58C06-F930-450C-9B2B-90BBD27AC406} - C:\WINDOWS\System32\neno.dll
backup-20041231-142134-851 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Claire\LOCALS~1\Temp\sp.dll/sp.html
backup-20050102-031101-180 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
backup-20050102-031101-222 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Claire\LOCALS~1\Temp\sp.dll/sp.html
backup-20050102-031101-229 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
backup-20050102-031101-361 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
backup-20050102-031101-527 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
backup-20050102-031101-560 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
backup-20050102-031101-713 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
backup-20050102-031101-960 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Claire\LOCALS~1\Temp\sp.dll/sp.html
backup-20050102-033836-148 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
backup-20050102-033836-283 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
backup-20050102-033836-477 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
backup-20050102-033836-609 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Claire\LOCALS~1\Temp\sp.dll/sp.html
backup-20050102-033836-962 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
backup-20050104-001448-226 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
backup-20050104-001448-567 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
backup-20050104-001448-776 O2 - BHO: (no name) - {B5263163-23B2-4F24-951F-A67FE9E88F69} - C:\WINDOWS\System32\neno.dll
backup-20050104-001448-787 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Claire\LOCALS~1\Temp\sp.dll/sp.html
backup-20050104-001448-962 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
backup-20050202-172921-577 O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
backup-20050218-175902-168 O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iecustom32.dll
backup-20050218-175902-348 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\sfcman32.dll/sp.html (obfuscated)
backup-20050218-175902-414 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
backup-20050218-175902-441 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
backup-20050218-175902-483 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\sfcman32.dll/sp.html (obfuscated)
backup-20050218-175902-526 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\sfcman32.dll/sp.html (obfuscated)
backup-20050218-175902-615 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
backup-20050218-175902-661 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
backup-20050218-175902-774 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\sfcman32.dll/sp.html (obfuscated)
backup-20050218-175902-806 R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
backup-20050218-175902-814 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
backup-20050218-180814-863 O2 - BHO: Name - {4A48E1F3-DF50-46E0-91DC-BCDAFC652A5B} - C:\WINDOWS\System32\msomr.dll (file missing)
backup-20050418-191059-347 O4 - HKCU\..\Run: [eB27RXfqg] rtmbject.exe
backup-20050418-192553-158 O4 - HKCU\..\Run: [Zoie] C:\WINDOWS\System32\r?ndll.exe
backup-20050418-192553-179 O4 - HKCU\..\Run: [Aida] C:\WINDOWS\System32\eetu.exe
backup-20050418-192653-383 O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
backup-20050420-121807-191 O19 - User stylesheet: (file missing)
backup-20050420-121807-377 O4 - HKLM\..\Run: [vstX37T] rwitb.exe
backup-20050420-121807-548 O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmg.exe
backup-20050420-121807-789 O2 - BHO: (no name) - {BACB7890-9022-9CD2-2731-BDA94A9A0DE5} - C:\WINDOWS\System32\maocjsgx.dll
backup-20050420-121807-831 O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
backup-20060828-183846-346 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
backup-20060828-183846-795 O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\PCODEC\isaddon.dll
backup-20060828-183856-543 O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\PCODEC\isaddon.dll
backup-20060828-210843-642 O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\PCODEC\isaddon.dll
backup-20060829-003622-546 O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\PCODEC\isaddon.dll
backup-20060925-131545-818 O16 - DPF: {134F7664-943D-3BB9-65F5-70B91DF46C86} - http://www.v-codec.com/getcodec/SVideoCodec4_01a.exe
backup-20070910-124821-500 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20070910-124821-783 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20070910-124821-834 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20070910-124821-895 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20070917-162514-392 O9 - Extra button: Microsoft AntiSpyware helper - {16593A03-CF85-4722-ACC2-070872AF1A0F} - (no file) (HKCU)
backup-20070917-162514-613 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
backup-20070917-162514-945 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
backup-20070917-162518-656 O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {16593A03-CF85-4722-ACC2-070872AF1A0F} - (no file) (HKCU)
backup-20070917-162519-489 O17 - HKLM\System\CCS\Services\Tcpip\..\{EF5AE37E-930A-4643-B7A9-220854BC4274}: NameServer = 85.255.115.18,85.255.112.220
backup-20070917-162519-666 O17 - HKLM\System\CCS\Services\Tcpip\..\{A3C8200D-445F-4EA6-87DD-8E905073C951}: NameServer = 85.255.115.18,85.255.112.220
backup-20070917-162519-693 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.18 85.255.112.220

-- File Associations -----------------------------------------------------------

.bat - batfile - shell\edit\command - unable to read value
.cmd - cmdfile - shell\edit\command - unable to read value
.inf - inffile - shell\open\command - unable to read value
.ini - inifile - shell\open\command - notepad.exe %1
.reg - regfile - shell\edit\command - unable to read value
.txt - txtfile - shell\open\command - notepad.exe %1
.vbs - VBSFile - shell\edit\command - unable to read value


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 SbcpHid - c:\windows\system32\drivers\sbcphid.sys
R3 MRENDIS5 (MRENDIS5 NDIS Protocol Driver) - c:\program files\common files\motive\mrendis5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S2 PavProc (Panda Process Protection Driver) - c:\windows\system32\drivers\pavproc.sys (file missing)
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 MREMPR5 (MREMPR5 NDIS Protocol Driver) - c:\program files\common files\motive\mrempr5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S4 hwclock (Hardware Clock Driver) - c:\windows\system32\hwclock.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-09-18 17:18:01 366 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2007-09-14 17:15:00 392 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job
2007-08-30 20:45:03 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-08-18 and 2007-09-18 -----------------------------

2007-09-10 15:17:11 0 d-------- C:\Documents and Settings\Claire\Application Data\Grisoft
2007-08-18 19:00:21 0 d-------- C:\Documents and Settings\Claire\Application Data\EPSON


-- Find3M Report ---------------------------------------------------------------

2007-09-14 16:22:59 0 d-------- C:\Documents and Settings\Claire\Application Data\uTorrent
2007-09-09 13:40:52 0 d-------- C:\Documents and Settings\Claire\Application Data\AVG7
2007-08-28 16:48:26 0 d-------- C:\Program Files\BRC IIF Transaction Creator
2007-08-15 12:30:26 0 d-------- C:\Program Files\Java
2007-07-29 12:18:05 0 d-------- C:\Documents and Settings\Claire\Application Data\Skype
2007-07-29 11:55:09 0 d-------- C:\Program Files\Skype
2007-07-29 11:54:56 0 d-------- C:\Program Files\Common Files\Skype
2007-07-29 11:54:13 0 d-a------ C:\Program Files\Common Files


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CyberLat Ram Cleaner"="C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [15/09/2007 10:26]
"btbb_wcm_McciTrayApp"="C:\Program Files\btbb_wcm\McciTrayApp.exe" [30/11/2006 11:51]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [12/07/2007 04:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [25/10/2006 19:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/10/2006 10:36]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [27/04/2005 04:31]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [09/03/2007 00:02]
"btbb_McciTrayApp"="C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe" [26/05/2007 20:21]
"EPSON Stylus DX5000 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVE.exe" [14/02/2006 05:00]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [08/02/2007 01:12]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [08/02/2007 01:13]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [11/06/2007 10:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="C:\PROGRA~1\POP-UP~1\PSFree.exe" [29/04/2003 10:40]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 08:56]

C:\Documents and Settings\Claire\Start Menu\Programs\Startup\
DESKTOP.INI [03/09/2002 09:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 23:05:26]
BT Broadband Desktop Help.lnk - C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe [28/02/2007 16:24:25]
DESKTOP.INI [03/09/2002 09:00:00]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [02/07/2007 18:16:52]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [29/05/2007 19:18:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)
"DisableCMD"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewContextMenu"=0 (0x0)
"NoFolderOptions"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="kdbti.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 7.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 7.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\AOL 7.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1162044733\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized




-- End of Deckard's System Scanner: finished at 2007-09-18 18:16:18 ------------

Attached Files



#11 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:03 AM

Posted 18 September 2007 - 05:40 PM

Hi,

Let's see if you can run this tool:

Please download ComboFix

Note: It is important that it is saved directly to your desktop.

Close all browsers.

Open notepad (it must be notepad, not wordpad, or it won't work) and copy/paste the text in the quotebox below into it (starting from Registry....):

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"=-

Save this as CFScript.txt


Posted Image

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log.

#12 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:03 AM

Posted 18 September 2007 - 09:11 PM

Also, please run Deckard's System Scanner again, this time using these instructions:

Click the Windows 'Start' button > Select 'Run' - then copy/paste the following text into the run box & click OK

"%userprofile%\desktop\dss.exe" /daft

* Read the disclaimer and click okay.
* Click on the Scan button.
* Place a checkmark next to the following entries:


.bat
.cmd
.inf
.ini
.reg
.txt
.vbs


* Click the Fix button.
* Re-scan and save a logfile. By default, it will save as daft.txt.

Post the contents of that file with your next post please.

#13 jayrizzle

jayrizzle
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:03 AM

Posted 19 September 2007 - 08:06 AM

Hi,

Here's the Combofix log:







ComboFix 07-09-18.4 - "Claire" 2007-09-19 12:48:04.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.51 [GMT 1:00]
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\kdbti.exe

.
((((((((((((((((((((((((( Files Created from 2007-08-19 to 2007-09-19 )))))))))))))))))))))))))))))))
.

2007-09-19 12:43 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-18 18:08 <DIR> d-------- C:\Deckard
2007-09-10 15:11 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-19 13:45 0 --a------ C:\WINDOWS\system32\drivers\lvuvc.hs
2007-09-14 16:22 --------- d-------- C:\DOCUME~1\Claire\APPLIC~1\uTorrent
2007-08-28 16:48 --------- d-------- C:\Program Files\BRC IIF Transaction Creator
2007-08-18 19:00 --------- d-------- C:\DOCUME~1\Claire\APPLIC~1\EPSON
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-07-29 12:18 --------- d-------- C:\DOCUME~1\Claire\APPLIC~1\Skype
2007-07-29 11:56 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Skype
2007-07-29 11:55 --------- d-------- C:\Program Files\Skype
2007-07-29 11:54 --------- d-------- C:\Program Files\Common Files\Skype
2007-07-02 18:16 127034 -r------- C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
2007-06-26 07:08 1104896 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2007-06-19 14:31 282112 --a------ C:\WINDOWS\SYSTEM32\gdi32.dll
2007-03-06 11:40 200846 --a------ C:\Program Files\RuntimeSetup.exe
2007-03-06 11:40 1068 --a------ C:\Program Files\runtimesetup.ini
2006-05-11 22:26 725504 --a------ C:\Program Files\1033.MST
2006-05-11 22:26 35885568 --a------ C:\Program Files\iPod for Windows 2005-09-23.msi
2006-05-11 22:25 4632 --a------ C:\Program Files\0x0409.ini
2005-06-29 13:53 7520256 --a------ C:\Program Files\SkypeSetup.exe
2005-04-13 19:34 3304944 --a------ C:\Program Files\Shareaza_2.1.0.0.exe
2004-06-27 18:01 0 --a------ C:\DOCUME~1\Claire\system.sys
2003-06-10 20:00 810 --a------ C:\Program Files\INSTALL.LOG
2003-04-09 14:38 8839120 --a------ C:\Program Files\AcroReader51_ENU.exe
2003-04-08 21:36 770048 --a------ C:\Program Files\winmx331.exe
2005-05-26 23:13:58 56 --sh--r C:\WINDOWS\SYSTEM32\76F8B37982.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CyberLat Ram Cleaner"="C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-09-15 10:26]
"btbb_wcm_McciTrayApp"="C:\Program Files\btbb_wcm\McciTrayApp.exe" [2006-11-30 11:51]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-04-27 04:31]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"btbb_McciTrayApp"="C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe" [2007-05-26 20:21]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 01:12]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 01:13]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="C:\PROGRA~1\POP-UP~1\PSFree.exe" [2003-04-29 10:40]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
BT Broadband Desktop Help.lnk - C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe [2007-02-28 16:24:25]
DESKTOP.INI [2002-09-03 09:00:00]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-07-02 18:16:52]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-05-29 19:18:39]

C:\DOCUME~1\Claire\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 09:00:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 7.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 7.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\AOL 7.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1162044733\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
R3 itchfltr;iTouch Keyboard Filter;C:\WINDOWS\system32\DRIVERS\itchfltr.sys
S2 PavProc;Panda Process Protection Driver;\??\C:\WINDOWS\system32\DRIVERS\PavProc.sys
S3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
S4 hwclock;Hardware Clock Driver;C:\WINDOWS\System32\hwclock.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-14 16:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
"2007-08-30 19:45:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-09-19 12:18:19 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-19 13:48:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-19 14:01:21 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-19 14:01
.
--- E O F ---

#14 jayrizzle

jayrizzle
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:03 AM

Posted 19 September 2007 - 08:10 AM

Here's the DSS daft.txt as requested:

DAFT Log saved on 2007-09-19 14:07:48
-----------------------------------------------------------------------
All associations okay!


Here's the latest HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:10:16, on 19/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Claire\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [CyberLat Ram Cleaner] C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/cont...s/AvDetInst.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37380.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.sc-server1.bt.com/broadband/MotivePreQual.cab
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify305.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8822 bytes



#15 jayrizzle

jayrizzle
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:03 AM

Posted 19 September 2007 - 08:35 AM

Amateur,

hi, bit of a breakthrough.

after running the combofix and the dss as you requested (the logs I posted in the posts before this one), I thought I'd just give the fixwareout another go, on the off-chance that it might work... and it did. It prompted me to reboot and all that stuff. Here's the report from fixwareout:

Username "Claire" - 19/09/2007 14:12:44 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{61820C7F-1F2D-4EC6-AC52-4AA4C5CE956B}
"DhcpNameServer"="85.255.115.18,85.255.112.220" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{A3C8200D-445F-4EA6-87DD-8E905073C951}
"DhcpNameServer"="85.255.115.18,85.255.112.220" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CyberLat Ram Cleaner"="C:\\Program Files\\CyberLat\\CyberLat RAM Cleaner 1.1\\CyberLat Ram Cleaner 1,1.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"btbb_wcm_McciTrayApp"="C:\\Program Files\\btbb_wcm\\McciTrayApp.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"btbb_McciTrayApp"="C:\\Program Files\\BT Broadband Desktop Help\\bin\\BTHelpNotifier.exe"
"LogitechCommunicationsManager"="\"C:\\Program Files\\Common Files\\LogiShrd\\LComMgr\\Communications_Helper.exe\""
"LogitechQuickCamRibbon"="\"C:\\Program Files\\Logitech\\QuickCam10\\QuickCam10.exe\" /hide"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="\"C:\\PROGRA~1\\POP-UP~1\\PSFree.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
C:\WINDOWS\System32\AUTOEXEC.NT missing
~~~~~ End report ~~~~~


Are we getting somewhere now? *fingers crossed*




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users