
Desktop Hit: Please Help Diagnose


17 replies to this topic

#1 Gecko.

  • Members
  • 55 posts

Posted 12 October 2007 - 07:08 PM

Been clean for almost 2 years . . . but now the Desktop was hit by a bunch of stuff. I've managed to clean out a bunch of stuff using Ewido, but it just isn't right. Ewido is still giving off alerts concerning "Trojan.Small (wtsicc.exe)" and "Downloader.Win32.Agent.q" which I thought were clean, but the popups keep coming exponentially.

Thanks in advance :thumbsup:

Here is the latest HJT Log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:03:49 PM, on 10/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
D:\Programs\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\Programs\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\JOHNVA~1\APPLIC~1\FNTS~1\dvdplay.exe
D:\Programs\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\ISM\ISMModule6.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ISM2\ISMPack6.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
D:\Programs\palmOne\Hotsync.exe
C:\PROGRA~1\NORTON~1\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Programs\Photodex\CompuPicPro\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
D:\Programs\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\system32\wscntfy.exe
D:\Programs\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\John\Application Data\?icrosoft.NET\??rvices.exe
D:\Programs\Azureus\Azureus.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Removal tools\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1ED77D17-EED3-EC21-A03C-9E2B5D9183E9} - C:\WINDOWS\system32\smekwgo.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Programs\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: BndDrive2 BHO Class - {8C6D5A56-791E-4fe8-9D64-81781FA15D68} - C:\Program Files\ISM\BndDrive6.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "D:\Programs\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "D:\Programs\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UnlockerAssistant] "D:\Programs\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aias] "C:\DOCUME~1\JOHNVA~1\APPLIC~1\FNTS~1\dvdplay.exe" -vt yazb
O4 - HKCU\..\Run: [ISMModule6] "C:\Program Files\ISM\ISMModule6.exe"
O4 - HKCU\..\Run: [ISMPack6] "C:\Program Files\ISM2\ISMPack6.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Programs\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Reboot.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HotSync Manager.lnk = D:\Programs\palmOne\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Programs\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Programs\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Programs\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://mail.ppvlaw.com
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188822924043
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://remote.gcrlaw.net/Remote/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Programs\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - D:\Programs\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: W2k PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Programs\Photodex\CompuPicPro\ScsiAccess.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - D:\Programs\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 10295 bytes
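As an added example (not code from this thread, from its posters, or from HijackThis itself), the script below parses the O2 (BHO), O4 (Run / Global Startup) and "Running processes" lines of a log like the one above and returns the entries an analyst would pull out first: a BHO registered with no name, an executable started from a user-profile Application Data directory, a path containing a character HijackThis could not render (the `?` in `?icrosoft.NET\??rvices.exe`; `?` is not legal in a Windows file name), and a startup item given as a bare file name that is resolved through the search path. The sample lines are a subset copied from the log in this post; the heuristics, the marker list and the wording of the reasons are this example's own assumptions, and a flag marks something to inspect, not a verdict.

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example, not code from this thread or from HijackThis. Parses the
O2 (BHO), O4 (Run / Global Startup) and 'Running processes' lines and
returns the entries worth a closer look, with the reason for each.
"""
import re
import unicodedata

# Lines copied from the first HJT log in this post (a constructed subset).
SAMPLE_LOG = """\
C:\\WINDOWS\\system32\\ctfmon.exe
C:\\Documents and Settings\\John\\Application Data\\?icrosoft.NET\\??rvices.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 6.0\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {1ED77D17-EED3-EC21-A03C-9E2B5D9183E9} - C:\\WINDOWS\\system32\\smekwgo.dll
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKCU\\..\\Run: [Aias] "C:\\DOCUME~1\\JOHNVA~1\\APPLIC~1\\FNTS~1\\dvdplay.exe" -vt yazb
O4 - HKCU\\..\\Run: [ISMModule6] "C:\\Program Files\\ISM\\ISMModule6.exe"
O4 - Global Startup: Reboot.exe
O4 - Global Startup: HotSync Manager.lnk = D:\\Programs\\palmOne\\Hotsync.exe
"""

O_LINE = re.compile(r'^(O\d+) - (.*)$')
BHO = re.compile(r'^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$')
RUN = re.compile(r'^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$')
STARTUP = re.compile(r'^Global Startup: (.*)$')
PROCESS = re.compile(r'^[A-Za-z]:\\')

# User-profile data directories from which no ordinary autostart runs (assumption).
USER_DATA_MARKERS = ('\\APPLIC~1\\', '\\APPLICATION DATA\\', '\\LOCALS~1\\', '\\LOCAL SETTINGS\\')


def extract_path(command):
    """Pull the executable path out of an O4 command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    tokens = command.split()
    if not tokens:
        return ''
    if tokens[0].lower() in ('rundll32', 'rundll32.exe') and len(tokens) > 1:
        return tokens[1].strip('"').split(',')[0]   # RUNDLL32 "x.dll",EntryPoint
    return tokens[0]


def parse_hjt(text):
    """Return a list of {'kind', 'name', 'path', 'raw'} for the lines we understand."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if PROCESS.match(line):                      # 'Running processes' section
            entries.append({'kind': 'process', 'name': '', 'path': line, 'raw': line})
            continue
        m = O_LINE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section == 'O2':
            b = BHO.match(body)
            if b:
                entries.append({'kind': 'bho', 'name': b.group(1), 'path': b.group(3), 'raw': line})
        elif section == 'O4':
            r = RUN.match(body)
            s = STARTUP.match(body)
            if r:
                entries.append({'kind': 'run-' + r.group(1).lower(), 'name': r.group(2),
                                'path': extract_path(r.group(3)), 'raw': line})
            elif s:
                item = s.group(1)                    # 'Name.lnk = target' or a bare file
                name, target = (item.split(' = ', 1) + [item])[:2] if ' = ' in item else (item, item)
                entries.append({'kind': 'startup', 'name': name, 'path': target, 'raw': line})
    return entries


def unrenderable_chars(path):
    """Characters outside printable ASCII. HJT writes '?' for ones it cannot
    render, and '?' is not legal in a Windows file name, so it counts too."""
    return [c for c in path
            if ord(c) > 126 or c == '?' or unicodedata.category(c).startswith('C')]


def triage(entry):
    """Reasons to look closer at one entry (empty list = nothing stood out)."""
    reasons = []
    path = entry['path']
    upper = path.upper()
    if unrenderable_chars(path):
        reasons.append('path contains a character HijackThis could not render (look-alike name?)')
    if entry['kind'] == 'bho' and entry['name'].strip().lower() == '(no name)':
        reasons.append('BHO registered without a name')
    if any(mk in upper for mk in USER_DATA_MARKERS) and upper.endswith(('.EXE', '.DLL')):
        reasons.append('executable loaded from a user-profile data directory')
    if entry['kind'] != 'process' and path and '\\' not in path:
        reasons.append('bare file name; resolved through the search path, not a fixed location')
    return reasons


def triage_log(text):
    """Return [(raw line, [reasons])] for every entry with at least one reason."""
    flagged = []
    for entry in parse_hjt(text):
        reasons = triage(entry)
        if reasons:
            flagged.append((entry['raw'], reasons))
    return flagged


if __name__ == '__main__':
    for raw, reasons in triage_log(SAMPLE_LOG):
        print(raw)
        for why in reasons:
            print('   ->', why)
```

On the sample, four lines come back flagged: the `(no name)` BHO, the `dvdplay.exe` Run entry under `APPLIC~1`, the bare `Reboot.exe` startup item, and the `??rvices.exe` process (two reasons). The heuristics are deliberately cheap; a hit is the starting point for checking the file, its signer and its creation time, not a verdict on its own.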


#2 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 13 October 2007 - 05:06 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum Gecko :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

If you have previously downloaded ComboFix, please delete that version now.
Now download ComboFix and save it to your desktop:
Note:
It is important that it is saved directly to your desktop.

Close any open browsers.
Double-click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new HijackThis log, please.

#3 Gecko.

  • Topic Starter
  • Members
  • 55 posts

Posted 13 October 2007 - 04:33 PM

Richie~

Thank you for your assistance. As requested, here are the logs:

-------------------------------------------------------------------------------------------------------------------------

ComboFix 07-10-13.1 - John 2007-10-12 23:21:15.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.257 [GMT -4:00]
Running from: C:\Documents and Settings\John\desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\John\Application Data\FNTS~1
C:\Documents and Settings\John\Application Data\FNTS~1\dvdplay.exe
C:\Documents and Settings\John\Application Data\FNTS~1\F?nts\
C:\Documents and Settings\John\Application Data\ICROSO~1.NET
C:\Documents and Settings\John\Application Data\ICROSO~1.NET\??rvices.exe
C:\Documents and Settings\John\Start Menu\Programs\Outerinfo
C:\Documents and Settings\John\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Program Files\ISM
C:\Program Files\ISM\BndDrive6.dll
C:\Program Files\ISM\BndDrive6.dll
C:\Program Files\ISM\dictionary.gz
C:\Program Files\ISM\dictionary.gz
C:\Program Files\ISM\ISMModule6.exe
C:\Program Files\ISM\ISMModule6.exe
C:\Program Files\ISM\targets.gz
C:\Program Files\ISM\targets.gz
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\WINDOWS\system32\smekwgo.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-13 to 2007-10-13 )))))))))))))))))))))))))))))))
.

2007-10-12 23:20 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-10 22:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-10 21:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-10 21:49 <DIR> d-------- C:\Documents and Settings\John\.housecall6.6
2007-10-09 21:14 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-08 07:31 <DIR> d-------- C:\Program Files\ISM2
2007-10-07 07:31 <DIR> d-------- C:\Program Files\ηasks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-07 11:31 --------- d-----w C:\Program Files\?asks
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2007-07-19 07:00 3,583,488 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2002-07-26 21:02 153,088 ----a-w C:\Program Files\UNWISE.EXE
2004-01-15 00:44:24 32 --sha-w C:\WINDOWS\{258EA8A1-A05A-442A-A697-DDB35C564332}.dat
2005-06-26 21:32:28 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 04:37:42 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2004-01-15 00:44:24 32 --sha-w C:\WINDOWS\system32\{026B53CA-20B6-44CD-9AB0-ADF063CF180B}.dat
2004-01-28 03:24:28 8 --sh--r C:\WINDOWS\system32\ADA2146E68.sys
2007-05-23 04:10:12 2,828 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2005-07-14 18:31:20 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CountrySelection"="pctptt.exe" [2001-03-22 05:08 C:\WINDOWS\system32\pctptt.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-12-02 16:11]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2003-12-02 16:11]
"Advanced Tools Check"="C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE" [2002-08-26 22:35]
"Cmaudio"="cmicnfg.cpl" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2003-06-18 01:00]
"CTHelper"="CTHELPER.EXE" [2007-04-09 12:32 C:\WINDOWS\system32\CtHelper.exe]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 18:06]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-08-25 16:14]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-08-25 16:14]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-10 15:26]
"USB2Check"="C:\WINDOWS\system32\PCLECoInst.dll" [2004-04-06 19:05]
"USBToolTip"="D:\Programs\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [2004-04-23 12:00]
"Adobe Version Cue CS2"="D:\Programs\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 18:58]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-03-13 20:36]
"UnlockerAssistant"="D:\Programs\Unlocker\UnlockerAssistant.exe" [2006-09-07 13:19]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"Aias"="C:\DOCUME~1\JOHNVA~1\APPLIC~1\FNTS~1\dvdplay.exe" []
"ISMModule6"="C:\Program Files\ISM\ISMModule6.exe" []
"ISMPack6"="C:\Program Files\ISM2\ISMPack6.exe" [2007-09-28 09:27]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"SpybotSD TeaTimer"="D:\Programs\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Reboot.exe [2001-03-15 05:07:50]
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-01-14 20:58:44]
HotSync Manager.lnk - D:\Programs\palmOne\Hotsync.exe [2004-06-09 15:16:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AIM"=C:\Programs\AIM\aim.exe -cnetwait.odl
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"Microsoft Location Finder"="C:\Program Files\Microsoft Location Finder\LocationFinder.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"RoxioAudioCentral"="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
"ViewMgr"=C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
"Symantec NetDriver Monitor"=C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R1 VIAPFD;VIAPFD;C:\WINDOWS\system32\Drivers\VIAPFD.SYS
R2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys
R2 Pctspk;W2k PCtel speaker phone;C:\WINDOWS\system32\pctspk.exe
R3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys
S3 NPDriver;Norton Unerase Protection Driver;\??\C:\WINDOWS\System32\Drivers\NPDRIVER.SYS
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-13 00:00:02 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
"2007-10-13 02:17:24 C:\WINDOWS\Tasks\Symantec NetDetect.job"
"2007-10-12 23:30:24 C:\WINDOWS\Tasks\1-Click Maintenance.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-12 23:25:43
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-12 23:33:57 - machine was rebooted
.
--- E O F ---
-------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:26:28 PM, on 10/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Programs\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\Programs\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\PROGRA~1\NORTON~1\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programs\Photodex\CompuPicPro\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
D:\Programs\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\Programs\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ISM2\ISMPack6.exe
D:\Programs\Spybot - Search & Destroy\TeaTimer.exe
D:\Programs\palmOne\Hotsync.exe
D:\Programs\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Programs\Azureus\Azureus.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Removal tools\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Programs\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "D:\Programs\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "D:\Programs\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UnlockerAssistant] "D:\Programs\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aias] "C:\DOCUME~1\JOHNVA~1\APPLIC~1\FNTS~1\dvdplay.exe" -vt yazb
O4 - HKCU\..\Run: [ISMModule6] "C:\Program Files\ISM\ISMModule6.exe"
O4 - HKCU\..\Run: [ISMPack6] "C:\Program Files\ISM2\ISMPack6.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Programs\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Reboot.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HotSync Manager.lnk = D:\Programs\palmOne\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Programs\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Programs\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Programs\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://mail.ppvlaw.com
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188822924043
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://remote.gcrlaw.net/Remote/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Programs\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - D:\Programs\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: W2k PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Programs\Photodex\CompuPicPro\ScsiAccess.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - D:\Programs\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 10017 bytes
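The ComboFix output above shows directory names built to sit next to familiar ones while differing in a single non-ASCII letter: `ηasks` (listed again as `?asks`), `F?nts`, and a `?icrosoft.NET` whose 8.3 short name `ICROSO~1.NET` confirms that the first character was not ASCII at all. As an added example, not code from the thread or from ComboFix, the script below lists names containing non-ASCII characters and reports which well-known name each most resembles. The sample names, the Greek letters chosen as stand-ins (the log shows only `?` for the real characters), and the list of names worth imitating are this example's assumptions.

```python
"""Find directory/file names that imitate well-known ones with non-ASCII letters.

Added example, not code from this thread or from ComboFix. The sample names
are constructed: the log above only shows '?' where the real characters were,
so Greek letters are used here as plausible stand-ins.
"""
import difflib
import os
import unicodedata

# Names a look-alike on a Windows XP box is most likely to imitate (assumption).
KNOWN_NAMES = ['Microsoft', 'Microsoft.NET', 'Fonts', 'Tasks', 'System32',
               'WINDOWS', 'Program Files', 'Application Data', 'Common Files']

SAMPLE_NAMES = [
    'Microsoft',
    '\u039cicrosoft.NET',   # GREEK CAPITAL LETTER MU in place of 'M'
    'Fonts',
    'F\u03bfnts',           # GREEK SMALL LETTER OMICRON in place of 'o'
    '\u03b7asks',           # GREEK SMALL LETTER ETA in place of 'T', as in the log's 'ηasks'
    'Tasks',
    'r\u00e9sum\u00e9',     # non-ASCII but legitimate: resembles nothing in KNOWN_NAMES
]


def non_ascii_chars(name):
    """Every non-ASCII character in name, with its Unicode name for the report."""
    return [(c, unicodedata.name(c, 'UNKNOWN')) for c in name if ord(c) > 127]


def lookalike_names(names, known=KNOWN_NAMES, cutoff=0.7):
    """Report names with non-ASCII characters and the known name each resembles.

    looks_like is None when nothing in `known` is close enough: non-ASCII on
    its own is not evidence, since localised and personal names are normal."""
    by_lower = {k.lower(): k for k in known}
    findings = []
    for name in names:
        odd = non_ascii_chars(name)
        if not odd:
            continue
        close = difflib.get_close_matches(name.lower(), list(by_lower), n=1, cutoff=cutoff)
        findings.append({'name': name, 'odd_chars': odd,
                         'looks_like': by_lower[close[0]] if close else None})
    return findings


def scan_tree(root):
    """Walk a directory tree and return look-alike findings with full paths."""
    findings = []
    for parent, dirs, files in os.walk(root):
        for f in lookalike_names(dirs + files):
            f['path'] = os.path.join(parent, f['name'])
            findings.append(f)
    return findings


if __name__ == '__main__':
    for f in lookalike_names(SAMPLE_NAMES):
        odd = ', '.join('%r (%s)' % pair for pair in f['odd_chars'])
        print('%-16s looks like %-14s  odd chars: %s' % (f['name'], f['looks_like'], odd))
```

`scan_tree` is the form you would point at `C:\Program Files` or a user's `Application Data`; the similarity cutoff is loose on purpose so that a single substituted letter in a short name such as `Tasks` still scores, and the `looks_like` field is what separates a real look-alike from an ordinary accented name.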

#4 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 14 October 2007 - 02:44 AM

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 3'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.

Please disable Spybot S&D's protection, or it will interfere.
You can enable it after you're clean.
Open Spybot and click on 'Mode' and check 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.
Restart your computer.
If you find you're experiencing problems disabling Spybot's Tea-Timer, follow the info in the link below:
http://www.russelltexas.com/malware/teatimer.htm

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths inside the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\Program Files\ISM2
C:\WINDOWS\{258EA8A1-A05A-442A-A697-DDB35C564332}.dat
C:\WINDOWS\system32\{026B53CA-20B6-44CD-9AB0-ADF063CF180B}.dat


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.

Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.


Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O4 - HKCU\..\Run: [Aias] "C:\DOCUME~1\JOHNVA~1\APPLIC~1\FNTS~1\dvdplay.exe" -vt yazb
O4 - HKCU\..\Run: [ISMModule6] "C:\Program Files\ISM\ISMModule6.exe"
O4 - HKCU\..\Run: [ISMPack6] "C:\Program Files\ISM2\ISMPack6.exe"
O4 - Global Startup: Reboot.exe

Exit Hijackthis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new Hijackthis log, and let me know how your pc is running now.

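The O4 and O23 lines Richie asks to have fixed can be checked the same way by script. The following is an added example, not code from this thread, HijackThis or SuperAntiSpyware: a small Python parser for HijackThis v2 log lines that flags autorun and service entries on the grounds a responder would use. The sample lines are copied from the logs in this thread, and the heuristics and the indicator list are my own assumptions built from the items OTMoveIt and HijackThis were asked to remove.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines taken from the HijackThis logs posted in this
# thread, including the O4 entries RichieUK asked to have fixed.
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKCU\..\Run: [Aias] "C:\DOCUME~1\JOHNVA~1\APPLIC~1\FNTS~1\dvdplay.exe" -vt yazb
O4 - HKCU\..\Run: [ISMModule6] "C:\Program Files\ISM\ISMModule6.exe"
O4 - HKCU\..\Run: [ISMPack6] "C:\Program Files\ISM2\ISMPack6.exe"
O4 - Global Startup: Reboot.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Programs\Photodex\CompuPicPro\ScsiAccess.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


@dataclass
class Entry:
    kind: str                    # "O4" (autorun) or "O23" (service)
    name: str                    # registry value name, file name or service name
    command: str                 # command line (O4) or binary path (O23)
    hive: str = ""               # HKLM / HKCU / "Global Startup" for O4
    owner: str = ""              # publisher column for O23
    reasons: list = field(default_factory=list)


O4_RUN = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
O4_STARTUP = re.compile(r'^O4 - Global Startup: (?P<cmd>.+)$')
O23_SVC = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
# Quoted path, or an unquoted path ending in a known extension followed by
# whitespace/end (handles "C:\Program Files\...\x.exe /r").
EXE_RE = re.compile(r'^"(?P<quoted>[^"]+)"|^(?P<bare>.+?\.(?:exe|dll|cpl|scr|com|bat))(?=\s|$)',
                    re.IGNORECASE)

# Assumed indicator list: path fragments of the items this thread had removed.
THREAD_INDICATORS = ("\\ISM\\", "\\ISM2\\", "FNTS~1\\")
# Autoruns launched from a user profile rather than an install directory.
PROFILE_DIRS = ("\\DOCUME~1\\", "\\DOCUMENTS AND SETTINGS\\", "\\APPLIC~1\\", "\\APPLICATION DATA\\")


def exe_path(cmd):
    """Best-effort extraction of the launched binary from an O4 command line."""
    cmd = cmd.strip()
    m = EXE_RE.match(cmd)
    if m:
        return m.group("quoted") or m.group("bare")
    return cmd.split()[0] if cmd else ""


def parse_line(line):
    """Return an Entry for an O4 or O23 line, or None for anything else."""
    line = line.rstrip()
    m = O4_RUN.match(line)
    if m:
        return Entry("O4", m["name"], m["cmd"], hive=m["hive"])
    m = O4_STARTUP.match(line)
    if m:
        return Entry("O4", m["cmd"], m["cmd"], hive="Global Startup")
    m = O23_SVC.match(line)
    if m:
        return Entry("O23", m["name"], m["path"], owner=m["owner"])
    return None


def assess(entry):
    """Attach review reasons to an entry; an entry with no reasons is left alone."""
    path = entry.command if entry.kind == "O23" else exe_path(entry.command)
    upper = path.upper()
    if any(d in upper for d in PROFILE_DIRS):
        entry.reasons.append("binary runs from a user profile directory")
    if any(ind.upper() in upper for ind in THREAD_INDICATORS):
        entry.reasons.append("path matches an indicator named in this thread")
    if entry.hive == "Global Startup" and "\\" not in path:
        entry.reasons.append("unqualified file name in the Global Startup folder")
    if entry.kind == "O23" and entry.owner == "Unknown owner":
        entry.reasons.append("service binary carries no recognised publisher")
    return entry


def scan_log(text):
    """Return the parsed O4/O23 entries that have at least one review reason."""
    flagged = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and assess(entry).reasons:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in scan_log(SAMPLE_LOG):
        print(f"{e.kind} [{e.name}] {e.command}")
        for r in e.reasons:
            print(f"    - {r}")
```

Run against the sample it reports exactly the four O4 entries Richie listed plus the ScsiAccess service with no publisher, and leaves the Symantec, Creative and NVIDIA entries alone.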

#5 Gecko.

Gecko.
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Local time:12:15 AM

Posted 14 October 2007 - 09:52 AM

Richie~

Completed as directed. :thumbsup: Still have popups coming (and an internet speed monitor thingy too). As requested, here are the logs:


-------------------------------------------------------------------------------------------------------------------------
Move.It.Log.log

C:\Program Files\ISM2 moved successfully.
C:\WINDOWS\{258EA8A1-A05A-442A-A697-DDB35C564332}.dat moved successfully.
C:\WINDOWS\system32\{026B53CA-20B6-44CD-9AB0-ADF063CF180B}.dat moved successfully.

Created on 10/14/2007 08:26:18

-------------------------------------------------------------------------------------------------------------------------
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/14/2007 at 10:16 AM

Application Version : 3.9.1008


Core Rules Database Version : 3324
Trace Rules Database Version: 1325

Scan type : Complete Scan
Total Scan Time : 01:28:54

Memory items scanned : 450
Memory threats detected : 1
Registry items scanned : 7573
Registry threats detected : 11
File items scanned : 62278
File threats detected : 373

Adware.AdSponsor/ISM
C:\PROGRAM FILES\ISM2\ISMPACK6.EXE
C:\PROGRAM FILES\ISM2\ISMPACK6.EXE
HKU\S-1-5-21-854245398-1708537768-2147255075-1004\Software\BndDrive
C:\Documents and Settings\John\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\John\Start Menu\Programs\Internet Speed Monitor
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9D1AA8DD-50CF-4F70-8445-AE584ECD1EDC}\RP1024\A0080874.EXE
C:\_OTMOVEIT\MOVEDFILES\PROGRAM FILES\ISM2\ISMPACK6.EXE
C:\WINDOWS\Prefetch\ISMPACK6.EXE-117E7D2E.pf

Adware.Tracking Cookie

Trojan.Net-MSV/VPS-H
HKCR\BndDrive2.Band
HKCR\BndDrive2.Band\CLSID
HKCR\BndDrive2.Band\CurVer
HKCR\BndDrive2.Band.1
HKCR\BndDrive2.Band.1\CLSID
HKCR\BndDrive2.BHO
HKCR\BndDrive2.BHO\CLSID
HKCR\BndDrive2.BHO\CurVer
HKCR\BndDrive2.BHO.1
HKCR\BndDrive2.BHO.1\CLSID

Adware.ClickSpring
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9D1AA8DD-50CF-4F70-8445-AE584ECD1EDC}\RP1027\A0080913.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9D1AA8DD-50CF-4F70-8445-AE584ECD1EDC}\RP1027\A0080917.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9D1AA8DD-50CF-4F70-8445-AE584ECD1EDC}\RP1022\A0080831.DLL
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\SMEKWGO.DLL.VIR
C:\QOOBOX\QUARANTINE\C\DOCUMENTS AND SETTINGS\JOHN\APPLICATION DATA\FNTS~1\DVDPLAY.EXE.VIR

Unclassified.Unknown Origin/System
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9D1AA8DD-50CF-4F70-8445-AE584ECD1EDC}\RP1036\A0081701.EXE
D:\REMOVAL TOOLS\BACKUPS\BACKUP-20071014-084530-264-REBOOT.EXE

Trojan.Agent-Deinstall
C:\233.TMP

Trojan.Downloader-Gen/Suspicious
C:\TEMP\SLYSOFTCLONEDVDV2.8.5.1PATCHTBE\PATCH.EXE
C:\PROGRAMS\CLONEDVD2\PATCH.EXE
D:\TOOLS\CLONEDVD_2.8.5.1\SLYSOFTCLONEDVDV2.8.5.1PATCHTBE\PATCH.EXE

-------------------------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:54 AM, on 10/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Programs\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
D:\Programs\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Programs\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Programs\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\PROGRA~1\NORTON~1\AdvTools\NPROTECT.EXE
D:\Programs\palmOne\Hotsync.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Programs\Photodex\CompuPicPro\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
D:\Programs\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\system32\wscntfy.exe
D:\Removal tools\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "D:\Programs\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "D:\Programs\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UnlockerAssistant] "D:\Programs\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Programs\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HotSync Manager.lnk = D:\Programs\palmOne\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Programs\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://mail.ppvlaw.com
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188822924043
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://remote.gcrlaw.net/Remote/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Programs\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Programs\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - D:\Programs\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: W2k PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Programs\Photodex\CompuPicPro\ScsiAccess.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - D:\Programs\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9262 bytes

-------------------------------------------------------------------------------------------------------------------------

Edited by Gecko., 14 October 2007 - 10:46 AM.


#6 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts
  • Local time:05:15 AM

Posted 14 October 2007 - 11:34 AM

Download DelDomains.zip and extract/unzip it to your desktop.
Now right-click on Deldomains.inf, then click on 'Install'.
After right-clicking on Deldomains.inf and choosing 'Install', it will appear that nothing happened; this is normal.


Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)


Run this online virus/spyware scan using Internet Explorer:
Kaspersky WebScanner
Next click Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
• Now click on Scan Settings
• In the scan settings make sure that the following are selected:
• Scan using the following Anti-Virus database:
• Standard
• Scan Options:
• Scan Archives
• Scan Mail Bases
• Click OK
• Now under select a target to scan:
• Select My Computer
• This will start the program and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
• Now click on the Save as Text button:
• Save the file to your desktop.
• Copy and paste the contents of that file into your next reply.


Download/unzip to your desktop AVG Anti-Rootkit:
http://free.grisoft.com/softw/70free/setup...up-1.1.0.42.exe
Launch AVG, click on the 'Search for Rootkits' tab.
Then click on 'Perform in-depth search'.
When the scan has finished, right-click on the scan results and choose 'Save results'.
Copy and paste those results into your next reply.


Download SmitfraudFix (by S!Ri), to your desktop.
Double click on Smitfraudfix.cmd
Select option 1 – Search, by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy and paste the content of that report into your next reply.

*IMPORTANT*
Do NOT run any other options until you are asked to do so!

*Note*
process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes.
Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
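Between the 10:43 AM HijackThis log Gecko posted above and the 9:27 PM log in the next reply, a handful of new O2/O4 entries appear. The quickest way to triage logs like these is to diff them and run only the new entries through a few path heuristics. The Python script below is an added example written for this thread; it is not code from HijackThis, BleepingComputer or any poster. Its two sample logs are short excerpts (O2/O4 lines only) of Gecko's two 14 October logs, and the heuristics (a '?' in a file name where the forum rendered a non-ASCII character, a system-binary name outside %SystemRoot%, an 8.3 short-name subfolder under system32) are the example author's own choices, not a HijackThis feature.

```python
"""Diff two HijackThis logs and flag suspicious new autostart entries.

Added example for this thread; not part of HijackThis or any post here.
"""
import re

# HijackThis entry lines look like "O4 - HKCU\..\Run: [Name] <command>".
HJT_LINE = re.compile(r"^(O\d+|R\d+|F\d+|N\d+)\s+-\s+(.*)$")

# Windows binaries that malware commonly names itself after; a copy living
# anywhere other than %SystemRoot%\system32 (or %SystemRoot%) is worth a look.
SYSTEM_BINARIES = {"svchost.exe", "alg.exe", "lsass.exe", "services.exe",
                   "csrss.exe", "winlogon.exe", "explorer.exe"}

# Sample input, constructed for this example: excerpts of Gecko's 10:43 AM
# and 9:27 PM HijackThis logs of 14 October 2007 (O2/O4 lines only).
MORNING_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Programs\SUPERAntiSpyware\SUPERAntiSpyware.exe
"""

EVENING_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: BndDrive2 BHO Class - {8C6D5A56-791E-4fe8-9D64-81781FA15D68} - C:\Program Files\ISM\BndDrive6.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Programs\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ISMPack6] "C:\Program Files\ISM2\ISMPack6.exe"
O4 - HKCU\..\Run: [Kiis] "C:\Program Files\??mbols\s?chost.exe"
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKCU\..\Run: [Aias] "C:\WINDOWS\system32\SMBOLS~1\alg.exe" -vt ndrv
"""


def parse_hjt(text):
    """Return the (item, body) pairs for every HijackThis entry line in text."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def new_entries(before, after):
    """Entries present in the later log but absent from the earlier one."""
    seen = set(parse_hjt(before))
    return [e for e in parse_hjt(after) if e not in seen]


def extract_path(item, body):
    """Pull the executable or DLL path out of an entry body (None if unknown)."""
    if item == "O4":
        # Run-key entries: "[Name] <quoted or bare command line>";
        # startup-folder entries use "Name.lnk = path" instead.
        m = re.match(r'.*?\]\s*(?:"([^"]+)"|(.+?\.(?:exe|dll|cpl)))', body, re.I)
        if m:
            return m.group(1) or m.group(2)
        return body.split(" = ", 1)[1] if " = " in body else None
    # O2/O3/O20/O23 entries end with " - <path>".
    return body.rsplit(" - ", 1)[-1].strip()


def suspicious_reasons(item, body):
    """Heuristic flags for one entry; an empty list means nothing stood out."""
    path = extract_path(item, body)
    if not path:
        return []
    reasons = []
    folder, _, name = path.replace("/", "\\").rpartition("\\")
    folder, name = folder.lower(), name.lower()
    # The forum and HijackThis render non-ASCII characters in file names as
    # '?', so a literal '?' in a path is the tell-tale of a lookalike name.
    if "?" in name or "?" in folder or any(ord(c) > 127 for c in path):
        reasons.append("non-ASCII character in path (name spoofing)")
        pattern = re.escape(name).replace(r"\?", ".")  # '?' becomes a wildcard
        for real in SYSTEM_BINARIES:
            if re.fullmatch(pattern, real):
                reasons.append(f"name resembles {real}")
    if name in SYSTEM_BINARIES and not folder.endswith(("\\windows\\system32", "\\windows")):
        reasons.append(f"{name} running from outside %SystemRoot%")
    # Short names under Program Files are normal; a ~1 folder under system32 is not.
    if re.search(r"~\d\\", path) and "\\system32\\" in folder:
        reasons.append("8.3 short-name subfolder under system32")
    return reasons


def triage(before, after):
    """Return [(item, body, reasons)] for every entry new in the later log."""
    return [(item, body, suspicious_reasons(item, body))
            for item, body in new_entries(before, after)]


if __name__ == "__main__":
    for item, body, reasons in triage(MORNING_LOG, EVENING_LOG):
        print(f"[{'SUSPICIOUS' if reasons else 'new'}] {item} - {body}")
        for reason in reasons:
            print(f"      - {reason}")
```

On the two excerpts the diff yields five new entries, of which the `[Kiis]` and `[Aias]` Run keys are flagged: the first for the '?'-rendered characters in a name that matches svchost.exe once those are treated as wildcards, the second for an alg.exe outside %SystemRoot% inside a SMBOLS~1 short-name folder. The unflagged newcomers (BndDrive6.dll, ISMPack6.exe, winable.exe) still deserve a look by name, which is why the script prints every new entry rather than only the flagged ones.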

#7 Gecko.

  • Topic Starter
  • Members
  • 55 posts
  • Local time:12:15 AM

Posted 14 October 2007 - 08:27 PM

Richie~

Took a while, but completed as directed. As requested, here are the logs:


-------------------------------------------------------------------------------------------------------------------------
DrWeb.csv

tsitra72.exe; c:\windows;Trojan.DownLoader.31817; Deleted.
Stream1.dll; D:\Programs\WMR11;Trojan.Proxy.1381; Deleted.
ntwoxqz.dll; c:\windows\system32;Adware.ClickSpring.origin; Incurable.Moved.
ntwoxqz.dll; C:\WINDOWS\system32;Adware.ClickSpring.origin; ;

-------------------------------------------------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, October 14, 2007 8:49:10 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 15/10/2007
Kaspersky Anti-Virus database records: 409234

Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics
Total number of scanned objects 126495
Number of viruses found 11
Number of infected objects 30
Number of suspicious objects 0
Duration of the scan process 02:56:58

Infected Object Name Virus Name Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\outlook.pst/Personal Folders/Drafts/Exchange Server/Server/Personal/Computers/Virus/01 Jul 2005 23:43 from alford bill:SPAM: Re.Your bill/vpz.zip/bill.exe Infected: Backdoor.Win32.Dumador.cy skipped

C:\WINDOWS\outlook.pst/Personal Folders/Drafts/Exchange Server/Server/Personal/Computers/Virus/01 Jul 2005 23:43 from alford bill:SPAM: Re.Your bill/vpz.zip Infected: Backdoor.Win32.Dumador.cy skipped

C:\WINDOWS\outlook.pst/Personal Folders/Drafts/Exchange Server/Server/Personal/Computers/Virus/30 Jun 2005 11:49 from devy abner:SPAM: Re.Your bill/m.zip/bill.exe Infected: Backdoor.Win32.Dumador.cy skipped

C:\WINDOWS\outlook.pst/Personal Folders/Drafts/Exchange Server/Server/Personal/Computers/Virus/30 Jun 2005 11:49 from devy abner:SPAM: Re.Your bill/m.zip Infected: Backdoor.Win32.Dumador.cy skipped

C:\WINDOWS\outlook.pst/Personal Folders/Drafts/Exchange Server/Server/Personal/Computers/Virus/04 Aug 2005 13:14 from eBay:Verify Your Data With eBay Inc [Fri,.html Infected: Trojan-Spy.HTML.Bayfraud.hn skipped

C:\WINDOWS\outlook.pst/Personal Folders/Drafts/Exchange Server/Server/Personal/Computers/Virus/16 Aug 2005 12:54 from services@paypal.com:SPAM: Protect Your Pa.html Infected: Trojan-Spy.HTML.Bankfraud.iz skipped

C:\WINDOWS\outlook.pst Mail MS Mail: infected - 6 skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle1.zip/Yazzle1552OinAdmin.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle1.zip ZIP: infected - 1 skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\John\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\VHYZC7J2\a8f5a020e4b833865a1034489887c8b9[1].zip/b122.exe Infected: Trojan-Downloader.Win32.Agent.dpn skipped

C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\VHYZC7J2\a8f5a020e4b833865a1034489887c8b9[1].zip ZIP: infected - 1 skipped

C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\19S8WJON\cvc[1].exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped

C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\19S8WJON\cvc[1].exe NSIS: infected - 1 skipped

C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\19S8WJON\tsitra[1].exe Infected: Trojan-Downloader.Win32.Agent.dve skipped

C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\VB6Q5QDT\movie[1].qtl Infected: Exploit.Multi.Qtp.b skipped

C:\Documents and Settings\John\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\John\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\John\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\John\Local Settings\Temp\~DF3D7.tmp Object is locked skipped

C:\Documents and Settings\John\Local Settings\Temp\~DF3E7.tmp Object is locked skipped

C:\Documents and Settings\John\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\John\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\John\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\John\.housecall6.6\Quarantine\231.tmp.bac_a03572/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped

C:\Documents and Settings\John\.housecall6.6\Quarantine\231.tmp.bac_a03572 NSIS: infected - 1 skipped

C:\Documents and Settings\John\.housecall6.6\Quarantine\231.tmp.bac_a03572 CryptFF.b: infected - 1 skipped

C:\Documents and Settings\John\.housecall6.6\Quarantine\A0080848.exe.bac_a03572 Infected: Trojan-PSW.Win32.Delf.zj skipped

C:\Documents and Settings\John\DoctorWeb\Quarantine\b122.exe Infected: Trojan-Downloader.Win32.Agent.dpn skipped

C:\Program Files\Common Files\Yazzle1552OinAdmin.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped

C:\Program Files\Norton AntiVirus\Quarantine\35CA163E.exe Infected: Trojan-Dropper.Win32.Delf.fd skipped

C:\Program Files\Temporary\wininstall.exe Infected: Trojan.Win32.Agent.bqn skipped

C:\Program Files\WinAble\winable.exe Infected: Trojan-Downloader.Win32.Adload.lv skipped

C:\System Volume Information\_restore{9D1AA8DD-50CF-4F70-8445-AE584ECD1EDC}\RP1024\A0080878.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped

C:\System Volume Information\_restore{9D1AA8DD-50CF-4F70-8445-AE584ECD1EDC}\RP1036\A0081839.exe Infected: Trojan-Downloader.Win32.Agent.dve skipped

C:\System Volume Information\_restore{9D1AA8DD-50CF-4F70-8445-AE584ECD1EDC}\RP1036\A0081841.exe Infected: Trojan-Downloader.Win32.Agent.dpn skipped

C:\System Volume Information\_restore{9D1AA8DD-50CF-4F70-8445-AE584ECD1EDC}\RP1036\change.log Object is locked skipped

C:\System Volume Information\_restore{9D1AA8DD-50CF-4F70-8445-AE584ECD1EDC}\RP1022\A0080847.EXE Infected: Trojan-Downloader.Win32.Agent.dve skipped

C:\23.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped

C:\23.tmp NSIS: infected - 1 skipped

Scan process completed.

-------------------------------------------------------------------------------------------------------------------------
AVG Anti-Rootkit

Nothing.

-------------------------------------------------------------------------------------------------------------------------
SmitFraudFix v2.240

Scan done at 21:13:59.41, Sun 10/14/2007
Run from C:\Documents and Settings\John\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Programs\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\Programs\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
D:\Programs\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Programs\SUPERAntiSpyware\SUPERAntiSpyware.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\John


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\John\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\JOHNVA~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: SiS 900-Based PCI Fast Ethernet Adapter - Packet Scheduler Miniport
DNS Server Search Order: 68.94.156.1
DNS Server Search Order: 68.94.157.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{29B8CCAA-1CCF-48BC-9768-DB0DA505171B}: DhcpNameServer=68.94.156.1 68.94.157.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{29B8CCAA-1CCF-48BC-9768-DB0DA505171B}: DhcpNameServer=68.94.156.1 68.94.157.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{29B8CCAA-1CCF-48BC-9768-DB0DA505171B}: DhcpNameServer=68.94.156.1 68.94.157.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.94.156.1 68.94.157.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.94.156.1 68.94.157.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.94.156.1 68.94.157.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

-------------------------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:01 PM, on 10/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Programs\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\Programs\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
D:\Programs\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Programs\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\??mbols\s?chost.exe
C:\Program Files\WinAble\winable.exe
D:\Programs\palmOne\Hotsync.exe
D:\Programs\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\PROGRA~1\NORTON~1\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Programs\Photodex\CompuPicPro\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
D:\Programs\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\SMBOLS~1\alg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
D:\Removal tools\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: BndDrive2 BHO Class - {8C6D5A56-791E-4fe8-9D64-81781FA15D68} - C:\Program Files\ISM\BndDrive6.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "D:\Programs\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "D:\Programs\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UnlockerAssistant] "D:\Programs\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Programs\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ISMPack6] "C:\Program Files\ISM2\ISMPack6.exe"
O4 - HKCU\..\Run: [Kiis] "C:\Program Files\??mbols\s?chost.exe"
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKCU\..\Run: [Aias] "C:\WINDOWS\system32\SMBOLS~1\alg.exe" -vt ndrv
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HotSync Manager.lnk = D:\Programs\palmOne\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Programs\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188822924043
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://remote.gcrlaw.net/Remote/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Programs\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Programs\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - D:\Programs\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: W2k PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Programs\Photodex\CompuPicPro\ScsiAccess.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - D:\Programs\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9995 bytes

-------------------------------------------------------------------------------------------------------------------------

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:15 AM

Posted 15 October 2007 - 07:01 AM

Kaspersky detected the following, which is bad news I'm afraid:

C:\WINDOWS\outlook.pst/Personal Folders/Drafts/Exchange Server/Server/Personal/Computers/Virus/01 Jul 2005 23:43 from alford bill:SPAM: Re.Your bill/vpz.zip/bill.exe Infected: Backdoor.Win32.Dumador.cy skipped

C:\WINDOWS\outlook.pst/Personal Folders/Drafts/Exchange Server/Server/Personal/Computers/Virus/01 Jul 2005 23:43 from alford bill:SPAM: Re.Your bill/vpz.zip Infected: Backdoor.Win32.Dumador.cy skipped

C:\WINDOWS\outlook.pst/Personal Folders/Drafts/Exchange Server/Server/Personal/Computers/Virus/30 Jun 2005 11:49 from devy abner:SPAM: Re.Your bill/m.zip/bill.exe Infected: Backdoor.Win32.Dumador.cy skipped

C:\WINDOWS\outlook.pst/Personal Folders/Drafts/Exchange Server/Server/Personal/Computers/Virus/30 Jun 2005 11:49 from devy abner:SPAM: Re.Your bill/m.zip Infected: Backdoor.Win32.Dumador.cy skipped

C:\WINDOWS\outlook.pst/Personal Folders/Drafts/Exchange Server/Server/Personal/Computers/Virus/04 Aug 2005 13:14 from eBay:Verify Your Data With eBay Inc [Fri,.html Infected: Trojan-Spy.HTML.Bayfraud.hn skipped

C:\WINDOWS\outlook.pst/Personal Folders/Drafts/Exchange Server/Server/Personal/Computers/Virus/16 Aug 2005 12:54 from services@paypal.com:SPAM: Protect Your Pa.html Infected: Trojan-Spy.HTML.Bankfraud.iz skipped

A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.

They are typically installed without user interaction through security exploits, and may allow an attacker to remotely control the infected machine. Such risks may allow the attacker to install additional malware and use the compromised machine to participate in denial of service attacks, spamming, and bot nets, or to transmit sensitive data to a remote server. The malware may be cloaked and not visible to the user. These risks severely compromise the system by lowering security settings, installing 'backdoors,' infecting system files, or spreading to other networked machines.

If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately, including those used for email, eBay and forums.
You should consider them to be compromised.
They should be changed by using a different computer and not the infected one; if not, an attacker may get the new passwords and transaction information.
Banking and credit card institutions should be notified of the possible security breach.

Since your computer was compromised read:
How to report ID theft, fraud, drive-by installs, hijacking and malware:
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall:
http://www.dslreports.com/faq/10063

Let me know if you want to carry on and clean up your system, although I cannot guarantee your system will be 100% safe even when we've done.
Weigh up all the circumstances by reading through the info in the links above, then let me know what you want to do in your next reply.

#9 Gecko.

Gecko.
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  •  
  • Local time:12:15 AM

Posted 15 October 2007 - 08:46 PM

Richie~

After that feedback I think I can feel the Grim Reaper's breath on the back of my neck . . . :blink:

But seriously . . .

. . . at my last place of employment I also wore a network admin's hat. Those are emails that employees received that I stored for later virus analysis and detection. I forgot I even had those; they are over 2+ years old. The viruses in those emails are (or should be) inchoate. The attachments in which they came were never activated. A simple delete and purge from Outlook should take care of those you listed.

That being the case, I do not want to give up on our fight now . . . :thumbsup: . . . it's a matter of principle.

Besides, these popups and an internet speed monitor thingy are driving me nuts and preventing me from effectively doing my other work.

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:15 AM

Posted 16 October 2007 - 04:35 AM

A simple delete and purge from Outlook should take care of those you listed.

Ok, do that now then please if you will.

Delete everything inside the following folders:
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery
C:\Documents and Settings\John\.housecall6.6\Quarantine
C:\Documents and Settings\John\DoctorWeb\Quarantine
C:\Program Files\Norton AntiVirus\Quarantine

Click on Start/Run, type cleanmgr into the 'Open:' space, then press Ok.
Let it scan your system for files to remove.
Make sure these 3 are checked and nothing else, then press Ok.
* Temporary Files
* Temporary Internet Files
* Recycle Bin


Please double-click OTMoveIt.exe to run it.
Copy the file paths inside the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\Temporary\wininstall.exe
C:\Program Files\WinAble
C:\23.tmp
C:\23.tmp NSIS

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button Posted Image

Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.


Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.

Also post a new Hijackthis log.
Let me know what's happening now please.

#11 Gecko.

Gecko.
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  •  
  • Local time:12:15 AM

Posted 16 October 2007 - 08:06 PM

Richie~

Completed as directed. :thumbsup:

Popups still coming.

As requested, here are the logs:


-------------------------------------------------------------------------------------------------------------------------
Move.It.Log.log

C:\Program Files\Common Files\Yazzle1552OinAdmin.exe moved successfully.
C:\Program Files\Temporary\wininstall.exe moved successfully.
C:\Program Files\WinAble moved successfully.
C:\23.tmp moved successfully.
File/Folder C:\23.tmp NSIS not found.

Created on 10/16/2007 20:41:14

-------------------------------------------------------------------------------------------------------------------------
SDFix: Version 1.109
Run by John on Tue 10/16/2007 at 08:50 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix


Safe Mode:

Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:

C:\414.TMP - Deleted
C:\415.TMP - Deleted
C:\234.TMP - Deleted
C:\236.TMP - Deleted
C:\239.TMP - Deleted
C:\241.TMP - Deleted
C:\26.TMP - Deleted
C:\2A.TMP - Deleted
C:\2D.TMP - Deleted
C:\34.TMP - Deleted
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe - Deleted

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sun 26 Jun 2005 616,448 A.SHR --- "C:\WINDOWS\system32\cygwin1.dll"
Wed 22 Jun 2005 45,568 A.SHR --- "C:\WINDOWS\system32\cygz.dll"
Tue 27 Jan 2004 8 ..SHR --- "C:\WINDOWS\system32\ADA2146E68.sys"
Wed 23 May 2007 2,828 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Thu 14 Jul 2005 27,648 A.SH. --- "C:\WINDOWS\system32\AVSredirect.dll"
Wed 3 Oct 2007 230,912 ..SHR --- "C:\Program Files\??mbols\s?chost.exe"
Thu 12 Feb 1998 24,064 A..HR --- "C:\Programs\Gravity\killdir.exe"
Sun 14 Oct 2007 71,680 ..SHR --- "C:\WINDOWS\system32\s?mbols\alg.exe"
Thu 22 Mar 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sun 15 Aug 2004 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Sun 15 Aug 2004 12,368 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
Fri 29 Jun 2007 146,944 A.SH. --- "C:\_OTMoveIt\MovedFiles\Program Files\Common Files\Yazzle1552OinAdmin.exe"
Wed 25 Jul 2007 31,744 ...H. --- "C:\Documents and Settings\John\Application Data\Microsoft\Templates\~WRL2302.tmp"
Tue 13 Mar 2007 29,696 ...H. --- "C:\Documents and Settings\John\Application Data\Microsoft\Word\~WRL0004.tmp"
Wed 25 Oct 2006 29,696 ...H. --- "C:\Documents and Settings\John\Application Data\Microsoft\Word\~WRL0002.tmp"
Thu 8 Mar 2007 29,696 ...H. --- "C:\Documents and Settings\John\Application Data\Microsoft\Word\~WRL1830.tmp"
Thu 19 Jul 2007 30,208 ...H. --- "C:\Documents and Settings\John\Application Data\Microsoft\Word\~WRL2568.tmp"

Finished!

-------------------------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:20 PM, on 10/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Programs\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\Programs\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\PROGRA~1\NORTON~1\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Programs\Photodex\CompuPicPro\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
D:\Programs\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Messenger\msmsgs.exe
D:\Programs\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
D:\Programs\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Programs\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\??mbols\s?chost.exe
C:\WINDOWS\system32\SMBOLS~1\alg.exe
D:\Programs\palmOne\Hotsync.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Removal tools\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: BndDrive2 BHO Class - {8C6D5A56-791E-4fe8-9D64-81781FA15D68} - C:\Program Files\ISM\BndDrive6.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "D:\Programs\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "D:\Programs\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UnlockerAssistant] "D:\Programs\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Programs\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ISMPack6] "C:\Program Files\ISM2\ISMPack6.exe"
O4 - HKCU\..\Run: [Kiis] "C:\Program Files\??mbols\s?chost.exe"
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKCU\..\Run: [Aias] "C:\WINDOWS\system32\SMBOLS~1\alg.exe" -vt ndrv
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HotSync Manager.lnk = D:\Programs\palmOne\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Programs\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188822924043
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://remote.gcrlaw.net/Remote/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Programs\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Programs\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - D:\Programs\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: W2k PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Programs\Photodex\CompuPicPro\ScsiAccess.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - D:\Programs\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9918 bytes

-------------------------------------------------------------------------------------------------------------------------

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:15 AM

Posted 17 October 2007 - 06:58 AM

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: BndDrive2 BHO Class - {8C6D5A56-791E-4fe8-9D64-81781FA15D68} - C:\Program Files\ISM\BndDrive6.dll
O4 - HKCU\..\Run: [ISMPack6] "C:\Program Files\ISM2\ISMPack6.exe"
O4 - HKCU\..\Run: [Kiis] "C:\Program Files\??mbols\s?chost.exe"
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKCU\..\Run: [Aias] "C:\WINDOWS\system32\SMBOLS~1\alg.exe" -vt ndrv

Exit Hijackthis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.


Double click on Combofix.exe again and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.


Also post a new Hijackthis log please.
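A small triage script for the O4 Run entries singled out in the post above, added here as an example; it is not part of the thread or of HijackThis. It scores the two masquerading patterns visible in this log: a path HijackThis prints with '?' (characters it could not render, i.e. a lookalike folder or file name) and a core system binary name such as svchost.exe or alg.exe starting from anywhere other than the real system directories; the sample lines are constructed from the entries quoted above and the scoring weights are my own choice.

```python
import fnmatch
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: O4 lines in the shape HijackThis v2.0.2 prints them,
# modelled on the entries discussed in this thread (not a complete log).
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Kiis] "C:\Program Files\??mbols\s?chost.exe"
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKCU\..\Run: [Aias] "C:\WINDOWS\system32\SMBOLS~1\alg.exe" -vt ndrv
""".strip()

# Core Windows binaries whose names malware commonly borrows. Genuine copies
# live directly in %SystemRoot%\system32 (explorer.exe in %SystemRoot%).
SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "alg.exe", "spoolsv.exe", "explorer.exe",
}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}

# "O4 - HKLM\..\Run: [Name] command line"
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class RunEntry:
    hive: str
    name: str
    path: str
    args: str
    reasons: List[str] = field(default_factory=list)
    score: int = 0

    @property
    def suspicious(self) -> bool:
        # Threshold chosen so that an 8.3 short name on its own does not flag
        # (legitimate installers such as NORTON~1 use them too).
        return self.score >= 2


def split_command(cmd: str) -> Tuple[str, str]:
    """Separate the executable path from its arguments, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def assess(path: str) -> Tuple[List[str], int]:
    """Heuristic checks for the masquerading patterns seen in this thread."""
    reasons, score = [], 0
    lower = path.lower()
    parent, _, base = lower.rpartition("\\")
    # 1. '?' is not a legal Windows file name character; HijackThis prints it
    #    for characters it cannot render, i.e. a non-ASCII lookalike name.
    if "?" in path:
        reasons.append("unrenderable characters in path (lookalike name)")
        score += 2
    # 2. A system binary name, or a one-character variant of it ('?' acts as a
    #    wildcard here), started from anywhere but the real system directory.
    #    A subfolder of system32 is deliberately NOT treated as system32.
    matches = [s for s in sorted(SYSTEM_BINARIES) if fnmatch.fnmatchcase(s, base)]
    if matches and parent not in SYSTEM_DIRS:
        location = parent or "(search path)"
        reasons.append(f"'{base}' looks like {matches[0]} but runs from '{location}'")
        score += 3
    # 3. 8.3 short names hide the real folder name; weak evidence on its own.
    if re.search(r"~\d+(\\|$)", lower):
        reasons.append("8.3 short name in path")
        score += 1
    return reasons, score


def parse_o4(line: str) -> Optional[RunEntry]:
    """Parse one HijackThis O4 Run line; other line types return None."""
    m = O4_RUN_RE.match(line.strip())
    if not m:
        return None
    path, args = split_command(m.group("cmd"))
    reasons, score = assess(path)
    return RunEntry(m.group("hive"), m.group("name"), path, args, reasons, score)


def triage(log_text: str) -> List[RunEntry]:
    """Return all O4 Run entries in the log, most suspicious first."""
    entries = [e for e in (parse_o4(ln) for ln in log_text.splitlines()) if e]
    return sorted(entries, key=lambda e: e.score, reverse=True)


if __name__ == "__main__":
    for e in triage(SAMPLE_O4_LINES):
        print(f"{'SUSPECT' if e.suspicious else 'ok     '} {e.hive} [{e.name}] {e.path}")
        for r in e.reasons:
            print(f"          - {r}")
```

On the sample, only the [Kiis] and [Aias] entries score as suspect; WinAble is adware by name only and needs a signature or reputation lookup, which this heuristic does not attempt.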

#13 Gecko.

Gecko.
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  •  
  • Local time:12:15 AM

Posted 17 October 2007 - 10:06 PM

Richie~

Completed as directed.

Popups still coming.

As requested, here are the logs:


-------------------------------------------------------------------------------------------------------------------------
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 10/17/2007 at 09:50 PM
Application Version : 3.9.1008
Core Rules Database Version : 3326
Trace Rules Database Version: 1327
Scan type : Complete Scan
Total Scan Time : 02:04:50


Memory items scanned : 222
Memory threats detected : 0
Registry items scanned : 7590
Registry threats detected : 14
File items scanned : 62266
File threats detected : 76

Adware.Tracking Cookie
C:\Documents and Settings\John\Cookies\john@tremor.adbureau[2].txt
C:\Documents and Settings\John\Cookies\john@zedo[2].txt
C:\Documents and Settings\John\Cookies\john@interclick[2].txt
C:\Documents and Settings\John\Cookies\john@doubleclick[1].txt
C:\Documents and Settings\John\Cookies\john@www.xctrk[2].txt
C:\Documents and Settings\John\Cookies\john@indiads[2].txt
C:\Documents and Settings\John\Cookies\john@atdmt[2].txt
C:\Documents and Settings\John\Cookies\john@serving-sys[2].txt
C:\Documents and Settings\John\Cookies\john@burstnet[2].txt
C:\Documents and Settings\John\Cookies\john@anad.tacoda[1].txt
C:\Documents and Settings\John\Cookies\john@adbrite[2].txt
C:\Documents and Settings\John\Cookies\john@msnportal.112.2o7[1].txt
C:\Documents and Settings\John\Cookies\john@tacoda[2].txt
C:\Documents and Settings\John\Cookies\john@adserver4.teracent[1].txt
C:\Documents and Settings\John\Cookies\john@adrevolver[1].txt
C:\Documents and Settings\John\Cookies\john@www.pornbay[2].txt
C:\Documents and Settings\John\Cookies\john@hitbox[2].txt
C:\Documents and Settings\John\Cookies\john@ads.pointroll[2].txt
C:\Documents and Settings\John\Cookies\john@trafficmp[2].txt
C:\Documents and Settings\John\Cookies\john@tribalfusion[1].txt
C:\Documents and Settings\John\Cookies\john@berlinads2[2].txt
C:\Documents and Settings\John\Cookies\john@overture[1].txt
C:\Documents and Settings\John\Cookies\john@ads.auctionads[1].txt
C:\Documents and Settings\John\Cookies\john@bluestreak[2].txt
C:\Documents and Settings\John\Cookies\john@media.adrevolver[2].txt
C:\Documents and Settings\John\Cookies\john@ads.adbrite[1].txt
C:\Documents and Settings\John\Cookies\john@ad.outerinfoads[1].txt
C:\Documents and Settings\John\Cookies\john@www.burstnet[2].txt
C:\Documents and Settings\John\Cookies\john@precisionclick[1].txt
C:\Documents and Settings\John\Cookies\john@ehg-kasperskylab.hitbox[1].txt
C:\Documents and Settings\John\Cookies\john@bs.serving-sys[1].txt
C:\Documents and Settings\John\Cookies\john@eas.apm.emediate[1].txt
C:\Documents and Settings\John\Cookies\john@ads.motogp[1].txt
C:\Documents and Settings\John\Cookies\john@exitexchange[1].txt
C:\Documents and Settings\John\Cookies\john@revsci[1].txt
C:\Documents and Settings\John\Cookies\john@ehg-accuweather.hitbox[2].txt
C:\Documents and Settings\John\Cookies\john@perf.overture[1].txt
C:\Documents and Settings\John\Cookies\john@media.adrevolver[3].txt
C:\Documents and Settings\John\Cookies\john@ad.yieldmanager[2].txt
C:\Documents and Settings\John\Cookies\john@ads.revsci[1].txt
C:\Documents and Settings\John\Cookies\john@advertising[2].txt
C:\Documents and Settings\John\Cookies\john@fastclick[2].txt
C:\Documents and Settings\John\Cookies\john@realmedia[2].txt
C:\Documents and Settings\John\Cookies\john@questionmarket[1].txt
C:\Documents and Settings\John\Cookies\john@clicktorrent[2].txt
C:\Documents and Settings\John\Cookies\john@www.burstbeacon[2].txt
C:\Documents and Settings\John\Cookies\john@ads.realtechnetwork[1].txt

Adware.AdSponsor
HKCR\AppId\AdBand.DLL
HKCR\AppId\AdBand.DLL#AppID

Adware.ClickSpring/Outer Info Network
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#Publisher
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#HelpLink
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#InstallLocation
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoModify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoRepair
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayIcon
C:\Program Files\Outerinfo\Terms.rtf
C:\Program Files\Outerinfo
C:\Documents and Settings\John\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\John\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\John\Start Menu\Programs\Outerinfo

Adware.AdSponsor/ISM
HKU\S-1-5-21-854245398-1708537768-2147255075-1004\Software\antica
HKU\S-1-5-21-854245398-1708537768-2147255075-1004\Software\BndDrive
C:\Documents and Settings\John\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\John\Start Menu\Programs\Internet Speed Monitor
C:\PROGRAM FILES\ISM\ISM.EXE
C:\PROGRAM FILES\ISM\BNDLOADER.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9D1AA8DD-50CF-4F70-8445-AE584ECD1EDC}\RP1025\A0080900.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9D1AA8DD-50CF-4F70-8445-AE584ECD1EDC}\RP1027\A0080914.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9D1AA8DD-50CF-4F70-8445-AE584ECD1EDC}\RP1036\A0081711.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9D1AA8DD-50CF-4F70-8445-AE584ECD1EDC}\RP1036\A0081779.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9D1AA8DD-50CF-4F70-8445-AE584ECD1EDC}\RP1020\A0080822.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9D1AA8DD-50CF-4F70-8445-AE584ECD1EDC}\RP1039\A0082016.DLL
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\ISM\BNDDRIVE6.DLL.VIR
D:\REMOVAL TOOLS\BACKUPS\BACKUP-20071017-194317-873.DLL

Adware.ClickSpring
C:\WINDOWS\SYSTEM32\SMBOLS~1\ALG.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9D1AA8DD-50CF-4F70-8445-AE584ECD1EDC}\RP1036\A0081843.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9D1AA8DD-50CF-4F70-8445-AE584ECD1EDC}\RP1036\A0081845.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9D1AA8DD-50CF-4F70-8445-AE584ECD1EDC}\RP1038\A0081948.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9D1AA8DD-50CF-4F70-8445-AE584ECD1EDC}\RP1038\A0081952.DLL

Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\WTSICC.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9D1AA8DD-50CF-4F70-8445-AE584ECD1EDC}\RP1038\A0082004.EXE

Trojan.Downloader-Gen/Suspicious
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9D1AA8DD-50CF-4F70-8445-AE584ECD1EDC}\RP1036\A0081712.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{9D1AA8DD-50CF-4F70-8445-AE584ECD1EDC}\RP1036\A0081713.EXE

Adware.ClickSpring/Yazzle
C:\_OTMOVEIT\MOVEDFILES\PROGRAM FILES\COMMON FILES\YAZZLE1552OINADMIN.EXE

Trojan.Downloader-Gen/WinAble-Installer
C:\_OTMOVEIT\MOVEDFILES\PROGRAM FILES\TEMPORARY\WININSTALL.EXE

Trojan.Net-Winable
C:\_OTMOVEIT\MOVEDFILES\PROGRAM FILES\WINABLE\WINABLE.EXE

-------------------------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:02:54 PM, on 10/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Programs\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\Programs\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
D:\Programs\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Programs\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Programs\palmOne\Hotsync.exe
D:\Programs\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\PROGRA~1\NORTON~1\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Programs\Photodex\CompuPicPro\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
D:\Programs\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Removal tools\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {820A6BBC-A879-AB89-0C26-8F9A86FD4DB4} - C:\WINDOWS\system32\whl.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "D:\Programs\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "D:\Programs\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UnlockerAssistant] "D:\Programs\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Programs\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HotSync Manager.lnk = D:\Programs\palmOne\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Programs\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188822924043
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://remote.gcrlaw.net/Remote/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Programs\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Programs\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - D:\Programs\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: W2k PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Programs\Photodex\CompuPicPro\ScsiAccess.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - D:\Programs\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9521 bytes

-------------------------------------------------------------------------------------------------------------------------

#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:05:15 AM

Posted 18 October 2007 - 05:03 AM

* Run HijackThis
* Click on Open the Misc Tools section
* Click Delete a file on reboot
* Find and select this file:
C:\WINDOWS\system32\whl.dll
* Click Open
* You will be asked if you want to restart your computer, click Yes
* Your computer will be restarted

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {820A6BBC-A879-AB89-0C26-8F9A86FD4DB4} - C:\WINDOWS\system32\whl.dll


Download AboutBuster:
http://www.malwarebytes.org/AboutBuster.zip
Unzip the files to a 'new' folder on your Desktop.
Run AboutBuster and click OK.
Click the Update button to see if there are any updates.
Close the program now.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Run AboutBuster and click Begin Removal button.
Once that's done, just hit the OK button.
Click Exit once you are done.
Click the OK button and it should exit.
Open up the 'Ab LogFile.txt' (which was created in the same folder as AboutBuster) and post the log into your next reply.


Run 'ESET Online Scanner' using Internet Explorer:
http://www.eset.com/onlinescan/
Place a check in the box 'YES, I accept the Terms of Use' after reading.
Then click 'Start'.
Allow the ActiveX control to install.
Then click 'Start' in the 'ESET Online Scanner' window.
Place a check in the box 'Remove found threats'.
Leave the box 'Scan unwanted applications' blank.
Then press 'Scan'.
The scan will take up some time so please be patient.
Once the scan has finished, post the entire contents of the logfile:
C:\Program Files\EsetOnlineScanner\log.txt
Also post a new HijackThis log.


Download\unzip to your desktop AVG Anti-Rootkit:
http://free.grisoft.com/softw/70free/setup...up-1.1.0.42.exe
Launch AVG, click on the 'Search for Rootkits' tab.
Then click on 'Perform in-depth search'.
When the scan has finished, right-click on the scan results and choose 'Save results'.
Copy and paste those results into your next reply.


Please download Rootchk.exe and save to your desktop:
Important: temporarily disable any real-time monitoring programs (see note below).
Disconnect from the Internet.
Double-click on rootchk.exe to run the program.
A command prompt window will open as the scan begins and then close.
When the scan is completed, a logfile named rootlog.txt will open and be saved to the root directory usually C:\.
Copy and paste the contents of the log into your next reply.
Re-enable active protection on any program you temporarily disabled.
Note:
To avoid false positives, it is important that you temporarily disable ZoneAlarm Pro firewall, or any other security program that protects your registry (Spybot's Teatimer, Ad-Aware's Adwatch, Prevx, etc.) before running the rootchk scan.
Click on this link to see a list of other programs that should be disabled.

Also post a new Hijackthis log.

#15 Gecko.

Gecko.
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Local time:12:15 AM

Posted 18 October 2007 - 09:12 PM

Richie~

Completed as directed.

As requested, here are the logs:


-------------------------------------------------------------------------------------------------------------------------
AboutBuster 6.07
Scan started on [10/18/2007] at [7:13:27 PM]
-------------------------------------------------------------
No Files Found!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 7:14:33 PM

-------------------------------------------------------------------------------------------------------------------------
ESET Online Scanner
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49

# vers_standard_module=2602 (20071018)
# vers_arch_module=1.058 (20070906)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=b74b09fdc0ff4c4e8edfa0e8b3e6b22f
# end=finished
# remove_checked=true
# unwanted_checked=false
# utc_time=2007-10-19 01:19:36
# local_time=2007-10-18 09:19:36 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=401132
# found=20
# scan_time=5580
C:\Documents and Settings\John\Local Settings\Temp\!update.exe a variant of Win32/TrojanDownloader.PurityScan trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\??mbols\s?chost.exe probably a variant of Win32/Adware.PurityScan application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9D1AA8DD-50CF-4F70-8445-AE584ECD1EDC}\RP1024\A0080878.exe Win32/TrojanDownloader.PurityScan.EG trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9D1AA8DD-50CF-4F70-8445-AE584ECD1EDC}\RP1027\A0080918.exe probably a variant of Win32/Adware.PurityScan application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9D1AA8DD-50CF-4F70-8445-AE584ECD1EDC}\RP1036\A0081839.exe Win32/TrojanDownloader.Agent.BLS trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9D1AA8DD-50CF-4F70-8445-AE584ECD1EDC}\RP1036\A0081841.exe probably a variant of Win32/TrojanDownloader.Agent trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9D1AA8DD-50CF-4F70-8445-AE584ECD1EDC}\RP1038\A0081949.exe probably a variant of Win32/TrojanDownloader.Agent trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9D1AA8DD-50CF-4F70-8445-AE584ECD1EDC}\RP1038\A0082001.exe probably a variant of Win32/Adware.PurityScan application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9D1AA8DD-50CF-4F70-8445-AE584ECD1EDC}\RP1022\A0080832.exe probably a variant of Win32/Adware.PurityScan application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9D1AA8DD-50CF-4F70-8445-AE584ECD1EDC}\RP1022\A0080847.EXE a variant of Win32/TrojanDownloader.Agent.BLS trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9D1AA8DD-50CF-4F70-8445-AE584ECD1EDC}\RP1039\A0082022.EXE a variant of Win32/TrojanDownloader.PurityScan trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9D1AA8DD-50CF-4F70-8445-AE584ECD1EDC}\RP1039\A0082024.exe Win32/TrojanDownloader.PurityScan.EG trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9D1AA8DD-50CF-4F70-8445-AE584ECD1EDC}\RP1039\A0082025.exe probably a variant of Win32/Agent trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9D1AA8DD-50CF-4F70-8445-AE584ECD1EDC}\RP1039\A0082026.EXE probably a variant of Win32/TrojanDownloader.Adload trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9D1AA8DD-50CF-4F70-8445-AE584ECD1EDC}\RP1040\A0082049.dll probably a variant of Win32/Adware.PurityScan application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9D1AA8DD-50CF-4F70-8445-AE584ECD1EDC}\RP1040\A0082052.EXE a variant of Win32/TrojanDownloader.PurityScan trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9D1AA8DD-50CF-4F70-8445-AE584ECD1EDC}\RP1040\A0082116.exe probably a variant of Win32/Adware.PurityScan application (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\Documents and Settings\John\Application Data\ICROSO~1.NET\??rvices.exe.vir probably a variant of Win32/Adware.PurityScan application (unable to clean - deleted) 00000000000000000000000000000000
C:\_OTMoveIt\MovedFiles\23.tmp Win32/TrojanDownloader.PurityScan.EG trojan (deleted) 00000000000000000000000000000000
C:\_OTMoveIt\MovedFiles\23.tmp »NSIS »Yazzle1552OinAdmin.exe Win32/TrojanDownloader.PurityScan.EG trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000

-------------------------------------------------------------------------------------------------------------------------
AVG Anti-Rootkit

Nothing.

-------------------------------------------------------------------------------------------------------------------------
*********************************
ROOTCHK-(21-09-07)-LOG, by ejvindh
Thu 10/18/2007 21:42:05.34

The rootkits that are detected by this tool were not found.

ROOTCHK-LOG-end
*********************************


catchme 0.3.1160 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-18 21:42:06
Windows 5.1.2600 Service Pack 2
scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

hidden processes: 0
hidden services: 0
hidden files: 0

-------------------------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:02:40 PM, on 10/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Programs\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\Programs\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Programs\palmOne\Hotsync.exe
D:\Programs\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\PROGRA~1\NORTON~1\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Programs\Photodex\CompuPicPro\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
D:\Programs\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Removal tools\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "D:\Programs\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "D:\Programs\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UnlockerAssistant] "D:\Programs\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Programs\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Aias] "C:\WINDOWS\system32\SMBOLS~1\alg.exe" -vt ndrv
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HotSync Manager.lnk = D:\Programs\palmOne\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Programs\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188822924043
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://remote.gcrlaw.net/Remote/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Programs\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Programs\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - D:\Programs\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: W2k PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Programs\Photodex\CompuPicPro\ScsiAccess.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - D:\Programs\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9500 bytes

-------------------------------------------------------------------------------------------------------------------------
