
Infected With Fake Antispyware : Ultimatecleaner 2007


17 replies to this topic

#1 Lord


  • Members
  • 23 posts

Posted 03 December 2007 - 11:39 AM

I've run Ad-Aware and Stinger - but both show clean, while the deluge of pop-ups continues...

Here is the log file:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:28 PM, on 12/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\system32\umonit.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - 0>FC3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: MSVPS System - {A4D00A75-F69A-49FD-9058-AB925712CCFF} - C:\WINDOWS\popnetkqw.dll
O2 - BHO: (no name) - Š=FB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O3 - Toolbar: The jokwmp - {AB9235F6-DB9F-4FDC-AAFB-A3BAF1849E34} - C:\WINDOWS\jokwmp.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\umonit.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [up open] C:\DOCUME~1\Shiavax\APPLIC~1\PINGON~1\part flag.exe
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\BP Go!Zilla v4.1\download-with-gozilla.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1181325029375
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\mmssbqcbq.dll
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll
O21 - SSODL: sapnet - {70C4A2F7-E8F8-4B89-A620-200DB3A65D23} - C:\WINDOWS\sapnet.dll
O21 - SSODL: rmvgor - {385540C9-9B19-4CCD-BB35-046BBE75215B} - C:\WINDOWS\rmvgor.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 6642 bytes
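As an added triage example (not part of the thread, and not a tool the helpers here used): a small Python script that parses HijackThis entry lines like those in the log above and flags the load points a helper checks first (AppInit_DLLs and Winlogon Notify, SSODL objects, browser add-on DLLs dropped directly into the Windows directory, Run entries launching from a user profile, and a redirected start page). The severity labels and the allowlist of expected home pages are assumptions; the sample lines are copied from the log above.

```python
"""Triage helper for HijackThis log lines (added example, not a BleepingComputer tool)."""
import re
from dataclasses import dataclass
from typing import Optional

# Sample entries copied from the HijackThis log posted above (test input).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: MSVPS System - {A4D00A75-F69A-49FD-9058-AB925712CCFF} - C:\WINDOWS\popnetkqw.dll
O3 - Toolbar: The jokwmp - {AB9235F6-DB9F-4FDC-AAFB-A3BAF1849E34} - C:\WINDOWS\jokwmp.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKCU\..\Run: [up open] C:\DOCUME~1\Shiavax\APPLIC~1\PINGON~1\part flag.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\mmssbqcbq.dll
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll
O21 - SSODL: sapnet - {70C4A2F7-E8F8-4B89-A620-200DB3A65D23} - C:\WINDOWS\sapnet.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# "O2 - BHO: ..." / "R0 - HKCU\..." -> section code plus the rest of the line.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d{1,2}) - (?P<body>.+)$")
# First Windows path ending in .dll/.exe inside an entry body.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:dll|exe)', re.IGNORECASE)
# A file sitting directly in the Windows directory (not in system32 or a subfolder).
WINDOWS_ROOT_RE = re.compile(r"[a-z]:\\windows\\[^\\]+")

# Fragments that mark a path inside a user profile (long and 8.3 short forms).
PROFILE_MARKERS = ("\\documents and settings\\", "\\docume~1\\",
                   "\\application data\\", "\\applic~1\\")
# Assumption: home pages the machine's owner would recognise as their own.
TRUSTED_HOMEPAGES = ("yahoo.com", "google.com", "msn.com", "about:blank")
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    kind: str       # HijackThis section code, e.g. "O20"
    severity: str   # "high", "medium" or "low" (heuristic, not a verdict)
    reason: str
    line: str


def extract_path(body: str) -> Optional[str]:
    """Return the first .dll/.exe path in an entry body, or None."""
    m = PATH_RE.search(body)
    return m.group(0) if m else None


def in_windows_root(path_lower: str) -> bool:
    """True when a lower-cased path is directly under X:\\windows."""
    return WINDOWS_ROOT_RE.fullmatch(path_lower) is not None


def classify(kind: str, body: str) -> Optional[Finding]:
    """Apply the location-based heuristics a log reader applies by eye."""
    low = body.lower()
    path = extract_path(body)
    p = path.lower() if path else ""
    line = f"{kind} - {body}"
    if kind == "O20":   # loaded into every process (AppInit_DLLs) or by winlogon
        return Finding(kind, "high", "global DLL load point (AppInit_DLLs / Winlogon Notify)", line)
    if kind == "O21":   # ShellServiceObjectDelayLoad: explorer loads it at logon
        return Finding(kind, "high", "SSODL object loaded by explorer at logon", line)
    if kind == "O4" and any(marker in p for marker in PROFILE_MARKERS):
        return Finding(kind, "high", "Run entry launches a file from the user profile", line)
    if kind in ("O2", "O3"):
        if "(no file)" in low:
            return Finding(kind, "low", "orphaned BHO/toolbar CLSID with no file behind it", line)
        if in_windows_root(p):
            return Finding(kind, "medium", "browser add-on DLL placed directly in the Windows directory", line)
    if kind in ("R0", "R1") and not any(site in low for site in TRUSTED_HOMEPAGES):
        return Finding(kind, "medium", "browser start page points at an unexpected site", line)
    return None


def triage(log_text: str) -> list:
    """Parse every entry line in a HijackThis log and return findings, worst first."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # process list, headers and "End of file" are not entries
        finding = classify(m.group("kind"), m.group("body"))
        if finding:
            findings.append(finding)
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


def summarize(findings: list) -> dict:
    """Count findings per severity."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity.upper():6}] {f.reason}\n         {f.line}")
```

On the sample lines the script reports the four injection/autostart entries as high, the redirected start page and the two Windows-root DLLs as medium, and the orphaned CLSID as low; a legitimate Run entry and service are left alone.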



#2 SNOWHITE


    missy malware magnet


  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 03 December 2007 - 12:11 PM

Hello Lord and welcome to BC :thumbsup:

My name is SNOWHITE and I will be helping you with your malware problem. Your computer has a couple of different types of malware; we will need more steps to clean it, so please stick with me until I let you know you are ready to go.

Please follow the steps below exactly in the order they are written:

Step #1

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

NOTE: If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


NOTE: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Step #2

Please download NoLop and save it to your desktop.
alternate download link 1
alternate download link 2
  • First close any other programs you have running as this will require a reboot.
  • Double click NoLop.exe to run it.
  • Now click the button labeled "Search and Destroy"
    <<your computer will now be scanned for infected files>>
  • When scanning is finished you will be prompted to reboot only if infected. Click OK.
  • Now click the "REBOOT" button.
  • A Message should popup from NoLop. If not, double click the program again and it will finish.
  • Please post the contents of C:\NoLop.log in your next reply.
--If you receive an error: "mscomctl.ocx or one of its dependencies are not correctly registered", please download mscomctl.ocx to your system32 folder, then rerun NoLop.

Step #3

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
Note: If you don't have HijackThis installed on your computer, dss will prompt you to download and install it for you; please allow this to happen!

In your next post please include the following reports:
  • SmitfraudFix report
  • NoLop report
  • dss scan reports main.txt and extra.txt
Let me know how things went.

Regards,

Edited by SNOWHITE, 03 December 2007 - 12:13 PM.

SNOWHITE

#3 Lord

  • Topic Starter

  • Members
  • 23 posts

Posted 03 December 2007 - 12:35 PM

Thanks SnoWhite - here's the report (spelt "rapport")


SmitFraudFix v2.257

Scan done at 23:03:16.39, Mon 12/03/2007
Run from C:\Documents and Settings\Shiavax\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\system32\umonit.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\jokwmp.dll FOUND !
C:\WINDOWS\popnetkqw.dll FOUND !
C:\WINDOWS\rmvgor.dll FOUND !
C:\WINDOWS\sapnet.dll FOUND !
C:\WINDOWS\xpupdate.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Shiavax


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Shiavax\Application Data

C:\Documents and Settings\Shiavax\Application Data\Install.dat FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Shiavax\Recent\FAVORI~1

C:\DOCUME~1\Shiavax\Recent\FAVORI~1\Error Cleaner.url FOUND !
C:\DOCUME~1\Shiavax\Recent\FAVORI~1\Privacy Protector.url FOUND !
C:\DOCUME~1\Shiavax\Recent\FAVORI~1\Spyware?Malware Protection.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

C:\DOCUME~1\Shiavax\Desktop\Error Cleaner.url FOUND !
C:\DOCUME~1\Shiavax\Desktop\Privacy Protector.url FOUND !
C:\DOCUME~1\Shiavax\Desktop\Spyware?Malware Protection.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\RichVideoCodec\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\mmssbqcbq.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
DNS Server Search Order: 202.88.130.67
DNS Server Search Order: 202.88.1.30

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7A285220-3F41-4F49-A74F-B065FCEF34EA}: DhcpNameServer=202.88.130.67 202.88.1.30
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7A285220-3F41-4F49-A74F-B065FCEF34EA}: DhcpNameServer=202.88.130.67 202.88.1.30
HKLM\SYSTEM\CS3\Services\Tcpip\..\{7A285220-3F41-4F49-A74F-B065FCEF34EA}: DhcpNameServer=202.88.130.67 202.88.1.30
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=202.88.130.67 202.88.1.30
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=202.88.130.67 202.88.1.30
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=202.88.130.67 202.88.1.30


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#4 Lord

  • Topic Starter

  • Members
  • 23 posts

Posted 03 December 2007 - 12:50 PM

And the second log...

NoLop! Log by Skate_Punk_21

Fix running from: C:\Documents and Settings\Shiavax\Desktop
[12/3/2007]
[11:10:41 PM]

---Infection Files Found/Removed---
C:\WINDOWS\tasks\B11DF7B6962E6B52.job

Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**

---Listing AppData sub directories---

C:\Documents and Settings\Administrator\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Aol -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Creative
C:\Documents and Settings\All Users\Application Data\Downloaded Installations
C:\Documents and Settings\All Users\Application Data\Freemeowdebugintra
C:\Documents and Settings\All Users\Application Data\Google
C:\Documents and Settings\All Users\Application Data\Gtek
C:\Documents and Settings\All Users\Application Data\Hp
C:\Documents and Settings\All Users\Application Data\Installshield
C:\Documents and Settings\All Users\Application Data\Intel
C:\Documents and Settings\All Users\Application Data\Live 64 Math Does
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Otto
C:\Documents and Settings\All Users\Application Data\Pc Suite
C:\Documents and Settings\All Users\Application Data\Quicktime
C:\Documents and Settings\All Users\Application Data\Skype
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\All Users\Application Data\Yahoo!
C:\Documents and Settings\Default User\Application Data\Corel
C:\Documents and Settings\Default User\Application Data\Gtek
C:\Documents and Settings\Default User\Application Data\Identities
C:\Documents and Settings\Default User\Application Data\Intel
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Default User\Application Data\Sun
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Intel
C:\Documents and Settings\Networkservice\Application Data\Microsoft
C:\Documents and Settings\Shiavax\Application Data\Adobe
C:\Documents and Settings\Shiavax\Application Data\Adobeaum
C:\Documents and Settings\Shiavax\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Shiavax\Application Data\Anti-virus-pro.com
C:\Documents and Settings\Shiavax\Application Data\Copytodvd -- EMPTY Directory
C:\Documents and Settings\Shiavax\Application Data\Corel
C:\Documents and Settings\Shiavax\Application Data\Corel Photo Album
C:\Documents and Settings\Shiavax\Application Data\Creative
C:\Documents and Settings\Shiavax\Application Data\Cyberlink
C:\Documents and Settings\Shiavax\Application Data\Getrighttogo
C:\Documents and Settings\Shiavax\Application Data\Google
C:\Documents and Settings\Shiavax\Application Data\Gtek
C:\Documents and Settings\Shiavax\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Shiavax\Application Data\Hp
C:\Documents and Settings\Shiavax\Application Data\Identities
C:\Documents and Settings\Shiavax\Application Data\Image Zone Express
C:\Documents and Settings\Shiavax\Application Data\Intel
C:\Documents and Settings\Shiavax\Application Data\Intertrust
C:\Documents and Settings\Shiavax\Application Data\Lavasoft
C:\Documents and Settings\Shiavax\Application Data\Leadertech
C:\Documents and Settings\Shiavax\Application Data\Macromedia
C:\Documents and Settings\Shiavax\Application Data\Microsoft
C:\Documents and Settings\Shiavax\Application Data\Microsoft Web Folders -- EMPTY Directory
C:\Documents and Settings\Shiavax\Application Data\Mozilla
C:\Documents and Settings\Shiavax\Application Data\Nokia
C:\Documents and Settings\Shiavax\Application Data\Nokia Multimedia Player
C:\Documents and Settings\Shiavax\Application Data\Otto
C:\Documents and Settings\Shiavax\Application Data\Pc Suite
C:\Documents and Settings\Shiavax\Application Data\Ping Once Ball
C:\Documents and Settings\Shiavax\Application Data\Skype
C:\Documents and Settings\Shiavax\Application Data\Slysoft
C:\Documents and Settings\Shiavax\Application Data\Sonic
C:\Documents and Settings\Shiavax\Application Data\Sun
C:\Documents and Settings\Shiavax\Application Data\Talkback
C:\Documents and Settings\Shiavax\Application Data\Thunderbird
C:\Documents and Settings\Shiavax\Application Data\Vso
C:\Documents and Settings\Shiavax\Application Data\Yahoo!

#5 Lord

  • Topic Starter

  • Members
  • 23 posts

Posted 03 December 2007 - 01:03 PM

main.txt :

Deckard's System Scanner v20071014.68
Run by Shiavax on 2007-12-03 23:24:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; System Restore is disabled (service is not running).


-- Last 5 Restore Point(s) --
10: 2007-11-24 03:32:14 UTC - RP282 - System Checkpoint
9: 2007-11-22 17:22:56 UTC - RP281 - Installed Colin McRae Rally 2005
8: 2007-11-21 18:55:34 UTC - RP280 - System Checkpoint
7: 2007-11-19 03:09:09 UTC - RP279 - System Checkpoint
6: 2007-11-17 12:30:19 UTC - RP278 - System Checkpoint


-- First Restore Point --
1: 2007-11-11 10:40:55 UTC - RP273 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Shiavax.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:13 PM, on 12/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\system32\umonit.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Documents and Settings\Shiavax\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Shiavax.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - 0>FC3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: MSVPS System - {A4D00A75-F69A-49FD-9058-AB925712CCFF} - C:\WINDOWS\popnetkqw.dll
O2 - BHO: (no name) - Š=FB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O3 - Toolbar: The jokwmp - {AB9235F6-DB9F-4FDC-AAFB-A3BAF1849E34} - C:\WINDOWS\jokwmp.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\umonit.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [up open] C:\DOCUME~1\Shiavax\APPLIC~1\PINGON~1\part flag.exe
O4 - HKCU\..\RunOnce: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /play
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\BP Go!Zilla v4.1\download-with-gozilla.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1181325029375
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\mmssbqcbq.dll
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll
O21 - SSODL: sapnet - {70C4A2F7-E8F8-4B89-A620-200DB3A65D23} - C:\WINDOWS\sapnet.dll
O21 - SSODL: rmvgor - {385540C9-9B19-4CCD-BB35-046BBE75215B} - C:\WINDOWS\rmvgor.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 6866 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
R1 cdrbsvsd - c:\windows\system32\drivers\cdrbsvsd.sys <Not Verified; B.H.A Corporation; B's Recorder GOLD7>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Inc; OMCI Driver>
R1 tmtdi (Trend Micro TDI Driver) - c:\windows\system32\drivers\tmtdi.sys <Not Verified; Trend Micro Inc.; Trend Micro Network Security Component 1.0>
R1 Tosrfcom (Bluetooth RFCOMM from TOSHIBA) - c:\windows\system32\drivers\tosrfcom.sys <Not Verified; TOSHIBA Corporation; Bluetooth RFCOMM Driver>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.9.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.9.0>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R2 tm_cfw (Common Firewall Driver) - c:\windows\system32\drivers\tm_cfw.sys <Not Verified; Trend Micro Inc.; Trend Network Security Component 1.0>
R3 tosporte (Bluetooth Port Driver from Toshiba) - c:\windows\system32\drivers\tosporte.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Bluetooth Port Emulation Driver>
R3 Tosrfbd (Bluetooth RFBUS from TOSHIBA) - c:\windows\system32\drivers\tosrfbd.sys <Not Verified; TOSHIBA CORPORATION; Bluetooth BUS Driver(WindowsXP,Windows2000)>
R3 Tosrfbnp (Bluetooth RFBNEP from TOSHIBA) - c:\windows\system32\drivers\tosrfbnp.sys <Not Verified; TOSHIBA Corporation; Bluetooth RFBNEP Driver from TOSHIBA>
R3 Tosrfhid (Bluetooth RFHID from TOSHIBA) - c:\windows\system32\drivers\tosrfhid.sys <Not Verified; TOSHIBA Corporation.; Bluetooth HID Driver from TOSHIBA>
R3 tosrfnds (Bluetooth Personal Area Network from TOSHIBA) - c:\windows\system32\drivers\tosrfnds.sys <Not Verified; TOSHIBA Corporation.; Bluetooth BNEP Driver from TOSHIBA>
R3 Tosrfusb (Bluetooth USB Controller) - c:\windows\system32\drivers\tosrfusb.sys <Not Verified; TOSHIBA CORPORATION; Microsoft® Windows NT® Operating System>

S0 PxHelp20 - c:\windows\system32\drivers\pxhelp20.sys (file missing)
S2 ASCTRM - c:\windows\system32
S3 fixustor - c:\windows\system32\drivers\fixustor.sys <Not Verified; Genesys Logic; USB storage patch driver>
S3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys (file missing)
S3 toshidpt (TOSHIBA Bluetooth HID port driver) - c:\windows\system32\drivers\toshidpt.sys <Not Verified; TOSHIBA Corporation.; TOSHIBA Bluetooth HID Mini Port Driver>
S3 TosRfSnd (Bluetooth Audio Device (WDM) from TOSHIBA) - c:\windows\system32\drivers\tosrfsnd.sys <Not Verified; TOSHIBA Corporation; Bluetooth Audio Driver>
S3 usbbus (LGE CDMA Composite USB Device) - c:\windows\system32\drivers\lgusbbus.sys <Not Verified; LG Electronics Inc.; LG CDMA USB Multi function Driver>
S3 UsbDiag (LGE CDMA USB Serial Port) - c:\windows\system32\drivers\lgusbdiag.sys <Not Verified; LG Electronics Inc.; LG CDMA USB Diagnostics Driver>
S3 USBModem (LGE CDMA USB Modem) - c:\windows\system32\drivers\lgusbmodem.sys <Not Verified; LG Electronics Inc.; LG CDMA USB Modem Driver>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 NICCONFIGSVC - c:\program files\dell\nicconfigsvc\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>
R2 PcCtlCom (Trend Micro Central Control Component) - c:\progra~1\trendm~1\intern~1\pcctlcom.exe <Not Verified; Trend Micro Incorporated.; Trend Micro Internet Security>
R2 RegSrvc (Intel® PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel® PROSet/Wireless Registry Service>
R2 Tmntsrv (Trend Micro Real-time Service) - c:\progra~1\trendm~1\intern~1\tmntsrv.exe <Not Verified; Trend Micro Incorporated.; Trend Micro Internet Security>
R2 TmPfw (Trend Micro Personal Firewall) - c:\progra~1\trendm~1\intern~1\tmpfw.exe <Not Verified; Trend Micro Inc.; Trend Network Security Component 1.0>
R2 tmproxy (Trend Micro Proxy Service) - c:\progra~1\trendm~1\intern~1\tmproxy.exe <Not Verified; Trend Micro Inc.; Trend Micro Network Security Components 1.0>
R2 WLANKEEPER (Intel® PROSet/Wireless SSO Service) - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel® Corporation; SSO Service>

S3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>
S4 Bluetooth Hid Switch Service - "c:\program files\bluetooth\hidswitchservice\hidsw.exe" <Not Verified; Cambridge Silicon Radio; HID Switch Service>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\219E921444FC000
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\219E921444FC000
Service: NIC1394


-- Scheduled Tasks -------------------------------------------------------------

2007-11-23 16:00:00 406 --ah----- C:\WINDOWS\Tasks\{53B6A01B-3933-4557-8F1A-5CA6F0A398CF}_LORDSCENTRAL_Shiavax.job
2007-11-23 16:00:00 406 --ah----- C:\WINDOWS\Tasks\{00187C02-249C-4587-A780-360ADDFCB998}_LORDSCENTRAL_Shiavax.job
2007-11-22 09:00:00 406 --ah----- C:\WINDOWS\Tasks\{73239C7E-1D6B-4E80-A5BD-3376868BE500}_LORDSCENTRAL_Shiavax.job
2006-04-28 04:09:22 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 1.job


-- Files created between 2007-11-03 and 2007-12-03 -----------------------------

2007-12-03 23:11:32 0 d------c- C:\NoLopBackups
2007-12-03 23:03:19 1638 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-03 19:25:38 0 d-------- C:\Program Files\WinAble
2007-12-03 19:25:36 0 d-------- C:\Program Files\Temporary
2007-12-03 19:25:29 6656 --a------ C:\WINDOWS\system32\create.exe
2007-12-03 19:23:39 20449 --a------ C:\WINDOWS\system32\1353397141.dll
2007-12-03 19:22:43 137306 --a------ C:\WINDOWS\noskrnl.exe
2007-12-03 19:22:12 20480 --a------ C:\WINDOWS\system32\mmssbqcbq.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-03 19:21:44 35840 --a------ C:\WINDOWS\mrofinu27.exe
2007-12-03 19:19:42 109056 --a------ C:\Documents and Settings\Shiavax\http_ws2.dll
2007-12-03 19:17:50 20480 --a------ C:\WINDOWS\system32\mmssfjbfj.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-03 19:17:35 50176 --a----c- C:\WinSock.dll
2007-11-24 17:03:14 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-11-24 17:03:14 0 d-------- C:\Documents and Settings\Administrator\Application Data
2007-11-24 17:03:14 0 d-------- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-11-24 16:02:04 45072 --a------ C:\WINDOWS\taskmon.exe
2007-11-24 16:02:04 12960 --a------ C:\WINDOWS\system32\taskmon.sys
2007-11-24 16:01:51 7388 --a------ C:\WINDOWS\system32\newmaxxsv234.exe
2007-11-24 14:33:20 13824 --a------ C:\WINDOWS\system32\max1d11643v.exe
2007-11-24 14:32:32 0 --a------ C:\Documents and Settings\Shiavax\Application Data\Install.dat
2007-11-24 14:32:31 27730 --a------ C:\WINDOWS\xpupdate.exe
2007-11-24 14:31:50 17285 --a------ C:\WINDOWS\system32\kernelwind32.exe
2007-11-24 14:01:57 331776 --a------ C:\WINDOWS\sapnet.dll
2007-11-24 14:01:57 278528 --a------ C:\WINDOWS\rmvgor.dll <Not Verified; ; rmvgor>
2007-11-24 14:01:57 274432 --a------ C:\WINDOWS\popnetkqw.dll <Not Verified; ; popnetkqw>
2007-11-24 14:01:57 81920 --a------ C:\WINDOWS\nethop.exe
2007-11-24 14:01:57 188416 --a------ C:\WINDOWS\jokwmp.dll <Not Verified; ; jokwmp Module>
2007-11-24 13:31:21 0 d-------- C:\Documents and Settings\Shiavax\Application Data\Anti-Virus-Pro.com
2007-11-24 13:31:18 0 d-------- C:\Program Files\AntiVirusPro
2007-11-24 12:50:49 22664 --a------ C:\WINDOWS\system32\ctfmona.exe
2007-11-24 12:46:59 0 d-------- C:\Program Files\RichVideoCodec
2007-11-21 21:29:03 0 d-------- C:\Program Files\Qlock
2007-11-09 21:49:26 0 d-------- C:\Program Files\Ping once ball


-- Find3M Report ---------------------------------------------------------------

2007-12-03 21:59:35 0 d-------- C:\Program Files\Trend Micro
2007-11-22 22:53:04 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-14 23:48:51 7674 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-11-14 23:48:45 88 -r-hs---- C:\WINDOWS\system32\68EC5497E8.sys
2007-11-13 21:31:16 0 d-------- C:\Documents and Settings\Shiavax\Application Data\Image Zone Express
2007-11-09 21:53:11 0 d-------- C:\Documents and Settings\Shiavax\Application Data\Ping once ball
2007-10-19 09:46:16 27936 --a------ C:\Documents and Settings\Shiavax\Application Data\PatchUpdate_HP_CounterReport_Update_HPSU.log
2007-10-19 09:45:51 2112 --a------ C:\Documents and Settings\Shiavax\Application Data\HPSU_48BitScanUpdate.log
2007-10-19 09:39:24 25365 --a------ C:\Documents and Settings\Shiavax\Application Data\Update_HP_RedboxHprblog_HPSU.log
2007-10-19 09:15:54 139264 --a------ C:\WINDOWS\system32\hpzjrd01.dll <Not Verified; Hewlett Packard; Hewlett Packard Rediscovery Library>
2007-10-10 19:08:09 56 -r-hs---- C:\WINDOWS\system32\E89754EC68.sys
2007-10-10 19:08:06 0 d-------- C:\Documents and Settings\Shiavax\Application Data\Corel
2007-10-09 21:51:50 0 d-------- C:\Documents and Settings\Shiavax\Application Data\AdobeAUM
2007-10-08 14:02:54 0 d-------- C:\Program Files\Google
2007-10-08 12:15:44 0 d-------- C:\Program Files\SlySoft
2007-10-05 07:50:00 0 d-------- C:\Documents and Settings\Shiavax\Application Data\Skype
2007-10-02 19:51:39 53248 --a------ C:\WINDOWS\uneng.exe
2007-10-02 19:11:24 3258432 --a------ C:\Documents and Settings\Shiavax\Application Data\NMM-MetaData.db
2007-09-14 17:39:57 187 --a------ C:\Documents and Settings\Shiavax\Application Data\G-Force Prefs (WindowsMediaPlayer).txt
2007-09-06 16:45:24 112187 --a------ C:\WINDOWS\hpoins07.dat
2007-09-04 15:51:01 1156 --a------ C:\WINDOWS\mozver.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A4D00A75-F69A-49FD-9058-AB925712CCFF}]
11/23/2007 11:43 PM 274432 --a------ C:\WINDOWS\popnetkqw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [12/26/2001 02:00 AM]
"CTStartup"="C:\Program Files\Creative\Splash Screen\CTEaxSpl.exe" [09/13/2002 01:04 AM]
"UMonit"="C:\WINDOWS\system32\umonit.exe" [11/27/2003 04:16 PM]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [09/27/2005 06:04 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/29/2006 07:54 PM]
"up open"="C:\DOCUME~1\Shiavax\APPLIC~1\PINGON~1\part flag.exe" [11/09/2007 09:49 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"CTStartup"="C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /play

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"sapnet"= {70C4A2F7-E8F8-4B89-A620-200DB3A65D23} - C:\WINDOWS\sapnet.dll [11/23/2007 11:43 PM 331776]
"rmvgor"= {385540C9-9B19-4CCD-BB35-046BBE75215B} - C:\WINDOWS\rmvgor.dll [11/23/2007 11:43 PM 278528]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\botreg]
C:\Documents and Settings\All Users\Documents\Settings\bot.dll 12/03/2007 07:21 PM 12899 C:\Documents and Settings\All Users\Documents\Settings\bot.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\mmssbqcbq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=C:\WINDOWS\pss\Bluetooth Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BulletProof Go!Zilla.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BulletProof Go!Zilla.lnk
backup=C:\WINDOWS\pss\BulletProof Go!Zilla.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Shiavax^Start Menu^Programs^Startup^EngNet Clocks.lnk]
path=C:\Documents and Settings\Shiavax\Start Menu\Programs\Startup\EngNet Clocks.lnk
backup=C:\WINDOWS\pss\EngNet Clocks.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Shiavax^Start Menu^Programs^Startup^qlock.lnk]
path=C:\Documents and Settings\Shiavax\Start Menu\Programs\Startup\qlock.lnk
backup=C:\WINDOWS\pss\qlock.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Shiavax^Start Menu^Programs^Startup^Smart Desktop Calendar.lnk]
path=C:\Documents and Settings\Shiavax\Start Menu\Programs\Startup\Smart Desktop Calendar.lnk
backup=C:\WINDOWS\pss\Smart Desktop Calendar.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Shiavax^Start Menu^Programs^Startup^U.S. Robotics USB Phone.lnk]
path=C:\Documents and Settings\Shiavax\Start Menu\Programs\Startup\U.S. Robotics USB Phone.lnk
backup=C:\WINDOWS\pss\U.S. Robotics USB Phone.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
"C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmona]
C:\WINDOWS\system32\ctfmona.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Firewall auto setup]
C:\DOCUME~1\Shiavax\LOCALS~1\Temp\winlogon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
"C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
"C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IridiumTimeWizard]
E:\before 7 sept 2005\iridium.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel32]
C:\WINDOWS\system32\drivers\etc\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MATH DOES FIRST MODE]
C:\Documents and Settings\All Users\Application Data\live 64 math does\vga corn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
C:\Program Files\NetWaiting\netWaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NOMAD Detector]
"C:\Program Files\Creative\NOMAD Jukebox Zen (USB2.0)\PlayCenter2\CTNMRUN.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\noskrnl]
C:\WINDOWS\noskrnl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE_OEM]
"C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
"C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu27.exe 61A847B5BBF72810358B2B27128065E9C084320161C4661227A755E9C2933154389A

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runtime.exe]
C:\WINDOWS\system32\runtime.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Service Pack 1]
C:\WINDOWS\system32\vedxg6ame4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowLOMControl]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spoolsvv]
C:\WINDOWS\system32\spoolsvv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System]
C:\WINDOWS\system32\kernelwind32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemSv12]
C:\WINDOWS\system32\newmaxxsv234.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TataIndicomStartUp]
C:\Program Files\Tata Indicom Wireless Internet Service\TataIndicomStartUp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\up open]
C:\DOCUME~1\Shiavax\APPLIC~1\PINGON~1\part flag.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
C:\Windows\xpupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe




-- End of Deckard's System Scanner: finished at 2007-12-03 23:28:19 ------------

#6 Lord

Topic Starter

Posted 03 December 2007 - 01:04 PM

extra.txt :

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Genuine Intel® CPU T2300 @ 1.66GHz
CPU 1: Genuine Intel® CPU T2300 @ 1.66GHz
Percentage of Memory in Use: 45%
Physical Memory (total/avail): 1014.37 MiB / 550.39 MiB
Pagefile Memory (total/avail): 2440.79 MiB / 2115.66 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1929.03 MiB

C: is Fixed (NTFS) - 49.8 GiB total, 9.16 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - TOSHIBA MK6032GSX - 54.49 GiB - 3 partitions
\PARTITION0 - Unknown - 39.19 MiB
\PARTITION1 (bootable) - Installable File System - 49.8 GiB - C:
\PARTITION2 - Unknown - 4.64 GiB



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntivirusOverride is set.

FW: Trend Micro PC-cillin Internet Security (Firewall) v12 (Trend Micro, Inc.)
AV: Trend Micro PC-cillin Internet Security v12.7.1017 (Trend Micro, Inc.) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Shiavax\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=LORDSCENTRAL
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Shiavax
LOGONSERVER=\\LORDSCENTRAL
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\PC Connectivity Solution\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Adaptec Shared\System
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e08
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Shiavax\LOCALS~1\Temp
TMP=C:\DOCUME~1\Shiavax\LOCALS~1\Temp
USERDOMAIN=LORDSCENTRAL
USERNAME=Shiavax
USERPROFILE=C:\Documents and Settings\Shiavax
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Shiavax (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> MsiExec.exe /I{95D9B4D8-B091-4fab-80EA-313EB4B82FD6}
--> MsiExec.exe /I{EB997E90-5EB0-4eb5-90D0-90B1D2F0CA03}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3C080B57-0D1E-4C73-B03B-68A9EF9F23F3}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3C080B57-0D1E-4C73-B03B-68A9EF9F23F3}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48E3A9E6-FA13-11D5-8CC9-00A0C98192B6}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48E3A9E6-FA13-11D5-8CC9-00A0C98192B6}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{869E0E63-21D4-4B71-ABB4-AA27D82E52F4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{869E0E63-21D4-4B71-ABB4-AA27D82E52F4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{86CE70AB-EE71-4B17-9458-8D3C7C9E77CF}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{86CE70AB-EE71-4B17-9458-8D3C7C9E77CF}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Acrobat - Reader 6.0.2 Update --> MsiExec.exe /I{AC76BA86-0000-0000-0000-6028747ADE01}
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe -q
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Adobe® Photoshop® Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
Bluetooth Stack for Windows by Toshiba --> MsiExec.exe /X{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}
Broadcom Management Programs --> MsiExec.exe /I{26E1BFB0-E87E-4696-9F89-B467F01F81E5}
BulletProof Go!Zilla (remove only) --> "C:\Program Files\BP Go!Zilla v4.1\unins000.exe"
Canon Camera Support Core Library --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{26BDE7D8-93F0-4A07-AD47-1707DB417941} /l1033
Canon Camera Window for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{B34BE30D-A759-4EC2-B58F-19FE2DEBF651}
Canon MovieEdit Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{DE286975-ACF1-45B8-9EF7-34E162B2C817}
Canon PhotoRecord --> MsiExec.exe /X{BEF56F2D-56ED-4176-BF72-7B68D4A3B98D}
Canon RAW Image Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{68E7E8BD-2233-49BE-81D6-1A1FAF1B5196}
Canon RemoteCapture Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{CF2C1A86-5A98-4862-A3AE-9992E3A6427D}
Canon Utilities PhotoStitch 3.1 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{EF4C7EB0-D71B-43A3-9552-8053DE4B0401}
Canon Utilities ZoomBrowser EX --> MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
CiD Help --> C:\DOCUME~1\Shiavax\APPLIC~1\PINGON~1\part flag.exe -uninstall
Conexant HDA D110 MDC V.92 Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3\HXFSETUP.EXE -U -Idel1028k.inf
Corel Paint Shop Pro X --> MsiExec.exe /I{1A15507A-8551-4626-915D-3D5FA095CC1B}
Corel Photo Album 6 --> MsiExec.exe /X{8A9B8148-DDD7-448F-BD6C-358386D32354}
Creative Jukebox Driver --> C:\Program Files\Creative\Jukebox 3 Drivers\DrvUnins.exe /s
Dell Digital Jukebox Driver --> C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
Dell Support 3.1 --> MsiExec.exe /X{548EEA8E-8299-497F-8057-811D2D7097DC}
Digital Content Portal --> MsiExec.exe /I{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}
Documentation & Support Launcher --> MsiExec.exe /X{B0DF58A2-40DF-4465-AA56-38623EC9938C}
Download Plugin for Internet Explorer --> C:\Program Files\Download Plugin\DlPlugin-MSIE_1.5.0.0\setup2.exe uninstall
Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
EngNet Clocks 1.2 --> "C:\Program Files\EngNet Clocks\unins000.exe"
Games, Music, & Photos Launcher --> MsiExec.exe /X{B6884A07-0305-47AE-9969-8F26FADC17DE}
GemMaster Mystic --> "C:\Program Files\GemMaster\uninstallgemmaster.exe"
Generic color icon driver --> C:\WINDOWS\temp\fixustor\remove.exe
Genesys USB Mass Storage Device --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B4BF87C8-3EEC-4774-82A2-584F109187B1}\Setup.exe"
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotel Reception Desk --> MsiExec.exe /I{17812FD1-3ECB-49CE-993A-8C796F1F1BD6}
HP Extended Capabilities 5.3 --> C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Image Zone Express --> MsiExec.exe /X{FE64AE29-0883-4C70-8388-DC026019C900}
HP Imaging Device Functions 5.3 --> C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP PSC & OfficeJet 5.3.B --> "C:\Program Files\HP\Digital Imaging\{5B79CFD1-6845-4158-9D7D-6BE89DF2C135}\setup\hpzscr01.exe" -datfile hposcr07.dat
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
HP Solution Center & Imaging Support Tools 5.3 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
Incomedia WebSite X1 --> C:\WINDOWS\system32\ix1Setup.exe /Uninst:C:\WebSite X1
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_27A6 PCI\VEN_8086&DEV_27A2
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
Internal Network Card Power Management --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F528948-0E80-4C96-B455-DE4167CB1DF7}\setup.exe" -l0x9 UNINSTALL APPDRVNT4
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
LG USB Modem driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C3ABE126-2BB2-4246-BFE1-6797679B3579}\Setup.exe" -l0x9
Macromedia Flash Player --> MsiExec.exe /X{4ecaf021-478c-40c1-b777-3368a15f9966}
mCore --> MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDrWiFi --> MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
mHlpDell --> MsiExec.exe /I{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}
Microsoft ActiveSync 3.7 --> "C:\WINDOWS\ISUNINST.EXE" -f"C:\Program Files\Microsoft ActiveSync\DeIsL1.isu" -c"C:\Program Files\Microsoft ActiveSync\ceuninst.dll"
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Office Web Components --> MsiExec.exe /I{002C9999-0000-0000-C000-000000000112}
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Mozilla Firefox (2.0) --> C:\Program Files\Mozilla Firefox\uninstall\uninst.exe
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mSSO --> MsiExec.exe /I{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}
Musicmatch® Jukebox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85D3CC30-8859-481A-9654-FD9B74310BEF}\setup.exe" -l0x9 -uninst
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mWMI --> MsiExec.exe /I{63DB9CCD-2B56-4217-9A3D-507AC78320CA}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
Nokia Connectivity Cable Driver --> MsiExec.exe /X{0FF1922C-B6C4-40BB-AF30-BEF75A482444}
Nokia PC Suite --> MsiExec.exe /I{1B58C9D2-1925-413F-B29A-C4E7596C43F5}
NOMAD Jukebox Zen (USB2.0) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{05E4D93C-C00D-11D6-9E5C-00D0B76A8705}\SETUP.EXE" -l0x9
Otto --> "C:\Program Files\EnglishOtto\uninstallotto.exe"
PC Connectivity Solution --> MsiExec.exe /I{D8E4A66D-DB68-481F-ABA8-AC622566D4CB}
PowerDVD 5.7 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Qlock Lite --> "C:\Program Files\Qlock\uninstall.exe"
QuickSet --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe" -l0x9 APPDRVNT4
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
RezBook Version 2.40.4 Build 3332 --> C:\WINDOWS\pchealth\UNWISE.EXE C:\WINDOWS\pchealth\INSTALL.LOG
Rich Video Codec v1.6 --> C:\Program Files\RichVideoCodec\Uninstall.exe
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Skype™ 3.5 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic Encoders --> MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
Sonic MyDVD LE --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow Audio --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Sony USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\Setup.exe" UNINSTALL
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Tata Indicom Internet Service Dialer --> c:\Program Files\tatauninstall.exe
Texas Instruments PCIxx20 drivers. --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{6F30B469-5ED7-4734-8252-B9BC962A2AB3} /l1033
Trend Micro PC-cillin Internet Security 12 --> MsiExec.exe /X{7698EDA5-A90F-4205-99CB-8FF6F9048ED9}
U.S. Robotics USB Phone --> "C:\Program Files\U.S. Robotics\U.S. Robotics USB Phone\uninstall.exe"
Update Rollup 2 for Windows XP Media Center Edition 2005 --> C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe
VSO CopyToDVD 3 --> "C:\Program Files\VSO\unins000.exe"
WebVideo Support --> C:\WINDOWS\nethop.exe
Windows Driver Package - Nokia (WUDFRd) WPD (11/03/2006 6.82.26.2) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccswpddri_6B630EE2E66584353C6CD8683D447072872F34D8\pccswpddriver.inf
Windows Driver Package - Nokia Modem (11/03/2006 6.82.0.1) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokbtmdm_4EFFAAE27A08EDFDE145390033D8EF099DA65567\nokbtmdm.inf
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows XP Media Center Edition 2005 KB908246 --> "C:\WINDOWS\$NtUninstallKB908246$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB908250 --> "C:\WINDOWS\$NtUninstallKB908250$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB912067 -->
WordPerfect Office 12 --> MsiExec.exe /I{AF19F291-F22F-4798-9662-525305AE9E48}
Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type14013 / Error
Event Submitted/Written: 12/03/2007 11:09:00 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.3156, faulting module unknown, version 0.0.0.0, fault address 0x00095075.
Processing media-specific event for [explorer.exe!ws!]

Event Record #/Type14011 / Error
Event Submitted/Written: 12/03/2007 10:47:26 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.3156, faulting module unknown, version 0.0.0.0, fault address 0x00095075.
Processing media-specific event for [explorer.exe!ws!]

Event Record #/Type14009 / Error
Event Submitted/Written: 12/03/2007 10:10:32 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.3156, faulting module unknown, version 0.0.0.0, fault address 0x00095075.
Processing media-specific event for [explorer.exe!ws!]

Event Record #/Type14007 / Error
Event Submitted/Written: 12/03/2007 09:44:30 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.3156, faulting module unknown, version 0.0.0.0, fault address 0x00095075.
Processing media-specific event for [explorer.exe!ws!]

Event Record #/Type14005 / Error
Event Submitted/Written: 12/03/2007 09:28:48 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.3156, faulting module unknown, version 0.0.0.0, fault address 0x00095075.
Processing media-specific event for [explorer.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type30882 / Error
Event Submitted/Written: 12/03/2007 08:29:50 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Computer Browser service terminated with the following error:
%%1460

Event Record #/Type30879 / Warning
Event Submitted/Written: 12/03/2007 08:26:12 PM
Event ID/Source: 20169 / RemoteAccess
Event Description:
Unable to contact a DHCP server. The Automatic Private IP Address 169.254.184.17 will be
assigned to dial-in clients. Clients may be unable to access resources on
the network.

Event Record #/Type30866 / Error
Event Submitted/Written: 12/03/2007 08:24:55 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The ASCTRM service failed to start due to the following error:
%%2001

Event Record #/Type30864 / Warning
Event Submitted/Written: 12/03/2007 08:24:20 PM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 001422CD0D41. The IP address being used is 202.88.177.67.

Event Record #/Type30856 / Error
Event Submitted/Written: 12/03/2007 07:44:26 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Computer Browser service terminated with the following error:
%%1460



-- End of Deckard's System Scanner: finished at 2007-12-03 23:28:19 ------------

#7 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:05:32 PM

Posted 03 December 2007 - 01:34 PM

PLEASE READ THIS POST COMPLETELY, IT MAY MAKE IT EASIER FOR YOU IF YOU COPY AND PASTE THIS POST INTO A NEW TEXT DOCUMENT OR PRINT IT FOR REFERENCE LATER



Please follow the steps below exactly in the order they are written:

Step #1

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non infected computer will remove your Desktop background.

Step #2
1. Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
2. Download combofix from one of these links:
Link1
Link2
3. Double click combofix.exe & follow the prompts.
4. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Note:
Combofix should never take more than 20 minutes including the reboot if malware is detected.

If it does, open task-manager > use the processes tab (press ctrl alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.

If that happened we want to know, and also what process you had to end.
Post back with the SmitfraudFix report and the ComboFix report, then run HijackThis again after ComboFix finishes its job and post the new report back here.

Let me know how things go.
SNOWHITE

#8 Lord

Lord
  • Topic Starter

  • Members
  • 23 posts
  • Local time:10:02 PM

Posted 03 December 2007 - 02:05 PM

SmitFraudFix v2.257

Scan done at 0:21:36.60, Tue 12/04/2007
Run from C:\Documents and Settings\Shiavax\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\jokwmp.dll Deleted
C:\WINDOWS\popnetkqw.dll Deleted
C:\WINDOWS\rmvgor.dll Deleted
Deleting [HKEY_CLASSES_ROOT\CLSID\{385540C9-9B19-4CCD-BB35-046BBE75215B}]
Deleting [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{385540C9-9B19-4CCD-BB35-046BBE75215B}]
C:\WINDOWS\sapnet.dll Deleted
Deleting [HKEY_CLASSES_ROOT\CLSID\{70C4A2F7-E8F8-4B89-A620-200DB3A65D23}]
C:\WINDOWS\xpupdate.exe Deleted
C:\Documents and Settings\Shiavax\Application Data\Install.dat Deleted
C:\DOCUME~1\Shiavax\Desktop\Error Cleaner.url Deleted
C:\DOCUME~1\Shiavax\Desktop\Privacy Protector.url Deleted
C:\DOCUME~1\Shiavax\Desktop\Spyware?Malware Protection.url Deleted
C:\DOCUME~1\Shiavax\Recent\FAVORI~1\Error Cleaner.url Deleted
C:\DOCUME~1\Shiavax\Recent\FAVORI~1\Privacy Protector.url Deleted
C:\DOCUME~1\Shiavax\Recent\FAVORI~1\Spyware?Malware Protection.url Deleted
C:\Program Files\RichVideoCodec\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7A285220-3F41-4F49-A74F-B065FCEF34EA}: DhcpNameServer=202.88.130.67 202.88.1.30
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7A285220-3F41-4F49-A74F-B065FCEF34EA}: DhcpNameServer=202.88.130.67 202.88.1.30
HKLM\SYSTEM\CS3\Services\Tcpip\..\{7A285220-3F41-4F49-A74F-B065FCEF34EA}: DhcpNameServer=202.88.130.67 202.88.1.30
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=202.88.130.67 202.88.1.30
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=202.88.130.67 202.88.1.30
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=202.88.130.67 202.88.1.30


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

#9 Lord

Lord
  • Topic Starter

  • Members
  • 23 posts
  • Local time:10:02 PM

Posted 03 December 2007 - 02:26 PM

ComboFix 07-12-02.6 - Shiavax 2007-12-04 0:45:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.512 [GMT 5.5:30]
Running from: C:\Documents and Settings\Shiavax\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.\documents\settings\bot.dll
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Documents and Settings\Shiavax\Application Data\macromedia\Flash Player\#SharedObjects\MB85NTFT\iforex.com
C:\Documents and Settings\Shiavax\Application Data\macromedia\Flash Player\#SharedObjects\MB85NTFT\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\Shiavax\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\Shiavax\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\Program Files\Temporary
C:\Program Files\WinAble
C:\WINDOWS\dat.txt
C:\WINDOWS\mrofinu27.exe
C:\WINDOWS\noskrnl.config
C:\WINDOWS\noskrnl.exe
C:\WINDOWS\rs.txt
C:\WINDOWS\search_res.txt
C:\WINDOWS\system32\1353397141.dll
C:\WINDOWS\system32\away.exe.exe
C:\WINDOWS\system32\config\55005244.Evt
C:\WINDOWS\system32\ctfmona.exe
C:\WINDOWS\system32\drivers\symavc32.sys
C:\WINDOWS\system32\drivers\VXA34.sys
C:\WINDOWS\system32\kernelwind32.exe
C:\WINDOWS\system32\max1d11643v.exe
C:\WINDOWS\system32\newmaxxsv234.exe
C:\Documents and Settings\All Users.\documents\settings

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_ASC3550P
-------\LEGACY_DRIVER
-------\LEGACY_SYSLIBRARY
-------\LEGACY_VXA34
-------\asc3550p


((((((((((((((((((((((((( Files Created from 2007-11-03 to 2007-12-03 )))))))))))))))))))))))))))))))
.

2007-12-04 00:21 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-12-04 00:21 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-12-04 00:21 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-12-04 00:21 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-04 00:21 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-03 23:24 . 2007-12-03 23:24 <DIR> d----c--- C:\Deckard
2007-12-03 23:11 . 2007-12-03 23:13 <DIR> d----c--- C:\NoLopBackups
2007-12-03 23:03 . 2007-12-04 00:21 1,638 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-03 19:25 . 2007-12-03 19:25 6,656 --a------ C:\WINDOWS\system32\create.exe
2007-12-03 19:22 . 2007-12-03 19:22 20,480 --a------ C:\WINDOWS\system32\mmssbqcbq.dll
2007-12-03 19:20 . 2007-12-03 19:20 29 --a------ C:\WINDOWS\system32\wgqtstag.tmp
2007-12-03 19:19 . 2007-12-03 19:19 109,056 --a------ C:\Documents and Settings\Shiavax\http_ws2.dll
2007-12-03 19:17 . 2007-12-03 19:22 50,176 --a--c--- C:\WinSock.dll
2007-12-03 19:17 . 2007-12-03 19:17 20,480 --a------ C:\WINDOWS\system32\mmssfjbfj.dll
2007-11-24 16:02 . 2007-11-24 16:33 45,072 --a------ C:\WINDOWS\taskmon.exe
2007-11-24 16:02 . 2007-11-24 16:33 12,960 --a------ C:\WINDOWS\system32\taskmon.sys
2007-11-24 14:01 . 2007-11-23 23:43 81,920 --a------ C:\WINDOWS\nethop.exe
2007-11-24 13:31 . 2007-11-24 14:55 <DIR> d-------- C:\Program Files\AntiVirusPro
2007-11-24 13:31 . 2007-11-24 13:31 <DIR> d-------- C:\Documents and Settings\Shiavax\Application Data\Anti-Virus-Pro.com
2007-11-21 21:29 . 2007-11-21 21:29 <DIR> d-------- C:\Program Files\Qlock
2007-11-09 21:49 . 2007-11-09 21:49 <DIR> d-------- C:\Program Files\Ping once ball

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-03 16:29 --------- d-----w C:\Program Files\Trend Micro
2007-11-22 17:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-14 18:18 7,674 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-11-13 16:01 --------- d-----w C:\Documents and Settings\Shiavax\Application Data\Image Zone Express
2007-11-09 16:23 --------- d-----w C:\Documents and Settings\Shiavax\Application Data\Ping once ball
2007-11-09 16:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\live 64 math does
2007-11-09 16:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\freemeowdebugintra
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-19 03:45 139,264 ----a-w C:\WINDOWS\system32\hpzjrd01.dll
2007-10-10 13:38 --------- d-----w C:\Documents and Settings\Shiavax\Application Data\Corel
2007-10-09 16:21 --------- d-----w C:\Documents and Settings\Shiavax\Application Data\AdobeAUM
2007-10-08 08:32 --------- d-----w C:\Program Files\Google
2007-10-08 06:45 --------- d-----w C:\Program Files\SlySoft
2007-10-05 02:20 --------- d-----w C:\Documents and Settings\Shiavax\Application Data\Skype
2007-10-02 14:21 53,248 ----a-w C:\WINDOWS\uneng.exe
2007-10-02 14:21 45,056 ----a-w C:\WINDOWS\system32\cdrtc.dll
2007-10-02 14:21 45,056 ----a-w C:\WINDOWS\system32\cdral.dll
2007-05-10 00:48 2,780,728 ----a-w C:\Program Files\ydrop3us.exe
2006-11-30 18:06 26,624 ----a-w C:\Program Files\December Shiavax.xls
2006-11-24 00:40 815,616 ----a-w C:\Program Files\GODZILLA.EXE
2006-09-13 20:08 284 ----a-w C:\Documents and Settings\Shiavax\Application Data\ViewerApp.dat
2006-06-03 22:57 251 ----a-w C:\Program Files\wt3d.ini
2003-11-28 04:40 94,208 ----a-w C:\Program Files\TATAUninstall.exe
2006-09-21 16:36 56 --sh--r C:\WINDOWS\system32\B44D47F8D0.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-08-29 19:54]
"up open"="C:\DOCUME~1\Shiavax\APPLIC~1\PINGON~1\part flag.exe" [2007-11-09 21:49]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"CTStartup"="C:\Program Files\Creative\Splash Screen\CTEaxSpl.exe" [2002-09-13 01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [2001-12-26 02:00]
"CTStartup"="C:\Program Files\Creative\Splash Screen\CTEaxSpl.exe" [2002-09-13 01:04]
"UMonit"="C:\WINDOWS\system32\umonit.exe" [2003-11-27 16:16]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2005-09-27 06:04]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 17:15]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\system32\mmssbqcbq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=C:\WINDOWS\pss\Bluetooth Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BulletProof Go!Zilla.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BulletProof Go!Zilla.lnk
backup=C:\WINDOWS\pss\BulletProof Go!Zilla.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Shiavax^Start Menu^Programs^Startup^EngNet Clocks.lnk]
path=C:\Documents and Settings\Shiavax\Start Menu\Programs\Startup\EngNet Clocks.lnk
backup=C:\WINDOWS\pss\EngNet Clocks.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Shiavax^Start Menu^Programs^Startup^qlock.lnk]
path=C:\Documents and Settings\Shiavax\Start Menu\Programs\Startup\qlock.lnk
backup=C:\WINDOWS\pss\qlock.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Shiavax^Start Menu^Programs^Startup^Smart Desktop Calendar.lnk]
path=C:\Documents and Settings\Shiavax\Start Menu\Programs\Startup\Smart Desktop Calendar.lnk
backup=C:\WINDOWS\pss\Smart Desktop Calendar.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Shiavax^Start Menu^Programs^Startup^U.S. Robotics USB Phone.lnk]
path=C:\Documents and Settings\Shiavax\Start Menu\Programs\Startup\U.S. Robotics USB Phone.lnk
backup=C:\WINDOWS\pss\U.S. Robotics USB Phone.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-04-10 16:44 679936 --a------ C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-06 23:46 57344 --a------ C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmona]
C:\WINDOWS\system32\ctfmona.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-12-06 11:35 127035 --a------ C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 06:59 49152 --------- C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-30 00:31 67584 --a------ C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Firewall auto setup]
C:\DOCUME~1\Shiavax\LOCALS~1\Temp\winlogon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2004-02-03 11:12 401491 --a------ C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-11 23:12 49152 --a------ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-12-14 10:11 77824 --a------ C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-12-14 10:15 118784 --a------ C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-12-14 10:14 98304 --a------ C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
2005-12-28 22:25 667718 --a------ C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IridiumTimeWizard]
E:\before 7 sept 2005\iridium.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel32]
2007-12-03 19:19 135789 --a------ C:\WINDOWS\system32\drivers\etc\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MATH DOES FIRST MODE]
2007-12-04 00:49 735232 --a------ C:\Documents and Settings\All Users\Application Data\live 64 math does\vga corn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
C:\Program Files\NetWaiting\netWaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NOMAD Detector]
2002-03-05 03:15 18432 --a------ C:\Program Files\Creative\NOMAD Jukebox Zen (USB2.0)\PlayCenter2\CTNMRUN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\noskrnl]
C:\WINDOWS\noskrnl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE_OEM]
2005-08-16 06:08 20553 --a------ C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
2005-08-31 03:00 823362 --a------ C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu27.exe 61A847B5BBF72810358B2B27128065E9C084320161C4661227A755E9C2933154389A

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runtime.exe]
C:\WINDOWS\system32\runtime.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Service Pack 1]
C:\WINDOWS\system32\vedxg6ame4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowLOMControl]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spoolsvv]
C:\WINDOWS\system32\spoolsvv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2005-11-30 05:26 761947 --a------ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System]
C:\WINDOWS\system32\kernelwind32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemSv12]
C:\WINDOWS\system32\newmaxxsv234.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TataIndicomStartUp]
C:\Program Files\Tata Indicom Wireless Internet Service\TataIndicomStartUp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\up open]
2007-11-09 21:49 539648 --a------ C:\DOCUME~1\Shiavax\APPLIC~1\PINGON~1\part flag.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
C:\Windows\xpupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -quiet

R1 cdrbsvsd;cdrbsvsd;C:\WINDOWS\system32\drivers\cdrbsvsd.sys
S3 AX88772;ASIX AX88772 USB2.0 to Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\ax88772.sys
S3 fixustor;fixustor;C:\WINDOWS\system32\drivers\fixustor.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
"2006-04-27 22:39:22 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2007-11-23 10:30:00 C:\WINDOWS\Tasks\{00187C02-249C-4587-A780-360ADDFCB998}_LORDSCENTRAL_Shiavax.job"
- C:\WINDOWS\system32\mobsync.exeI /Schedule=
"2007-11-23 10:30:00 C:\WINDOWS\Tasks\{53B6A01B-3933-4557-8F1A-5CA6F0A398CF}_LORDSCENTRAL_Shiavax.job"
- C:\WINDOWS\system32\mobsync.exeI /Schedule=
"2007-11-22 03:30:00 C:\WINDOWS\Tasks\{73239C7E-1D6B-4E80-A5BD-3376868BE500}_LORDSCENTRAL_Shiavax.job"
- C:\WINDOWS\system32\mobsync.exeI /Schedule=
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-04 00:50:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = C:\Program Files\Creative\ShareDLL\CtNotify.exe?X???????????????????E?@?Disc Detector?A????? ?A?` ????B?e!@???@???@?? C?????E?@?????????@?B???A????? ?A?? ????B???@?????P?????@?? ????????A~??????????@???????????????????B?????? ??????????????????????????r?B
CTStartup = "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run?Z?A~d???*?A~?????????/??????h?@?x?????B~D??????sx??s?m??????y??w????@@@????|D@@?????>??w?????9??H??????|???|???????|L(?s?9???????/?s????????D???????????????????,????????????+?s@@@?D???`|?w??????@
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
CTStartup = "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /play??A~d???*?A~?????????/??????h?@?x?????B~D??????sx??s?m??????y??w????@@@????|D@@?????>??w?????9??H??????|???|???????|L(?s?9???????/?s????????D???????????????????,????????????+?s@@@?D???`|?w??????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-04 0:50:58 - machine was rebooted
.
--- E O F ---
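
Defender-side triage of the autostart entries in the ComboFix "Reg Loading Points" section above. This is an added example written for this page; it is not part of the thread and is not code from ComboFix or SmitfraudFix. The sample dump is constructed from value lines that appear in the log, and the heuristics (Temp-directory executables, core system binary names outside the Windows directories, one-character lookalike names, a non-empty AppInit_DLLs value, an AutoRun command on a mounted drive, executables started from Application Data) together with their thresholds are this example's own assumptions, not a ComboFix feature:

```python
"""Autostart triage over ComboFix-style 'Reg Loading Points' lines (added example)."""
import re

# Constructed sample: value lines copied from the ComboFix log in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-08-29 19:54]
"up open"="C:\DOCUME~1\Shiavax\APPLIC~1\PINGON~1\part flag.exe" [2007-11-09 21:49]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\system32\mmssbqcbq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Firewall auto setup]
C:\DOCUME~1\Shiavax\LOCALS~1\Temp\winlogon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel32]
2007-12-03 19:19 135789 --a------ C:\WINDOWS\system32\drivers\etc\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spoolsvv]
C:\WINDOWS\system32\spoolsvv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2005-11-30 05:26 761947 --a------ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
"""

# Core Windows binaries that malware likes to impersonate, and where they belong
# (assumed list for this example, not exhaustive).
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

# First drive-rooted path ending in an executable extension; the lazy quantifier
# keeps trailing arguments and the "[date]" suffix ComboFix appends out of the match.
_PATH_RE = re.compile(r"([a-z]:\\.*?\.(?:exe|dll|sys|scr|bat|cmd))", re.IGNORECASE)


def extract_path(line):
    """Return the executable path on a value line, or None if there is none."""
    m = _PATH_RE.search(line)
    return m.group(1) if m else None


def edit_distance(a, b):
    """Levenshtein distance; used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(key, line, path):
    """Return the reasons this autostart entry deserves a closer look (empty if none)."""
    reasons = []
    k, l, p = key.lower(), line.lower(), path.lower()
    directory, _, base = p.rpartition("\\")
    if l.startswith('"appinit_dlls"'):
        reasons.append("AppInit_DLLs is set: the DLL is loaded into every process that uses user32.dll")
    if "\\temp\\" in p:
        reasons.append("executable lives under a Temp directory")
    if "\\application data\\" in p or "\\applic~1\\" in p:
        reasons.append("executable launched from a user-profile Application Data folder")
    if base in SYSTEM_NAMES and directory not in SYSTEM_DIRS:
        reasons.append("core system binary name outside the Windows directories")
    elif base not in SYSTEM_NAMES and any(edit_distance(base, s) <= 1 for s in SYSTEM_NAMES):
        reasons.append("name is one character off a core system binary")
    if "mountpoints2" in k and "\\autorun\\" in l:
        reasons.append("AutoRun command registered for a mounted drive")
    return reasons


def triage(text):
    """Walk the dump, tracking the current registry key, and collect flagged entries."""
    findings, key = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # a new registry key header
            continue
        path = extract_path(line)
        if path:
            reasons = assess(key, line, path)
            if reasons:
                findings.append((key, path, reasons))
    return findings


if __name__ == "__main__":
    for key, path, reasons in triage(SAMPLE_LOG):
        print(f"{path}\n  key: {key}\n  " + "\n  ".join(reasons))
```

On the constructed sample the two legitimate entries (Yahoo! Messenger and the Synaptics tray tool) pass, while the Temp-directory winlogon.exe, the svchost.exe under drivers\etc, the spoolsvv.exe lookalike, the AppInit_DLLs value, the Application Data launcher and the E:\setup.exe AutoRun are each returned with their reasons. The heuristics are deliberately simple name-and-location checks; in practice they are a first pass to decide which entries to hash and look up, not a verdict.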

#10 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:05:32 PM

Posted 03 December 2007 - 05:56 PM

Lord,

Due to the nature of the infections present on your computer I recommend these actions:

1) use a known secure computer to change all of your online passwords
2) contact your bank and credit card company for possible unauthorized transactions

More info can be found here:


How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?



PLEASE READ THIS POST COMPLETELY, IT MAY MAKE IT EASIER FOR YOU IF YOU COPY AND PASTE THIS POST INTO A NEW TEXT DOCUMENT OR PRINT IT FOR REFERENCE LATER



Please follow the steps below exactly in the order they are written:

Step #1

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

CiD Help
Download Plugin for Internet Explorer
WebVideo Support

Please note any other programs that you don't recognize in that list in your next response.

Step #2

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\ctfmona.exe
C:\DOCUME~1\Shiavax\LOCALS~1\Temp\winlogon.exe
C:\WINDOWS\system32\drivers\etc\svchost.exe
C:\WINDOWS\mrofinu27.exe
C:\WINDOWS\system32\runtime.exe
C:\WINDOWS\system32\vedxg6ame4.exe
C:\WINDOWS\system32\spoolsvv.exe
C:\WINDOWS\system32\kernelwind32.exe
C:\WINDOWS\system32\newmaxxsv234.exe
C:\Windows\xpupdate.exe
C:\Documents and Settings\Shiavax\Application Data\Anti-Virus-Pro.com

Folder::
C:\Program Files\AntiVirusPro
C:\Program Files\Ping once ball
C:\Documents and Settings\All Users\Application Data\live 64 math does
C:\Documents and Settings\All Users\Application Data\freemeowdebugintra
C:\DOCUME~1\Shiavax\APPLIC~1\PINGON~1

Suspect::[29]
C:\Documents and Settings\Shiavax\http_ws2.dll
C:\WINDOWS\taskmon.exe
C:\WINDOWS\system32\taskmon.sys

Collect::[29]
C:\WINDOWS\system32\create.exe
C:\WINDOWS\system32\mmssbqcbq.dll
C:\WINDOWS\system32\wgqtstag.tmp
C:\WINDOWS\system32\mmssfjbfj.dll

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"up open"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmona]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Firewall auto setup]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel32]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MATH DOES FIRST MODE]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\noskrnl]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runtime.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Service Pack 1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spoolsvv]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemSv12]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\up open]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!


Save this as "CFScript"


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

This will start ComboFix again. Additionally, ComboFix will generate the following files on your desktop:
  • A zipped file on your desktop called Submit [Date Time].zip
  • And another file named - CF-Submit.htm
ComboFix may need to reboot to finish its work. Let it.

When CF has finished running, it will generate the ComboFix.log which will appear on your screen.

If CF-Submit.htm is detected, ComboFix will generate this message box:

Posted Image

Clicking OK will cause the machine's browser to load CF-Submit.htm

Posted Image

Click the "Browse" button and locate the Submit [Date Time].zip file on your desktop.
  • Click on the file to Select it.
  • Submit the file by clicking "OK"
Once the file has been submitted, please DELETE both files on your desktop.

Step #3

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
Step #4

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 3 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u3...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.

    • Java 2 Runtime Environment, SE v1.4.2_03
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.

Post the following reports/logs into your next reply:
  • Combofix report
  • SDFix report
  • A new HijackThis log (run after SDFix has finished its work.)
Regards,
SNOWHITE
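The File:: list in the script above pairs familiar system binary names with directories they never legitimately run from (winlogon.exe in a Temp folder, svchost.exe under drivers\etc) and a one-letter lookalike (spoolsvv.exe). The following is an added Python example, not code from the thread, from ComboFix or from HijackThis, that triages HijackThis O4 autostart lines or bare paths for exactly those patterns; the sample log lines are constructed and the 8.3 short-name expansions and the pairing of Run-key names with paths are assumptions.

```python
"""Triage autostart entries for the patterns seen in this thread (added example).

Flags: a core Windows binary name running outside its expected directory,
a one-character lookalike of a core name, and anything started from a
Temp or profile data folder.
"""
import ntpath
import re

# Core system binaries and the directory each legitimately runs from on XP.
CORE_BINARIES = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# 8.3 short names as they appear in these logs; the expansions are assumed.
SHORT_NAMES = {
    "docume~1": "documents and settings",
    "locals~1": "local settings",
    "applic~1": "application data",
    "progra~1": "program files",
}

SUSPICIOUS_DIR_PARTS = ("\\local settings\\temp", "\\application data", "\\windows\\temp")

# HijackThis O4 line, e.g.  O4 - HKLM\..\Run: [Name] C:\path\prog.exe /flag
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def normalize(path: str) -> str:
    """Lower-case a Windows path and expand the known 8.3 short components."""
    parts = path.strip('"').lower().split("\\")
    return "\\".join(SHORT_NAMES.get(p, p) for p in parts)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot one-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable_of(cmd: str) -> str:
    """Pull the program path out of a Run-key command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def triage_path(path: str) -> list:
    """Return the reasons a program path looks suspicious (empty list = nothing found)."""
    directory, name = ntpath.split(normalize(path))
    reasons = []
    expected = CORE_BINARIES.get(name)
    if expected is not None and directory != expected:
        reasons.append(f"core binary {name} outside {expected}")
    elif expected is None:
        for core in CORE_BINARIES:
            if edit_distance(name, core) == 1:
                reasons.append(f"lookalike of {core}")
                break
    if any(part in directory for part in SUSPICIOUS_DIR_PARTS):
        reasons.append("runs from a temp/profile data folder")
    return reasons


def triage_log(text: str) -> dict:
    """Map each O4 entry name to its findings; clean entries are omitted."""
    findings = {}
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        reasons = triage_path(executable_of(m.group("cmd")))
        if reasons:
            findings[m.group("name")] = reasons
    return findings


# Constructed sample modelled on this thread's entries (name/path pairing assumed).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [up open] C:\DOCUME~1\Shiavax\LOCALS~1\Temp\winlogon.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\drivers\etc\svchost.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
"""

if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG).items():
        print(f"[{entry}] " + "; ".join(why))
```

The bare paths from a CFScript File:: section can be fed to triage_path directly, without the O4 wrapper.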

#11 Lord

Lord
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:10:02 PM

Posted 04 December 2007 - 01:23 PM

SDFix: Version 1.116

Run by Shiavax on Tue 12/04/2007 at 11:38 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing SharedAccess Service

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\taskmon.sys - Deleted
C:\WINDOWS\taskmon.exe - Deleted




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-04 23:43:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sat 20 May 2006 8 A.SHR --- "C:\i386\68EC5497E8.sys"
Sat 20 May 2006 3,140 A.SH. --- "C:\i386\KGyGaAvL.sys"
Wed 14 Nov 2007 88 ..SHR --- "C:\WINDOWS\system32\68EC5497E8.sys"
Thu 21 Sep 2006 56 ..SHR --- "C:\WINDOWS\system32\B44D47F8D0.sys"
Wed 10 Oct 2007 56 ..SHR --- "C:\WINDOWS\system32\E89754EC68.sys"
Wed 14 Nov 2007 7,674 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Tue 6 Jun 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 19 Dec 2006 684,032 A.SH. --- "C:\ALL PICS\Homi 19 June 2007\DCIM\131CANON\SIV46.tmp"
Tue 4 Dec 2007 85,946 A..H. --- "C:\Documents and Settings\Shiavax\Local Settings\temp\BIT2.tmp"
Tue 4 Dec 2007 85,946 A..H. --- "C:\Documents and Settings\Shiavax\Local Settings\temp\BITC.tmp"
Tue 4 Dec 2007 296,668 A..H. --- "C:\Documents and Settings\Shiavax\Local Settings\temp\BITD4.tmp"
Tue 4 Dec 2007 331,413 A..H. --- "C:\Documents and Settings\Shiavax\Local Settings\temp\BITD6.tmp"
Tue 4 Dec 2007 0 A..H. --- "C:\Documents and Settings\Shiavax\Local Settings\temp\BITD7.tmp"
Tue 4 Dec 2007 0 A..H. --- "C:\Documents and Settings\Shiavax\Local Settings\temp\BITDC.tmp"
Sat 29 Mar 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\573b8bee2d25ffedabde94732ae6dbae\BITB.tmp"
Mon 4 Dec 2006 31,250 A.SHR --- "C:\Deckard\System Scanner\backup\WINDOWS\temp\bot43DE.tmp"
Tue 2 Oct 2007 720,896 ...H. --- "C:\Documents and Settings\Shiavax\Application Data\Microsoft\Word\~WRL0564.tmp"
Tue 10 Oct 2006 48,128 ...H. --- "C:\Documents and Settings\Shiavax\Application Data\Microsoft\Word\~WRL1030.tmp"
Tue 10 Oct 2006 49,152 ...H. --- "C:\Documents and Settings\Shiavax\Application Data\Microsoft\Word\~WRL1182.tmp"
Tue 10 Oct 2006 48,128 ...H. --- "C:\Documents and Settings\Shiavax\Application Data\Microsoft\Word\~WRL1363.tmp"
Mon 20 Nov 2006 19,456 ...H. --- "C:\Documents and Settings\Shiavax\Application Data\Microsoft\Word\~WRL1730.tmp"
Mon 20 Nov 2006 19,456 ...H. --- "C:\Documents and Settings\Shiavax\Application Data\Microsoft\Word\~WRL2140.tmp"
Tue 2 Oct 2007 722,432 ...H. --- "C:\Documents and Settings\Shiavax\Application Data\Microsoft\Word\~WRL2167.tmp"
Mon 20 Nov 2006 19,456 ...H. --- "C:\Documents and Settings\Shiavax\Application Data\Microsoft\Word\~WRL2201.tmp"
Tue 10 Oct 2006 50,688 ...H. --- "C:\Documents and Settings\Shiavax\Application Data\Microsoft\Word\~WRL2518.tmp"
Tue 2 Oct 2007 720,896 ...H. --- "C:\Documents and Settings\Shiavax\Application Data\Microsoft\Word\~WRL2662.tmp"
Tue 10 Oct 2006 52,736 ...H. --- "C:\Documents and Settings\Shiavax\Application Data\Microsoft\Word\~WRL3001.tmp"
Tue 2 Oct 2007 739,328 ...H. --- "C:\Documents and Settings\Shiavax\Application Data\Microsoft\Word\~WRL3368.tmp"
Mon 20 Nov 2006 19,456 ...H. --- "C:\Documents and Settings\Shiavax\Application Data\Microsoft\Word\~WRL3460.tmp"
Tue 10 Oct 2006 48,640 ...H. --- "C:\Documents and Settings\Shiavax\Application Data\Microsoft\Word\~WRL3759.tmp"
Tue 2 Oct 2007 722,944 ...H. --- "C:\Documents and Settings\Shiavax\Application Data\Microsoft\Word\~WRL4041.tmp"
Sun 22 Jan 2006 635,904 A..H. --- "C:\Documents and Settings\Shiavax\Desktop\THUMB BACKUP\111 JET DESKTOP\2006 MASTER TARIFF\~WRL0340.tmp"
Sun 22 Jan 2006 420,864 A..H. --- "C:\Documents and Settings\Shiavax\Desktop\THUMB BACKUP\111 JET DESKTOP\2006 MASTER TARIFF\~WRL0438.tmp"
Sun 22 Jan 2006 636,416 A..H. --- "C:\Documents and Settings\Shiavax\Desktop\THUMB BACKUP\111 JET DESKTOP\2006 MASTER TARIFF\~WRL1011.tmp"
Sun 22 Jan 2006 624,128 A..H. --- "C:\Documents and Settings\Shiavax\Desktop\THUMB BACKUP\111 JET DESKTOP\2006 MASTER TARIFF\~WRL1515.tmp"
Sun 22 Jan 2006 418,816 A..H. --- "C:\Documents and Settings\Shiavax\Desktop\THUMB BACKUP\111 JET DESKTOP\2006 MASTER TARIFF\~WRL2217.tmp"
Sun 22 Jan 2006 414,720 A..H. --- "C:\Documents and Settings\Shiavax\Desktop\THUMB BACKUP\111 JET DESKTOP\2006 MASTER TARIFF\~WRL2716.tmp"
Sun 22 Jan 2006 634,368 A..H. --- "C:\Documents and Settings\Shiavax\Desktop\THUMB BACKUP\111 JET DESKTOP\2006 MASTER TARIFF\~WRL3166.tmp"
Sun 22 Jan 2006 635,392 A..H. --- "C:\Documents and Settings\Shiavax\Desktop\THUMB BACKUP\111 JET DESKTOP\2006 MASTER TARIFF\~WRL3416.tmp"
Sun 22 Jan 2006 636,416 A..H. --- "C:\Documents and Settings\Shiavax\Desktop\THUMB BACKUP\111 JET DESKTOP\2006 MASTER TARIFF\~WRL3955.tmp"
Sun 5 Jun 2005 265,096 A..H. --- "C:\Documents and Settings\Shiavax\Desktop\THUMB BACKUP\111 JET DESKTOP\before 7 sept 2005\~WRL3826.TMP"
Wed 19 Apr 2006 1,063,424 A..H. --- "C:\Documents and Settings\Shiavax\Desktop\THUMB BACKUP\111 JET DESKTOP\CHHAYA\~WRL0671.tmp"
Thu 30 Mar 2006 1,003,520 A..H. --- "C:\Documents and Settings\Shiavax\Desktop\THUMB BACKUP\111 JET DESKTOP\CHHAYA\~WRL0677.tmp"
Tue 19 Dec 2006 684,032 A.SH. --- "C:\Documents and Settings\Shiavax\Desktop\Unused Desktop Shortcuts\Homi 12.6.07\131CANON\SIV46.tmp"
Mon 16 Oct 2006 0 A..HR --- "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\Oem\Recycled.sys"
Mon 3 Dec 2007 0 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Shiavax\LOCALS~1\Temp\BIT1.tmp"
Mon 3 Dec 2007 85,946 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Shiavax\LOCALS~1\Temp\BIT10.tmp"
Mon 3 Dec 2007 0 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Shiavax\LOCALS~1\Temp\BIT11.tmp"
Mon 3 Dec 2007 0 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Shiavax\LOCALS~1\Temp\BIT12.tmp"
Mon 3 Dec 2007 85,946 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Shiavax\LOCALS~1\Temp\BIT2.tmp"
Mon 3 Dec 2007 0 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Shiavax\LOCALS~1\Temp\BIT3.tmp"
Mon 3 Dec 2007 0 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Shiavax\LOCALS~1\Temp\BIT4.tmp"
Mon 3 Dec 2007 0 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Shiavax\LOCALS~1\Temp\BIT5.tmp"
Mon 3 Dec 2007 0 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Shiavax\LOCALS~1\Temp\BIT6.tmp"
Mon 3 Dec 2007 0 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Shiavax\LOCALS~1\Temp\BIT7.tmp"
Mon 3 Dec 2007 0 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Shiavax\LOCALS~1\Temp\BIT8.tmp"
Mon 3 Dec 2007 0 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Shiavax\LOCALS~1\Temp\BIT9.tmp"
Mon 3 Dec 2007 85,946 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Shiavax\LOCALS~1\Temp\BITA.tmp"
Mon 3 Dec 2007 85,946 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Shiavax\LOCALS~1\Temp\BITB.tmp"
Mon 3 Dec 2007 0 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Shiavax\LOCALS~1\Temp\BITC.tmp"
Mon 3 Dec 2007 326,491 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Shiavax\LOCALS~1\Temp\BITCF.tmp"
Mon 3 Dec 2007 85,946 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Shiavax\LOCALS~1\Temp\BITD.tmp"
Mon 3 Dec 2007 326,491 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Shiavax\LOCALS~1\Temp\BITD3.tmp"
Mon 3 Dec 2007 296,668 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Shiavax\LOCALS~1\Temp\BITD4.tmp"
Mon 3 Dec 2007 325,382 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Shiavax\LOCALS~1\Temp\BITD6.tmp"
Mon 3 Dec 2007 0 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Shiavax\LOCALS~1\Temp\BITD7.tmp"
Mon 3 Dec 2007 344,545 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Shiavax\LOCALS~1\Temp\BITD8.tmp"
Mon 3 Dec 2007 0 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Shiavax\LOCALS~1\Temp\BITDA.tmp"
Mon 3 Dec 2007 325,382 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Shiavax\LOCALS~1\Temp\BITDB.tmp"
Mon 3 Dec 2007 0 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Shiavax\LOCALS~1\Temp\BITDC.tmp"
Mon 3 Dec 2007 344,545 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Shiavax\LOCALS~1\Temp\BITDD.tmp"
Mon 3 Dec 2007 347,813 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Shiavax\LOCALS~1\Temp\BITDE.tmp"
Mon 3 Dec 2007 344,545 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Shiavax\LOCALS~1\Temp\BITDF.tmp"
Mon 3 Dec 2007 0 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Shiavax\LOCALS~1\Temp\BITE.tmp"
Mon 3 Dec 2007 0 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Shiavax\LOCALS~1\Temp\BITF.tmp"
Sat 26 Nov 2005 97,280 A..H. --- "C:\Documents and Settings\Shiavax\Desktop\THUMB BACKUP\111 JET DESKTOP\2006 MASTER TARIFF\SEPT 05 MASTER TARIFF ALL INCLUSIVE\~WRL1169.tmp"
Sat 17 Dec 2005 97,792 A..H. --- "C:\Documents and Settings\Shiavax\Desktop\THUMB BACKUP\111 JET DESKTOP\2006 MASTER TARIFF\SEPT 05 MASTER TARIFF ALL INCLUSIVE\~WRL1307.tmp"
Sat 21 May 2005 706,048 A..H. --- "C:\Documents and Settings\Shiavax\Desktop\THUMB BACKUP\111 JET DESKTOP\before 7 sept 2005\EP 2005 2006\~WRL0005.tmp"
Fri 13 May 2005 539,136 A..H. --- "C:\Documents and Settings\Shiavax\Desktop\THUMB BACKUP\111 JET DESKTOP\before 7 sept 2005\EP 2005 2006\~WRL1542.tmp"
Sat 21 May 2005 705,536 A..H. --- "C:\Documents and Settings\Shiavax\Desktop\THUMB BACKUP\111 JET DESKTOP\before 7 sept 2005\EP 2005 2006\~WRL1841.tmp"
Sat 7 May 2005 537,088 A..H. --- "C:\Documents and Settings\Shiavax\Desktop\THUMB BACKUP\111 JET DESKTOP\before 7 sept 2005\EP 2005 2006\~WRL2356.tmp"
Sat 21 May 2005 707,072 A..H. --- "C:\Documents and Settings\Shiavax\Desktop\THUMB BACKUP\111 JET DESKTOP\before 7 sept 2005\EP 2005 2006\~WRL3061.tmp"
Fri 9 Apr 2004 113,152 A..H. --- "C:\Documents and Settings\Shiavax\Desktop\THUMB BACKUP\111 JET DESKTOP\before 7 sept 2005\gsa20044444444444444444444444444444444444444444\~WRL3721.tmp"
Thu 4 Mar 2004 55,296 A..H. --- "C:\Documents and Settings\Shiavax\Desktop\THUMB BACKUP\111 JET DESKTOP\before 7 sept 2005\printing forms\~WRL0004.tmp"
Sat 26 Nov 2005 71,168 A..H. --- "C:\Documents and Settings\Shiavax\Desktop\THUMB BACKUP\111 JET DESKTOP\before 7 sept 2005\printing forms\~WRL3034.tmp"
Thu 27 Apr 2006 20,992 A..H. --- "C:\Documents and Settings\Shiavax\Desktop\THUMB BACKUP\111 JET DESKTOP\COMPANY\GESCO\~WRL0004.tmp"
Thu 27 Apr 2006 20,992 A..H. --- "C:\Documents and Settings\Shiavax\Desktop\THUMB BACKUP\111 JET DESKTOP\COMPANY\GESCO\~WRL1636.tmp"
Thu 27 Apr 2006 20,992 A..H. --- "C:\Documents and Settings\Shiavax\Desktop\THUMB BACKUP\111 JET DESKTOP\COMPANY\GESCO\~WRL2186.tmp"
Fri 13 Jan 2006 23,552 A..H. --- "C:\Documents and Settings\Shiavax\Desktop\THUMB BACKUP\111 JET DESKTOP\COMPANY\HLL RENEWAL 2006\~WRL1904.tmp"
Mon 31 Oct 2005 38,912 A..H. --- "C:\Documents and Settings\Shiavax\Desktop\THUMB BACKUP\111 JET DESKTOP\COMPANY\TELCO 2005 RENEWAL\~WRL0001.tmp"
Fri 25 Mar 2005 37,376 A..H. --- "C:\Documents and Settings\Shiavax\Desktop\THUMB BACKUP\111 JET DESKTOP\COMPANY\TELCO 2005 RENEWAL\~WRL0004.tmp"
Mon 31 Oct 2005 39,424 A..H. --- "C:\Documents and Settings\Shiavax\Desktop\THUMB BACKUP\111 JET DESKTOP\COMPANY\TELCO 2005 RENEWAL\~WRL0151.tmp"
Mon 31 Oct 2005 23,040 A..H. --- "C:\Documents and Settings\Shiavax\Desktop\THUMB BACKUP\111 JET DESKTOP\COMPANY\TELCO 2005 RENEWAL\~WRL0542.tmp"
Sun 16 Jul 2006 70,656 A.SH. --- "C:\Documents and Settings\Shiavax\Desktop\THUMB BACKUP\111 JET DESKTOP\downloads\DVD to Pocket PC\Setup.exe"
Sun 16 Jul 2006 9,918,976 A..H. --- "C:\Documents and Settings\Shiavax\Desktop\THUMB BACKUP\111 JET DESKTOP\downloads\DVD to Pocket PC\WMEncoder.exe"
Mon 16 Oct 2006 0 A..HR --- "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\Oem\Chinese\Recycled.sys"
Mon 16 Oct 2006 0 A..HR --- "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\Oem\English\Recycled.sys"
Mon 16 Oct 2006 0 A..HR --- "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\Oem\SChinese\Recycled.sys"
Mon 16 Oct 2006 0 A..HR --- "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Shared_Assets\locales\en_gb\Recycled.sys"
Sun 23 Apr 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Sun 23 Apr 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Sun 23 Apr 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Mon 26 Dec 2005 45,568 A..H. --- "C:\Documents and Settings\Shiavax\Desktop\THUMB BACKUP\111 JET DESKTOP\COMPANY\TELCO 2005 RENEWAL\2005 RENEWAL\~WRL1560.tmp"
Mon 26 Dec 2005 45,568 A..H. --- "C:\Documents and Settings\Shiavax\Desktop\THUMB BACKUP\111 JET DESKTOP\COMPANY\TELCO 2005 RENEWAL\2005 RENEWAL\~WRL2531.tmp"
Fri 16 Dec 2005 44,032 A..H. --- "C:\Documents and Settings\Shiavax\Desktop\THUMB BACKUP\111 JET DESKTOP\COMPANY\TELCO 2005 RENEWAL\2005 RENEWAL\~WRL2585.tmp"
Mon 26 Dec 2005 46,080 A..H. --- "C:\Documents and Settings\Shiavax\Desktop\THUMB BACKUP\111 JET DESKTOP\COMPANY\TELCO 2005 RENEWAL\2005 RENEWAL\~WRL3572.tmp"
Sun 9 Sep 2007 385,024 A.SH. --- "C:\Documents and Settings\Shiavax\Desktop\THUMB BACKUP\111 JET DESKTOP\SCAN IMP DOCUMENTS\PASSPORT SCANS MAY 07\2007-09 (Sep)\SIV55A.tmp"

Finished!

#12 Lord

Lord
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:10:02 PM

Posted 04 December 2007 - 02:24 PM

Well, it seems that all the steps worked out exactly as listed... so I expect that the nasties are finally out.

Are there any steps that I need to do, to ensure that my computer is not attacked again, at least not successfully?

with regards - and a lot of thanks...

Y Lord.

#13 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:05:32 PM

Posted 04 December 2007 - 07:37 PM

Hi Lord, could you please post back here the last report made by combofix? I need to check the last report and see if something is left so we can remove it.

AV: Trend Micro PC-cillin Internet Security v12.7.1017 (Trend Micro, Inc.) Outdated


Can you update your antivirus program? Let me know if you can't.

- Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • - Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
    http://www.ewido.net/en/download/
    • Install AVG Anti-Spyware by double clicking the installer.
    • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
    • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

- Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
- Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

- Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      Posted Image
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

Post back with AVG Anti-Spyware report and new HijackThis log.

Well, It seems that all the steps worked out exactly as listed... so I expect that the nasties are finally out.


Good to hear that your computer is running better, but we will need to do more research and make sure we remove every infection that could be present on the computer :thumbsup:

Best regards,
SNOWHITE

#14 Lord

Lord
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:10:02 PM

Posted 05 December 2007 - 01:53 PM

Apologies - can't repost the combofix report (have deleted them all).

The Trend Micro PC-cillin being out of date --- is because I have chosen to disable it - - Have downloaded AVG, which - when I ran... did catch and clean (apparently) 3-4 bad guys.

But was obviously still infected - so ran your recommended steps...

The only part I could not manage, no matter what I tried ... is in the AVG Anti-Spyware before running the full scan... Your instructions as follows could not be checked/inputted... because, in the Safe Mode - the AVG Anti-Spyware window is stretched to limits outside the screen - and the check-boxes are not visible --- so I have used the default settings (whatever they were).... I hope that it does not mean the scan/clean and report -- is not complete
________________________________________________________________
* Click on Scanner on the toolbar.
* Click on the Settings tab.
o Under How to act?
+ Click on Recommended Action and choose Quarantine from the popup menu.
o Under How to scan?
+ All checkboxes should be ticked.
o Under Possibly unwanted software:
+ All checkboxes should be ticked.
o Under Reports:
+ Select Automatically generate report after every scan and uncheck Only if threats were found.
o Under What to scan?
+ Select Scan every file.
________________________________________________________________

The report is as follows....... (it caught about 8 problem files)

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:52:23 PM 12/5/2007

+ Scan result:



C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP282\A0103012.exe -> Downloader.Small.guc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP282\A0097935.exe -> Proxy.Xorpix.cj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP282\A0103006.exe -> Proxy.Xorpix.cj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP282\A0109664.exe -> Proxy.Xorpix.cj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP284\A0111153.exe -> Trojan.Obfuscated.en : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP284\A0111156.exe -> Trojan.Obfuscated.en : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP282\A0109663.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP282\A0103011.exe -> Trojan.Tibs.du : Cleaned with backup (quarantined).


::Report end
_______________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:03 AM, on 12/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\system32\umonit.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rediffmailpro.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\umonit.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\RunOnce: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /play
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\BP Go!Zilla v4.1\download-with-gozilla.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1181325029375
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\mmssbqcbq.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8116 bytes

#15 Lord

Lord
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:10:02 PM

Posted 05 December 2007 - 02:06 PM

A few questions . . .

1. The AVG Anti-Spyware --- is currently disabled. Should I activate it and keep it running - and with what settings?

2. Now I have some 10-12 downloaded program files (smitfraudfix..... to ATF Cleaner). Do I retain them all (currently all put into a separate folder) --- or at some stage, delete them?

3. I have another Laptop (using Norton Internet Security)... and a Desktop (using AVG) -- Should I be using AVG Anti-Spyware on those too, as a precautionary measure? If so, are there any specific settings I should set the options to?

