Another Virtumonde Infection....


This topic is locked
10 replies to this topic

#1 Adam PV


Posted 03 December 2007 - 05:26 PM

Hi Chaps,

I'm doing my best to help my Dad out with his PC which seems to be infected with the Virtumonde trojan.

I've run a whole variety of removal tools all of which were unsuccessful (including the removal advice on this forum).

Please find below my HJT log run whilst on a regular boot:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:57:42, on 03/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\Documents and Settings\All Users\Documents\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {FDED1C12-AD76-613C-344C-A3BD5C6415B2} - C:\PROGRA~1\COMMON~1\System\D_4362.dll
O2 - BHO: (no name) - {FDED2C12-A476-A13C-3B4C-A3BD546415C2} - C:\PROGRA~1\COMMON~1\System\D_4362.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe

--
End of file - 5485 bytes


The infection does all the usual redirecting to either porn sites, random spyware removal sites, or search sites. The PC is running SLOW....... please help?


#2 SNOWHITE


Posted 03 December 2007 - 06:18 PM

Hello Adam PV and welcome to BC.

My name is SNOWHITE and I will be helping you with your Malware problem.

Please follow the steps below exactly in the order they are written:

Step #1

Please re-open HiJackThis and click on "Do a system scan only". Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {FDED1C12-AD76-613C-344C-A3BD5C6415B2} - C:\PROGRA~1\COMMON~1\System\D_4362.dll
O2 - BHO: (no name) - {FDED2C12-A476-A13C-3B4C-A3BD546415C2} - C:\PROGRA~1\COMMON~1\System\D_4362.dll


Now close all windows other than HiJackThis, then click Fix Checked.

Step #2
1. Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
2. Download combofix from one of these links:
Link1
Link2
3. Double click combofix.exe & follow the prompts.
4. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Note:
Combofix should never take more than 20 minutes including the reboot if malware is detected.

If it does, open task-manager > use the processes tab (press ctrl alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.

If that happened we want to know, and also what process you had to end.
Step #3
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.
In your next post include ComboFix report, new HijackThis report and uninstall list.

Regards,
SNOWHITE

#3 Adam PV


Posted 03 December 2007 - 06:34 PM

Thank you SNOWHITE for your prompt reply!

Combofix report:

ComboFix 07-12-02.6 - Ron 2007-12-03 23:27:07.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.216 [GMT 0:00]
Running from: C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\I9UZWL6B\ComboFix[1].exe
.

((((((((((((((((((((((((( Files Created from 2007-11-03 to 2007-12-03 )))))))))))))))))))))))))))))))
.

2007-12-03 19:12 . 2007-12-03 19:12 <DIR> d-------- C:\Program Files\Yahoo!
2007-12-03 19:12 . 2007-12-03 19:12 <DIR> d-------- C:\Program Files\CCleaner
2007-12-03 18:58 . 2007-12-03 18:58 <DIR> d-------- C:\Documents and Settings\Adam\Application Data\SiteAdvisor
2007-12-03 18:36 . 2007-12-03 18:58 <DIR> d-------- C:\Documents and Settings\Adam\Application Data\AVG7
2007-12-01 12:18 . 2007-12-02 10:36 <DIR> d-------- C:\Program Files\SiteAdvisor
2007-12-01 12:18 . 2007-12-02 16:18 <DIR> d-------- C:\Documents and Settings\Ron\Application Data\SiteAdvisor
2007-12-01 12:18 . 2007-12-01 12:18 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-12-01 12:18 . 2007-12-02 10:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-12-01 12:18 . 2007-12-01 12:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-29 11:04 . 2007-11-29 11:31 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-11-27 21:28 . 2007-12-03 18:33 <DIR> d-------- C:\Documents and Settings\Ron\Application Data\AVG7
2007-11-27 21:28 . 2007-11-27 21:28 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-27 21:27 . 2007-11-27 21:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-27 21:27 . 2007-11-28 08:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-11-26 22:33 . 2007-11-26 22:33 <DIR> d-------- C:\kav
2007-11-26 21:15 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-26 21:14 . 2007-11-26 21:14 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-26 21:13 . 2007-11-26 21:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-26 21:13 . 2007-11-26 21:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-26 18:42 . 2007-11-26 18:42 <DIR> d-------- C:\VundoFix Backups
2007-11-24 19:31 . 2007-12-03 20:34 57 --a------ C:\WINDOWS\win.ini
2007-11-24 19:31 . 2007-12-03 23:28 0 --a------ C:\WINDOWS\system.ini
2007-11-10 12:26 . 2007-11-10 12:26 <DIR> d-------- C:\Documents and Settings\Ron\Application Data\PlayFirst
2007-11-10 12:26 . 2007-11-10 12:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2007-11-10 12:04 . 2007-12-03 19:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Zylom
2007-11-04 13:19 . 2007-11-04 13:19 4 --a------ C:\WINDOWS\jknradee.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-03 20:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-12-03 20:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-27 20:10 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-11-27 20:10 --------- d-----w C:\Program Files\Google
2007-11-26 22:36 --------- d-----w C:\Documents and Settings\Ron\Application Data\HouseCall 6.6
2007-11-26 21:15 --------- d-----w C:\Program Files\Java
2006-10-25 20:51 17,920 ----a-w C:\Documents and Settings\Ron\Application Data\GDIPFONTCACHEV1.DAT
2006-05-31 23:28 8 --sh--r C:\WINDOWS\system32\2A581C7486.sys
.

((((((((((((((((((((((((((((( snapshot@2007-11-26_20.48.35.87 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-08 16:59:01 136,704 ----a-w C:\WINDOWS\catchme.exe
+ 2007-11-27 03:58:11 140,288 ----a-w C:\WINDOWS\catchme.exe
+ 2007-11-27 21:27:48 821,856 ----a-w C:\WINDOWS\system32\drivers\avg7core.sys
+ 2007-11-27 21:27:59 4,224 ----a-w C:\WINDOWS\system32\drivers\avg7rsw.sys
+ 2007-11-27 21:28:00 27,776 ----a-w C:\WINDOWS\system32\drivers\avg7rsxp.sys
+ 2007-11-27 21:28:09 3,968 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
+ 2007-11-27 21:28:07 19,904 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2007-11-27 21:28:07 4,960 ----a-w C:\WINDOWS\system32\drivers\avgtdi.sys
- 2006-05-03 00:19:30 49,248 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-24 22:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2006-05-03 00:19:40 53,346 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-24 22:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2006-05-03 01:56:58 127,078 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-24 23:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2005-05-24 12:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 15:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 15:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-02 16:47]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2005-02-24 06:32 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 15:39]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 14:34 C:\WINDOWS\SOUNDMAN.EXE]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-27 21:27]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-03-30 15:42]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-03 23:56]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-03 23:56]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" []
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-27 21:27]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-07-04 20:21:03]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-05-11 02:06 40048 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
2007-06-15 23:15 366400 --a------ C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareBot]
C:\Program Files\SpywareBot\SpywareBot.exe -boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 01:11 132496 --a------ C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-08-02 16:47 68856 --a------ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
rundll32.exe C:\WINDOWS\byyvwx.dll,forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

S3 sscdbus;SAMSUNG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\sscdbus.sys
S3 sscdmdfl;SAMSUNG CDMA Modem Filter;C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys
S3 sscdmdm;SAMSUNG CDMA Modem Drivers;C:\WINDOWS\system32\DRIVERS\sscdmdm.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53799ac8-7fe3-11db-9200-0015f249bfbe}]
\Shell\AutoRun\command - G:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-21 11:00:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-27 00:00:04 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\ppGdNDTE.exe
"2007-11-28 09:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\ppGdNDTE.exe
"2007-12-01 10:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\ppGdNDTE.exe
"2007-12-02 11:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\ppGdNDTE.exe
"2007-12-02 12:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\ppGdNDTE.exe
"2007-12-02 13:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\ppGdNDTE.exe
"2007-12-03 14:00:00 C:\WINDOWS\Tasks\At15.job"
"2007-12-03 15:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\ppGdNDTE.exe
"2007-12-03 16:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\ppGdNDTE.exe
"2007-12-03 17:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\ppGdNDTE.exe
"2007-12-03 18:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\ppGdNDTE.exe
"2007-11-27 01:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\ppGdNDTE.exe
"2007-12-03 19:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\ppGdNDTE.exe
"2007-12-02 20:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\ppGdNDTE.exe
"2007-12-03 21:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\ppGdNDTE.exe
"2007-12-03 22:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\ppGdNDTE.exe
"2007-12-03 23:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\ppGdNDTE.exe
"2007-11-27 02:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\ppGdNDTE.exe
"2007-11-27 03:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\ppGdNDTE.exe
"2007-11-27 00:00:05 C:\WINDOWS\Tasks\At49.job"
- C:\WINDOWS\system32\i1gYY20F.exe
"2007-11-27 04:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\ppGdNDTE.exe
"2007-11-27 01:00:00 C:\WINDOWS\Tasks\At50.job"
- C:\WINDOWS\system32\i1gYY20F.exe
"2007-11-27 02:00:00 C:\WINDOWS\Tasks\At51.job"
- C:\WINDOWS\system32\i1gYY20F.exe
"2007-11-27 03:00:00 C:\WINDOWS\Tasks\At52.job"
- C:\WINDOWS\system32\i1gYY20F.exe
"2007-11-27 04:00:00 C:\WINDOWS\Tasks\At53.job"
- C:\WINDOWS\system32\i1gYY20F.exe
"2007-11-27 05:00:00 C:\WINDOWS\Tasks\At54.job"
- C:\WINDOWS\system32\i1gYY20F.exe
"2007-11-27 06:00:00 C:\WINDOWS\Tasks\At55.job"
- C:\WINDOWS\system32\i1gYY20F.exe
"2007-11-27 07:00:00 C:\WINDOWS\Tasks\At56.job"
- C:\WINDOWS\system32\i1gYY20F.exe
"2007-11-27 08:00:00 C:\WINDOWS\Tasks\At57.job"
- C:\WINDOWS\system32\i1gYY20F.exe
"2007-11-28 09:00:00 C:\WINDOWS\Tasks\At58.job"
- C:\WINDOWS\system32\i1gYY20F.exe
"2007-12-01 10:00:00 C:\WINDOWS\Tasks\At59.job"
- C:\WINDOWS\system32\i1gYY20F.exe
"2007-11-27 05:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\ppGdNDTE.exe
"2007-12-02 11:00:00 C:\WINDOWS\Tasks\At60.job"
- C:\WINDOWS\system32\i1gYY20F.exe
"2007-12-02 12:00:00 C:\WINDOWS\Tasks\At61.job"
- C:\WINDOWS\system32\i1gYY20F.exe
"2007-12-02 13:00:00 C:\WINDOWS\Tasks\At62.job"
- C:\WINDOWS\system32\i1gYY20F.exe
"2007-12-03 14:00:00 C:\WINDOWS\Tasks\At63.job"
- C:\WINDOWS\system32\i1gYY20F.exe
"2007-12-03 15:00:00 C:\WINDOWS\Tasks\At64.job"
- C:\WINDOWS\system32\i1gYY20F.exe
"2007-12-03 16:00:00 C:\WINDOWS\Tasks\At65.job"
- C:\WINDOWS\system32\i1gYY20F.exe

"2007-12-03 17:00:00 C:\WINDOWS\Tasks\At66.job"
- C:\WINDOWS\system32\i1gYY20F.exe
"2007-12-03 18:00:00 C:\WINDOWS\Tasks\At67.job"
"2007-12-03 19:00:00 C:\WINDOWS\Tasks\At68.job"
- C:\WINDOWS\system32\i1gYY20F.exe
"2007-12-02 20:00:00 C:\WINDOWS\Tasks\At69.job"
- C:\WINDOWS\system32\i1gYY20F.exe
"2007-11-27 06:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\ppGdNDTE.exe
"2007-12-03 21:00:00 C:\WINDOWS\Tasks\At70.job"
- C:\WINDOWS\system32\i1gYY20F.exe
"2007-12-03 22:00:00 C:\WINDOWS\Tasks\At71.job"
- C:\WINDOWS\system32\i1gYY20F.exe
"2007-12-03 23:00:00 C:\WINDOWS\Tasks\At72.job"
- C:\WINDOWS\system32\i1gYY20F.exe
"2007-11-27 07:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\ppGdNDTE.exe
"2007-11-27 08:00:00 C:\WINDOWS\Tasks\At9.job"
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-03 23:28:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-03 23:29:01
C:\ComboFix2.txt ... 2007-12-03 23:00
C:\ComboFix3.txt ... 2007-12-03 20:29
.
--- E O F ---


New HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:30:31, on 03/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\All Users\Documents\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe

--
End of file - 5276 bytes


Uninstall List:

Ad-Aware SE Personal
Adobe Flash Player ActiveX
Adobe Photoshop 7.0
Adobe Reader 8.1.0
Ahead Nero Burning ROM
Apple Software Update
AVG 7.5
AVG Anti-Rootkit Free
AVIcodec (remove only)
CCleaner (remove only)
EPSON Printer Software
FUJIFILM USB Driver
Google Earth
Google Toolbar for Firefox
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Updater
HijackThis 2.0.2
Java™ 6 Update 3
Kaspersky Online Scanner
McAfee SiteAdvisor
Microsoft Office XP Professional with FrontPage
Nokia Connectivity Cable Driver
Nokia PC Connectivity Solution
Nokia PC Suite
NVIDIA Drivers
Panda ActiveScan
Picasa 2
QuickTime
Real Alternative 1.50
Realtek AC'97 Audio
Samsung PC Studio 2.1
Samsung USB Driver (MCCI 4.24)
Spybot - Search & Destroy 1.4
Windows Driver Package - Nokia Modem (04/06/2006 6.8.0.17)
Windows XP Service Pack 2
WinZip
Yahoo! Toolbar

Thanks again!

#4 SNOWHITE


Posted 03 December 2007 - 07:39 PM

Adam PV,

Please follow the steps below exactly in the order they are written:

Step #1

Open notepad and copy/paste the text in the codebox below into it:

File::
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At49.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At50.job
C:\WINDOWS\Tasks\At51.job
C:\WINDOWS\Tasks\At52.job
C:\WINDOWS\Tasks\At53.job
C:\WINDOWS\Tasks\At54.job
C:\WINDOWS\Tasks\At55.job
C:\WINDOWS\Tasks\At56.job
C:\WINDOWS\Tasks\At57.job
C:\WINDOWS\Tasks\At58.job
C:\WINDOWS\Tasks\At59.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At60.job
C:\WINDOWS\Tasks\At61.job
C:\WINDOWS\Tasks\At62.job
C:\WINDOWS\Tasks\At63.job
C:\WINDOWS\Tasks\At64.job
C:\WINDOWS\Tasks\At65.job
C:\WINDOWS\Tasks\At66.job
C:\WINDOWS\Tasks\At67.job
C:\WINDOWS\Tasks\At68.job
C:\WINDOWS\Tasks\At69.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At70.job
C:\WINDOWS\Tasks\At71.job
C:\WINDOWS\Tasks\At72.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\byyvwx.dll

Folder::
C:\Program Files\SpywareBot

Collect::[29]
C:\WINDOWS\jknradee.sys
C:\WINDOWS\system32\ppGdNDTE.exe
C:\WINDOWS\system32\i1gYY20F.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareBot]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!


Save this as "CFScript"


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

This will start ComboFix again. Additionally, ComboFix will generate the following files on your desktop
  • A zipped file on your desktop called Submit [Date Time].zip
  • And another file named - CF-Submit.htm
ComboFix may need to reboot to finish its work. Let it.

When CF has finished running, it will generate the ComboFix.log which will appear on your screen.

If CF-Submit.htm is detected, ComboFix will generate this message box:

Posted Image

Clicking OK will cause the machine's browser to load CF-Submit.htm

Posted Image

Click the "Browse" button and locate the Submit [Date Time].zip file on your desktop.
  • Click on the file to Select it.
  • Submit the file by clicking "OK"
Once the file has been submitted, please DELETE both files on your desktop.

Post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log (run after ComboFix has finished its work.)
Regards,
SNOWHITE

#5 Adam PV

Adam PV
  • Topic Starter

  • Members
  • 5 posts

Posted 04 December 2007 - 01:34 PM

Hi SNOWHITE,

Logs as requested:


Combofix log:

ComboFix 07-12-02.6 - Ron 2007-12-04 18:25:23.6 - NTFSx86
Running from: C:\Documents and Settings\Ron\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ron\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\byyvwx.dll
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At49.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At50.job
C:\WINDOWS\Tasks\At51.job
C:\WINDOWS\Tasks\At52.job
C:\WINDOWS\Tasks\At53.job
C:\WINDOWS\Tasks\At54.job
C:\WINDOWS\Tasks\At55.job
C:\WINDOWS\Tasks\At56.job
C:\WINDOWS\Tasks\At57.job
C:\WINDOWS\Tasks\At58.job
C:\WINDOWS\Tasks\At59.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At60.job
C:\WINDOWS\Tasks\At61.job
C:\WINDOWS\Tasks\At62.job
C:\WINDOWS\Tasks\At63.job
C:\WINDOWS\Tasks\At64.job
C:\WINDOWS\Tasks\At65.job
C:\WINDOWS\Tasks\At66.job
C:\WINDOWS\Tasks\At67.job
C:\WINDOWS\Tasks\At68.job
C:\WINDOWS\Tasks\At69.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At70.job
C:\WINDOWS\Tasks\At71.job
C:\WINDOWS\Tasks\At72.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\jknradee.sys
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At49.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At50.job
C:\WINDOWS\Tasks\At51.job
C:\WINDOWS\Tasks\At52.job
C:\WINDOWS\Tasks\At53.job
C:\WINDOWS\Tasks\At54.job
C:\WINDOWS\Tasks\At55.job
C:\WINDOWS\Tasks\At56.job
C:\WINDOWS\Tasks\At57.job
C:\WINDOWS\Tasks\At58.job
C:\WINDOWS\Tasks\At59.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At60.job
C:\WINDOWS\Tasks\At61.job
C:\WINDOWS\Tasks\At62.job
C:\WINDOWS\Tasks\At63.job
C:\WINDOWS\Tasks\At64.job
C:\WINDOWS\Tasks\At65.job
C:\WINDOWS\Tasks\At66.job
C:\WINDOWS\Tasks\At67.job
C:\WINDOWS\Tasks\At68.job
C:\WINDOWS\Tasks\At69.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At70.job
C:\WINDOWS\Tasks\At71.job
C:\WINDOWS\Tasks\At72.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2007-11-04 to 2007-12-04 )))))))))))))))))))))))))))))))
.

2007-12-03 19:12 . 2007-12-03 19:12 <DIR> d-------- C:\Program Files\Yahoo!
2007-12-03 19:12 . 2007-12-03 19:12 <DIR> d-------- C:\Program Files\CCleaner
2007-12-03 18:58 . 2007-12-03 18:58 <DIR> d-------- C:\Documents and Settings\Adam\Application Data\SiteAdvisor
2007-12-03 18:36 . 2007-12-03 18:58 <DIR> d-------- C:\Documents and Settings\Adam\Application Data\AVG7
2007-12-01 12:18 . 2007-12-02 10:36 <DIR> d-------- C:\Program Files\SiteAdvisor
2007-12-01 12:18 . 2007-12-02 16:18 <DIR> d-------- C:\Documents and Settings\Ron\Application Data\SiteAdvisor
2007-12-01 12:18 . 2007-12-01 12:18 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-12-01 12:18 . 2007-12-02 10:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-12-01 12:18 . 2007-12-01 12:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-29 11:04 . 2007-11-29 11:31 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-11-27 21:28 . 2007-12-04 18:21 <DIR> d-------- C:\Documents and Settings\Ron\Application Data\AVG7
2007-11-27 21:28 . 2007-11-27 21:28 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-27 21:27 . 2007-11-27 21:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-27 21:27 . 2007-11-28 08:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-11-26 22:33 . 2007-11-26 22:33 <DIR> d-------- C:\kav
2007-11-26 21:15 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-26 21:14 . 2007-11-26 21:14 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-26 21:13 . 2007-11-26 21:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-26 21:13 . 2007-11-26 21:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-26 18:42 . 2007-11-26 18:42 <DIR> d-------- C:\VundoFix Backups
2007-11-24 19:31 . 2007-12-03 20:34 57 --a------ C:\WINDOWS\win.ini
2007-11-24 19:31 . 2007-12-04 18:27 0 --a------ C:\WINDOWS\system.ini
2007-11-10 12:26 . 2007-11-10 12:26 <DIR> d-------- C:\Documents and Settings\Ron\Application Data\PlayFirst
2007-11-10 12:26 . 2007-11-10 12:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2007-11-10 12:04 . 2007-12-03 19:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Zylom

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-03 23:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-03 20:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-27 20:10 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-11-27 20:10 --------- d-----w C:\Program Files\Google
2007-11-26 22:36 --------- d-----w C:\Documents and Settings\Ron\Application Data\HouseCall 6.6
2007-11-26 21:15 --------- d-----w C:\Program Files\Java
2006-10-25 20:51 17,920 ----a-w C:\Documents and Settings\Ron\Application Data\GDIPFONTCACHEV1.DAT
2006-05-31 23:28 8 --sh--r C:\WINDOWS\system32\2A581C7486.sys
.

((((((((((((((((((((((((((((( snapshot@2007-11-26_20.48.35.87 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-08 16:59:01 136,704 ----a-w C:\WINDOWS\catchme.exe
+ 2007-11-27 03:58:11 140,288 ----a-w C:\WINDOWS\catchme.exe
+ 2007-11-27 21:27:48 821,856 ----a-w C:\WINDOWS\system32\drivers\avg7core.sys
+ 2007-11-27 21:27:59 4,224 ----a-w C:\WINDOWS\system32\drivers\avg7rsw.sys
+ 2007-11-27 21:28:00 27,776 ----a-w C:\WINDOWS\system32\drivers\avg7rsxp.sys
+ 2007-11-27 21:28:09 3,968 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
+ 2007-11-27 21:28:07 19,904 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2007-11-27 21:28:07 4,960 ----a-w C:\WINDOWS\system32\drivers\avgtdi.sys
- 2006-05-03 00:19:30 49,248 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-24 22:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2006-05-03 00:19:40 53,346 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-24 22:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2006-05-03 01:56:58 127,078 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-24 23:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2005-05-24 12:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 15:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 15:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-02 16:47]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2005-02-24 06:32 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 15:39]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 14:34 C:\WINDOWS\SOUNDMAN.EXE]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-27 21:27]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-03-30 15:42]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-03 23:56]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" []
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-27 21:27]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-07-04 20:21:03]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-05-11 02:06 40048 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
2007-06-15 23:15 366400 --a------ C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 01:11 132496 --a------ C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-08-02 16:47 68856 --a------ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

S3 sscdbus;SAMSUNG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\sscdbus.sys
S3 sscdmdfl;SAMSUNG CDMA Modem Filter;C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys
S3 sscdmdm;SAMSUNG CDMA Modem Drivers;C:\WINDOWS\system32\DRIVERS\sscdmdm.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53799ac8-7fe3-11db-9200-0015f249bfbe}]
\Shell\AutoRun\command - G:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-21 11:00:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-04 18:27:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-04 18:28:04
C:\ComboFix2.txt ... 2007-12-03 23:29
C:\ComboFix3.txt ... 2007-12-03 23:00
.
--- E O F ---



HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:32:44, on 04/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Ron\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe

--
End of file - 5049 bytes

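As an added example (not part of this thread, nor code from ComboFix or HijackThis), a small Python triage helper for logs like the two posted above: it parses the deletion sections of a ComboFix log, collapses the `At<N>.job` scheduled-task files into numeric ranges so the size of the burst and any gaps are visible at a glance, and extracts the O4 registry autorun entries from a HijackThis log. The sample log texts inside the block are constructed from entries quoted in this post.

```python
"""Triage helpers for the ComboFix and HijackThis logs quoted in this thread.

Added example: not part of the thread, of ComboFix or of HijackThis.  The
sample log texts are constructed from entries quoted in the post above.
"""
import re

# ComboFix lists deleted paths as bare lines under "FILE" (the echo of the
# CFScript File:: section) or under a banner such as "(((( Other Deletions ))))".
_PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$")
_BANNER_RE = re.compile(r"^\(+\s*(?P<name>.+?)\s*\)+$")
# Task files created through at.exe are named At<N>.job in C:\WINDOWS\Tasks.
_AT_JOB_RE = re.compile(r"\\Tasks\\At(?P<n>\d+)\.job$", re.IGNORECASE)
# HijackThis registry autorun lines: "O4 - HKLM\..\Run: [name] command".
_O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")


def parse_combofix_deletions(text):
    """Return {section: [paths]} for every bare path listed under a section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        banner = _BANNER_RE.match(line)
        if banner:
            current = banner.group("name")
            sections.setdefault(current, [])
        elif line == "FILE":
            current = "FILE"
            sections.setdefault(current, [])
        elif current and _PATH_RE.match(line):
            sections[current].append(line)
    return sections


def at_job_summary(paths):
    """Count At<N>.job files, collapse them into numeric ranges, keep the rest.

    Dozens of numbered At jobs are the scheduled-task persistence seen in
    this log; contiguous ranges show how many were created in one go and
    gaps (here 25-48) show numbers that an earlier clean-up already removed.
    """
    numbers, other = set(), []
    for path in paths:
        m = _AT_JOB_RE.search(path)
        if m:
            numbers.add(int(m.group("n")))
        else:
            other.append(path)
    ranges = []
    for n in sorted(numbers):
        if ranges and n == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], n)
        else:
            ranges.append((n, n))
    return {"count": len(numbers), "ranges": ranges, "other": other}


def hjt_autoruns(text):
    """Return (name, hive, command) for each O4 registry Run entry in a HJT log."""
    entries = []
    for raw in text.splitlines():
        m = _O4_RE.match(raw.strip())
        if m:
            entries.append((m.group("name"), m.group("hive"), m.group("cmd").strip()))
    return entries


def constructed_combofix_log():
    """Constructed log text mirroring the deletion sections quoted above."""
    jobs = [f"C:\\WINDOWS\\Tasks\\At{n}.job"
            for n in list(range(1, 25)) + list(range(49, 73))]
    lines = ["FILE", "C:\\WINDOWS\\byyvwx.dll", *jobs, ".", "",
             "((((((((((((( Other Deletions )))))))))))))", ".", "",
             "C:\\WINDOWS\\jknradee.sys", *jobs, "", "."]
    return "\n".join(lines)


# Constructed from O4 lines quoted in the HijackThis log above.
CONSTRUCTED_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""


if __name__ == "__main__":
    sections = parse_combofix_deletions(constructed_combofix_log())
    for name, paths in sections.items():
        print(name, at_job_summary(paths))
    for name, hive, cmd in hjt_autoruns(CONSTRUCTED_HJT):
        print(f"{hive:<24} {name:<14} {cmd}")
```

Point `parse_combofix_deletions` at a real ComboFix.txt to get the same range summary for the machine being cleaned; the `other` list is what remains after the task files are accounted for.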
#6 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 04 December 2007 - 05:15 PM

Hello Adam PV :thumbsup:

Please follow the steps below exactly in the order they are written:

Step #1

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
Note: If you don't have HijackThis installed on your computer, DSS will prompt you to download and install it for you; please allow this to happen!


Step #2

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
  • Allow the Active X control to be installed on your computer, then click the Accept button
  • Click Full System Scan and allow the components to download and the scan to complete.
  • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
  • When the cleaning option is presented, Uncheck Submit samples to F-Secure
  • Click Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
Notes:
  • This scan will only work with Internet Explorer
  • You must have administrator rights to run this scan
  • This scan can take several hours, so please be patient


Please post back with the F-Secure report and the contents of the DSS reports main.txt and extra.txt. Let me know how the computer is running.

Regards,
SNOWHITE

#7 Adam PV

Adam PV
  • Topic Starter

  • Members
  • 5 posts

Posted 04 December 2007 - 07:29 PM

Deckard's System Scanner v20071014.68
Run by Ron on 2007-12-04 23:00:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 3 Restore Point(s) --
3: 2007-12-04 23:01:09 UTC - RP3 - Deckard's System Scanner Restore Point
2: 2007-12-04 18:24:41 UTC - RP2 - ComboFix created restore point
1: 2007-12-03 20:50:21 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Ron.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:01:49, on 04/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\Ron\Desktop\dss.exe
C:\DOCUME~1\Ron\Desktop\Ron.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe

--
End of file - 5164 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Imagedrv - c:\windows\system32\drivers\imagedrv.sys <Not Verified; Ahead Software AG and its licensors; NERO IMAGEDRIVE>

S3 catchme - c:\docume~1\ron\locals~1\temp\catchme.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 ServiceLayer - "c:\program files\common files\pcsuite\services\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\ATK0110\1010110
Manufacturer: ATK
Name:
PNP Device ID: ACPI\ATK0110\1010110
Service:


-- Scheduled Tasks -------------------------------------------------------------

2007-11-21 11:00:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-11-04 and 2007-12-04 -----------------------------

2007-12-03 22:56:52 0 dr-h----- C:\Documents and Settings\Ron\Recent
2007-12-03 19:48:10 0 dr-h----- C:\Documents and Settings\Adam\Recent
2007-12-03 19:12:07 0 d-------- C:\Program Files\Yahoo!
2007-12-03 19:12:00 0 d-------- C:\Program Files\CCleaner
2007-12-03 18:58:24 0 d-------- C:\Documents and Settings\Adam\Application Data\SiteAdvisor
2007-12-03 18:36:41 0 d-------- C:\Documents and Settings\Adam\Application Data\AVG7
2007-12-01 12:18:39 0 d-------- C:\Documents and Settings\LocalService\Desktop
2007-12-01 12:18:39 0 d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-12-01 12:18:33 0 d-------- C:\Program Files\SiteAdvisor
2007-12-01 12:18:09 0 d-------- C:\Documents and Settings\Ron\Application Data\SiteAdvisor
2007-12-01 12:18:09 0 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-12-01 12:18:09 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-29 11:04:14 0 d-------- C:\Program Files\Enigma Software Group
2007-11-27 22:03:35 0 dr-h----- C:\$VAULT$.AVG
2007-11-27 21:28:26 0 d-------- C:\Documents and Settings\Ron\Application Data\AVG7
2007-11-27 21:28:14 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-27 21:27:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-27 21:27:37 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-11-26 22:33:01 0 d-------- C:\kav
2007-11-26 21:14:14 0 d-------- C:\Program Files\Common Files\Java
2007-11-26 21:13:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-26 21:13:34 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-26 18:42:29 0 d-------- C:\VundoFix Backups
2007-11-10 12:26:22 0 d-------- C:\Documents and Settings\Ron\Application Data\PlayFirst
2007-11-10 12:26:22 0 d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2007-11-10 12:04:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Zylom


-- Find3M Report ---------------------------------------------------------------

2007-11-27 20:10:24 0 d-------- C:\Program Files\Microsoft IntelliPoint
2007-11-27 20:10:04 0 d-------- C:\Program Files\Google
2007-11-26 22:36:12 0 d-------- C:\Documents and Settings\Ron\Application Data\HouseCall 6.6
2007-11-26 21:15:28 0 d-------- C:\Program Files\Java
2007-11-26 21:14:14 0 d-------- C:\Program Files\Common Files
2007-09-09 10:04:16 3011 --a------ C:\Documents and Settings\Ron\Application Data\NMM-MetaData.db


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [03/08/2004 23:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [24/02/2005 06:32 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [03/08/2004 23:56 C:\WINDOWS\system32\rundll32.exe]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [04/12/2005 15:39]
"SoundMan"="SOUNDMAN.EXE" [15/08/2003 14:34 C:\WINDOWS\SOUNDMAN.EXE]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [27/11/2007 21:27]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [30/03/2007 15:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [02/08/2007 16:47]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [04/07/2006 20:21:03]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 00:01:04]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53799ac8-7fe3-11db-9200-0015f249bfbe}]
AutoRun\command- G:\LaunchU3.exe




-- End of Deckard's System Scanner: finished at 2007-12-04 23:02:20 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Sempron™ Processor 2800+
Percentage of Memory in Use: 53%
Physical Memory (total/avail): 511.3 MiB / 240.05 MiB
Pagefile Memory (total/avail): 862.32 MiB / 607.18 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1947.52 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 19.07 GiB total, 6.44 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Maxtor 2B020H1 - 19.08 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 19.07 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

AV: AVG 7.5.503 v7.5.503 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Ron\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_07\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=RON-ZSQ2Z7UFH2Z
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Ron
LOGONSERVER=\\RON-ZSQ2Z7UFH2Z
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 44 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2c02
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_07\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Ron\LOCALS~1\Temp
TMP=C:\DOCUME~1\Ron\LOCALS~1\Temp
USERDOMAIN=RON-ZSQ2Z7UFH2Z
USERNAME=Ron
USERPROFILE=C:\Documents and Settings\Ron
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Ron (admin)
Adam (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Ahead Nero Burning ROM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Apple Software Update --> MsiExec.exe /I{55FA89BD-21D3-42F7-9249-C94C0094A83C}
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
AVG Anti-Rootkit Free --> C:\Program Files\GRISOFT\AVG Anti-Rootkit Free\Uninstall.exe
AVIcodec (remove only) --> "C:\Program Files\AVIcodec\uninst.exe"
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Dr. DivX 1.0 --> C:\WINDOWS\unvise32.exe C:\Program Files\DivX\Dr.DivX.log
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
FUJIFILM USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5490882C-6961-11D5-BAE5-00E0188E010B}\Setup.exe"
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google Toolbar for Firefox --> MsiExec.exe /X{2CCBABCB-6427-4A55-B091-49864623C43F}
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Google Updater --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
HijackThis 2.0.2 --> "C:\Documents and Settings\Adam\Desktop\HijackThis.exe" /uninstall
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
McAfee SiteAdvisor --> C:\Program Files\SiteAdvisor\6172\uninstall.exe
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Nokia Connectivity Cable Driver --> MsiExec.exe /X{E4DD8B33-6F9B-41C5-96FF-5DBF27ED23E7}
Nokia PC Connectivity Solution --> MsiExec.exe /I{588AA47B-9115-44D3-B2E5-4F10BC659D6C}
Nokia PC Suite --> MsiExec.exe /I{77296E63-8C19-462B-ABA1-F510750A8C51}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
QuickTime --> MsiExec.exe /I{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8}
Real Alternative 1.50 --> "C:\Program Files\Real Alternative\unins000.exe"
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Samsung PC Studio 2.1 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\8\INTEL3~1\IDriver.exe /M{D48C9BFC-FBCF-4F29-B97D-822ED6D497FE} /l1033
Samsung USB Driver (MCCI 4.24) --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{77F09242-A107-4CB6-A295-D8656C2C3795}
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Windows Driver Package - Nokia Modem (04/06/2006 6.8.0.17) --> C:\PROGRA~1\DIFX\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokbtmdm_7F91C37896B530901B0665F9EF32E19FF06F5687\nokbtmdm.inf
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
XviD MPEG-4 Codec --> "C:\Program Files\XviD\UninstXviD.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type7684 / Error
Event Submitted/Written: 12/03/2007 06:59:22 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type7527 / Error
Event Submitted/Written: 11/27/2007 08:59:23 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application FRONTPG.EXE, version 10.0.2623.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type7405 / Error
Event Submitted/Written: 11/19/2007 02:28:36 PM
Event ID/Source: 11 / crypt32
Event Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Event Record #/Type7404 / Error
Event Submitted/Written: 11/19/2007 02:28:36 PM
Event ID/Source: 11 / crypt32
Event Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type17898 / Error
Event Submitted/Written: 12/04/2007 11:02:03 PM
Event ID/Source: 59 / SideBySide
Event Description:
Generate Activation Context failed for C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll.
Reference error message: The operation completed successfully.
.

Event Record #/Type17897 / Error
Event Submitted/Written: 12/04/2007 11:02:03 PM
Event ID/Source: 59 / SideBySide
Event Description:
Resolve Partial Assembly failed for Microsoft.VC80.CRT.
Reference error message: The referenced assembly is not installed on your system.
.

Event Record #/Type17896 / Error
Event Submitted/Written: 12/04/2007 11:02:03 PM
Event ID/Source: 32 / SideBySide
Event Description:
Dependent Assembly Microsoft.VC80.CRT could not be found and Last Error was The referenced assembly is not installed on your system.

Event Record #/Type17895 / Error
Event Submitted/Written: 12/04/2007 11:00:43 PM
Event ID/Source: 59 / SideBySide
Event Description:
Generate Activation Context failed for C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll.
Reference error message: The operation completed successfully.
.

Event Record #/Type17894 / Error
Event Submitted/Written: 12/04/2007 11:00:43 PM
Event ID/Source: 59 / SideBySide
Event Description:
Resolve Partial Assembly failed for Microsoft.VC80.CRT.
Reference error message: The referenced assembly is not installed on your system.
.



-- End of Deckard's System Scanner: finished at 2007-12-04 23:02:20 ------------

Scanning Report
Tuesday, December 04, 2007 23:10:21 - 00:24:52
Computer name: RON-ZSQ2Z7UFH2Z
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\


--------------------------------------------------------------------------------

Result: 13 malware found
Malware.BFWT (virus)
C:\DOCUMENTS AND SETTINGS\RON\LOCAL SETTINGS\TEMPMBROIT.EXE (Submitted)
Malware.BFWU (virus)
C:\PROGRAM FILES\COMMON FILES\SYSTEM\SVCHOST.EXE (Submitted)
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
System
System
System
System
System
Vundo.gen38 (virus)
C:\WINDOWS\XWVYYB.INI (Submitted)
C:\WINDOWS\YCFFII.INI (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 25109
System: 3571
Not scanned: 2
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
None: 12
Submitted: 4
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

The PC took a huge step forwards after my previous post. Now it seems slightly better again. I suspect it's back up to its original speed, so thank you very much for all your help, it's very much appreciated :thumbsup:

Adam PV

#8 SNOWHITE


    missy malware magnet


  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 05 December 2007 - 06:02 PM

Hello Adam PV, looks much better but we still have some job to do.

Please follow the steps below exactly in the order they are written:

Step #1

Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\DOCUMENTS AND SETTINGS\RON\LOCAL SETTINGS\TEMPMBROIT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYSTEM\SVCHOST.EXE
    C:\WINDOWS\XWVYYB.INI
    C:\WINDOWS\YCFFII.INI


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Step #2


Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:
If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Step #3

You are using an outdated version of Spybot - Search & Destroy 1.4, therefore I suggest uninstalling it and installing the latest version.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

Spybot - Search & Destroy 1.4

Please note any other programs that you don't recognize in that list in your next response.


You can download the latest version (Spybot - Search & Destroy 1.5.1) at the following link : http://www.safer-networking.org/en/download/index.html

Step #4

Please download ATF Cleaner by Atribune.
  • This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use Firefox browser, click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser, click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Step #5

Please do an online scan with Kaspersky WebScanner

NOTE: This Scanner will work with Internet Explorer Only!


Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report As... button:
  • Under Save as type select Text file write name for the file and save it to your Desktop.
  • Locate the file at the Desktop, open it, then copy and paste that information in your next post.
Please post back with OTMoveIt report, new HijackThis log and Kaspersky report.

Regards,
SNOWHITE
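The file list in Step #1 above was read by hand off the scan report in the previous post: every flagged path with an action other than Disinfected becomes a line for OTMoveIt, while the "System" rows under Tracking Cookie are not files at all. As an added example (not part of this thread and not a tool from any vendor named here), the Python below parses that report format and produces the same list; the sample report is constructed from the lines posted above, and the regular expressions are this example's own assumptions about the format.

```python
import re
from dataclasses import dataclass

# Constructed sample, copied in shape from the scan report posted in the thread.
SAMPLE_REPORT = r"""Result: 13 malware found
Malware.BFWT (virus)
C:\DOCUMENTS AND SETTINGS\RON\LOCAL SETTINGS\TEMPMBROIT.EXE (Submitted)
Malware.BFWU (virus)
C:\PROGRAM FILES\COMMON FILES\SYSTEM\SVCHOST.EXE (Submitted)
Tracking Cookie (spyware)
System (Disinfected)
System
System
Vundo.gen38 (virus)
C:\WINDOWS\XWVYYB.INI (Submitted)
C:\WINDOWS\YCFFII.INI (Submitted)
--------------------------------------------------------------------------------
"""


@dataclass
class Detection:
    name: str      # detection name, e.g. "Vundo.gen38"
    kind: str      # category in parentheses, e.g. "virus" or "spyware"
    location: str  # file path, or "System" for non-file items such as cookies
    action: str    # "Submitted", "Disinfected", ... or "None" when absent


# A header is "<name> (<lowercase kind>)"; item actions are capitalised, so they
# do not match this pattern (assumed format, taken from the posted report).
HEADER_RE = re.compile(r"^(?P<name>.+?) \((?P<kind>[a-z]+)\)$")
ITEM_RE = re.compile(r"^(?P<loc>.+?)(?: \((?P<action>[A-Za-z]+)\))?$")
DRIVE_PATH_RE = re.compile(r"^[A-Z]:\\", re.IGNORECASE)


def parse_report(text):
    """Group each location line under the detection header above it."""
    detections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Result:", "-")):
            continue
        m = HEADER_RE.match(line)
        if m and not DRIVE_PATH_RE.match(line):
            current = (m.group("name"), m.group("kind"))
            continue
        if current is None:
            continue  # item before any header: malformed, skip it
        m = ITEM_RE.match(line)
        detections.append(Detection(current[0], current[1],
                                    m.group("loc"), m.group("action") or "None"))
    return detections


def files_to_move(detections):
    """Real file paths whose action was not Disinfected: still on disk."""
    return [d.location for d in detections
            if DRIVE_PATH_RE.match(d.location) and d.action != "Disinfected"]


def count_by_kind(detections):
    """Detections per category, e.g. {'virus': 4, 'spyware': 3}."""
    counts = {}
    for d in detections:
        counts[d.kind] = counts.get(d.kind, 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(count_by_kind(found))
    for path in files_to_move(found):
        print(path)
```

Running the script prints the four paths that appear in the OTMoveIt list above and leaves out the three cookie rows, which is the distinction a helper makes before telling someone what to move.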

#9 Adam PV

  • Topic Starter

  • Members
  • 5 posts

Posted 09 December 2007 - 01:37 PM

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, December 09, 2007 6:32:05 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/12/2007
Kaspersky Anti-Virus database records: 477706
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 33280
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:47:21

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Ron\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ron\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ron\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ron\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ron\Local Settings\History\History.IE5\MSHist012007120920071210\index.dat Object is locked skipped
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ron\ntuser.dat Object is locked skipped
C:\Documents and Settings\Ron\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{EB0D845A-86E9-48DD-BAC5-726E30FDA032}\RP10\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\RON-ZSQ2Z7UFH2Z.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_6f0.dat Object is locked skipped
C:\WINDOWS\TEMP\ZLT01862.TMP Object is locked skipped
C:\WINDOWS\TEMP\ZLT01865.TMP Object is locked skipped
C:\WINDOWS\TEMP\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Moveit log:

C:\DOCUMENTS AND SETTINGS\RON\LOCAL SETTINGS\TEMPMBROIT.EXE moved successfully.
C:\PROGRAM FILES\COMMON FILES\SYSTEM\SVCHOST.EXE moved successfully.
C:\WINDOWS\XWVYYB.INI moved successfully.
C:\WINDOWS\YCFFII.INI moved successfully.

Created on 12/09/2007 17:27:51

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:32:58, on 09/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\2ZHF4ILJ\spybotsd15[1].exe
C:\DOCUME~1\Ron\LOCALS~1\Temp\is-D7PKO.tmp\is-07GGL.tmp
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4669 bytes
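Reading a HijackThis log like the one above means scanning for a few recurring signals: registry entries that point at a file that no longer exists (the O3 toolbar with "(no file)"), processes running from temporary directories (here the Spybot installer and its unpacked helper, which are benign but always worth a look), and Run entries that name a bare executable with no directory, so Windows resolves it from PATH. As an added example (not from this thread, HijackThis or Trend Micro), the Python below applies those three checks to a constructed sample built from the log's own lines; the section and entry patterns are this example's assumptions about the log format.

```python
import re

# Constructed sample lines, in the shape of the HijackThis 2.0.2 log above.
SAMPLE_HJT_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\2ZHF4ILJ\spybotsd15[1].exe
C:\DOCUME~1\Ron\LOCALS~1\Temp\is-D7PKO.tmp\is-07GGL.tmp
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Directories where a persistent program has no business living (assumed list).
TEMP_DIR_RE = re.compile(r"\\(Temp|Temporary Internet Files)\\", re.IGNORECASE)
# "O4 - <body>": a section code, a dash, then the entry body.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O4 body: "<hive>\..\Run: [<value name>] <command line>".
O4_RE = re.compile(r"^(?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def first_token(cmd):
    """Executable portion of a Run command, honouring a leading quoted path."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_hjt(text):
    """Return (section, reason, line) for every entry worth a second look."""
    findings = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            in_procs = False  # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if TEMP_DIR_RE.search(line):
                findings.append(("process",
                                 "executable running from a temporary directory", line))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code in ("O2", "O3") and body.endswith("(no file)"):
            findings.append((code,
                             "registry entry points to a file that no longer exists", line))
        elif code == "O4":
            m4 = O4_RE.match(body)
            if not m4:
                continue
            exe = first_token(m4.group("cmd"))
            if "\\" not in exe:
                findings.append((code,
                                 "startup command has no directory; it is resolved from PATH", line))
            elif TEMP_DIR_RE.search(exe):
                findings.append((code,
                                 "startup command runs from a temporary directory", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage_hjt(SAMPLE_HJT_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

The findings are prompts for review, not verdicts: the two temporary-directory processes in the sample are the Spybot 1.5 installer from Step #3, and SOUNDMAN.EXE is a Realtek audio tray program that ships in the Windows directory. The point is to surface the same entries a helper would look at, with the reason attached, so the follow-up question is "is this expected?" rather than "what did I miss?".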

#10 SNOWHITE


    missy malware magnet


  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 09 December 2007 - 11:45 PM

Hello Adam PV, your logs are looking good :blink:

Double click OTMoveIt once again and you should see a CleanUp! button. Press that button; you may get a prompt from your firewall that OTMoveIt is trying to contact the internet, allow this. A cleanup.txt will be downloaded and a message dialog will ask you if you want to proceed with the cleanup process; click Yes.

NOTE: This will remove some of the tools we used so far, including OTMoveIt.


You can fix the next entry with HijackThis, it is just a registry leftover of an uninstalled program:

Re-open HiJackThis and click on "Do a system scan only". Check the boxes next to all the entries listed below.

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.


I will keep your thread open for a couple of days; if the malware problem reappears, feel free to post here. Please take time to read my recommendations below, and also follow steps 1 - 7.

Should you have any questions, please feel free to ask. ;)
1. Click start then run, type prefetch then press enter, click edit then select all, (all files will highlight), right click any file, click delete, confirm.

2. Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK

3. Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.

4. Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.

5. DISABLE THE VIEWING OF SYSTEM FILES
   From Windows Explorer, go to Tools > Folder Options > View tab.
  • Untick - Show hidden files and folders
  • Tick - Hide file extensions for known types
  • Tick - Hide protected operating system files
   Click Yes to confirm & then click OK

6. CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
   Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
  • Tick the checkbox - Turn off System Restore on all drives
  • Click Apply
   Turn it back 'On' by unticking the same checkbox & click OK

7. SECURING INTERNET EXPLORER
   From within Internet Explorer click on the Tools menu and then click on Internet Options.
  • Select the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Select Custom Level.
  • Change 'Download signed ActiveX controls' to Prompt
  • Change 'Download unsigned ActiveX controls' to Disable
  • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
  • Change 'Installation of desktop items' to Prompt
  • Change 'Launching programs and files in an IFRAME' to Prompt
  • Change 'Navigate sub-frames across different domains' to Prompt
  • When all these changes have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Select OK to exit the Internet Properties page.

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Secunia Software Inspector
Check for other vulnerable programs running on your PC that are in need of an update.
http://secunia.com/software_inspector
Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see this link:
Understanding and Using Firewalls



SPYWAREBLASTER
SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here:
http://www.bleepingcomputer.com/forums/tutorial49.html


IE-SPYAD
IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc.) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here:
http://www.spywarewarrior.com/uiuc/resource.htm


COMODO BOClean
BOClean runs automatically in the background without interfering with your work and kills malware INSTANTLY the moment it activates, without giving it the chance to invade your machine. A tutorial on installing this product can be found here:
http://www.comodo.com/boclean/boclean.html


WINPATROL
Download and install the free version of Winpatrol. A tutorial for this product is located here:
http://www.winpatrol.com/features.html

A-SQUARED Anti-Dialer
This is a free program that provides defense against Dialers, scans the hard disk and provides a permanent background guard against new Dialer infections.

"Dialers are small programs that change the Internet access number of a modem-equipped computer to a much more expensive number"

To understand this threat better read this article The Dialer-Problem in Detail. a-squared Anti-Dialer can be downloaded at the following link:
http://download5.emsisoft.com/a2AntiDialerSetup.exe

A-SQUARED Free
This program is completely free of charge for private use, it removes infections of Trojans, Spyware, Adware, Worms, Keyloggers, Rootkits, Dialers and other malicious programs. It can be downloaded at the following link:
http://www.emsisoft.com/en/software/free

SUPERAntiSpyware Home Edition
Another effective program for helping remove some of the more difficult infections.
http://www.superantispyware.com/downloadfile.html
  • More Secure Browser - Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox and Opera.
  • Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.

See these links for more information:

Foistware & How To Avoid It
Browser Hijacking & How to Stop It
Rogue/Suspect Anti-Spyware Products & Web Sites
So how did I get infected in the first place?

Stand Up and Be Counted: where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Happy surfing and stay clean! :thumbsup:


Best regards,
SNOWHITE
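As an added example (not part of SNOWHITE's post, and not a BleepingComputer or vendor tool): the Custom Level settings listed in the post are stored as DWORD values under the Internet zone key of the current user's registry, so the same checklist can be audited, and if wanted applied, with a script instead of clicking through the dialog. The function name, the hashtable and the -Fix switch are my own; the registry path and the numeric value IDs follow Microsoft's published security-zone registry reference, where data 0 means Enable, 1 means Prompt and 3 means Disable.

```powershell
# Added example: audit the Internet-zone Custom Level settings recommended in
# the post by reading the registry values behind the dialog. Reports only,
# unless -Fix is given.
#
# Zone 3 = Internet zone. Value names are Microsoft's documented zone action
# IDs (see the Internet Explorer security-zone registry reference).
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Hypothetical table built for this example: action ID, dialog label, wanted value.
$Recommended = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                          Want = 1 },
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                        Want = 3 },
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 },
    @{ Id = '1800'; Name = 'Installation of desktop items';                             Want = 1 },
    @{ Id = '1804'; Name = 'Launching programs and files in an IFRAME';                 Want = 1 },
    @{ Id = '1607'; Name = 'Navigate sub-frames across different domains';              Want = 1 }
)

# Meaning of the DWORD data for these zone actions.
$Label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-InternetZoneSettings {
    param([switch]$Fix)

    if (-not (Test-Path $ZonePath)) {
        throw "Internet zone key not found: $ZonePath"
    }

    foreach ($s in $Recommended) {
        # A missing value means the zone's default for that action applies.
        $current = (Get-ItemProperty -Path $ZonePath -Name $s.Id -ErrorAction SilentlyContinue).($s.Id)

        $curLabel = if ($null -eq $current) { '(not set)' }
                    elseif ($Label.ContainsKey([int]$current)) { $Label[[int]$current] }
                    else { "unknown ($current)" }

        $ok = ($current -eq $s.Want)

        # Emit one row per setting; with -Fix this shows the state before the change.
        [pscustomobject]@{
            Setting     = $s.Name
            Current     = $curLabel
            Recommended = $Label[$s.Want]
            Compliant   = $ok
        }

        if ($Fix -and -not $ok) {
            Set-ItemProperty -Path $ZonePath -Name $s.Id -Value $s.Want -Type DWord
        }
    }
}

# Report only:
Test-InternetZoneSettings | Format-Table -AutoSize

# Apply the recommended values (same effect as the Custom Level clicks in the post):
# Test-InternetZoneSettings -Fix | Format-Table -AutoSize
```

Two things to keep in mind when using this: after values are changed directly, the Security tab shows the Internet zone as "Custom", exactly as it does after the manual procedure; and if the machine is managed by Group Policy with "Security Zones: Use only machine settings" enabled, the effective values live under the HKLM copy of the same path, and the HKCU values this script reads and writes are ignored.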

#11 SNOWHITE

    missy malware magnet

  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:02:39 AM

Posted 15 December 2007 - 08:34 PM

As the problem here seems to be resolved this topic is now closed.
To get it reopened PM a staff member with the address of this thread.
This applies to the topic starter only; everyone else with similar problems should start a new topic.

Glad we could help :thumbsup:
SNOWHITE