Adware.agent.bn,adware.media


11 replies to this topic

#1 tartansapper
Posted 08 December 2007 - 07:22 PM

I have recently been infected with some adware that I'm finding hard to remove. I have Spyware Doctor and Spyware Detector on my system, which I have used to scan and remove the adware, but every time I restart the problem seems to be back. I also keep getting a pop-up message from Spyware Doctor telling me it has prevented an application from attempting to close a file. The path is C:\windows\search_res.txt, the threat given is Adware.Admedia and the risk is High. I have also started to get a blue screen flickering occasionally, which wasn't happening before.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:13:41 AM, on 12/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0seenus/saos01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: OFK System - {CD592DBF-7138-4805-A93B-B9491B6E53FC} - C:\WINDOWS\vipextmdx.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [EPSON Stylus DX6000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIE.EXE /FU "C:\WINDOWS\TEMP\E_S8E.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [EPSON Stylus DX6000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIE.EXE /FU "C:\DOCUME~1\Owner\LOCALS~1\Temp\E_S12.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk/
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

--
End of file - 9327 bytes

Edited by tartansapper, 08 December 2007 - 07:48 PM.
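The log above is the kind of thing the helpers in this forum read by eye: a BHO with "(no name)" whose DLL is "(no file)", a BHO called "OFK System" loading vipextmdx.dll straight out of C:\WINDOWS, and a Run value that is a bare filename. The script below is an added example (not code from the post or from HijackThis) that parses the `Rn`/`On` line formats of a v2 log and applies a few triage heuristics of its own. The sample lines are copied from the log above; the rules, the `Entry`/`Finding` records and the regexes are this example's assumptions about the format, not anything HijackThis reports itself. A hit is a reason to check the file on disk (location, signer, hash), not a verdict: the bare-filename rule, for instance, also fires on Windows XP's own SysTray.Exe.

```python
"""Triage a HijackThis v2 log for autostart entries worth a second look.

Added example: this is not code from the forum post or from HijackThis.
The sample below is a handful of lines copied from the log above; the
triage rules are this example's own heuristics, not HijackThis output.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines taken verbatim from the HijackThis log above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: OFK System - {CD592DBF-7138-4805-A93B-B9491B6E53FC} - C:\WINDOWS\vipextmdx.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
"""


@dataclass
class Entry:
    code: str   # HijackThis section code: R1, O2, O4, O23, ...
    name: str   # BHO name, Run value name, service name or registry value name
    path: str   # file or command the entry loads ("" when not a file entry)
    raw: str    # the original log line


@dataclass
class Finding:
    entry: Entry
    reason: str


LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
O2_RE = re.compile(r"^BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
R_RE = re.compile(r"^(?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)"?', re.IGNORECASE)
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")
# A DLL dropped straight into the Windows directory root, e.g. C:\WINDOWS\x.dll
WINDIR_ROOT_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.dll$", re.IGNORECASE)


def _exe_from_command(cmd: str) -> str:
    """Return the executable part of a Run-key command line, quotes stripped."""
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else cmd.split()[0]


def parse(log_text: str) -> List[Entry]:
    """Turn the 'Rn/On - ...' lines of a HijackThis log into Entry records."""
    entries: List[Entry] = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if not m:
            continue  # header, process list and blank lines carry no entry
        code, body = m.group("code"), m.group("body")
        name, path = body, ""
        if code == "O2" and (m2 := O2_RE.match(body)):
            name, path = m2.group("name"), m2.group("path").strip()
        elif code == "O4" and (m2 := O4_RE.match(body)):
            name, path = m2.group("name"), _exe_from_command(m2.group("cmd"))
        elif code == "O23" and (m2 := O23_RE.match(body)):
            name, path = m2.group("name"), m2.group("path").strip()
        elif code.startswith("R") and (m2 := R_RE.match(body)):
            name, path = m2.group("value").strip(), m2.group("data").strip()
        entries.append(Entry(code, name, path, raw))
    return entries


def triage(log_text: str) -> List[Finding]:
    """Apply this example's heuristics; a hit means 'look closer', not 'malicious'."""
    findings: List[Finding] = []
    for e in parse(log_text):
        if e.path == "(no file)":
            findings.append(Finding(e, "loader points at a file that no longer exists (orphaned entry)"))
        if e.code == "O2" and e.name == "(no name)":
            findings.append(Finding(e, "BHO registered without a name"))
        if e.code == "O2" and WINDIR_ROOT_RE.match(e.path):
            findings.append(Finding(e, "BHO DLL sits directly in %WINDIR% rather than under Program Files"))
        if e.code == "O4" and e.path and not DRIVE_RE.match(e.path):
            findings.append(Finding(e, "Run value is a bare filename resolved via the search path; verify what it resolves to"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry.code:<4}{f.entry.name:<24}{f.entry.path or '-'}")
        print(f"    -> {f.reason}")
```

Run against the sample, the script flags the unnamed/orphaned BHO twice, the vipextmdx.dll BHO once and the SysTray.Exe Run value once, and leaves the Adobe, ZoneAlarm, Yahoo and ProxyOverride lines alone. Feeding it a whole log (`triage(open("hijackthis.log").read())`) gives a short list to check by hand before anyone reaches for a fix.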


#2 RichieUK (Malware Response Team)
Posted 09 December 2007 - 10:06 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum tartansapper
My name is Richie and I'll be helping you to fix your problems.

Please download/install Avira AntiVir Personal Edition Classic [Free]:
http://www.free-av.com/
Perform a full scan with Avira and allow it to delete everything it detects.
Restart your PC when you're done.
After restart, open Avira Antivirus and select "Reports".
Then double click the report from the full scan you have just completed.
Click the "Report File" button, then copy and paste the report into your next reply.


Download SmitfraudFix (by S!Ri) to your desktop.
Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Double click on Smitfraudfix.cmd
Select #2 and hit Enter to delete the infected files.
You will be prompted: 'Do you want to clean the registry?' answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): 'Replace infected file ?' answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process.
The report can be found at the root of the system drive, usually at C:\rapport.txt
Post the Smitfraudfix report into your next reply.


If you have previously downloaded ComboFix, please delete that version now.
Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.
Using this tool incorrectly could render your system/PC inoperable.

Now download Combofix and save to your desktop:
Note
It is important that it is saved directly to your desktop

Close any open browsers.
Disconnect from the Internet.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.

#3 tartansapper (Topic Starter)
Posted 09 December 2007 - 03:27 PM

Hiya Ritchie,

Tried following your instructions in your post but have come across a problem while trying to get the computer to boot up in safe mode. The F8 key just takes me to a first boot menu which really isn't any use. I tried the other keys and found that F5 took me to an advanced Windows options menu where safe mode and others were listed, but it just froze on that page and wouldn't let me move the cursor to the option I required. Not really sure where to go from here; I've been looking in the forums here to try and find an answer but as of yet I haven't found anything. Hope you can help,

Jim

#4 tartansapper (Topic Starter)
Posted 09 December 2007 - 05:02 PM

Hi Again Ritchie,

I think I've just about managed to do all you asked in your last post, so here are all the results.

Avira AntiVir report:

AntiVir PersonalEdition Classic
Report file date: Sunday, December 09, 2007 16:37

Scanning for 963523 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: O8E0R7

Version information:
BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 8/23/2007 14:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 8/16/2007 13:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 8/14/2007 16:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 8/21/2007 13:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 16:36:18
ANTIVIR1.VDF : 7.0.0.0 1640448 Bytes 9/13/2007 16:36:18
ANTIVIR2.VDF : 7.0.1.30 1575424 Bytes 11/30/2007 16:36:18
ANTIVIR3.VDF : 7.0.1.60 112128 Bytes 12/7/2007 16:36:18
AVEWIN32.DLL : 7.6.0.40 3064320 Bytes 12/9/2007 16:36:19
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 11:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 7/18/2007 08:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 14:16:24
AVPACK32.DLL : 7.3.0.15 360488 Bytes 8/3/2007 09:46:00
AVREG.DLL : 7.0.1.6 30760 Bytes 7/18/2007 08:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 8/28/2007 13:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 7/18/2007 08:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 12:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 8/7/2007 13:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 8/21/2007 13:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 7/23/2007 10:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: H:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Sunday, December 09, 2007 16:37

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'WLLoginProxy.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'BTHelp.exe' - '1' Module(s) have been scanned
Scan process 'MOTIVE~1.EXE' - '1' Module(s) have been scanned
Scan process 'NclRSSrv.exe' - '1' Module(s) have been scanned
Scan process 'NclUSBSrv.exe' - '1' Module(s) have been scanned
Scan process 'ServiceLayer.exe' - '1' Module(s) have been scanned
Scan process 'mpbtn.exe' - '1' Module(s) have been scanned
Scan process 'PCSuite.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'CTDetect.exe' - '1' Module(s) have been scanned
Scan process 'ycommon.exe' - '1' Module(s) have been scanned
Scan process 'zlclient.exe' - '0' Module(s) have been scanned
Scan process 'SDSystemTray.exe' - '1' Module(s) have been scanned
Scan process 'BTHelpNotifier.exe' - '1' Module(s) have been scanned
Scan process 'NSLauncher.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'ipoint.exe' - '1' Module(s) have been scanned
Scan process 'itype.exe' - '1' Module(s) have been scanned
Scan process 'SDTrayApp.exe' - '1' Module(s) have been scanned
Scan process 'ybrwicon.exe' - '1' Module(s) have been scanned
Scan process 'McciTrayApp.exe' - '1' Module(s) have been scanned
Scan process 'apdproxy.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'igfxtray.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'SDService.exe' - '1' Module(s) have been scanned
Scan process 'swdsvc.exe' - '1' Module(s) have been scanned
Scan process 'svcntaux.exe' - '1' Module(s) have been scanned
Scan process 'pctspk.exe' - '1' Module(s) have been scanned
Scan process 'SAgent2.exe' - '1' Module(s) have been scanned
Scan process 'CTSVCCDA.EXE' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'vsmon.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
51 processes with 51 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'G:\'
[NOTE] No virus was found!
Boot sector 'H:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '41' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\42\307e0b6a-6287ddd6
[0] Archive type: ZIP
--> NewSecurityClassLoader.class
[DETECTION] Contains detection pattern of the Java virus JAVA/ByteVerify.G.2
--> NewURLClassLoader.class
[DETECTION] Contains detection pattern of the Java virus JAVA/ByteVerify.G.3
[INFO] The file was deleted!
C:\System Volume Information\_restore{8DAC5547-6999-45FB-A2D9-4E67C88074BF}\RP161\A0105023.exe
[DETECTION] Contains detection pattern of the dropper DR/Dldr.Zlob.AAGR
[INFO] The file was deleted!
C:\System Volume Information\_restore{8DAC5547-6999-45FB-A2D9-4E67C88074BF}\RP161\A0105024.ocx
[DETECTION] Is the Trojan horse TR/NewMedial.Dll
[INFO] The file was deleted!
C:\WINDOWS\nretcip.exe
[DETECTION] Is the Trojan horse TR/Dldr.Zlob.Gen
[INFO] The file was deleted!
Begin scan in 'G:\' <CLASSIC HD>
Begin scan in 'H:\' <Local Disk>


End of the scan: Sunday, December 09, 2007 18:13
Used time: 1:36:16 min

The scan has been done completely.

4192 Scanning directories
220688 Files were scanned
5 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
4 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
220683 Files not concerned
1137 Archives were scanned
1 Warnings
5 Notes
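Two things in that report matter more than the headline count. Two of the five hits are in C:\System Volume Information\_restore{...}\RP161, which means the Zlob dropper and the NewMedia DLL were already on the machine when that restore point was taken and a System Restore to it would bring them back; the other two are a cached Java exploit archive, and the last is an executable dropped straight into C:\WINDOWS. The script below is an added example (not from the post or from Avira) that parses the file-scan section of an AntiVir report into per-file detections and classes them by location. The sample is that section of the report above, copied verbatim; the `Detection` record, the location labels and the `[DETECTION]`/`[INFO]`/`[WARNING]` line handling are this example's assumptions about the report format.

```python
"""Pull the per-file detections out of an Avira AntiVir scan report.

Added example: not code from the forum post or from Avira. The sample is
the file-scan section of the report above, copied verbatim; the location
classes ("system-restore-point" and so on) are this example's own labels.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the file-scan section of the AntiVir report above.
SAMPLE_REPORT = r"""
Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\42\307e0b6a-6287ddd6
[0] Archive type: ZIP
--> NewSecurityClassLoader.class
[DETECTION] Contains detection pattern of the Java virus JAVA/ByteVerify.G.2
--> NewURLClassLoader.class
[DETECTION] Contains detection pattern of the Java virus JAVA/ByteVerify.G.3
[INFO] The file was deleted!
C:\System Volume Information\_restore{8DAC5547-6999-45FB-A2D9-4E67C88074BF}\RP161\A0105023.exe
[DETECTION] Contains detection pattern of the dropper DR/Dldr.Zlob.AAGR
[INFO] The file was deleted!
C:\System Volume Information\_restore{8DAC5547-6999-45FB-A2D9-4E67C88074BF}\RP161\A0105024.ocx
[DETECTION] Is the Trojan horse TR/NewMedial.Dll
[INFO] The file was deleted!
C:\WINDOWS\nretcip.exe
[DETECTION] Is the Trojan horse TR/Dldr.Zlob.Gen
[INFO] The file was deleted!
Begin scan in 'G:\' <CLASSIC HD>
"""


@dataclass
class Detection:
    path: str               # file on disk that the scanner opened
    member: Optional[str]   # archive member the hit was inside, if any
    signature: str          # Avira detection name, e.g. TR/Dldr.Zlob.Gen
    deleted: bool = False   # set when the report records the file as deleted


PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_report(text: str) -> Tuple[List[Detection], List[Tuple[str, str]]]:
    """Walk the file-scan section: a path line opens a file, the lines after it describe it."""
    detections: List[Detection] = []
    warnings: List[Tuple[str, str]] = []
    current_path: Optional[str] = None
    member: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if PATH_RE.match(line):
            current_path, member = line, None
        elif line.startswith("--> "):
            member = line[4:]                 # archive member (ZIP/JAR entry)
        elif line.startswith("[DETECTION]") and current_path:
            detections.append(Detection(current_path, member, line.split()[-1]))
        elif line.startswith("[INFO] The file was deleted") and current_path:
            for d in detections:              # the action applies to the whole container
                if d.path == current_path:
                    d.deleted = True
        elif line.startswith("[WARNING]") and current_path:
            warnings.append((current_path, line[len("[WARNING] "):]))
    return detections, warnings


def location_class(path: str) -> str:
    """Where on disk the hit lives; this decides what cleanup step it implies."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "system-restore-point"   # snapshot copy: a restore would bring it back
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java-cache"             # exploit archive cached by the browser plugin
    if re.match(r"^[a-z]:\\windows\\[^\\]+$", p):
        return "windir-root"            # dropped executable beside the OS files
    return "other"


def summarize(text: str) -> Dict[str, object]:
    """Counts that should line up with the totals printed at the end of the report."""
    dets, warns = parse_report(text)
    return {
        "detections": len(dets),
        "files_deleted": len({d.path for d in dets if d.deleted}),
        "unscannable": len(warns),
        "by_location": Counter(location_class(d.path) for d in dets),
        "restore_point_hits": [d.path for d in dets if location_class(d.path) == "system-restore-point"],
    }


if __name__ == "__main__":
    for d in parse_report(SAMPLE_REPORT)[0]:
        where = d.path + (f" :: {d.member}" if d.member else "")
        print(f"{d.signature:<22} {location_class(d.path):<20} {'deleted' if d.deleted else 'kept':<8} {where}")
    print(summarize(SAMPLE_REPORT))
```

On the sample the summary comes out as 5 detections, 4 files deleted and 1 unscannable file, which is exactly what the report's own footer says (5 found, 4 deleted, 1 cannot be scanned), so the parser can be trusted on a longer report. The `restore_point_hits` list is the practical output: anything in it says the restore points predate the cleanup and will need to be flushed once the machine is clean.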

#5 tartansapper (Topic Starter)
Posted 09 December 2007 - 06:20 PM

SmitFraudFix v2.259

Scan done at 20:45:16.23, Sun 12/09/2007
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


host


127.0.0.1 h-208-184-172-100.radiate.com
127.0.0.1 group-mail.com
127.0.0.1 godzilla.radiate.com
127.0.0.1 curly.aureate.com
127.0.0.1 aureatemedia.com
127.0.0.1 aim3.aureate.com
127.0.0.1 zeus.timesink.com
127.0.0.1 zeus.conducent.com
127.0.0.1 test.timesink.com
127.0.0.1 warsport.timesink.com
127.0.0.1 sterlingf.conducent.com
127.0.0.1 adqa.conducent.com
127.0.0.1 smhq-fe1-0.netgravity.com
127.0.0.1 sanders.netgravity.com
127.0.0.1 ng-webserver.netgravity.com
127.0.0.1 network-209-67-38-10.doubleclick.net
127.0.0.1 network-199-95-207-9.doubleclick.net
127.0.0.1 network-199-95-207-6.doubleclick.net
127.0.0.1 translucent.acim.com
127.0.0.1 ads50.bpath.com
127.0.0.1 ads2.bpath.com
127.0.0.1 ads08.bpath.com
127.0.0.1 quartz.bnex.com
127.0.0.1 pebble.bnex.com
127.0.0.1 ridgeback.befree.com
127.0.0.1 geocities.bfast.com
127.0.0.1 etoys.bfast.com
127.0.0.1 www.freud.aureate.com
127.0.0.1 www.download.binarybliss.com
127.0.0.1 www.dillinger.aureate.com
127.0.0.1 www.cyrus.aureate.com
127.0.0.1 www.aureatemedia.com
127.0.0.1 www.aim3.aureate.com
127.0.0.1 www.ad2-4.aureate.com
127.0.0.1 www.ad2-1.aureate.com
127.0.0.1 www.ip134.timesink.com
127.0.0.1 www.contenttest.conducent.com
127.0.0.1 www.ads3.speedbit.com
127.0.0.1 www.ads2.speedbit.com
127.0.0.1 www.phase2media.doubleclick.net
127.0.0.1 www.ny.netgravity.com
127.0.0.1 www.network-199-95-208-4.doubleclick.net
127.0.0.1 www.gravitychannel.netgravity.com
127.0.0.1 www.ad.se.doubleclick.net
127.0.0.1 www1.track4.com
127.0.0.1 www.ns2.acim.com
127.0.0.1 www.ads51.bpath.com
127.0.0.1 www.ads09.bpath.com
127.0.0.1 www.wolfhound.bfast.com
127.0.0.1 www.whippet.bfast.com
127.0.0.1 www.reporting.net
127.0.0.1 www.qwest.bfast.com
127.0.0.1 brutus.radiate.com
127.0.0.1 contents.conducent.com
127.0.0.1 resolver.doubleclick.net
127.0.0.1 gd4.doubleclick.net
127.0.0.1 exodus-gw.ewr1.doubleclick.net
127.0.0.1 ad.us.doubleclick.net
127.0.0.1 ad.nl.doubleclick.net
127.0.0.1 ad.jp.doubleclick.net
127.0.0.1 ns2.acim.com
127.0.0.1 ads45.bpath.com
127.0.0.1 ads42.bpath.com
127.0.0.1 s2.bluestreak.com
127.0.0.1 njmgt1.bfast.com
127.0.0.1 600pics.com
127.0.0.1 www.godzilla.radiate.com
127.0.0.1 www.brinks.radiate.com
127.0.0.1 www.aristotle.aureate.com
127.0.0.1 www.se.doubleclick.net
127.0.0.1 www.network-209-67-38-9.doubleclick.net
127.0.0.1 www.network-209-67-38-6.doubleclick.net
127.0.0.1 www.network-209-67-38-3.doubleclick.net
127.0.0.1 www.network-199-95-208-7.doubleclick.net
127.0.0.1 www.network-199-95-207-7.doubleclick.net
127.0.0.1 www.network-199-95-207-4.doubleclick.net
127.0.0.1 www.nda.netgravity.com
127.0.0.1 www.gravityhome.netgravity.com
127.0.0.1 www.gatekeeper.netgravity.com
127.0.0.1 www.fr1.doubleclick.net
127.0.0.1 www.exnjadgds1.doubleclick.net
127.0.0.1 www.ad.sq.doubleclick.net
127.0.0.1 www.translucent.acim.com
127.0.0.1 www.toten.acim.com
127.0.0.1 www.ads46.bpath.com
127.0.0.1 www.ads43.bpath.com
127.0.0.1 www.ads40.bpath.com
127.0.0.1 www.marble.bnex.com
127.0.0.1 www.ridgeback.befree.com
127.0.0.1 www.njmgt1.bfast.com
127.0.0.1 unspypc.com
127.0.0.1 ans3.adsoftware.com
127.0.0.1 adserv3-408-sjc2.radiate.com
127.0.0.1 nidtest.conducent.com
127.0.0.1 mail.timesink.com
127.0.0.1 dns1.conducent.com
127.0.0.1 contents1.conducent.com
127.0.0.1 contentalpha.conducent.com
127.0.0.1 3.netgravity.com
127.0.0.1 ns2.doubleclick.net
127.0.0.1 in.doubleclick.net
127.0.0.1 double-click.com
127.0.0.1 ad.no.doubleclick.net
127.0.0.1 ads48.bpath.com
127.0.0.1 ads37.bpath.com
127.0.0.1 ads34.bpath.com
127.0.0.1 ads20.bpath.com
127.0.0.1 vpos.bnex.com
127.0.0.1 samoyed.bfast.com
127.0.0.1 great-dane.bfast.com
127.0.0.1 www.gameboy.aureate.com
127.0.0.1 www.aureate-main-2611.aureate.com
127.0.0.1 www.aureate-colo-hp2424m.aureate.com
127.0.0.1 www.ans1.adsoftware.com
127.0.0.1 www.aim5.adsoftware.com
127.0.0.1 www.aim.aureate.com
127.0.0.1 www.test.conducent.com
127.0.0.1 www.softwares.timesink.com
127.0.0.1 www.proxytest.conducent.com
127.0.0.1 www.ip134.conducent.com
127.0.0.1 www.engpptp.netgravity.com
127.0.0.1 www.double-click.com
127.0.0.1 www.caelum.netgravity.com
127.0.0.1 www.ad3.doubleclick.net
127.0.0.1 www.aa.doubleclick.net
127.0.0.1 www.ads49.bpath.com
127.0.0.1 www.ads35.bpath.com
127.0.0.1 www.ads32.bpath.com
127.0.0.1 www.ads21.bpath.com
127.0.0.1 www.ads1.bpath.com
127.0.0.1 www.orion.bnex.com
127.0.0.1 www.mosaic.bnex.com
127.0.0.1 www.malachite.bnex.com
127.0.0.1 www.intranet.bnex.com
127.0.0.1 www.do.you.uh.yahoo.at.bnex.com
127.0.0.1 www.customer.bnex.com
127.0.0.1 www.s8.bluestreak.com
127.0.0.1 www.images.bfast.com
127.0.0.1 virusblast.com
127.0.0.1 deadmanwalking.radiate.com
127.0.0.1 copernicus.aureate.com
127.0.0.1 aim3.adsoftware.com
127.0.0.1 firewall.timesink.com
127.0.0.1 download.timesink.com
127.0.0.1 54.conducent.com
127.0.0.1 exnjmdgda1.doubleclick.net
127.0.0.1 dyson.netgravity.com
127.0.0.1 ad.es.doubleclick.net
127.0.0.1 ads26.bpath.com
127.0.0.1 ads23.bpath.com
127.0.0.1 ads12.bpath.com
127.0.0.1 granite.bnex.com
127.0.0.1 alpha.bnex.com
127.0.0.1 s7.bluestreak.com
127.0.0.1 verisign.bfast.com
127.0.0.1 njrep2.bfast.com
127.0.0.1 images.bfast.com
127.0.0.1 great-dane.befree.com
127.0.0.1 goshoppingonline.bfast.com
127.0.0.1 falcon.bfast.com
127.0.0.1 www.aim1.adsoftware.com
127.0.0.1 www.adsoftware.com
127.0.0.1 www.tasha.web3000.com
127.0.0.1 www.zeus.conducent.com
127.0.0.1 www.updates2.conducent.com
127.0.0.1 www.smtp.timesink.com
127.0.0.1 www.nidinternal.conducent.com
127.0.0.1 www.54.conducent.com
127.0.0.1 www.suitespot.netgravity.com
127.0.0.1 www.m.doubleclick.net
127.0.0.1 www.listserver.netgravity.com
127.0.0.1 www.ads38.bpath.com
127.0.0.1 www.ads27.bpath.com
127.0.0.1 www.ads24.bpath.com
127.0.0.1 www.ads10.bpath.com
127.0.0.1 www.www.bnex.com
127.0.0.1 www.granite.bnex.com
127.0.0.1 www.bnex.com
127.0.0.1 www.s4.bluestreak.com
127.0.0.1 www.njrep2.bfast.com
127.0.0.1 www.great-dane.bfast.com
127.0.0.1 www.falcon.bfast.com
127.0.0.1 www.enews.bfast.com
127.0.0.1 www.test.com
127.0.0.1 antivirus-gold.com
127.0.0.1 dolphinsfootball.com
127.0.0.1 bonnie2.radiate.com
127.0.0.1 web3000.com
127.0.0.1 conducent.com
127.0.0.1 redirects.timesink.com
127.0.0.1 pop3.timesink.com
127.0.0.1 pop3.conducent.com
127.0.0.1 addltest.conducent.com
127.0.0.1 uunyadgda1.doubleclick.net
127.0.0.1 proxy.netgravity.com
127.0.0.1 ny-router.netgravity.com
127.0.0.1 network-199-95-208-2.doubleclick.net
127.0.0.1 ad.contentzone.com
127.0.0.1 1.track4.com
127.0.0.1 toten.acim.com
127.0.0.1 maximizer.acim.com
127.0.0.1 ads29.bpath.com
127.0.0.1 ads18.bpath.com
127.0.0.1 ads15.bpath.com
127.0.0.1 ads01.bpath.com
127.0.0.1 ads.bpath.com
127.0.0.1 www.cook.aureate.com
127.0.0.1 www7.web3000.com
127.0.0.1 www1.web3000.com
127.0.0.1 www.contentalpha.conducent.com
127.0.0.1 www.adqa.conducent.com
127.0.0.1 www.addbtest.conducent.com
127.0.0.1 www.uk1.doubleclick.net
127.0.0.1 www.se1.doubleclick.net
127.0.0.1 www.news.netgravity.com
127.0.0.1 www.exnjmdgda1.doubleclick.net
127.0.0.1 www.dyson.netgravity.com
127.0.0.1 www.doubleclick.com
127.0.0.1 www.adcenter1.netgravity.com
127.0.0.1 www.ad.it.doubleclick.net
127.0.0.1 www.track4.com
127.0.0.1 www.ads19.bpath.com
127.0.0.1 www.ads16.bpath.com
127.0.0.1 www.ads13.bpath.com
127.0.0.1 www.preview.bnex.com
127.0.0.1 www.s0.bluestreak.com
127.0.0.1 www.befree.com
127.0.0.1 www.vulture.bfast.com
127.0.0.1 www.service.bfast.com
127.0.0.1 gzs-7206.radiate.com
127.0.0.1 gd1.radiate.com
127.0.0.1 dillinger.aureate.com
127.0.0.1 cook.aureate.com
127.0.0.1 adam.radiate.com
127.0.0.1 ad2-4.aureate.com
127.0.0.1 ad2-1.aureate.com
127.0.0.1 bob.web3000.com
127.0.0.1 updatetest.conducent.com
127.0.0.1 nidtest.timesink.com
127.0.0.1 contentqa.conducent.com
127.0.0.1 ads2.speedbit.com
127.0.0.1 ads1.speedbit.com
127.0.0.1 uk.doubleclick.net
127.0.0.1 ny.netgravity.com
127.0.0.1 network-209-67-38-7.doubleclick.net
127.0.0.1 network-209-67-38-4.doubleclick.net
127.0.0.1 network-199-95-208-8.doubleclick.net
127.0.0.1 network-199-95-208-5.doubleclick.net
127.0.0.1 network-199-95-207-5.doubleclick.net
127.0.0.1 network-199-95-207-2.doubleclick.net
127.0.0.1 network-199-95-207-138.doubleclick.net
127.0.0.1 gd20.doubleclick.net
127.0.0.1 enterprise.netgravity.com
127.0.0.1 bay-sw-10.netgravity.com
127.0.0.1 ad1.doubleclick.net
127.0.0.1 ad.se.doubleclick.net
127.0.0.1 ad.doubleclick.com
127.0.0.1 towerrecords.track4.com
127.0.0.1 gifttree.track4.com
127.0.0.1 ads07.bpath.com
127.0.0.1 ads04.bpath.com
127.0.0.1 preview.bnex.com
127.0.0.1 s3.bluestreak.com
127.0.0.1 whippet.bfast.com
127.0.0.1 doberman.befree.com
127.0.0.1 www.gzs-7206.radiate.com
127.0.0.1 www.dolphinsfootball.com
127.0.0.1 www.deadmanwalking.radiate.com
127.0.0.1 www.brutus.radiate.com
127.0.0.1 www.ask-a-chick.com
127.0.0.1 www.adam.radiate.com
127.0.0.1 www.ad2-2.aureate.com
127.0.0.1 www.sterlingf.conducent.com
127.0.0.1 www.nidinternaltest.conducent.com
127.0.0.1 www.eroom.conducent.com
127.0.0.1 www.proxy.netgravity.com
127.0.0.1 www.in.doubleclick.net
127.0.0.1 www.home.netgravity.com
127.0.0.1 www.ecommerce.netgravity.com
127.0.0.1 www.ad.de.doubleclick.net
127.0.0.1 www2.track4.com
127.0.0.1 www.ftp.track4.com
127.0.0.1 www.foxy.track4.com
127.0.0.1 www.ads50.bpath.com
127.0.0.1 www.ads08.bpath.com
127.0.0.1 www.ads05.bpath.com
127.0.0.1 www.quartz.bnex.com
127.0.0.1 www.db.bnex.com
127.0.0.1 www.preprod-geocities.bfast.com
127.0.0.1 www.husky.bfast.com
127.0.0.1 www.goshoppingonline.bfast.com
127.0.0.1 www.ftp.befree.com
127.0.0.1 psguard.com
127.0.0.1 antispywaresoldier.com
127.0.0.1 h-208-184-172-10.radiate.com
127.0.0.1 gizmo.net
127.0.0.1 freud.aureate.com
127.0.0.1 cyrus.aureate.com
127.0.0.1 bigmama.radiate.com
127.0.0.1 aristotle.aureate.com
127.0.0.1 ans10.adsoftware.com
127.0.0.1 aim4.aureate.com
127.0.0.1 aim1.aureate.com
127.0.0.1 ads3.speedbit.com
127.0.0.1 4.netgravity.com
127.0.0.1 phase2media.doubleclick.net
127.0.0.1 ns.doubleclick.net
127.0.0.1 network-199-95-207-8.doubleclick.net
127.0.0.1 exnjadgda2.doubleclick.net
127.0.0.1 draco.netgravity.com
127.0.0.1 de1.doubleclick.net
127.0.0.1 ad.sq.doubleclick.net
127.0.0.1 track4.com
127.0.0.1 e250a.track4.com
127.0.0.1 bpath.com
127.0.0.1 ads52.bpath.com
127.0.0.1 ads41.bpath.com
127.0.0.1 ads1.bpath.com
127.0.0.1 orion.bnex.com
127.0.0.1 jade.bnex.com
127.0.0.1 dev.bnex.com
127.0.0.1 befree.com
127.0.0.1 ridgeback.bfast.com
127.0.0.1 njtxn1.bfast.com
127.0.0.1 www.gozilla.com
127.0.0.1 www.bc-208-184-172-192.radiate.com
127.0.0.1 www.apc-pdu-1.aureate.com
127.0.0.1 www.ans2.adsoftware.com
127.0.0.1 www.alexander.aureate.com
127.0.0.1 www.aim6.adsoftware.com
127.0.0.1 www.aim4.aureate.com
127.0.0.1 www.aim1.aureate.com
127.0.0.1 www.adserv3-408-sjc2.radiate.com
127.0.0.1 www.nidtest.timesink.com
127.0.0.1 www.jerry.conducent.com
127.0.0.1 www.dns1.conducent.com
127.0.0.1 www.uunyadgda1.doubleclick.net
127.0.0.1 www.smhq-fe1-0.netgravity.com
127.0.0.1 www.network-209-67-38-2.doubleclick.net
127.0.0.1 www.network-199-95-208-6.doubleclick.net
127.0.0.1 www.network-199-95-208-3.doubleclick.net
127.0.0.1 www.netgravity.com
127.0.0.1 www.lucian.netgravity.com
127.0.0.1 www.gd20.doubleclick.net
127.0.0.1 www.bbn-gw.nyc1.doubleclick.net
127.0.0.1 www.ad.uk.doubleclick.net
127.0.0.1 www.ad.sg.doubleclick.net
127.0.0.1 www.ad.my.doubleclick.net
127.0.0.1 www.ad.fr.doubleclick.net
127.0.0.1 www.ad.fi.doubleclick.net
127.0.0.1 www.e250a.track4.com
127.0.0.1 www.pebble.bnex.com
127.0.0.1 www.dev.bnex.com
127.0.0.1 www.verisign.bfast.com
127.0.0.1 www.preprod.bfast.com
127.0.0.1 www.njtxn1.bfast.com
127.0.0.1 www.etoys.bfast.com
127.0.0.1 pestwiper.com
127.0.0.1 http://www.perfectedsecurity.com/
127.0.0.1 ans-test.adsoftware.com
127.0.0.1 aim4.adsoftware.com
127.0.0.1 adsoftware.com
127.0.0.1 smtp.conducent.com
127.0.0.1 sitepages.doubleclick.net
127.0.0.1 lon-router.netgravity.com
127.0.0.1 joinchannel.netgravity.com
127.0.0.1 exnjmdgds1.doubleclick.net
127.0.0.1 caelum.netgravity.com
127.0.0.1 sz.track4.com
127.0.0.1 ads47.bpath.com
127.0.0.1 ads44.bpath.com
127.0.0.1 ns1.bnex.com
127.0.0.1 s8.bluestreak.com
127.0.0.1 greyhound.bfast.com
127.0.0.1 www.h-208-184-172-100.radiate.com
127.0.0.1 www.ans10.adsoftware.com
127.0.0.1 www.aim2.adsoftware.com
127.0.0.1 www.redirectqa.conducent.com
127.0.0.1 www.contents1.conducent.com
127.0.0.1 www.addltestmaster.conducent.com
127.0.0.1 www.support.netgravity.com
127.0.0.1 www.pptp.netgravity.com
127.0.0.1 www.network-209-67-38-8.doubleclick.net
127.0.0.1 www.network-209-67-38-5.doubleclick.net
127.0.0.1 www.network-209-67-38-10.doubleclick.net
127.0.0.1 www.network-199-95-207-9.doubleclick.net
127.0.0.1 www.network-199-95-207-6.doubleclick.net
127.0.0.1 www.network-199-95-207-3.doubleclick.net
127.0.0.1 www.draco.netgravity.com
127.0.0.1 www.ads-secondary.doubleclick.net
127.0.0.1 www.ad2.doubleclick.net
127.0.0.1 www.ad.ca.doubleclick.net
127.0.0.1 www.maximizer.acim.com
127.0.0.1 www.ads48.bpath.com
127.0.0.1 www.ads45.bpath.com
127.0.0.1 www.ads42.bpath.com
127.0.0.1 www.vpos.bnex.com
127.0.0.1 www.ns1.bnex.com
127.0.0.1 www.s5.bluestreak.com
127.0.0.1 ultimatecleaner.com
127.0.0.1 razespyware.com
127.0.0.1 caesar.aureate.com
127.0.0.1 aim.adsoftware.com
127.0.0.1 zac.netgravity.com
127.0.0.1 sold.netgravity.com
127.0.0.1 ns1.doubleclick.net
127.0.0.1 network-199-95-207-148.doubleclick.net
127.0.0.1 mailexodus.doubleclick.net
127.0.0.1 m.doubleclick.net
127.0.0.1 demo.netgravity.com
127.0.0.1 gate.acim.com
127.0.0.1 ads39.bpath.com
127.0.0.1 ads36.bpath.com
127.0.0.1 ads33.bpath.com
127.0.0.1 ads22.bpath.com
127.0.0.1 onyx.bnex.com
127.0.0.1 intranet.bnex.com
127.0.0.1 customer.bnex.com
127.0.0.1 s4.bluestreak.com
127.0.0.1 njrep1.bfast.com
127.0.0.1 www.conducent.com
127.0.0.1 www.pop3.conducent.com
127.0.0.1 www.nt2.conducent.com
127.0.0.1 www.nid.timesink.com
127.0.0.1 www.nandbob.conducent.com
127.0.0.1 www.firewall.conducent.com
127.0.0.1 www.addltest.timesink.com
127.0.0.1 www.uk.doubleclick.net
127.0.0.1 www.resolver.doubleclick.net
127.0.0.1 www.network-199-95-208-10.doubleclick.net
127.0.0.1 www.london.netgravity.com
127.0.0.1 www.exnjadgda2.doubleclick.net
127.0.0.1 www.ad.contentzone.com
127.0.0.1 www.ad.au.doubleclick.net
127.0.0.1 www.accord.netgravity.com
127.0.0.1 www.www.acim.com
127.0.0.1 www.ads37.bpath.com
127.0.0.1 www.ads34.bpath.com
127.0.0.1 www.ads3.bpath.com
127.0.0.1 www.ads23.bpath.com
127.0.0.1 www.ads20.bpath.com
127.0.0.1 www.s1.bluestreak.com
127.0.0.1 www.njrep1.bfast.com
127.0.0.1 www.help.bfast.com
127.0.0.1 www.geocities.bfast.com
127.0.0.1 winhound.com
127.0.0.1 spy-sheriff.com
127.0.0.1 gzs-ld.radiate.com
127.0.0.1 gzs-6509.radiate.com
127.0.0.1 ftp.gozilla.com
127.0.0.1 download.binarybliss.com
127.0.0.1 abbott.radiate.com
127.0.0.1 tasha.web3000.com
127.0.0.1 sterlinga.conducent.com
127.0.0.1 softwares.timesink.com
127.0.0.1 smtp.timesink.com
127.0.0.1 pushv5.conducent.com
127.0.0.1 nidinternal.timesink.com
127.0.0.1 nid.timesink.com
127.0.0.1 uunyadgds1.doubleclick.net
127.0.0.1 uunet-gw.nyc1.doubleclick.net
127.0.0.1 network-199-95-208-10.doubleclick.net
127.0.0.1 mplex-dfa.doubleclick.net
127.0.0.1 m2.doubleclick.net
127.0.0.1 engpptp.netgravity.com
127.0.0.1 doubleclick.net
127.0.0.1 ad.it.doubleclick.net
127.0.0.1 2.track4.com
127.0.0.1 ftp.track4.com
127.0.0.1 ads28.bpath.com
127.0.0.1 ads25.bpath.com
127.0.0.1 ads14.bpath.com
127.0.0.1 ads11.bpath.com
127.0.0.1 megastore.bnex.com
127.0.0.1 do.you.uh.yahoo.at.bnex.com
127.0.0.1 db.bnex.com
127.0.0.1 wolfhound.bfast.com
127.0.0.1 vulture.bfast.com
127.0.0.1 ftp.befree.com
127.0.0.1 www.nid.conducent.com
127.0.0.1 www3.speedbit.com
127.0.0.1 www.mailexodus.doubleclick.net
127.0.0.1 www.m.doubleclick.com
127.0.0.1 www.joinchannel.netgravity.com
127.0.0.1 www.gd4.doubleclick.net
127.0.0.1 www.exnjmdgds1.doubleclick.net
127.0.0.1 www.ad.pt.doubleclick.net
127.0.0.1 www.ad.doubleclick.com
127.0.0.1 www3.track4.com
127.0.0.1 www.acim.com
127.0.0.1 www.ads29.bpath.com
127.0.0.1 www.ads26.bpath.com
127.0.0.1 www.ads12.bpath.com
127.0.0.1 www.ads.bpath.com
127.0.0.1 www.terrazzo.bnex.com
127.0.0.1 www.travelocity.bfast.com
127.0.0.1 www.ads.x10.com
127.0.0.1 spysheriff.com
127.0.0.1 pest-wiper.com
127.0.0.1 www.zedo.net
127.0.0.1 www.ads.vitalix.net
127.0.0.1 gozilla.com
127.0.0.1 constantine.aureate.com
127.0.0.1 bc-208-184-172-192.radiate.com
127.0.0.1 bach.aureate.com
127.0.0.1 apc-pdu-1.aureate.com
127.0.0.1 alexander.aureate.com
127.0.0.1 adserv2-301-sjc2.radiate.com
127.0.0.1 updates2.conducent.com
127.0.0.1 redirects.conducent.com
127.0.0.1 network-209-67-38-3.doubleclick.net
127.0.0.1 network-199-95-208-4.doubleclick.net
127.0.0.1 netgravity.com
127.0.0.1 gravitychannel.netgravity.com
127.0.0.1 fr1.doubleclick.net
127.0.0.1 ad3.doubleclick.net
127.0.0.1 ad.sg.doubleclick.net
127.0.0.1 ad.fi.doubleclick.net
127.0.0.1 ad.de.doubleclick.net
127.0.0.1 3aad.doubleclick.net
127.0.0.1 plum.acim.com
127.0.0.1 commission-junction.com
127.0.0.1 ads17.bpath.com
127.0.0.1 ads03.bpath.com
127.0.0.1 s0.bluestreak.com
127.0.0.1 service.bfast.com
127.0.0.1 www.h-208-184-172-10.radiate.com
127.0.0.1 www.gzs-6509.radiate.com
127.0.0.1 www.confucius.aureate.com
127.0.0.1 www.bach.aureate.com
127.0.0.1 www.aureate.com
127.0.0.1 www.ans3.adsoftware.com
127.0.0.1 www.smtp.conducent.com
127.0.0.1 www.pushv5.conducent.com
127.0.0.1 www.ftp.conducent.com
127.0.0.1 www.contentqa.conducent.com
127.0.0.1 www.speedbit.com
127.0.0.1 www.uunyadgds1.doubleclick.net
127.0.0.1 www.sanders.netgravity.com
127.0.0.1 www.rdbox.doubleclick.net
127.0.0.1 www.ns2.doubleclick.net
127.0.0.1 www.ns.doubleclick.net
127.0.0.1 www.ng-webserver.netgravity.com
127.0.0.1 www.myhome.netgravity.com
127.0.0.1 www.towerrecords.track4.com
127.0.0.1 www.ftp.acim.com
127.0.0.1 www.ads18.bpath.com
127.0.0.1 www.ads15.bpath.com
127.0.0.1 www.ads04.bpath.com
127.0.0.1 www.ads01.bpath.com
127.0.0.1 www.intarsia.bnex.com
127.0.0.1 gameboy.aureate.com
127.0.0.1 dell.radiate.com
127.0.0.1 binarybliss.com
127.0.0.1 ans1.adsoftware.com
127.0.0.1 aim5.adsoftware.com
127.0.0.1 ad2-2.aureate.com
127.0.0.1 ip134.conducent.com
127.0.0.1 hermes.conducent.com
127.0.0.1 contenttest.conducent.com
127.0.0.1 addbtest.conducent.com
127.0.0.1 speedbit.com
127.0.0.1 us.doubleclick.net
127.0.0.1 pptp-server.netgravity.com
127.0.0.1 nl.doubleclick.net
127.0.0.1 network-209-67-38-9.doubleclick.net
127.0.0.1 network-209-67-38-6.doubleclick.net
127.0.0.1 network-199-95-208-7.doubleclick.net
127.0.0.1 network-199-95-207-7.doubleclick.net
127.0.0.1 network-199-95-207-4.doubleclick.net
127.0.0.1 lucian.netgravity.com
127.0.0.1 ln.doubleclick.net
127.0.0.1 jp.doubleclick.net
127.0.0.1 ftp.netgravity.com
127.0.0.1 ads.double-click.com
127.0.0.1 ad.uk.doubleclick.net
127.0.0.1 ad.my.doubleclick.net
127.0.0.1 ad.fr.doubleclick.net
127.0.0.1 ftp.acim.com
127.0.0.1 foxy.acim.com
127.0.0.1 fingerhut.track4.com
127.0.0.1 ads51.bpath.com
127.0.0.1 ads09.bpath.com
127.0.0.1 ads06.bpath.com
127.0.0.1 bnex.com
127.0.0.1 qwest.bfast.com
127.0.0.1 preprod.bfast.com
127.0.0.1 preprod-geocities.bfast.com
127.0.0.1 imp.bfast.com
127.0.0.1 ftp.bfast.com
127.0.0.1 www.gd1.radiate.com
127.0.0.1 www.foreigner.radiate.com
127.0.0.1 www.dell.radiate.com
127.0.0.1 www.apc-pdu-2.aureate.com
127.0.0.1 www.aim3.adsoftware.com
127.0.0.1 www.aim2.aureate.com
127.0.0.1 www.aim.adsoftware.com
127.0.0.1 www.ad2-3.aureate.com
127.0.0.1 www.bob.web3000.com
127.0.0.1 www.zeus.timesink.com
127.0.0.1 www.digisle.conducent.com
127.0.0.1 www.contents.conducent.com
127.0.0.1 www.addbtest.timesink.com
127.0.0.1 www.ny-router.netgravity.com
127.0.0.1 www.mdist.doubleclick.net
127.0.0.1 www.enterprise.netgravity.com
127.0.0.1 www.ad.br.doubleclick.net
127.0.0.1 www.3aad.doubleclick.net
127.0.0.1 www.sz.track4.com
127.0.0.1 www.ads52.bpath.com
127.0.0.1 www.ads07.bpath.com
127.0.0.1 www.jade.bnex.com
127.0.0.1 www.ghost.in.the.shell.at.bnex.com
127.0.0.1 www.s6.bluestreak.com
127.0.0.1 purityscan.com
127.0.0.1 aureate-main-2611.aureate.com
127.0.0.1 aim5.aureate.com
127.0.0.1 aim2.aureate.com
127.0.0.1 aim1.adsoftware.com
127.0.0.1 7.web3000.com
127.0.0.1 softwares.conducent.com
127.0.0.1 redirecttest.conducent.com
127.0.0.1 mail.conducent.com
127.0.0.1 addltest.timesink.com
127.0.0.1 uk1.doubleclick.net
127.0.0.1 suitespot.netgravity.com
127.0.0.1 se1.doubleclick.net
127.0.0.1 no.doubleclick.net
127.0.0.1 news.netgravity.com
127.0.0.1 london.netgravity.com
127.0.0.1 gd28.doubleclick.net
127.0.0.1 gd25.doubleclick.net
127.0.0.1 gatekeeper.netgravity.com
127.0.0.1 exnjadgda1.doubleclick.net
127.0.0.1 ad.ca.doubleclick.net
127.0.0.1 ads43.bpath.com
127.0.0.1 ads40.bpath.com
127.0.0.1 ads3.bpath.com
127.0.0.1 ns2.bnex.com
127.0.0.1 marble.bnex.com
127.0.0.1 s5.bluestreak.com
127.0.0.1 scrappy.befree.com
127.0.0.1 reporting.net
127.0.0.1 help.bfast.com
127.0.0.1 www.gizmo.net
127.0.0.1 www.curly.aureate.com
127.0.0.1 www.caesar.aureate.com
127.0.0.1 www.bonnie2.radiate.com
127.0.0.1 www.ans-test.adsoftware.com
127.0.0.1 www.aim5.aureate.com
127.0.0.1 www.test.timesink.com
127.0.0.1 www.warsport.timesink.com
127.0.0.1 www.updatetest.conducent.com
127.0.0.1 www.hermes.conducent.com
127.0.0.1 www.zac.netgravity.com
127.0.0.1 www3.netgravity.com
127.0.0.1 www.network-209-67-38-4.doubleclick.net
127.0.0.1 www.network-199-95-208-8.doubleclick.net
127.0.0.1 www.network-199-95-208-5.doubleclick.net
127.0.0.1 www.network-199-95-208-2.doubleclick.net
127.0.0.1 www.network-199-95-207-2.doubleclick.net
127.0.0.1 www.m2.doubleclick.net
127.0.0.1 www.gd25.doubleclick.net
127.0.0.1 www.ads.double-click.com
127.0.0.1 www.ns1.acim.com
127.0.0.1 www.gate.acim.com
127.0.0.1 www.fingerhut.track4.com
127.0.0.1 www.bpath.com
127.0.0.1 www.ads41.bpath.com
127.0.0.1 www.onyx.bnex.com
127.0.0.1 www.ns2.bnex.com
127.0.0.1 www.s2.bluestreak.com
127.0.0.1 www.njmgt2.bfast.com
127.0.0.1 corona.radiate.com
127.0.0.1 aim.aureate.com
127.0.0.1 nandbob.conducent.com
127.0.0.1 bbn-gw.nyc1.doubleclick.net
127.0.0.1 ad.au.doubleclick.net
127.0.0.1 accord.netgravity.com
127.0.0.1 ns1.acim.com
127.0.0.1 ads49.bpath.com
127.0.0.1 ads46.bpath.com
127.0.0.1 ads32.bpath.com
127.0.0.1 mosaic.bnex.com
127.0.0.1 travsoft.bfast.com
127.0.0.1 otterhound.bfast.com
127.0.0.1 njmgt2.bfast.com
127.0.0.1 ads.x10.com
127.0.0.1 www.gzs-ld.radiate.com
127.0.0.1 www.group-mail.com
127.0.0.1 www.copernicus.aureate.com
127.0.0.1 www.abbott.radiate.com
127.0.0.1 www.mail.timesink.com
127.0.0.1 www.sitepages.doubleclick.net
127.0.0.1 www.pptp-server.netgravity.com
127.0.0.1 www.network-209-67-38-7.doubleclick.net
127.0.0.1 www.network-199-95-207-8.doubleclick.net
127.0.0.1 www.network-199-95-207-5.doubleclick.net
127.0.0.1 www.network-199-95-207-138.doubleclick.net
127.0.0.1 www.lon-router.netgravity.com
127.0.0.1 www.gd28.doubleclick.net
127.0.0.1 www.bay-sw-10.netgravity.com
127.0.0.1 www.ad1.doubleclick.net
127.0.0.1 www.ad.us.doubleclick.net
127.0.0.1 www.ad.nl.doubleclick.net
127.0.0.1 www.ad.jp.doubleclick.net
127.0.0.1 www.gifttree.track4.com
127.0.0.1 www.ads47.bpath.com
127.0.0.1 www.ads44.bpath.com
127.0.0.1 www.ads33.bpath.com
127.0.0.1 www.ads2.bpath.com
127.0.0.1 www.megastore.bnex.com
127.0.0.1 spyspotter.com
127.0.0.1 dosequis.radiate.com
127.0.0.1 costello.radiate.com
127.0.0.1 aureate.com
127.0.0.1 aureate-colo-hp2424m.aureate.com
127.0.0.1 proxytest.conducent.com
127.0.0.1 nt2.conducent.com
127.0.0.1 nidinternal.conducent.com
127.0.0.1 nid.conducent.com
127.0.0.1 ip134.timesink.com
127.0.0.1 eroom.conducent.com
127.0.0.1 support.netgravity.com
127.0.0.1 m.doubleclick.com
127.0.0.1 listserver.netgravity.com
127.0.0.1 home.netgravity.com
127.0.0.1 ecommerce.netgravity.com
127.0.0.1 adcenter1.netgravity.com
127.0.0.1 ad.pt.doubleclick.net
127.0.0.1 3.track4.com
127.0.0.1 ads38.bpath.com
127.0.0.1 ads35.bpath.com
127.0.0.1 ads24.bpath.com
127.0.0.1 ads21.bpath.com
127.0.0.1 s1.bluestreak.com
127.0.0.1 travelocity.bfast.com
127.0.0.1 njrep0.bfast.com
127.0.0.1 enews.bfast.com
127.0.0.1 www.ftp.gozilla.com
127.0.0.1 www.constantine.aureate.com
127.0.0.1 www.adserv2-301-sjc2.radiate.com
127.0.0.1 www.sterlinga.conducent.com
127.0.0.1 www.redirecttest.conducent.com
127.0.0.1 www.redirects.timesink.com
127.0.0.1 www.nidtest.conducent.com
127.0.0.1 www.addltest.conducent.com
127.0.0.1 www.us.doubleclick.net
127.0.0.1 www.network-199-95-207-10.doubleclick.net
127.0.0.1 www.jp.doubleclick.net
127.0.0.1 www.exodus-gw.ewr1.doubleclick.net
127.0.0.1 www.exnjadgda1.doubleclick.net
127.0.0.1 www.de1.doubleclick.net
127.0.0.1 www.ad.no.doubleclick.net
127.0.0.1 www.commission-junction.com
127.0.0.1 www.ads39.bpath.com
127.0.0.1 www.ads36.bpath.com
127.0.0.1 www.ads25.bpath.com
127.0.0.1 www.ads22.bpath.com
127.0.0.1 www.samoyed.bfast.com
127.0.0.1 www.otterhound.bfast.com
127.0.0.1 www.njrep0.bfast.com
127.0.0.1 www.doberman.befree.com
127.0.0.1 www.600pics.com
127.0.0.1 mm.delfinproject.com
127.0.0.1 confucius.aureate.com
127.0.0.1 brinks.radiate.com
127.0.0.1 ans2.adsoftware.com
127.0.0.1 aim6.adsoftware.com
127.0.0.1 nidinternaltest.conducent.com
127.0.0.1 jerry.conducent.com
127.0.0.1 firewall.conducent.com
127.0.0.1 se.doubleclick.net
127.0.0.1 rdbox.doubleclick.net
127.0.0.1 network-199-95-207-10.doubleclick.net
127.0.0.1 nda.netgravity.com
127.0.0.1 myhome.netgravity.com
127.0.0.1 mdist.doubleclick.net
127.0.0.1 doubleclick.com
127.0.0.1 ads27.bpath.com
127.0.0.1 ads16.bpath.com
127.0.0.1 ads13.bpath.com
127.0.0.1 ads10.bpath.com
127.0.0.1 terrazzo.bnex.com
127.0.0.1 ghost.in.the.shell.at.bnex.com
127.0.0.1 www.dosequis.radiate.com
127.0.0.1 www.costello.radiate.com
127.0.0.1 www.bigmama.radiate.com
127.0.0.1 www.aim4.adsoftware.com
127.0.0.1 www.redirects.conducent.com
127.0.0.1 www.mail.conducent.com
127.0.0.1 www.download.timesink.com
127.0.0.1 www.no.doubleclick.net
127.0.0.1 www.nl.doubleclick.net
127.0.0.1 www.mplex-dfa.doubleclick.net
127.0.0.1 www.ln.doubleclick.net
127.0.0.1 www.ftp.netgravity.com
127.0.0.1 www.doubleclick.net
127.0.0.1 www.ad.es.doubleclick.net
127.0.0.1 www.plum.acim.com
127.0.0.1 www.ads28.bpath.com
127.0.0.1 www.ads14.bpath.com
127.0.0.1 www.ads11.bpath.com
127.0.0.1 www.s7.bluestreak.com
127.0.0.1 www.scrappy.befree.com
127.0.0.1 www.ridgeback.bfast.com
127.0.0.1 www.ftp.bfast.com
127.0.0.1 www.mm.delfinproject.com
127.0.0.1 foreigner.radiate.com
127.0.0.1 ask-a-chick.com
127.0.0.1 apc-pdu-2.aureate.com
127.0.0.1 aim2.adsoftware.com
127.0.0.1 ad2-3.aureate.com
127.0.0.1 test.conducent.com
127.0.0.1 redirectqa.conducent.com
127.0.0.1 ftp.conducent.com
127.0.0.1 digisle.conducent.com
127.0.0.1 addbtest.timesink.com
127.0.0.1 pptp.netgravity.com
127.0.0.1 network-209-67-38-8.doubleclick.net
127.0.0.1 network-209-67-38-5.doubleclick.net
127.0.0.1 network-209-67-38-2.doubleclick.net
127.0.0.1 network-199-95-208-6.doubleclick.net
127.0.0.1 network-199-95-208-3.doubleclick.net
127.0.0.1 network-199-95-207-3.doubleclick.net
127.0.0.1 gravityhome.netgravity.com
127.0.0.1 exnjadgds1.doubleclick.net
127.0.0.1 ads-secondary.doubleclick.net
127.0.0.1 ad2.doubleclick.net
127.0.0.1 ad.br.doubleclick.net
127.0.0.1 aa.doubleclick.net
127.0.0.1 foxy.track4.com
127.0.0.1 acim.com
127.0.0.1 ads19.bpath.com
127.0.0.1 ads05.bpath.com
127.0.0.1 malachite.bnex.com
127.0.0.1 intarsia.bnex.com
127.0.0.1 abc.bnex.com
127.0.0.1 s6.bluestreak.com
127.0.0.1 husky.bfast.com
127.0.0.1 www.corona.radiate.com
127.0.0.1 www.binarybliss.com
127.0.0.1 www.softwares.conducent.com
127.0.0.1 www.pop3.timesink.com
127.0.0.1 www.nidinternal.timesink.com
127.0.0.1 www.firewall.timesink.com
127.0.0.1 www.ads1.speedbit.com
127.0.0.1 www4.netgravity.com
127.0.0.1 www.uunet-gw.nyc1.doubleclick.net
127.0.0.1 www.sold.netgravity.com
127.0.0.1 www.ns1.doubleclick.net
127.0.0.1 www.network-199-95-207-148.doubleclick.net
127.0.0.1 www.demo.netgravity.com
127.0.0.1 www.foxy.acim.com
127.0.0.1 www.www.bpath.com
127.0.0.1 www.ads17.bpath.com
127.0.0.1 www.ads06.bpath.com
127.0.0.1 www.ads03.bpath.com
127.0.0.1 www.alpha.bnex.com
127.0.0.1 www.abc.bnex.com
127.0.0.1 www.s3.bluestreak.com
127.0.0.1 www.travsoft.bfast.com
127.0.0.1 www.imp.bfast.com
127.0.0.1 www.greyhound.bfast.com

Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\WINDOWS\vipext???.dll Deleted
C:\Program Files\RichVideoCodec\ Deleted

DNS



Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End
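
The hosts entries in the report above are, with one exception, loopback mappings of ad-server and rogue-antispyware domains, the pattern a blocklist or "immunization" tool writes. The exception is `127.0.0.1 http://www.perfectedsecurity.com/`, which carries a URL instead of a hostname and so will never match anything. Two things a responder wants from a dump like this are a count of how many entries actually sink traffic versus redirect it to some other host (malware rewrites hosts to send vendor and update sites to a machine it controls), and a list of lines that are malformed. The Python below is an added example, not part of the original post and not SmitFraudFix's own code; it parses hosts-file text and produces both. The sample it runs on is constructed: three lines are copied from the dump above, the others use reserved example names and the 198.51.100.7 documentation address.

```python
"""Parse a Windows hosts file and classify its entries (added example).

Each non-comment line is classified as:
  sink      - address is loopback or unspecified (127.0.0.1, ::1, 0.0.0.0),
              the pattern a blocklist or immunization tool writes;
  redirect  - any other address, the pattern used to hijack vendor sites;
  malformed - not an address followed by one or more hostnames, so the
              resolver never matches it (a dead entry, not a working block).
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# A hostname as the resolver accepts it: dot-separated labels of letters,
# digits and hyphens. A scheme ("http://") or a path ("/") never matches.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$){_LABEL}(?:\.{_LABEL})*$")


@dataclass
class HostsEntry:
    line_no: int
    address: str
    hostnames: list
    kind: str          # "sink", "redirect" or "malformed"
    reason: str = ""   # why a line is malformed


def parse_hosts(text: str) -> list:
    """Return one HostsEntry per non-blank, non-comment line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            entries.append(HostsEntry(line_no, address, names, "malformed",
                                      "first field is not an IP address"))
            continue
        if not names:
            entries.append(HostsEntry(line_no, address, names, "malformed",
                                      "no hostname after the address"))
            continue
        bad = [h for h in names if not _HOSTNAME_RE.match(h)]
        if bad:
            entries.append(HostsEntry(line_no, address, names, "malformed",
                                      f"not a hostname: {bad[0]!r}"))
            continue
        kind = "sink" if (ip.is_loopback or ip.is_unspecified) else "redirect"
        entries.append(HostsEntry(line_no, address, names, kind))
    return entries


def triage_hosts(text: str):
    """Summarise a hosts dump: per-kind counts plus every non-sink entry."""
    entries = parse_hosts(text)
    counts = Counter(e.kind for e in entries)
    findings = [e for e in entries if e.kind != "sink"]
    return counts, findings


# Constructed sample: lines 3-5 are copied from the SmitFraudFix dump above;
# the remaining lines are invented (reserved .test names, documentation IP).
SAMPLE_HOSTS = """\
# Windows default entry
127.0.0.1 localhost
127.0.0.1 www.ad.it.doubleclick.net
127.0.0.1 http://www.perfectedsecurity.com/
127.0.0.1 spysheriff.com
198.51.100.7 update.example.test   # constructed: vendor name sent to a remote host
0.0.0.0 tracker.example.test
"""

if __name__ == "__main__":
    counts, findings = triage_hosts(SAMPLE_HOSTS)
    print(dict(counts))
    for e in findings:
        print(f"line {e.line_no}: {e.kind:9s} {e.address} {' '.join(e.hostnames)} {e.reason}")
```

On a live system, feed it the file Windows actually consults: the resolver reads hosts from the directory named by the Tcpip\Parameters\DataBasePath registry value (by default %SystemRoot%\system32\drivers\etc), so a stray file such as the C:\WINDOWS\hosts that ComboFix removes in the next post only takes effect if that value was changed. Check the value first, then parse the file it points at.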

#6 tartansapper

tartansapper
  • Topic Starter

  • Members
  • 14 posts
  • Gender:Male
  • Location:Scotland

Posted 09 December 2007 - 06:22 PM

ComboFix 07-12-09.3 - Owner 2007-12-09 21:20:32.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.246 [GMT 0:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\dat.txt
C:\WINDOWS\hosts
C:\WINDOWS\rs.txt
C:\WINDOWS\start.exe
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\koos.exe
C:\WINDOWS\system32\kprof
C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\system32\poof
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NPF
-------\NPF




((((((((((((((((((((((((( Files Created from 2007-11-09 to 2007-12-09 )))))))))))))))))))))))))))))))
.

2007-12-09 20:45 . 2007-12-09 20:45 4,314 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-12-09 20:43 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2007-12-09 20:43 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-12-09 20:43 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2007-12-09 20:43 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-12-09 20:43 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2007-12-09 16:32 . 2007-12-09 16:32 <DIR> d-------- C:\Program Files\Avira
2007-12-09 16:32 . 2007-12-09 16:32 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Avira
2007-12-09 15:56 . 2007-12-09 15:56 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-09 00:12 . 2007-12-09 00:12 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-08 23:50 . 2007-12-09 21:22 5,920,800 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2007-12-08 23:50 . 2007-12-09 21:11 72,404 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx
2007-12-08 23:45 . 2007-12-08 23:45 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-08 23:45 . 2007-09-06 16:14 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-12-08 23:45 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\SYSTEM32\SpOrder.dll
2007-12-08 23:45 . 2007-12-08 23:47 4,212 ---h----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2007-12-08 23:43 . 2007-12-09 21:17 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-12-08 21:30 . 2007-12-08 22:27 5,458 --a------ C:\WINDOWS\SYSTEM32\SDRemoveDB.db
2007-12-08 21:29 . 2007-12-09 21:13 <DIR> d-------- C:\Program Files\SpywareDetector
2007-12-08 21:29 . 2007-03-19 12:39 270,336 --a------ C:\WINDOWS\SYSTEM32\CheckDll.dll
2007-12-08 21:29 . 2007-09-17 13:39 67,024 --a------ C:\WINDOWS\SYSTEM32\CloseAll.exe
2007-12-08 21:29 . 2007-09-29 14:04 11,728 --a------ C:\WINDOWS\SYSTEM32\SDEarlyDelete.exe
2007-12-08 21:29 . 2007-12-09 21:10 123 --a------ C:\WINDOWS\SYSTEM\SysSD.dll
2007-12-08 21:29 . 2005-02-06 09:02 104 --a------ C:\WINDOWS\SYSTEM32\ProxySettings.ini
2007-12-08 17:42 . 2007-12-08 17:42 <DIR> d----c--- C:\Documents and Settings\Owner\Application Data\Desktop Mechanic
2007-12-08 17:34 . 2007-12-09 01:04 <DIR> d-a--c--- C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-08 17:33 . 2007-12-08 21:07 <DIR> d-------- C:\Program Files\Desktop Maestro
2007-12-06 20:56 . 2007-12-08 20:57 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-03 20:51 . 2007-12-03 20:51 <DIR> d----c--- C:\videooutput
2007-12-03 20:51 . 2006-11-01 14:52 765,952 --a------ C:\WINDOWS\SYSTEM32\xvidcore.dll
2007-12-03 20:51 . 2007-02-25 15:36 383,238 --a------ C:\WINDOWS\SYSTEM32\libmp3lame-0.dll
2007-12-03 20:45 . 2007-12-03 20:45 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-12-02 19:54 . 2007-12-02 19:54 <DIR> d----c--- C:\Documents and Settings\Owner\Application Data\AdobeAUM
2007-12-02 19:21 . 2007-12-02 19:21 <DIR> d-------- C:\Program Files\ffdshow
2007-12-02 19:21 . 2006-10-02 13:44 5,120 --a------ C:\WINDOWS\SYSTEM32\ff_vfw.dll
2007-12-02 19:21 . 2006-08-05 12:06 547 --a------ C:\WINDOWS\SYSTEM32\ff_vfw.dll.manifest
2007-12-02 19:15 . 2007-12-02 19:15 <DIR> d-------- C:\Program Files\Haali
2007-12-02 14:24 . 2007-12-02 14:24 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-12-02 14:21 . 2007-12-02 14:21 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2007-12-02 14:20 . 2007-02-22 10:15 137,216 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\nmwcd.sys
2007-12-02 14:20 . 2007-02-22 10:15 65,536 --a------ C:\WINDOWS\SYSTEM32\nmwcdcocls.dll
2007-12-02 14:20 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\nmwcdcm.sys
2007-12-02 14:20 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\nmwcdcj.sys
2007-12-02 14:20 . 2007-02-22 10:15 8,320 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\nmwcdc.sys
2007-12-02 14:17 . 2007-12-02 15:10 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Installations
2007-11-30 23:57 . 2007-12-03 22:35 <DIR> d----c--- C:\Documents and Settings\Owner\.SimpleCenter
2007-11-30 00:57 . 2007-12-03 22:31 <DIR> d-------- C:\Program Files\NCH Swift Sound
2007-11-30 00:57 . 2007-11-30 00:57 <DIR> d----c--- C:\Documents and Settings\Owner\Application Data\NCH Swift Sound
2007-11-30 00:57 . 2007-12-03 20:28 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-11-30 00:56 . 2007-11-30 01:01 <DIR> d-------- C:\Program Files\NCH Software
2007-11-28 21:50 . 2007-11-28 21:50 <DIR> d-------- C:\Program Files\SimpleCenter
2007-11-28 21:50 . 2007-11-28 21:50 <DIR> d-------- C:\Program Files\Common Files\i4j_jres
2007-11-28 21:49 . 2007-11-28 21:49 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-11-19 21:55 . 2007-11-19 21:55 <DIR> d----c--- C:\Documents and Settings\Owner\Application Data\vlc
2007-11-19 21:53 . 2007-11-19 21:53 <DIR> d-------- C:\Program Files\VideoLAN
2007-11-19 21:08 . 2007-11-19 21:08 36 --a------ C:\WINDOWS\SYSTEM32\m4p.dat
2007-11-17 09:49 . 2007-11-17 09:49 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-17 09:11 . 2007-11-17 09:11 <DIR> d-------- C:\Program Files\FLV Player
2007-11-16 00:08 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-11-16 00:08 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\SYSTEM32\muweb.dll
2007-11-16 00:08 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2007-11-16 00:00 . 2007-11-16 00:00 <DIR> d-------- C:\Program Files\Microsoft Works
2007-11-15 23:56 . 2007-11-15 23:57 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-11-15 23:55 . 2007-11-17 09:50 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-15 23:54 . 2007-11-15 23:54 <DIR> dr-h-c--- C:\MSOCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-09 18:53 19,860,780 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_12_09_18_32_57_full.dmp.zip
2007-12-08 20:17 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-08 20:11 --------- dc----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-06 22:38 --------- d-----w C:\Program Files\Spyware Doctor
2007-12-02 21:17 --------- d-----w C:\Program Files\Common Files\Motive
2007-12-02 19:55 --------- dc----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2007-12-02 19:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-02 18:52 --------- dc----w C:\Documents and Settings\Owner\Application Data\PC Suite
2007-12-02 15:14 --------- dc----w C:\Documents and Settings\Owner\Application Data\Nokia
2007-12-02 14:40 --------- dc----w C:\Documents and Settings\All Users\Application Data\PC Suite
2007-12-02 14:24 --------- d-----w C:\Program Files\Common Files\PCSuite
2007-12-02 14:23 --------- dc----w C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2007-12-02 14:21 --------- d-----w C:\Program Files\DIFX
2007-12-02 14:20 --------- d-----w C:\Program Files\Nokia
2007-12-01 23:10 --------- d-----w C:\Program Files\Piolet
2007-11-28 22:33 --------- dc----w C:\Documents and Settings\Owner\Application Data\Nokia Multimedia Player
2007-11-28 22:09 --------- dc----w C:\Documents and Settings\Owner\Application Data\Datalayer
2007-11-06 09:20 831,048 ----a-w C:\WINDOWS\SYSTEM32\WudfUpdate_01005.dll
2007-10-31 20:49 --------- d-----w C:\Program Files\Common Files\xing shared
2007-10-31 20:49 --------- d-----w C:\Program Files\Common Files\Real
2007-10-31 20:48 --------- d-----w C:\Program Files\Real
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\dllcache\shell32.dll
2007-10-20 06:56 --------- d-----w C:\Program Files\MSECache
2007-10-16 21:14 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-04-13 14:47 266 --sha-w C:\Program Files\desktop.ini
2007-04-13 14:47 11,079 -c--a-w C:\Program Files\folder.htt
2003-08-27 10:49 3,424 -c--a-w C:\WINDOWS\INF\OTHER\cmiainfo.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD592DBF-7138-4805-A93B-B9491B6E53FC}]
C:\WINDOWS\vipextmdx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Offline Files]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@={7D688A77-C613-11D0-999B-00C04FD655E1}

[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2007-10-26 03:34 8460288 --a------ C:\WINDOWS\SYSTEM32\SHELL32.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 17:23]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 11:00]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2007-11-09 13:16]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [2006-02-28 11:00 C:\WINDOWS\SYSTEM32\systray.exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-07-09 20:25]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-07-09 20:13]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 22:46]
"btbb_wcm_McciTrayApp"="C:\Program Files\btbb_wcm\McciTrayApp.exe" [2006-11-30 10:51]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 15:19]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 23:14]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 23:15]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-31 20:48]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2006-11-28 01:12]
"btbb_McciTrayApp"="C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe" [2007-05-26 20:21]
"SystemTraySD"="C:\Program Files\SpywareDetector\SDSystemTray.exe" [2007-09-17 13:40]
"SDAutoLiveupdate"="C:\Program Files\SpywareDetector\LiveUpdateSD.exe" [2007-09-17 13:39]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-12-09 16:36]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify]
C:\Program Files\SpywareDetector\SDNotify.dll 2007-08-22 15:25 167936 C:\Program Files\SpywareDetector\SDNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"IgfxTray"=C:\WINDOWS\SYSTEM32\IGFXTRAY.EXE
"HotKeysCmds"=C:\WINDOWS\SYSTEM32\HKCMD.EXE
"Cmaudio"=RunDll32 cmicnfg.cpl,CMICtrlWnd
"EPSON Stylus C44 Series"=C:\WINDOWS\SYSTEM32\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O7 "EPUSB1:" /M "Stylus C44"

R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys
R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;C:\WINDOWS\system32\DRIVERS\sisnicxp.sys
S3 adxapie;adxapie;\??\C:\DOCUME~1\Owner\LOCALS~1\Temp\adxapie.sys
S3 cdiskdun;cdiskdun;\??\C:\DOCUME~1\Owner\LOCALS~1\Temp\cdiskdun.sys
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys
S3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys

.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-09 21:23:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Creative Detector = "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R??D~0?A~????*?A~??A~?s????C~????m???????????????????h???h???????]?A~??C~????m???????????????????k!?s??A~??A~6??????????w??????A~X?j???????A~???????w??A~???????s????W?D~??A~??????A~???w6??????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-09 21:24:08
.
--- E O F ---

#7 tartansapper

tartansapper
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:10:43 AM

Posted 09 December 2007 - 06:23 PM

Last but not least, here is the new HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:08 PM, on 12/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SpywareDetector\SDService.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: OFK System - {CD592DBF-7138-4805-A93B-B9491B6E53FC} - C:\WINDOWS\vipextmdx.dll (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk/
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: LiveUpdate - Unknown owner - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

--
End of file - 9012 bytes

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:10:43 AM

Posted 10 December 2007 - 05:09 AM

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1
Do not run it just yet.

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.
Do not run it just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and, after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: OFK System - {CD592DBF-7138-4805-A93B-B9491B6E53FC} - C:\WINDOWS\vipextmdx.dll (file missing)

Exit Hijackthis.

Now double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use the Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use the Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Now Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log and let me know how your PC is running now.


#9 tartansapper

tartansapper
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:10:43 AM

Posted 10 December 2007 - 12:58 PM

Hi There,

Just read your post, everything seems to be running okay now on my PC with no sign of the adware returning. Do you want me to still do everything you said in your last post?

Jim

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:10:43 AM

Posted 10 December 2007 - 01:50 PM

Yes if you would please Jim :thumbsup:

#11 tartansapper

tartansapper
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:10:43 AM

Posted 11 December 2007 - 03:54 PM

Here is everything you asked for, Ritchie,

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/11/2007 at 08:31 PM

Application Version : 3.9.1008

Core Rules Database Version : 3359
Trace Rules Database Version: 1358

Scan type : Complete Scan
Total Scan Time : 00:44:02

Memory items scanned : 458
Memory threats detected : 0
Registry items scanned : 5371
Registry threats detected : 0
File items scanned : 34212
File threats detected : 1

Trojan.Net-MSV/VPS-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8DAC5547-6999-45FB-A2D9-4E67C88074BF}\RP182\A0108252.DLL

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:51:04 PM, on 12/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk/
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: LiveUpdate - Unknown owner - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

--
End of file - 8999 bytes

Everything seems to be running as it should be with no further problems appearing. Thank you very much for all your help; this is a great site with a lot of good information on it which helps a novice like myself. Thanks again,

Jim

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:10:43 AM

Posted 11 December 2007 - 05:20 PM

It appears you've now no virus protection installed; you must have uninstalled Avira AntiVir Personal Edition Classic. That's not a good idea, Jim, you must have virus protection running at all times.
Download/install one of the following freeware options from the choice below.
Once installed, update its definitions and then run a full system virus scan.

Avira AntiVir Personal Edition Classic
http://www.free-av.com/
AVG7 Free Edition Antivirus:
http://free.grisoft.com/doc/2/
Avast! 4 Home Edition:
http://files.avast.com/iavs4pro/setupeng.exe

With you having Service Pack 2 installed, I'm presuming you're using the Windows Firewall.
You may be behind a hardware firewall (router/NAT), but it wouldn't hurt to install a third-party software firewall to enhance protection.
A word of warning regarding the Windows Firewall in Service Pack 2: it only filters INCOMING traffic.
That means if malware happens to compromise your PC, it will be able to SEND OUT your credit card data and any other personal information.
I suggest you install a more robust third-party firewall from below that filters both INCOMING and OUTGOING traffic.

Sygate Personal Firewall Free Edition:
http://www.filehippo.com/download_sygate_personal_firewall/
Zone Alarm Free:
http://download.zonelabs.com/bin/free/1001..._737_000_en.exe
Comodo Personal Firewall:
http://www.personalfirewall.comodo.com/
Outpost Firewall Free:
http://www.agnitum.com/products/outpostfree/index.php

You should take the time to read the following:
Understanding and Using Firewalls
http://www.bleepingcomputer.com/tutorials/understanding-and-using-firewalls/

Your log is clean :thumbsup:, please do the following:

Click on Start/Run, copy and paste ComboFix /u into the 'Open:' space, then press Ok.

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear; click on Ok.
The 'Disk Cleanup for [C:]' box will appear; click on the 'More Options' tab.
At the bottom, in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up: 'Are you sure you want to delete all but the most recent restore point?'. Click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

You should take the time to read and follow the information found in the links below, to help you prevent any possible future infections and stay safe and secure while online:

Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

How to prevent Malware:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

So how did I get infected in the first place:
http://forums.spybot.info/showthread.php?t=279

Malware Cleanup Programs and Preventative Procedures:
http://russelltexas.com/malware/allclear.htm
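The thread's two HijackThis logs were compared by eye: the two O2 BHO entries RichieUK had fixed in post #8 (both pointing at files HijackThis reported missing) are absent from the 11 December log, and so are the Avira entries he notices in post #12. The script below is an added example, not code from this thread, from HijackThis or from ComboFix. It parses HijackThis entry lines, flags entries whose backing file is reported missing (the `(no file)` and `(file missing)` markers), diffs two logs to list what disappeared or appeared between scans, and flags ComboFix service lines whose driver image sits under a user Temp folder, as the adxapie and cdiskdun lines in the ComboFix output earlier in the thread do. The embedded log excerpts are constructed from lines quoted in the thread, trimmed to a few entries each.

```python
"""Triage helpers for HijackThis and ComboFix logs.

Added example for this thread; not code from the BleepingComputer post,
from HijackThis or from ComboFix. The sample excerpts are constructed from
entries quoted in the thread's own logs.
"""
import re

# HijackThis entry line: "O2 - BHO: ...", "O4 - HKLM\..\Run: ...", "R1 - ...", "O23 - Service: ..."
HJT_LINE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.+)$")
# HijackThis appends one of these when the registered file is absent on disk.
MISSING_MARKERS = ("(no file)", "(file missing)")
# ComboFix service line: "<start type> <name>;<display name>;<image path>"
CF_SERVICE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+)$")

# Constructed excerpt of the 9 December 2007 log (before the fix).
LOG_BEFORE = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: OFK System - {CD592DBF-7138-4805-A93B-B9491B6E53FC} - C:\WINDOWS\vipextmdx.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O23 - Service: LiveUpdate - Unknown owner - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
"""

# Constructed excerpt of the 11 December 2007 log (after the fix).
LOG_AFTER = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: LiveUpdate - Unknown owner - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE (file missing)
"""

# Constructed excerpt of the ComboFix service list quoted in the thread.
COMBOFIX_SERVICES = r"""
R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;C:\WINDOWS\system32\DRIVERS\sisnicxp.sys
S3 adxapie;adxapie;\??\C:\DOCUME~1\Owner\LOCALS~1\Temp\adxapie.sys
S3 cdiskdun;cdiskdun;\??\C:\DOCUME~1\Owner\LOCALS~1\Temp\cdiskdun.sys
"""


def parse_hjt(text):
    """Return (kind, body) tuples for every HijackThis entry line in text."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def missing_file_entries(text):
    """Entries whose registered file HijackThis could not find on disk.

    A BHO or service pointing at a file that is gone is dead weight at best;
    a nameless BHO with no file is the usual leftover of adware that a scanner
    deleted without unregistering. These are the lines a helper has fixed.
    """
    return [f"{kind} - {body}" for kind, body in parse_hjt(text)
            if body.endswith(MISSING_MARKERS)]


def diff_logs(before, after):
    """Entries removed and entries added between two scans, order preserved."""
    old = [f"{k} - {b}" for k, b in parse_hjt(before)]
    new = [f"{k} - {b}" for k, b in parse_hjt(after)]
    removed = [e for e in old if e not in new]
    added = [e for e in new if e not in old]
    return removed, added


def drivers_in_temp(text):
    """ComboFix service names whose image path sits under a Temp folder.

    Installed kernel drivers normally live under system32\\DRIVERS; a path
    under ...\\Temp\\ deserves a second look. Anti-rootkit scanners also load
    short-lived helper drivers from there, so this is a review flag, not a verdict.
    """
    names = []
    for line in text.splitlines():
        m = CF_SERVICE.match(line.strip())
        if m and re.search(r"\\temp\\", m.group("path"), re.IGNORECASE):
            names.append(m.group("name"))
    return names


if __name__ == "__main__":
    for e in missing_file_entries(LOG_BEFORE):
        print("missing file:", e)
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    for e in removed:
        print("gone since last scan:", e)
    for e in added:
        print("new since last scan:", e)
    print("drivers loaded from Temp:", drivers_in_temp(COMBOFIX_SERVICES))
```

Run over the two full logs posted above, the diff shows not only the fixed O2 entries and the Avira lines but also the ZoneAlarm `O4` entry and the `vsmon` `O23` service gone from the second log, which is worth checking before assuming the Windows Firewall has taken over. The Temp-folder flag is deliberately a prompt for a look at the file, not a classification; the thread itself does not say what those two drivers belong to.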