Infected With Dcads Malware

51 replies to this topic

#1 cichlidnut


Posted 20 December 2007 - 03:47 PM

I downloaded a WinZip file from Limewire and carelessly opened the .exe file. Started to see occasional popups. I ran a scan with BitDefender which found this:

C:\System Volume Information\_restore{F561161F-9CF0-4A5B-BD2A-6BCEC1178E07}\RP417\A0061518.EX=>(NSIS o)=>lzma_nsis0008=>(NSIS o)=>lzma_solid_nsis0004

I deleted the file from the SVI folder in safe mode and assumed everything was good. Popups continue. I ran scans with AVG, Spybot, Registry Mechanic, Ad-aware, Microsoft Clean. I've uninstalled both Browser Optimizer Dcads and Browser Optimizer Superiorads. Popups still happen... I've read a few threads on Dcads and how to remove it, but I'm afraid to use the processes for someone else's PC on my PC. I appreciate any help.

Here's my HiJackThis log. I've highlighted the only entry I can see with the word "dcads".

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:35:09 PM, on 12/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\MediaLife\MediaLifeService.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\mspaint.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Downloads\Installation Programs\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: dcads - {6FC3C36D-7635-4D43-BA62-0D9D2F2CD06E} - C:\WINDOWS\system32\nsj3F.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MediaLifeService] "C:\Program Files\Logitech\MediaLife\MediaLifeService.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk.disabled
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by127fd.bay127.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8EF9AA4A-3F82-461A-B765-BBCFE7F31A2E}: NameServer = 192.168.2.1
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware Sandra Lite XIb\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware Sandra Lite XIb\RpcSandraSrv.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 8945 bytes
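The O2/O3 lines in the log above are the ones that matter for this infection, so here is an added example (not code from the thread or from HijackThis) that parses that entry format, flags BHOs whose DLL is missing or sits directly in the Windows system directory, and diffs two scans to list the entries that disappeared, which is how a helper checks that a fix actually removed the dcads BHO. The sample logs are constructed from entries quoted in this thread; the system-directory heuristic is an assumption of this example, not a HijackThis rule.

```python
"""Parse HijackThis v2.0.2 O2 (BHO) and O3 (Toolbar) entries and compare two scans.

Added example, not code from the thread or from HijackThis itself. The sample
logs below are constructed from entries quoted in this thread.
"""
import re
from dataclasses import dataclass

# HijackThis entry shape: "<section> - <kind>: <name> - {CLSID} - <path>"
ENTRY_RE = re.compile(
    r"^(?P<section>O[23]) - (?P<kind>BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - (?P<path>.*)$"
)

# Folders where a legitimate BHO almost never lives: vendors install under
# Program Files, while the dcads DLL in this thread sat directly in system32.
# This is a heuristic assumed for the example, not a HijackThis rule.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows")


@dataclass(frozen=True)
class Entry:
    section: str   # O2 or O3
    kind: str      # BHO or Toolbar
    name: str      # display name, "(no name)" when the registry has none
    clsid: str     # {GUID} identifying the COM object
    path: str      # DLL path exactly as HijackThis printed it

    @property
    def file_missing(self) -> bool:
        """True when HijackThis could not find the registered DLL on disk."""
        return self.path == "(no file)" or self.path.endswith("(file missing)")

    @property
    def in_system_dir(self) -> bool:
        """True when the DLL sits directly in the Windows (system) directory."""
        folder, _, _ = self.path.lower().rpartition("\\")
        return folder in SYSTEM_DIRS


def parse_entries(log: str) -> list[Entry]:
    """Extract O2/O3 entries; other sections (R0, O4, O23, ...) are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(**m.groupdict()))
    return entries


def orphaned(entries: list[Entry]) -> list[Entry]:
    """Registered BHOs/toolbars whose DLL is gone: leftovers of an uninstall or a partial cleanup."""
    return [e for e in entries if e.file_missing]


def system_dir_bhos(entries: list[Entry]) -> list[Entry]:
    """BHOs loaded from the Windows directory rather than a product folder (see SYSTEM_DIRS)."""
    return [e for e in entries if e.in_system_dir]


def removed_between(before: list[Entry], after: list[Entry]) -> list[Entry]:
    """Entries present in the first scan but absent from the second, matched by CLSID."""
    remaining = {e.clsid for e in after}
    return [e for e in before if e.clsid not in remaining]


# Constructed from O2/O3 lines of the first log in this thread (before ComboFix).
BEFORE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: dcads - {6FC3C36D-7635-4D43-BA62-0D9D2F2CD06E} - C:\WINDOWS\system32\nsj3F.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
"""

# Constructed from O2/O3 lines of the second log in this thread (after ComboFix).
AFTER_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (file missing)
"""


def report(before_log: str, after_log: str) -> dict[str, list[str]]:
    """Summarise what a helper would look at: orphans, system-dir BHOs, and what the fix removed."""
    before, after = parse_entries(before_log), parse_entries(after_log)
    return {
        "orphaned": [e.clsid for e in orphaned(before)],
        "system_dir": [e.path for e in system_dir_bhos(before)],
        "removed": [f"{e.name} {e.clsid}" for e in removed_between(before, after)],
    }


if __name__ == "__main__":
    for label, items in report(BEFORE_LOG, AFTER_LOG).items():
        print(f"{label}:")
        for item in items:
            print(f"  {item}")
```

Matching on CLSID rather than path is deliberate: the SSVHelper entry changed path between the two scans (Java was updated) but is the same object, while the dcads and orphan entries genuinely disappeared.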



#2 RichieUK

  • Malware Response Team

Posted 21 December 2007 - 10:48 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, cichlidnut.
My name is Richie and I'll be helping you to fix your problems.

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 3'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.


If you have previously downloaded ComboFix, please delete that version now.
Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.
Using this tool incorrectly could render your system/pc inoperable.

Now download Combofix and save to your desktop:
Note
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.

#3 cichlidnut


Posted 21 December 2007 - 03:37 PM

Thank you for the prompt reply.

I'm afraid I'm unsure what the "ComboFix-quarantined-files.txt" is. I assume it would be a file unto itself so I hope it's not contained within this. My apologies if it is.


ComboFix 07-12-21.4 - Mdg 2007-12-21 15:22:29.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1476 [GMT -5:00]
Running from: C:\Documents and Settings\Mdg\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Mdg\Application Data\macromedia\Flash Player\#SharedObjects\Y4F6NA65\www.broadcaster.com
C:\Documents and Settings\Mdg\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Mdg\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\system32\nsj3F.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-21 to 2007-12-21 )))))))))))))))))))))))))))))))
.

2007-12-21 15:17 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-21 15:16 . 2007-12-21 15:16 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-19 23:33 . 2007-12-19 23:33 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-19 23:33 . 2007-12-19 23:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-19 11:38 . 2007-12-19 11:38 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-12-19 00:14 . 2007-12-19 00:14 256 --a------ C:\WINDOWS\adaway.lic
2007-12-18 14:59 . 2007-12-18 14:59 <DIR> d--hs---- C:\FOUND.003
2007-12-17 23:51 . 2007-12-17 23:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-17 22:28 . 2007-12-17 22:28 8,704 --ahs---- C:\WINDOWS\system32\Thumbs.db
2007-12-17 16:28 . 2007-12-17 16:28 <DIR> d-------- C:\Program Files\Windows Live
2007-12-17 16:28 . 2007-12-17 16:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-17 16:28 . 2007-12-17 16:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WindowsLiveInstaller
2007-12-17 09:48 . 2007-12-21 15:15 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-17 09:48 . 2007-12-17 09:48 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-15 10:01 . 2007-12-15 10:01 232 --a------ C:\WINDOWS\PowerReg.dat
2007-12-15 09:59 . 2007-12-15 09:59 <DIR> d-------- C:\Program Files\Hasbro Interactive
2007-12-12 15:22 . 2007-12-12 15:22 <DIR> d-------- C:\Program Files\Sygate
2007-12-12 15:22 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-12-12 15:22 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-12-12 15:22 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-12-12 15:22 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\WG6N.sys
2007-12-12 15:22 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\WG5N.sys
2007-12-12 15:22 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\WG4N.sys
2007-12-12 15:22 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\WG3N.sys
2007-12-11 10:57 . 2007-12-11 10:57 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-12-11 10:57 . 2007-12-11 10:57 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-12-10 08:54 . 2007-12-10 08:54 <DIR> dr-h----- C:\$VAULT$.AVG
2007-12-07 22:43 . 2007-12-07 22:43 <DIR> d-------- C:\Documents and Settings\Maureen\Application Data\AVG7
2007-11-30 16:57 . 2007-11-30 16:57 <DIR> d-------- C:\Documents and Settings\Alicia\Application Data\AVG7
2007-11-30 11:30 . 2007-11-30 11:30 <DIR> d-------- C:\Documents and Settings\Melissa\Application Data\AVG7
2007-11-30 10:22 . 2007-11-30 10:22 <DIR> d-------- C:\Documents and Settings\Mdg\Application Data\AVG7
2007-11-30 10:22 . 2007-11-30 10:22 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-30 10:22 . 2007-11-30 10:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-30 10:15 . 2007-11-30 10:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-28 15:50 . 2006-10-29 02:11 516,096 --a------ C:\WINDOWS\system32\rtl4.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-21 20:07 17,354 ----a-w C:\Documents and Settings\Mdg\Application Data\wklnhst.dat
2007-12-07 21:16 60,072 ----a-w C:\Documents and Settings\Mdg\Application Data\GDIPFONTCACHEV1.DAT
2007-11-15 05:32 --------- d-----w C:\Documents and Settings\Mdg\Application Data\MediaLife
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-09 01:41 --------- d-----w C:\Documents and Settings\Melissa\Application Data\Logitech
2007-11-08 16:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\MediaLife
2007-11-07 21:51 3,350 ----a-w C:\Documents and Settings\Alicia\Application Data\wklnhst.dat
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\QUARTZ.DLL
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-28 20:22 --------- d-----w C:\Documents and Settings\Mdg\Application Data\NFT
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\WMASF.DLL
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 17:21 --------- d-----w C:\Documents and Settings\Alicia\Application Data\NFT
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-23 02:26 1,184 ----a-w C:\Documents and Settings\Maureen\Application Data\wklnhst.dat
2007-10-17 17:23 10,752 ----a-w C:\WINDOWS\system32\WhoisCL.exe
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:56 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:56 232,960 ----a-w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:56 105,984 ----a-w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:56 102,400 ----a-w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ----a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ----a-w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 10:59 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-09-30 22:43 59,680 ----a-w C:\Documents and Settings\Alicia\Application Data\GDIPFONTCACHEV1.DAT
2007-09-28 17:08 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-28 17:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-09-28 17:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 17:07 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-09-28 17:07 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-09-28 17:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-28 17:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-28 17:05 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-09-28 17:05 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-28 17:05 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-09-28 17:05 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-09-28 17:05 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-09-28 17:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-09-28 17:05 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-09-28 17:05 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-09-28 17:05 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-09-28 17:05 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-09-28 17:05 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-08-27 16:07 2,293,712 ----a-w C:\Program Files\FLV PlayerFCSetup.exe
2007-05-26 01:11 922 ----a-w C:\Documents and Settings\Melissa\Application Data\wklnhst.dat
2007-02-26 03:43 19 ----a-w C:\Program Files\Answer.txt
2003-12-20 01:36 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2006-05-03 10:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 11:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 12:00]
"PowerBar"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 15:34 C:\WINDOWS\RTHDCPL.exe]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"MediaLifeService"="C:\Program Files\Logitech\MediaLife\MediaLifeService.exe" [2005-05-12 21:23]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 09:49]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-30 10:22]

C:\Documents and Settings\Alicia\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2007-09-17 10:19:14]

C:\Documents and Settings\Mdg\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk.disabled [2006-12-29 18:11:32]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2007-01-06 16:03:13]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-12-29 18:11:17]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"RegistryMechanic"=
"Alcmtr"=ALCMTR.EXE
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
"B'sCLiP"=C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe

R0 BsStor;B.H.A Storage Helper Driver;C:\WINDOWS\system32\drivers\BsStor.sys [2002-06-06 01:07]
R1 cdrbsvsd;cdrbsvsd;C:\WINDOWS\system32\drivers\cdrbsvsd.sys [2003-12-03 17:44]
R4 BsUDF;B.H.A UDF Filesystem;C:\WINDOWS\system32\drivers\BsUDF.sys [2004-01-08 16:41]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-12-18 20:01:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-21 19:52:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-21 15:25:50
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PowerBar = ????????????<?@?<?@?D?????A~??????????????A~<?@?<?@????? ???????????W?D~??A~??????A~K?A~x???????[?A~???????? ??????????????|x???0????????????n????A~?????????????????(??????X???????<?@?<?@?????Q?B~????D?@?????<?@???@?<?@?3??s??????????????????????@?_??s??@???@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-21 15:26:34
.
2007-12-12 08:05:58 --- E O F ---


And my latest Hijackthis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:36:33 PM, on 12/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\MediaLife\MediaLifeService.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Downloads\Installation Programs\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MediaLifeService] "C:\Program Files\Logitech\MediaLife\MediaLifeService.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk.disabled
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by127fd.bay127.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8EF9AA4A-3F82-461A-B765-BBCFE7F31A2E}: NameServer = 192.168.2.1
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware Sandra Lite XIb\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware Sandra Lite XIb\RpcSandraSrv.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 8798 bytes

#4 RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 21 December 2007 - 06:41 PM

First enable the viewing of hidden files and folders; reverse the process once you've completed the steps below:
http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1
Do not run it just yet.

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.
Do not run it just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (file missing)

Exit HijackThis.

Find and delete:
C:\WINDOWS\adaway.lic

Now double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use the Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use the Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Now Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log, and let me know how your PC is running now.


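The entries RichieUK has the user fix above are the ones HijackThis tags "(file missing)", and the follow-up log is then checked against the earlier one by eye. As an added example (not code from this thread, from HijackThis or from any of the tools named here), the Python script below parses log lines in that format, flags orphaned entries and O23 services with an "Unknown owner", and diffs a before/after log; the two sample logs are constructed from entries quoted in this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample logs: a handful of entries in the HijackThis v2 line
# format, taken from the logs quoted in this thread. BEFORE_LOG carries the
# two orphaned Windows Live Toolbar entries; AFTER_LOG is the state after
# "Fix checked" and the SuperAntiSpyware install.
BEFORE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:35:09 PM, on 12/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
"""

AFTER_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:55:58 PM, on 12/21/2007

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
"""

# An entry line is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [...] ...".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
# CLSID in the form HijackThis prints for BHOs, toolbars and extra buttons.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING_MARK = "(file missing)"


@dataclass(frozen=True)
class Entry:
    code: str             # section code, e.g. "O2", "O4", "O23"
    body: str             # everything after "O2 - "
    clsid: Optional[str]  # first CLSID found in the body, if any
    raw: str              # the line exactly as logged


def parse_log(text: str) -> List[Entry]:
    """Turn a HijackThis log into Entry records. The header and the
    'Running processes' block are not '<code> - ' lines and are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.group(1), m.group(2)
        c = CLSID_RE.search(body)
        entries.append(Entry(code, body, c.group(0) if c else None, line))
    return entries


def orphaned_entries(entries: List[Entry]) -> List[Entry]:
    """Entries whose target file no longer exists: harmless leftovers, but
    exactly the lines a helper asks the user to 'Fix checked'."""
    return [e for e in entries if e.body.endswith(MISSING_MARK)]


def unknown_owner_services(entries: List[Entry]) -> List[Entry]:
    """O23 services with no publisher string; worth a second look, though
    legitimate installers (as in this thread) produce them too."""
    return [e for e in entries if e.code == "O23" and "- Unknown owner -" in e.body]


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Return (added, removed) raw entry lines between two logs, in log order,
    so a follow-up log can be checked against the one already reviewed."""
    before_set = {e.raw for e in parse_log(before)}
    after_set = {e.raw for e in parse_log(after)}
    added = [e.raw for e in parse_log(after) if e.raw not in before_set]
    removed = [e.raw for e in parse_log(before) if e.raw not in after_set]
    return added, removed


if __name__ == "__main__":
    entries = parse_log(BEFORE_LOG)
    print("Fix candidates (file missing):")
    for e in orphaned_entries(entries):
        print("  ", e.code, e.clsid)
    print("Services with unknown owner:")
    for e in unknown_owner_services(entries):
        print("  ", e.body)
    added, removed = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("Removed since last log:", len(removed), "Added:", len(added))
    for line in added:
        print("  +", line)
```
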
#5 cichlidnut

  • Topic Starter

  • Members
  • 45 posts

Posted 21 December 2007 - 11:57 PM

Thank you again for all your help.

After following all your instructions and a four hour scan using SuperAntiSpyware, here is the log...


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/21/2007 at 11:47 PM

Application Version : 3.9.1008

Core Rules Database Version : 3366
Trace Rules Database Version: 1365

Scan type : Complete Scan
Total Scan Time : 03:28:22

Memory items scanned : 177
Memory threats detected : 0
Registry items scanned : 6304
Registry threats detected : 0
File items scanned : 57258
File threats detected : 1

Unclassified.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F561161F-9CF0-4A5B-BD2A-6BCEC1178E07}\RP433\A0062831.DLL

The latest HijackThis log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:55:58 PM, on 12/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Logitech\MediaLife\MediaLifeService.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Downloads\Installation Programs\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MediaLifeService] "C:\Program Files\Logitech\MediaLife\MediaLifeService.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk.disabled
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by127fd.bay127.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8EF9AA4A-3F82-461A-B765-BBCFE7F31A2E}: NameServer = 192.168.2.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware Sandra Lite XIb\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware Sandra Lite XIb\RpcSandraSrv.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 8677 bytes

I'll update you with a performance report after a few hours of normal use.

Edited by cichlidnut, 21 December 2007 - 11:58 PM.


#6 cichlidnut

  • Topic Starter

  • Members
  • 45 posts

Posted 22 December 2007 - 07:58 AM

Five seconds after posting how great the computer was running... a popup! :thumbsup:

Here's a screenshot... don't think it'll help but at least you can see I'm not crazy.

Posted Image

Edited by cichlidnut, 22 December 2007 - 08:07 AM.


#7 RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 22 December 2007 - 08:54 AM

Download and scan with the free 15 day trial of CounterSpy V2.
Save the report when it's finished:
1. Once CounterSpy has finished scanning, the 'Scan Results' box will appear.
2. Click on 'View Results'.
3. Under (Recommended Action), using the drop down menus at the side of each entry found, set EVERYTHING to 'Remove'.
4. Then click on 'Take Action'.
5. Once everything has been removed, click on 'View Details'.
6. Copy and paste those details into your next reply.


Please run F-Secure Online Virus Scanner using Internet Explorer:
http://support.f-secure.com/enu/home/ols.shtml
In the opening page read:
1.General
2.System requirements
3. Start your scan, then click on 'Start scanning'.
The 'Internet Explorer - Security Warning' box will pop up; click on 'Install'.
Read the Licence Agreement, then click on 'Accept'.
In the next window that opens click on 'Custom Scan'.
Under 'Virus Scan Options', make sure 'Scan whole system' is selected.
Under 'Other Scan Options', make sure the following are selected:
'Scan programs and documents'
'Scan all files'
'Scan whole system for rootkits'
'Scan whole system for spyware'
'Scan inside archives'
'Use advanced heuristics'
Then click on 'Start'.
The 'scanner components and databases' will then be downloaded; this will take some time.
The virus scan will then start automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the 'I want to decide item by item' button.
For each item found, select 'Disinfect' and click 'Next'.
Click the 'Show Report' button, then copy and paste the entire report into your next reply.

#8 cichlidnut

  • Topic Starter

  • Members
  • 45 posts

Posted 22 December 2007 - 08:45 PM

Results for CounterSpy

Scan History Details
Start Date: 12/22/2007 9:21:41 AM
End Date: 12/22/2007 12:02:44 PM
Total Time: 161 Min 3 Sec
Detected security risks

Bifrost Backdoor more information...
Details: Bifrost is an advanced remote administration tool that allows users to remotely control computers that are behind firewalls and routers.
Status: Deleted

Registry entries detected
HKEY_USERS\S-1-5-21-1981602296-893097559-3417532419-1003\SOFTWARE\WGET


After an EIGHT hour scan... :thumbsup: F-Secure Online Scan found no Malware. I'm not sure if this is a good sign or not.

The log


Scanning Report
Saturday, December 22, 2007 13:45:45 - 20:37:34

Computer name: SLEEK
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\
Result: 0 malware found
Statistics
Scanned:

* Files: 332051
* System: 5008
* Not scanned: 75

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 0
* Submitted: 0

Files not scanned:

* �.GxzAGEFILE.SYS C:\PROGRAM FILES\MAXIS\THE SIMS\USERDATA\PHOTOALBUM\_
* C:\PROGRAM FILES\MAXIS\THE SIMS\USERDATA\IMPORT\_
* C:\PROGRAM FILES\MAXIS\THE SIMS\USERDATA\EXPORT\_
* C:\PROGRAM FILES\MAXIS\THE SIMS\GAMEDATA\SCENARIO.TDS
* C:\PROGRAM FILES\MAXIS\THE SIMS\GAMEDATA\WALLS\_
* C:\PROGRAM FILES\MAXIS\THE SIMS\GAMEDATA\USEROBJECTS\_
* C:\PROGRAM FILES\MAXIS\THE SIMS\GAMEDATA\SKINS\_
* C:\PROGRAM FILES\MAXIS\THE SIMS\GAMEDATA\FLOORS\_
* C:\PROGRAM FILES\MAXIS\THE SIMS\DOWNLOADS\_
* C:\PROGRAM FILES\B'S CLIP\WIN2K\GAA.BIN
* C:\PROGRAM FILES\B'S RECORDER GOLD7\RAMCHECK.DAT
* C:\PROGRAM FILES\B'S RECORDER GOLD7\SSECMODE1.BIN
* C:\PROGRAM FILES\B'S RECORDER GOLD7\SSECMODE2.BIN
* C:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[1].RMB
* C:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[2].RMB
* C:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[3].RMB
* C:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[4].RMB
* C:\DOCUMENTS AND SETTINGS\LOCALS~1.LOG
* C:\DOCUMENTS AND SETTINGS\NETWOR~1.LOG
* C:\DOCUMENTS AND SETTINGS\MDG\NTUSER.DAT.LOG
* C:\DOCUMENTS AND SETTINGS\MDG\NTUSER.DAT
* C:\Documents and Settings\Mdg\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 12-21-2007 - 23-48-18.SBU\{F8808D98-FC90-4BE9-8BF4-ED50966A8A6D}
* C:\DOCUMENTS AND SETTINGS\MDG\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\PARENT.LOCK
* C:\DOCUMENTS AND SETTINGS\MDG\DESKTOP\MUSIC\THE ALL-AMERICAN REJECTS - DIRTY LITTLE SECRET.MP3
* C:\DOCUMENTS AND SETTINGS\MDG\DESKTOP\MUSIC\VIDEO\LOST 0X1.6138C0P-984T (null)EA-YOU'REDENYINGTHEREFINE,WORDLESSWONDER.RAR
* C:\DOCUMENTS AND SETTINGS\MDG\MY DOCUMENTS\MY PICTURES\IPOD PHOTO CACHE\F37\T492.ITHMB
* C:\DOCUMENTS AND SETTINGS\MDG\MY DOCUMENTS\MY PICTURES\IPOD PHOTO CACHE\F36\T491.ITHMB
* C:\DOCUMENTS AND SETTINGS\MDG\MY DOCUMENTS\MY PICTURES\IPOD PHOTO CACHE\F35\T286.ITHMB
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\TEMP\~DF57FC.TMP
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\TEMP\~DFEE4.TMP
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE(2)\_CACHE_001_
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE(2)\_CACHE_002_
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE(2)\_CACHE_003_
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE\_CACHE_001_
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE\_CACHE_002_
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE\_CACHE_003_
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE(7)\_CACHE_001_
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE(7)\_CACHE_002_
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE(7)\_CACHE_003_
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE(6)\_CACHE_001_
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE(6)\_CACHE_002_
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE(6)\_CACHE_003_
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE(5)\_CA��L
* C:\PAGEFILE.SYS
* C:\PROGRAM FILES\MAXIS\THE SIMS\USERDATA\PHOTOALBUM\_
* C:\PROGRAM FILES\MAXIS\THE SIMS\USERDATA\IMPORT\_
* C:\PROGRAM FILES\MAXIS\THE SIMS\USERDATA\EXPORT\_
* C:\PROGRAM FILES\MAXIS\THE SIMS\GAMEDATA\SCENARIO.TDS
* C:\PROGRAM FILES\MAXIS\THE SIMS\GAMEDATA\WALLS\_
* C:\PROGRAM FILES\MAXIS\THE SIMS\GAMEDATA\USEROBJECTS\_
* C:\PROGRAM FILES\�STxzxzAMEDATA\SKINS\_
* C:\PROGRAM FILES\MAXIS\THE SIMS\GAMEDATA\FLOORS\_
* C:\PROGRAM FILES\MAXIS\THE SIMS\DOWNLOADS\_
* C:\PROGRAM FILES\B'S CLIP\WIN2K\GAA.BIN
* C:\PROGRAM FILES\B'S RECORDER GOLD7\RAMCHECK.DAT
* C:\PROGRAM FILES\B'S RECORDER GOLD7\SSECMODE1.BIN
* C:\PROGRAM FILES\B'S RECORDER GOLD7\SSECMODE2.BIN
* C:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[1].RMB
* C:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[2].RMB
* C:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[3].RMB
* C:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[4].RMB
* C:\DOCUMENTS AND SETTINGS\LOCALS~1.LOG
* C:\DOCUMENTS AND SETTINGS\NETWOR~1.LOG
* C:\DOCUMENTS AND SETTINGS\MDG\NTUSER.DAT.LOG
* C:\DOCUMENTS AND SETTINGS\MDG\NTUSER.DAT
* C:\Documents and Settings\Mdg\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 12-21-2007 - 23-48-18.SBU\{F8808D98-FC90-4BE9-8BF4-ED50966A8A6D}
* C:\DOCUMENTS AND SETTINGS\MDG\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\PARENT.LOCK
* C:\DOCUMENTS AND SETTINGS\MDG\DESKTOP\MUSIC\THE ALL-AMERICAN REJECTS - DIRTY LITTLE SECRET.MP3
* C:\DOCUMENTS AND SETTINGS\MDG\DESKTOP\MUSIC\VIDEO\LOST 0X1.6138C0P-984T (null)EA-YOU'REDENYINGTHEREFINE,WORDLESSWONDER.RAR
* C:\DOCUMENTS AND SETTINGS\MDG\MY DOCUMENTS\MY PICTURES\IPOD PHOTO CACHE\F37\T492.ITHMB
* C:\DOCUMENTS AND SETTINGS\MDG\MY DOCUMENTS\MY PICTURES\IPOD PHOTO CACHE\F36\T491.ITHMB
* C:\DOCUMENTS AND SETTINGS\MDG\MY DOCUMENTS\MY PICTURES\IPOD PHOTO CACHE\F35\T286.ITHMB
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\TEMP\~DF57FC.TMP
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\TEMP\~DFEE4.TMP
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE(2)\_CACHE_001_
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE(2)\_CACHE_002_
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE(2)\_CACHE_003_
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE\_CACHE_001_
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE\_CACHE_002_
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE\_CACHE_003_
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE(7)\_CACHE_001_
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE(7)\_CACHE_002_
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE(7)\_CACHE_003_
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE(6)\_CACHE_001_
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE(6)\_CACHE_002_
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE(6)\_CACHE_003_
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE(5)\_CACHE_001_
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE(5)\_��{
* C:\PAGEFILE.SYS
* C:\PROGRAM FILES\MAXIS\THE SIMS\USERDATA\PHOTOALBUM\_
* C:\PROGRAM FILES\MAXIS\THE SIMS\USERDATA\IMPORT\_
* C:\PROGRAM FILES\MAXIS\THE SIMS\USERDATA\EXPORT\_
* C:\PROGRAM FILES\MAXIS\THE SIMS\GAMEDATA\SCENARIO.TDS
* C:\PROGRAM FILES\MAXIS\THE SIMS\GAMEDATA\WALLS\_
* C:\PROGRAM FILES\MAXIS\THE SIMS\GAMEDATA\USEROBJECTS\_
* C:\PROGRAM FILES\MAXIS\THE SIMS\GAMEDATA\SKINS\_
* C:\PROGRAM FILES\MAXIS\THE SIMS\GAMEDATA\FLOORS\_
* C:\PROGRAM FILES\MAXIS\THE SIMS\DOWNLOADS\_
* C:\PROGRAM FILES\B'S CLIP\WIN2K\GAA.BIN
* C:\PROGRAM FILES\B'S RECORDER GOLD7\RAMCHECK.DAT
* C:\PROGRAM FILES\B'S RECORDER GOLD7\SSECMODE1.BIN
* C:\PROGRAM FILES\B'S RECORDER GOLD7\SSECMODE2.BIN
* C:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[1].RMB
* C:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[2].RMB
* C:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[3].RMB
* C:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[4].RMB
* C:\DOCUMENTS AND SETTINGS\LOCALS~1.LOG
* C:\DOCUMENTS AND SETTINGS\NETWOR~1.LOG
* C:\DOCUMENTS AND SETTINGS\MDG\NTUSER.DAT.LOG
* C:\DOCUMENTS AND SETTINGS\MDG\NTUSER.DAT
* C:\Documents and Settings\Mdg\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 12-21-2007 - 23-48-18.SBU\{F8808D98-FC90-4BE9-8BF4-ED50966A8A6D}
* C:\DOCUMENTS AND SETTINGS\MDG\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\PARENT.LOCK
* C:\DOCUMENTS AND SETTINGS\MDG\DESKTOP\MUSIC\THE ALL-AMERICAN REJECTS - DIRTY LITTLE SECRET.MP3
* C:\DOCUMENTS AND SETTINGS\MDG\DESKTOP\MUSIC\VIDEO\LOST 0X1.6138C0P-984T (null)EA-YOU'REDENYINGTHEREFINE,WORDLESSWONDER.RAR
* C:\DOCUMENTS AND SETTINGS\MDG\MY DOCUMENTS\MY PICTURES\IPOD PHOTO CACHE\F37\T492.ITHMB
* C:\DOCUMENTS AND SETTINGS\MDG\MY DOCUMENTS\MY PICTURES\IPOD PHOTO CACHE\F36\T491.ITHMB
* C:\DOCUMENTS AND SETTINGS\MDG\MY DOCUMENTS\MY PICTURES\IPOD PHOTO CACHE\F35\T286.ITHMB
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\TEMP\~DF57FC.TMP
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\TEMP\~DFEE4.TMP
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE(2)\_CACHE_001_
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE(2)\_CACHE_002_
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE(2)\_CACHE_003_
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE\_CACHE_001_
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE\_CACHE_002_
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE\_CACHE_003_
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE(7)\_CACHE_001_
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE(7)\_CACHE_002_
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE(7)\_CACHE_003_
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE(6)\_CACHE_001_
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE(6)\_CACHE_002_
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE(6)\_CACHE_003_
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE(5)\_CACHE_001_
* C:\DOCUMENTS AND SETTINGS\MDG\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\U9750LOM.DEFAULT\CACHE(5)\_CACHE_002_

Options
Scanning engines:

* F-Secure Libra: 2.4.2, 2007-12-20
* F-Secure AVP: 7.0.171, 2007-12-21
* F-Secure Orion: 1.2.37, 2007-12-21
* F-Secure Blacklight: 1.0.64
* F-Secure Draco: 1.0.35, 2007-11-28
* F-Secure Pegasus: 1.19.0, 2007-11-18

Scanning options:

* Scan all files
* Scan inside archives
* Use Advanced heuristics

#9 cichlidnut

cichlidnut
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  • Local time:10:00 PM

Posted 22 December 2007 - 10:36 PM

Just got another popup window, however it contained no ad, just the words...

"hash verification failed:"

Here's my latest HijackThis log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:19 PM, on 12/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\MediaLife\MediaLifeService.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Works\WkDStore.exe
C:\Downloads\Installation Programs\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MediaLifeService] "C:\Program Files\Logitech\MediaLife\MediaLifeService.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk.disabled
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by127fd.bay127.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8EF9AA4A-3F82-461A-B765-BBCFE7F31A2E}: NameServer = 192.168.2.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware Sandra Lite XIb\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware Sandra Lite XIb\RpcSandraSrv.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 9225 bytes

Edited by cichlidnut, 22 December 2007 - 10:38 PM.


#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:03:00 AM

Posted 23 December 2007 - 05:31 AM

Download/unzip AVG Anti-Rootkit to your desktop:
http://free.grisoft.com/softw/70free/setup...up-1.1.0.42.exe

Double-click avgarkt-setup-1.1.0.42.exe to install; by default it will install to C:\Program Files\GRISOFT\AVG Anti-Rootkit.
Accept the license and follow the prompts to install.
You will be asked to reboot to finish the installation, so click "Finish".
After rebooting, launch AVG by double-clicking the AVG Anti-Rootkit icon on your desktop, then click on the 'Search for Rootkits' tab.
Then click on 'Perform in-depth search'.
You will see the progress bar moving from left to right.
The scan will take some time, so be patient and let it finish.
When the scan has finished, a small window will open so you can view the results.
Right-click over those results and select "Save Result To File".
By default the file will be saved with a .csv extension. (You can use Notepad to open the .csv file.)
Copy and paste those results into your next reply.
If anything was found, click "Remove selected items".
Note:
Close all open windows and programs, and DO NOT USE the computer while scanning.
If the scan is performed while the computer is in use, false positives may appear in the scan results.


Run this online virus/spyware scan using Internet Explorer:
Kaspersky WebScanner
Next click Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
• The program will launch and then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Now click on Scan Settings
• In the scan settings, make sure that the following are selected:
• Scan using the following Anti-Virus database:
• Standard
• Scan Options:
• Scan Archives
• Scan Mail Bases
• Click OK
• Now under select a target to scan:
• Select My Computer
• This will start the program and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
• Now click on the Save as Text button:
• Save the file to your desktop.
• Copy and paste the contents of that file into your next reply.

Also post a new Hijackthis log.

#11 cichlidnut

cichlidnut
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  • Local time:10:00 PM

Posted 23 December 2007 - 12:31 PM

AVG claims

No Rootkits found.

Log for Kaspersky



KASPERSKY ONLINE SCANNER REPORT
Sunday, December 23, 2007 12:28:26 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/12/2007
Kaspersky Anti-Virus database records: 460388
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects 105213
Number of viruses found 0
Number of infected objects 0
Number of suspicious objects 0
Duration of the scan process 02:28:21

Infected Object Name Virus Name Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{077D7031-6202-44A7-9669-EA4216D23647}.crmlog Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{956CB4D8-F0E0-40EA-A7DA-888E3DB64850}.bin Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Mdg\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mdg\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mdg\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Mdg\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Mdg\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Mdg\Local Settings\Application Data\Mozilla\Firefox\Profiles\u9750lom.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Mdg\Local Settings\Application Data\Mozilla\Firefox\Profiles\u9750lom.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Mdg\Local Settings\Application Data\Mozilla\Firefox\Profiles\u9750lom.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Mdg\Local Settings\Application Data\Mozilla\Firefox\Profiles\u9750lom.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Mdg\Local Settings\Temp\~WRF0000.tmp Object is locked skipped
C:\Documents and Settings\Mdg\Local Settings\Temp\~DFA524.tmp Object is locked skipped
C:\Documents and Settings\Mdg\Local Settings\Temp\~DF26C5.tmp Object is locked skipped
C:\Documents and Settings\Mdg\Local Settings\Temp\~WRS0004.tmp Object is locked skipped
C:\Documents and Settings\Mdg\Local Settings\Temp\~DFB79A.tmp Object is locked skipped
C:\Documents and Settings\Mdg\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Mdg\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\Mdg\Application Data\Microsoft\Word\AutoRecovery save of Document1.asd Object is locked skipped
C:\Documents and Settings\Mdg\Application Data\Microsoft\Word\AutoRecovery save of Normal.as$ Object is locked skipped
C:\Documents and Settings\Mdg\Application Data\Mozilla\Firefox\Profiles\u9750lom.default\history.dat Object is locked skipped
C:\Documents and Settings\Mdg\Application Data\Mozilla\Firefox\Profiles\u9750lom.default\cert8.db Object is locked skipped
C:\Documents and Settings\Mdg\Application Data\Mozilla\Firefox\Profiles\u9750lom.default\key3.db Object is locked skipped
C:\Documents and Settings\Mdg\Application Data\Mozilla\Firefox\Profiles\u9750lom.default\parent.lock Object is locked skipped
C:\Documents and Settings\Mdg\Application Data\Mozilla\Firefox\Profiles\u9750lom.default\webappsstore.sqlite Object is locked skipped
C:\Documents and Settings\Mdg\Application Data\Mozilla\Firefox\Profiles\u9750lom.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Mdg\Application Data\Mozilla\Firefox\Profiles\u9750lom.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Mdg\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\Mdg\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mdg\ntuser.dat Object is locked skipped
C:\Program Files\Sygate\SPF\debug.log Object is locked skipped
C:\Program Files\Sygate\SPF\syslog.log Object is locked skipped
C:\Program Files\Sygate\SPF\seclog.log Object is locked skipped
C:\Program Files\Sygate\SPF\tralog.log Object is locked skipped
C:\Program Files\Sygate\SPF\rawlog.log Object is locked skipped
C:\System Volume Information\_restore{F561161F-9CF0-4A5B-BD2A-6BCEC1178E07}\RP453\change.log Object is locked skipped
Scan process completed.


Latest Hijackthis log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30:20 PM, on 12/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Logitech\MediaLife\MediaLifeService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Works\WkDStore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Downloads\Installation Programs\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MediaLifeService] "C:\Program Files\Logitech\MediaLife\MediaLifeService.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk.disabled
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by127fd.bay127.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8EF9AA4A-3F82-461A-B765-BBCFE7F31A2E}: NameServer = 192.168.2.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware Sandra Lite XIb\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware Sandra Lite XIb\RpcSandraSrv.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 9513 bytes

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:03:00 AM

Posted 23 December 2007 - 04:15 PM

Your log looks clean, how's your PC running now?

#13 cichlidnut

cichlidnut
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:10:00 PM

Posted 23 December 2007 - 04:38 PM

So far, so good. The popups seemed to happen when I searched for something on Google. I did a bunch of random searches and no popups have happened. I'll update back if another one occurs.

Thanks for your help, it's very much appreciated. A very Merry Christmas to you and your family!

#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:03:00 AM

Posted 23 December 2007 - 04:54 PM

Great, please do the following:

Click on Start/Run, copy and paste ComboFix /u into the 'Open:' space, then press Ok.


Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

You should take the time to read and follow the information found in the links below, to help you prevent any possible future infections and stay safe and secure while online:

Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

How to prevent Malware:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

So how did I get infected in the first place:
http://forums.spybot.info/showthread.php?t=279

Malware Cleanup Programs and Preventative Procedures:
http://russelltexas.com/malware/allclear.htm

Happy Holidays/Merry Christmas to you and yours too :thumbsup:
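The "create a fresh restore point, then purge the old ones" procedure in the post above is worth understanding rather than just clicking through: the first post's BitDefender hit sat under C:\System Volume Information\_restore{...}\RP417, i.e. inside an old restore point, which is exactly why the old points are flushed after a cleanup. The same steps scripted as an added example (not part of RichieUK's post or of any tool named in the thread). It assumes an elevated Windows PowerShell session on a machine that exposes the root\default SystemRestore WMI class (XP, Vista, 7); the restore point description is a constructed value.

```powershell
# Added example, not from the thread. Requires an elevated Windows PowerShell
# session and the SystemRestore WMI class in root\default (XP/Vista/7).

$sr = [wmiclass] "\\.\root\default:SystemRestore"

# 1. Create a fresh restore point now that the machine is believed clean.
#    RestorePointType 12 = MODIFY_SETTINGS, EventType 100 = BEGIN_SYSTEM_CHANGE
#    (values from the SystemRestore class documentation). Description is constructed.
$result = $sr.CreateRestorePoint("Post-cleanup baseline", 12, 100)
if ($result.ReturnValue -ne 0) {
    throw "CreateRestorePoint failed, WMI return code $($result.ReturnValue)"
}

# 2. List every restore point so you can confirm the new one exists and see
#    which older points (each a separate RPnnn folder under System Volume
#    Information) are still holding copies of files you have just removed.
Get-WmiObject -Namespace root\default -Class SystemRestore |
    Sort-Object SequenceNumber |
    ForEach-Object {
        # CreationTime is a DMTF date string; PowerShell adds ConvertToDateTime
        # to WMI objects, so use it for readable output.
        $when = $_.ConvertToDateTime($_.CreationTime)
        "{0,4}  {1}  {2}" -f $_.SequenceNumber, $when, $_.Description
    }

# 3. The SystemRestore class offers no method to delete individual points, so
#    the purge itself is still the Disk Cleanup step from the post: launch it
#    and use 'More Options' > 'System Restore' > 'Clean up...', which removes
#    all but the newest point (the one created in step 1).
Start-Process cleanmgr.exe
```

Run it after the malware tools have finished and before Disk Cleanup; if step 1 throws, do not proceed to the purge, because you would otherwise be deleting every restore point while leaving yourself with no clean one to fall back on.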

#15 cichlidnut

cichlidnut
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:10:00 PM

Posted 23 December 2007 - 05:43 PM

Yikes... because of the nature of the ComboFix software and my kids, I deleted it.

Should I download it again? Or is there another procedure to follow?



