
Infected With Cid


12 replies to this topic

#1 k3ya231
  • Members
  • 11 posts

Posted 21 December 2007 - 06:50 AM

I keep getting pop-ups appearing on my screen most of them beginning with CiD. These pop ups contain adverts from some reputable companies and some not. I've tried removing it using various scanners such as Spybot and Superantivirus etc but nothing seems to work - I've removed the CiD Help thing from control panel and I haven't downloaded anything like Messenger Plus or smiley central.

Please help! I haven't done this before and I'm not very experienced in computers as I'm quite young.

Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:52, on 21/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\AOL\1185833113\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AOL 9.0\waol.exe
c:\program files\common files\aol\1185833113\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1185833113\ee\aolsoftware.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1185833113\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [64 inter flaw hold] C:\Documents and Settings\All Users\Application Data\Mode Rule 64 Inter\Flaw Byte.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" -boot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ISO DUPE] C:\DOCUME~1\sufi\APPLIC~1\BLUEID~1\Bodyviewsite.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1183229081687
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game07.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{500DD38C-D7FD-4207-9DCF-734FFACBAEE2}: NameServer = 192.168.0.254
O17 - HKLM\System\CCS\Services\Tcpip\..\{76B222D5-C3EC-45E8-8250-4B7B6467A02F}: NameServer = 205.188.146.145
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10966 bytes
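An added example, not part of this thread or of HijackThis, ComboFix or the helper's tools: it triages the O4 Run-key lines of the log above with one simple heuristic (an autorun whose executable lives under a profile or application-data folder is worth review), picks out the two such entries in this log, and drafts the same kind of REGEDIT4 "name"=- removal file the helper uses later in the thread. The heuristic, the regular expressions and the Vista-and-later path patterns (AppData, ProgramData) are my own assumptions, and the sample lines are copied from the log.

```python
"""Triage the O4 (Run-key autorun) lines of a HijackThis log and draft a
REGEDIT4 deletion file for the entries that fail a location heuristic."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: O4 lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [64 inter flaw hold] C:\Documents and Settings\All Users\Application Data\Mode Rule 64 Inter\Flaw Byte.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISO DUPE] C:\DOCUME~1\sufi\APPLIC~1\BLUEID~1\Bodyviewsite.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
"""

# O4 lines that come from a Run key: hive, value name in [...], then the command.
O4_RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)

# Profile / application-data locations: XP long and 8.3 short names, plus the
# Vista-and-later equivalents (AppData, ProgramData) as a generalisation (assumption).
DATA_DIR_RE = re.compile(
    r"\\(documents and settings|docume~1|users)\\.*\\(application data|applic~1|appdata)\\"
    r"|\\programdata\\",
    re.IGNORECASE,
)

HIVE_NAMES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


@dataclass
class Autorun:
    hive: str
    name: str
    exe: str          # executable with its arguments stripped
    reason: str = ""  # empty when nothing looked off


def extract_exe(cmd: str) -> str:
    """Return the executable portion of a Run value, dropping any arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path: take what is inside
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.(exe|cpl|dll)\b", cmd, re.IGNORECASE)  # unquoted: cut after extension
    return cmd[: m.end()] if m else cmd.split(" ", 1)[0]


def classify(exe: str) -> str:
    """Explain why an autorun deserves review, or return '' if it looks ordinary."""
    if DATA_DIR_RE.search(exe):
        return "runs from a profile/application-data directory"
    if not re.match(r"^[A-Za-z]:\\", exe):
        return "no drive letter: resolved through the search path at logon"
    return ""


def triage(log_text: str) -> list[Autorun]:
    """Parse every Run-key O4 line and attach a review reason where one applies."""
    found = []
    for line in log_text.splitlines():
        m = O4_RUN_RE.match(line.strip())
        if not m:
            continue  # Startup-folder O4 lines and other sections are not handled here
        exe = extract_exe(m.group("cmd"))
        found.append(Autorun(m.group("hive"), m.group("name"), exe, classify(exe)))
    return found


def data_dir_hits(log_text: str) -> list[Autorun]:
    """Only the entries launched from profile/application-data locations."""
    return [a for a in triage(log_text) if a.reason.startswith("runs from")]


def removal_reg(entries: list[Autorun]) -> str:
    """Draft a REGEDIT4 file that deletes the given Run values ("name"=-)."""
    by_key: dict[str, list[str]] = {}
    for a in entries:
        hive = HIVE_NAMES.get(a.hive) or a.hive.replace("HKUS\\", "HKEY_USERS\\")
        key = f"[{hive}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]"
        by_key.setdefault(key, []).append(f'"{a.name}"=-')
    lines = ["REGEDIT4", ""]
    for key, values in by_key.items():
        lines += [key, *values, ""]
    return "\n".join(lines)


if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        flag = "REVIEW" if a.reason else "ok"
        print(f"{flag:6} {a.hive:<14} [{a.name}] {a.exe}  {a.reason}")
    print()
    print(removal_reg(data_dir_hits(SAMPLE_LOG)))
```

The location heuristic is a prompt for a human reviewer, not a verdict: the bare-name SigmaTel entry is flagged for a look and is legitimate, which is exactly why the helper asks for more logs before naming anything for removal.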


#2 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 22 December 2007 - 10:13 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, k3ya231.
My name is Richie and I'll be helping you to fix your problems.

Download Deljob.exe and save it on your desktop.
Double click on Deljob.exe.
A log (logit.txt) should open afterwards.
This log will be present on your desktop.
Post the contents of the logfile into your next reply.


If you have previously downloaded ComboFix, please delete that version now.
Warning
You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.
Using this tool incorrectly could render your system/PC inoperable.

Now download ComboFix and save to your desktop:
Note
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your antivirus or any other real-time scanner is displaying an alert after you downloaded ComboFix or while you use ComboFix, please disable your scanner and redownload ComboFix again.
Some scanners may see some ComboFix-related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new HijackThis log, please.

#3 k3ya231
  • Topic Starter
  • Members
  • 11 posts

Posted 22 December 2007 - 11:50 AM

Thanks Richie

Here's the log from Deljob

--------------------------------------------------------
File(s) moved to C:\deljob

AF7ED8C793654AFB.job
--------------------------------------------------------
Files remaining after cleaning

AppleSoftwareUpdate.job
MP Scheduled Scan.job
--------------------------------------------------------
App data folders

Volume in drive C has no label.
Volume Serial Number is ACB7-235B

Directory of C:\Documents and Settings\sufi\Application Data

20/12/2007 17:15 <DIR> .
20/12/2007 17:15 <DIR> ..
31/07/2007 11:39 <DIR> Adobe
04/08/2007 17:43 <DIR> AOL
27/11/2007 21:00 <DIR> APPLEC~1 Apple Computer
02/09/2007 14:04 <DIR> AVG7
09/08/2007 11:58 <DIR> Azureus
20/12/2007 17:15 <DIR> DivX
18/11/2007 20:54 <DIR> dvdcss
31/07/2007 08:31 <DIR> Google
29/06/2007 23:48 <DIR> IDENTI~1 Identities
10/11/2007 23:20 <DIR> INSTAL~1 InstallShield
30/06/2007 17:04 <DIR> Intel
10/11/2007 21:14 <DIR> LEADER~1 Leadertech
15/12/2007 14:31 <DIR> LimeWire
02/08/2007 18:17 <DIR> MACROM~1 Macromedia
19/12/2007 18:12 <DIR> MCAFEE~1.COM McAfee.com Personal Firewall
21/11/2007 18:29 <DIR> MICROS~1 Microsoft
31/07/2007 11:22 <DIR> Opera
21/12/2007 18:43 <DIR> PrevxCSI
31/07/2007 08:31 <DIR> Sun
21/12/2007 17:07 <DIR> SUPERA~1.COM SUPERAntiSpyware.com
30/07/2007 21:57 <DIR> vlc
04/11/2007 16:57 <DIR> YOU'VE~1 You've Got Pictures Screensaver
0 File(s) 0 bytes
24 Dir(s) 42,368,647,168 bytes free
Volume in drive C has no label.
Volume Serial Number is ACB7-235B

Directory of C:\Documents and Settings\All Users\Application Data

21/12/2007 21:35 <DIR> .
21/12/2007 21:35 <DIR> ..
18/12/2007 19:28 <DIR> Adobe
04/11/2007 17:28 <DIR> AOL
10/07/2007 15:08 <DIR> AOLDOW~1 AOL Downloads
07/11/2007 17:17 <DIR> Apple
27/11/2007 20:59 <DIR> APPLEC~1 Apple Computer
20/12/2007 15:43 <DIR> avg7
31/07/2007 09:21 <DIR> Google
30/06/2007 17:20 <DIR> Grisoft
30/06/2007 17:03 <DIR> Intel
30/06/2007 17:19 <DIR> Lavasoft
10/07/2007 15:22 <DIR> MACROM~1 Macromedia
19/12/2007 22:59 <DIR> MICROS~1 Microsoft
18/12/2007 11:37 <DIR> MODERU~1 Mode Rule 64 Inter
19/12/2007 18:37 <DIR> Prevx
30/06/2007 18:50 <DIR> SPYBOT~1 Spybot - Search & Destroy
20/12/2007 16:31 <DIR> SUPERA~1.COM SUPERAntiSpyware.com
21/12/2007 21:35 <DIR> VIEWPO~1 Viewpoint
30/06/2007 18:47 <DIR> WINDOW~1 Windows Genuine Advantage
22/08/2007 22:09 <DIR> Zylom
0 File(s) 0 bytes
21 Dir(s) 42,368,647,168 bytes free
--------------------------------------------------------

#4 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 22 December 2007 - 11:56 AM

Thanks, follow the ComboFix instructions now please, if you will.

#5 k3ya231
  • Topic Starter
  • Members
  • 11 posts

Posted 22 December 2007 - 12:01 PM

Here's the ComboFix log

ComboFix 07-12-22.1 - sufi 2007-12-22 16:53:12.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.186 [GMT 0:00]
Running from: C:\Documents and Settings\sufi\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\sufi\Application Data\macromedia\Flash Player\#SharedObjects\FZ3TBP7B\iforex.com
C:\Documents and Settings\sufi\Application Data\macromedia\Flash Player\#SharedObjects\FZ3TBP7B\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\sufi\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\sufi\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\WINDOWS\system32\drivers\ETNADiag.exe

.
((((((((((((((((((((((((( Files Created from 2007-11-22 to 2007-12-22 )))))))))))))))))))))))))))))))
.

2007-12-22 16:45 . 2007-12-22 16:45 <DIR> d-------- C:\deljob
2007-12-21 22:34 . 2007-12-21 22:34 <DIR> d-------- C:\Program Files\MetaStream
2007-12-21 21:35 . 2007-12-21 21:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-21 11:39 . 2007-12-21 11:39 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-20 18:56 . 2007-12-20 18:56 <DIR> d-------- C:\NoLopBackups
2007-12-20 18:51 . 2007-12-20 18:51 106 --a------ C:\delete.bat
2007-12-20 18:01 . 2007-12-21 18:43 10,624 --a------ C:\WINDOWS\system32\drivers\pxark.sys
2007-12-20 17:15 . 2007-12-20 17:15 <DIR> d-------- C:\Documents and Settings\sufi\Application Data\DivX
2007-12-20 16:31 . 2007-12-21 17:15 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-20 16:31 . 2007-12-21 17:07 <DIR> d-------- C:\Documents and Settings\sufi\Application Data\SUPERAntiSpyware.com
2007-12-20 16:31 . 2007-12-20 16:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-20 16:16 . 2007-12-20 16:16 <DIR> d-------- C:\Documents and Settings\sufi\Contacts
2007-12-19 22:59 . 2007-12-19 22:59 <DIR> d-------- C:\Program Files\Windows Defender
2007-12-19 22:36 . 2007-12-19 20:37 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-19 20:37 . 2007-12-19 22:37 <DIR> d-------- C:\Documents and Settings\sufi\.housecall6.6
2007-12-19 18:43 . 2007-12-19 18:43 <DIR> d-------- C:\Program Files\PrevxCSI
2007-12-19 18:37 . 2007-12-21 18:43 <DIR> d-------- C:\Documents and Settings\sufi\Application Data\PrevxCSI
2007-12-19 18:37 . 2007-12-19 18:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-19 18:06 . 2007-12-19 18:12 <DIR> d-------- C:\Documents and Settings\sufi\Application Data\McAfee.com Personal Firewall
2007-12-19 18:05 . 2007-12-22 16:53 27,520 --a------ C:\WINDOWS\system32\Status.MPF
2007-12-19 18:02 . 2007-12-19 18:02 <DIR> d-------- C:\Program Files\McAfee.com
2007-12-19 18:02 . 2002-12-06 10:21 55,936 --a------ C:\WINDOWS\system32\drivers\MpFirewall.sys
2007-12-19 18:02 . 2002-11-27 13:47 25,225 --a------ C:\WINDOWS\system32\MpFireWl.VXD
2007-12-19 18:02 . 2002-07-01 14:17 20,480 --a------ C:\WINDOWS\system32\MpfApi.dll
2007-12-18 20:18 . 2007-12-18 20:18 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-18 11:47 . 2007-12-11 22:34 120,056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-12-18 11:47 . 2007-12-11 22:34 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-12-18 11:46 . 2007-12-18 11:47 <DIR> d-------- C:\Program Files\DivX
2007-12-18 11:37 . 2007-12-18 11:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Mode Rule 64 Inter
2007-12-18 11:36 . 2007-12-18 11:36 <DIR> d-------- C:\Program Files\blue idle poke
2007-12-11 22:35 . 2007-12-11 22:35 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-12-11 22:35 . 2007-12-11 22:35 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2007-12-11 22:34 . 2007-12-11 22:34 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-12-11 22:34 . 2007-12-11 22:34 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-12-11 22:34 . 2007-12-11 22:34 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-12-11 22:32 . 2007-12-11 22:32 352,401 --a------ C:\WINDOWS\system32\DivXMedia.ax
2007-12-11 22:32 . 2007-12-11 22:32 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-12-11 22:32 . 2007-12-11 22:32 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-11 20:14 . 2007-12-21 22:28 <DIR> d-------- C:\Program Files\Serif
2007-12-11 20:14 . 1998-12-08 20:53 212,480 --------- C:\WINDOWS\pcdlib32.dll
2007-12-11 19:52 . 2007-12-11 19:52 <DIR> d-------- C:\Documents and Settings\sufi\.thumbnails
2007-11-27 21:56 . 2002-09-21 15:33 65,536 --a------ C:\WINDOWS\system32\cpvslider.ocx
2007-11-27 21:56 . 2002-09-13 17:09 45,056 --a------ C:\WINDOWS\system32\BPM_Control.ocx
2007-11-27 21:00 . 2007-11-27 21:00 <DIR> d-------- C:\Program Files\iPod
2007-11-27 21:00 . 2007-12-21 18:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-27 21:00 . 2007-11-27 21:01 1,409 --a------ C:\WINDOWS\QTFont.for
2007-11-27 20:59 . 2007-11-27 21:00 <DIR> d-------- C:\Program Files\iTunes
2007-11-27 20:57 . 2007-11-27 20:58 <DIR> d-------- C:\Program Files\QuickTime
2007-11-27 20:57 . 2007-11-27 20:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-27 20:53 . 2007-11-27 20:53 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-11-23 18:58 . 2007-11-23 18:58 <DIR> d-------- C:\Documents and Settings\Anyone\Application Data\Corel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-21 22:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-21 17:07 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-20 15:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-20 15:14 --------- d-----w C:\Program Files\Common Files\aol
2007-12-19 20:46 --------- d-----w C:\Program Files\AOL 9.0
2007-12-15 14:31 --------- d-----w C:\Documents and Settings\sufi\Application Data\LimeWire
2007-12-11 22:34 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-12-11 22:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-11 22:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-11 22:33 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-12-11 22:33 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-11 22:33 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-12-11 22:33 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-12-11 22:33 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-12-11 22:33 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-12-11 22:33 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-12-11 22:33 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-12-11 22:33 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-12-11 22:33 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-12-11 17:47 3,140 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-12-04 18:01 --------- d-----w C:\Program Files\Java
2007-11-27 21:00 --------- d-----w C:\Documents and Settings\sufi\Application Data\Apple Computer
2007-11-18 20:54 --------- d-----w C:\Documents and Settings\sufi\Application Data\dvdcss
2007-11-14 19:40 --------- d-----w C:\Program Files\LimeWire
2007-11-13 21:11 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-11 16:23 --------- d-----w C:\Program Files\VoyagerTest
2007-11-11 16:23 --------- d-----w C:\Program Files\Common Files\FTL Shared
2007-11-11 16:23 --------- d-----w C:\Program Files\BT Voyager 105 ADSL Modem
2007-11-11 16:16 --------- d-----w C:\Program Files\VoyagerModemDrivers
2007-11-10 23:20 --------- d-----w C:\Documents and Settings\sufi\Application Data\InstallShield
2007-11-10 21:14 --------- d-----w C:\Documents and Settings\sufi\Application Data\Leadertech
2007-11-07 17:17 --------- d-----w C:\Program Files\Apple Software Update
2007-11-07 17:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-11-04 17:39 --------- d-----w C:\Program Files\Opera
2007-11-04 17:29 --------- d-----w C:\Program Files\Common Files\Scanner
2007-11-04 17:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-11-04 17:02 --------- d-----w C:\Program Files\AOL Companion
2007-11-04 16:57 --------- d-----w C:\Program Files\Learn2.com
2007-11-04 16:57 --------- d-----w C:\Documents and Settings\sufi\Application Data\You've Got Pictures Screensaver
2007-11-04 16:56 8,552 ----a-w C:\WINDOWS\system32\drivers\asctrm.sys
2007-11-04 16:56 --------- d-----w C:\Program Files\Real
2007-11-04 16:56 --------- d-----w C:\Program Files\Common Files\Real
2007-11-04 16:56 --------- d-----w C:\Program Files\Common Files\aolshare
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 17:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-23 21:07 --------- d-----w C:\Documents and Settings\Anyone\Application Data\dvdcss
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-01 17:04]
"ISO DUPE"="C:\DOCUME~1\sufi\APPLIC~1\BLUEID~1\Bodyviewsite.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-07-23 05:46]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-07-23 05:47]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-11-07 12:20]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-09-15 23:53]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-09-15 23:50]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-09-15 23:54]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-05 17:13]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 00:30 C:\WINDOWS\stsystra.exe]
"HostManager"="C:\Program Files\Common Files\AOL\1185833113\ee\AOLSoftware.exe" [2006-11-14 14:01]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 22:22]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 12:00 C:\WINDOWS\system32\bthprops.cpl]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2007-11-04 16:56]
"DSLSTATEXE"="C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe" [2003-06-28 15:10]
"DSLAGENTEXE"="C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe" [2003-08-19 12:47]
"%FP%Friendly fts.exe"="C:\Program Files\VoyagerTest\fts.exe" [2003-05-06 09:28]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11]
"64 inter flaw hold"="C:\Documents and Settings\All Users\Application Data\Mode Rule 64 Inter\Flaw Byte.exe" [2007-12-21 18:29]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2003-08-18 18:57]
"PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi.exe" [2007-12-19 18:37]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:00]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-05 17:13]

C:\Documents and Settings\sufi\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2007-09-17 14:19:14]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2005-07-23 05:46 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

R3 lanusb;GlobeSpan USB ADSL LAN Modem;C:\WINDOWS\system32\DRIVERS\glausb.sys [2003-08-15 12:56]
R3 PPPoEWin;PPPoEWin Miniport;C:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS [2003-09-25 16:52]
R3 pxark;pxark;C:\WINDOWS\system32\drivers\pxark.sys [2007-12-21 18:43]
S3 RTLWUSB;802.11g USB2.0 WLAN Dongle;C:\WINDOWS\system32\DRIVERS\RTL8187.sys [2006-04-12 14:43]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ddb6ebf9-2e3e-11dc-a250-001422925600}]
\Shell\AutoRun\command - E:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ddb6ebfa-2e3e-11dc-a250-001422925600}]
\Shell\AutoRun\command - E:\AUTORUN.EXE

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-12-18 20:19:11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-21 18:29:13 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-22 16:56:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-22 16:56:55
.
2007-12-12 03:04:54 --- E O F ---

#6 k3ya231
  • Topic Starter
  • Members
  • 11 posts

Posted 22 December 2007 - 12:04 PM

Do I make a new post for the HijackThis log or do I just reply to this post? And do I have to go through the preparation again?

#7 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 22 December 2007 - 12:13 PM

Disable Windows Defender's real-time protection, as it may interfere.
* Open Microsoft Windows Defender. Click Start>All Programs>Windows Defender.
* Click on 'Tools'>'Options'.
* Under 'Real-time protection options', unselect the 'Turn on real-time protection' check box
* Click 'Save'.

Disable Prevx,as it may interfere.
* Right click on the Prevx icon in your system tray and choose Show Management Console.
* On the Management Console click the Protection Level drop-down menu.
* You will see three levels:
o Maximum
o Off
o User Defined
* To disable all protection set the level to Off.
* You will receive a prompt asking "You are about to change your security settings. Do you wish to continue?" Click Yes.
* Click the X on the upper right hand corner to exit the Management console.


Please download OTMoveIt by OldTimer, save it to your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\All Users\Application Data\Mode Rule 64 Inter
C:\Program Files\blue idle poke

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.


Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top)>Save as.../Save as Type: 'All Files' /File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge the information into the registry, then restart your pc.

REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISO DUPE"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"64 inter flaw hold"=-


Also post a new HijackThis log, let me know how your pc is running now.

#8 k3ya231

k3ya231
  • Topic Starter

  • Members
  • 11 posts
  • Local time:09:04 PM

Posted 22 December 2007 - 12:25 PM

Results from OTMoveIt!

C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\UserShell\AOL9Plus moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\UserShell moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03 moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02 moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01 moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00 moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint\AxMetaStream_Win moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint moved successfully.
C:\Documents and Settings\All Users\Application Data\Mode Rule 64 Inter moved successfully.
C:\Program Files\blue idle poke moved successfully.

Created on 12222007_171934

#9 k3ya231

k3ya231
  • Topic Starter

  • Members
  • 11 posts
  • Local time:09:04 PM

Posted 22 December 2007 - 12:26 PM

HijackThis log. I was unsure about where to post this... sorry.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:23:02, on 22/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\stsystra.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\VoyagerTest\fts.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\common files\aol\1185833113\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Common Files\AOL\1185833113\ee\aolsoftware.exe
c:\program files\common files\aol\1185833113\ee\aolsoftware.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1185833113\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [64 inter flaw hold] C:\Documents and Settings\All Users\Application Data\Mode Rule 64 Inter\Flaw Byte.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" -boot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ISO DUPE] C:\DOCUME~1\sufi\APPLIC~1\BLUEID~1\Bodyviewsite.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1183229081687
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game07.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{500DD38C-D7FD-4207-9DCF-734FFACBAEE2}: NameServer = 192.168.0.254
O17 - HKLM\System\CCS\Services\Tcpip\..\{76B222D5-C3EC-45E8-8250-4B7B6467A02F}: NameServer = 205.188.146.145
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11242 bytes

#10 k3ya231

k3ya231
  • Topic Starter

  • Members
  • 11 posts
  • Local time:09:04 PM

Posted 22 December 2007 - 12:27 PM

My computer's running fine, haven't had a single pop-up so far.

Thank you for helping me

#11 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:09:04 PM

Posted 22 December 2007 - 01:03 PM

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [64 inter flaw hold] C:\Documents and Settings\All Users\Application Data\Mode Rule 64 Inter\Flaw Byte.exe
O4 - HKCU\..\Run: [ISO DUPE] C:\DOCUME~1\sufi\APPLIC~1\BLUEID~1\Bodyviewsite.exe


Your log is clean :thumbsup:, please do the following:

Please double-click OTMoveIt.exe to run it.
Click on the 'Cleanup' button.
When you do this a text file named cleanup.txt will be downloaded from the internet.
If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so.
When the 'Confirm' box appears click 'Yes'.
Restart your pc when prompted.

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Make sure you enable Prevx and Windows Defender.

You should take the time to read and follow the information found in the links below, to help you prevent any possible future infections and stay safe and secure while online:

Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

How to prevent Malware:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

So how did I get infected in the first place:
http://forums.spybot.info/showthread.php?t=279

Malware Cleanup Programs and Preventative Procedures:
http://russelltexas.com/malware/allclear.htm
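As an added example (not something posted in this thread, and not part of HijackThis or OTMoveIt), the Python script below applies the same triage RichieUK did by hand to O2/O4 lines, flagging a BHO with no file and Run entries that start a program from a user-writable profile folder, and then writes the same kind of REGEDIT4 removal file that post #7 used for the flagged Run values. The trusted-location heuristics are an assumption for illustration, and the sample lines are constructed from the log posted in this thread.

```python
import re

# HijackThis line shapes handled here (assumed from the log format in this thread):
#   O4 - HKLM\..\Run: [value name] command line      O2 - BHO: name - {CLSID} - dll path
O4_RE = re.compile(r"^O4 - (?P<hive>HK\S*?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# Where installed software normally starts from (heuristic assumption for this example).
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")
# User-writable profile locations that adware droppers typically write into.
PROFILE_MARKERS = ("documents and settings", "docume~1", "application data", "applic~1")
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


def executable_of(cmd: str) -> str:
    """Return the program path from a Run value, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.*?\.exe)\b", cmd, re.IGNORECASE)  # unquoted paths may contain spaces
    return m.group(1) if m else cmd.split(" ")[0]


def triage(lines: list[str]) -> list[dict]:
    """Flag orphaned BHOs and Run entries that launch from suspicious locations."""
    findings = []
    for line in lines:
        m = O2_RE.match(line)
        if m and m.group("path").strip() == "(no file)":
            findings.append({"line": line, "reason": "BHO registered but its DLL is missing"})
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        exe = executable_of(m.group("cmd")).lower()
        if any(marker in exe for marker in PROFILE_MARKERS):
            reason = "Run entry starts a program from a user-writable profile folder"
        elif "\\" in exe and not exe.startswith(TRUSTED_PREFIXES):
            reason = "Run entry starts a program from outside Program Files / Windows"
        else:
            continue
        findings.append({"line": line, "reason": reason, "hive": m.group("hive"),
                         "key": m.group("key"), "name": m.group("name")})
    return findings


def removal_reg(findings: list[dict]) -> str:
    """Build a REGEDIT4 file deleting the flagged Run values ('"name"=-' deletes a value)."""
    out = ["REGEDIT4"]
    for f in findings:
        hive = HIVES.get(f.get("hive", ""))
        if hive is None:  # only HKLM/HKCU entries are turned into a fix here
            continue
        out.append(f"[{hive}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\{f['key']}]")
        out.append(f'"{f["name"]}"=-')
    return "\n".join(out) + "\n"


# Constructed sample: lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = [
    r"O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"',
    r"O4 - HKLM\..\Run: [64 inter flaw hold] C:\Documents and Settings\All Users\Application Data\Mode Rule 64 Inter\Flaw Byte.exe",
    r"O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe",
    r"O4 - HKCU\..\Run: [ISO DUPE] C:\DOCUME~1\sufi\APPLIC~1\BLUEID~1\Bodyviewsite.exe",
]
```

Running `triage(SAMPLE_LOG)` returns the three entries RichieUK asked to have fixed, and `removal_reg(...)` on that result produces the two-value REGEDIT4 file from post #7.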

#12 k3ya231

k3ya231
  • Topic Starter

  • Members
  • 11 posts
  • Local time:09:04 PM

Posted 22 December 2007 - 01:43 PM

I couldn't find:
O4 - HKLM\..\Run: [64 inter flaw hold] C:\Documents and Settings\All Users\Application Data\Mode Rule 64 Inter\Flaw Byte.exe
O4 - HKCU\..\Run: [ISO DUPE] C:\DOCUME~1\sufi\APPLIC~1\BLUEID~1\Bodyviewsite.exe


Thank you so so much for your help!

Can I delete Deljob, Combifix and HijackThis? Or do you think I should keep them?

Thanks again! :thumbsup:

Keya

#13 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:09:04 PM

Posted 22 December 2007 - 01:49 PM

Can I delete Deljob, Combifix and HijackThis? Or do you think I should keep them?

Go ahead and delete those, Keya, we're done with them :thumbsup: