Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Where To Begin...


  • Please log in to reply
5 replies to this topic

#1 ever_looking_up

ever_looking_up

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:04:20 AM

Posted 26 December 2007 - 09:22 PM

I've got (I say I, personally I'm a proud Mac owner, this is my parents computer) a custom built desktop thats a couple of years old. When I built the computer, I was personally responsible for maintainence and operation of it. since I've moved away, it's become the family computer. That means that there are aslot of people doing alot of things on it, and so it's overall health is slowly decreasing. It's become my personal duty to try and get it back up to muster in the next couple of days.

I'm not sure the total sum of everything wrong with it. I know one thing that stands out is that when you try and open various programs, such as help and system info, it brings up an error that says msvcrtdm.dll could not be found. you click ok about four times and then it will open up the program, so it's a bit wierd. anywho, i'll leave a complete diagnosis up to you, heres my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:21:38 PM, on 12/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.imesh.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [BearFlix] "C:\Program Files\BearFlix\BearFlix.exe" /pause
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P39 "EPSON Stylus Photo R220 Series (Copy 1)" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3527C5BD-4A46-4362-94B6-12341D087A4B} - http://echospin.com/wizard/files/esWizard.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1182712817250
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173744052031
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 5289 bytes


Thanks for your help

BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:10:20 AM

Posted 27 December 2007 - 09:06 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum ever_looking_up
My name is Richie and i'll be helping you to fix your problems.

Click Start/Control Panel/Add or Remove Programs and remove RXToolBar,then restart your pc.

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java,and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 3'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.


If you have previously downloaded ComboFix,please delete that version now.
Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert,not for private use.
Using this tool incorrectly could render your system/pc inoperable.

Now download Combofix and save to your desktop:
Note
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix,please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.
Posted Image
Posted Image

#3 ever_looking_up

ever_looking_up
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:04:20 AM

Posted 28 December 2007 - 11:52 AM

here are those 2 logs:

ComboFix 07-12-28.1 - David 2007-12-28 10:44:10.1 - NTFSx86
Running from: C:\Documents and Settings\David\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Shelly\Application Data\FunWebProducts
C:\Documents and Settings\Shelly\Application Data\FunWebProducts\Data\Shelly\avatar.dat
C:\Documents and Settings\Shelly\Application Data\MCROSO~1
C:\Documents and Settings\Shelly\Application Data\ShoppingReport
C:\Documents and Settings\Shelly\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\Shelly\Application Data\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\Shelly\Application Data\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\Shelly\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\Shelly\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\Shelly\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\Shelly\Application Data\ShoppingReport\cs\res1\WhiteList.dbs
C:\Documents and Settings\Shelly\Application Data\YSTEM3~1
C:\Documents and Settings\Shelly\err.log
C:\Documents and Settings\Shelly\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Shelly\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Shelly\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\Shelly\Start Menu\Programs\Startup\ta_start.lnk
C:\WINDOWS\system32\help.txt
C:\WINDOWS\system32\ps.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_FOPN
-------\windev-318d-7371


((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 )))))))))))))))))))))))))))))))
.

2007-12-28 10:38 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-28 10:37 . 2007-12-28 10:37 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-25 11:38 . 2007-12-25 11:38 <DIR> d-------- C:\Documents and Settings\Shelly\Application Data\Talkback
2007-12-22 00:54 . 2007-12-22 00:55 <DIR> d-------- C:\Documents and Settings\David\Application Data\U3
2007-12-11 18:13 . 2007-12-11 18:15 <DIR> d-------- C:\Program Files\Morpheus Ultra
2007-12-11 18:13 . 2007-12-11 18:13 0 --ah----- C:\WINDOWS\SwSys2.bmp
2007-12-11 18:13 . 2007-12-11 18:13 0 --ah----- C:\WINDOWS\SwSys1.bmp
2007-12-11 16:34 . 2007-12-11 16:34 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-12-11 16:34 . 2007-12-11 16:34 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-12-11 15:25 . 2007-12-11 15:25 <DIR> d-------- C:\Documents and Settings\Shelly\Application Data\Yahoo!
2007-12-10 22:34 . 2007-12-10 22:34 <DIR> d-------- C:\Documents and Settings\David\Application Data\Yahoo!
2007-12-04 20:34 . 2007-12-27 16:46 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-04 20:34 . 2007-12-04 20:34 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-03 16:32 . 2007-12-03 16:36 <DIR> d-------- C:\Program Files\StripSaver2
2007-12-03 16:32 . 2007-12-03 16:36 <DIR> d-------- C:\Program Files\Common Files\Totem Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-28 16:38 --------- d-----w C:\Program Files\Java
2007-12-28 16:21 --------- d-----w C:\Documents and Settings\David\Application Data\AVG7
2007-12-28 15:59 --------- d-----w C:\Documents and Settings\Shelly\Application Data\AVG7
2007-12-27 01:46 --------- d-----w C:\Program Files\Yahoo!
2007-12-27 01:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-25 18:47 --------- d-----w C:\Documents and Settings\Shelly\Application Data\MEGAUPLOADTOOLBAR
2007-12-22 15:41 --------- d-----w C:\Program Files\Google
2007-12-18 21:48 --------- d-----w C:\Documents and Settings\David\Application Data\iMesh
2007-12-14 23:05 --------- d-----w C:\Program Files\DivX
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2006-12-25 05:37 382 -c--a-w C:\Documents and Settings\David\Application Data\internaldb1942.dat
2006-12-16 21:14 179,200 -c--a-w C:\Documents and Settings\David\Application Data\internaldb4827.dat
2006-12-16 21:14 151 -c--a-w C:\Documents and Settings\David\Application Data\internaldb6500.dat
2006-12-16 21:14 13,046 -c--a-w C:\Documents and Settings\David\Application Data\internaldb5436.dat
2006-12-16 21:14 0 -c--a-w C:\Documents and Settings\David\Application Data\internaldb4604.dat
2006-12-14 23:41 379 -c--a-w C:\Documents and Settings\Shelly\Application Data\internaldb1942.dat
2006-12-14 23:15 151 -c--a-w C:\Documents and Settings\Shelly\Application Data\internaldb7969.dat
2006-12-14 23:15 13,046 -c--a-w C:\Documents and Settings\Shelly\Application Data\internaldb2585.dat
2006-12-14 23:15 0 -c--a-w C:\Documents and Settings\Shelly\Application Data\internaldb2802.dat
2006-12-14 22:55 177,152 -c--a-w C:\Documents and Settings\Shelly\Application Data\internaldb8376.dat
2006-11-26 22:44 49 -c--a-w C:\Documents and Settings\David\Application Data\internaldb41.dat
2006-11-18 23:49 0 -c--a-w C:\Documents and Settings\Shelly\Application Data\internaldb1497.dat
2006-11-18 04:18 0 -c--a-w C:\Documents and Settings\David\Application Data\internaldb2391.dat
2006-11-16 17:52 0 -c--a-w C:\Documents and Settings\Shelly\Application Data\internaldb678.dat
2006-11-16 00:14 0 -c--a-w C:\Documents and Settings\David\Application Data\internaldb153.dat
2006-11-13 23:24 0 -c--a-w C:\Documents and Settings\David\Application Data\internaldb8253.dat
2006-11-13 23:24 0 -c--a-w C:\Documents and Settings\David\Application Data\internaldb3902.dat
2006-11-12 22:06 0 -c--a-w C:\Documents and Settings\Shelly\Application Data\internaldb8163.dat
2006-11-12 22:06 0 -c--a-w C:\Documents and Settings\Shelly\Application Data\internaldb1480.dat
2006-10-16 17:04 6,144 -c--a-w C:\Documents and Settings\Shelly\Application Data\internaldb8402.dat
2006-10-15 18:13 9,216 -c--a-w C:\Documents and Settings\David\Application Data\internaldb8467.dat
2006-10-15 18:13 0 -c--a-w C:\Documents and Settings\David\Application Data\internaldb6334.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59879FA4-4790-461c-A1CC-4EC4DE4CA483}]
2006-07-04 21:48 206552 --a------ C:\Program Files\RXToolBar\sfcont.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 09:58]
"EarthLink Installer"=" /C" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2007-03-14 18:03]
"BearFlix"="C:\Program Files\BearFlix\BearFlix.exe" []
"EPSON Stylus Photo R220 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.exe" [2005-03-09 04:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-22 08:59]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb7a6c4e-aba3-11dc-9306-00508d653824}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-12-17 12:34:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-28 10:49:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-28 10:49:54 - machine was rebooted
.
2007-12-22 07:04:59 --- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:50:48 AM, on 12/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [BearFlix] "C:\Program Files\BearFlix\BearFlix.exe" /pause
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P39 "EPSON Stylus Photo R220 Series (Copy 1)" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3527C5BD-4A46-4362-94B6-12341D087A4B} - http://echospin.com/wizard/files/esWizard.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1182712817250
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173744052031
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 5308 bytes

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:10:20 AM

Posted 28 December 2007 - 01:08 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

File::
C:\WINDOWS\SwSys2.bmp
C:\WINDOWS\SwSys1.bmp
C:\Documents and Settings\David\Application Data\internaldb1942.dat
C:\Documents and Settings\David\Application Data\internaldb4827.dat
C:\Documents and Settings\David\Application Data\internaldb6500.dat
C:\Documents and Settings\David\Application Data\internaldb5436.dat
C:\Documents and Settings\David\Application Data\internaldb4604.dat
C:\Documents and Settings\Shelly\Application Data\internaldb1942.dat
C:\Documents and Settings\Shelly\Application Data\internaldb7969.dat
C:\Documents and Settings\Shelly\Application Data\internaldb2585.dat
C:\Documents and Settings\Shelly\Application Data\internaldb2802.dat
C:\Documents and Settings\Shelly\Application Data\internaldb8376.dat
C:\Documents and Settings\David\Application Data\internaldb41.dat
C:\Documents and Settings\Shelly\Application Data\internaldb1497.dat
C:\Documents and Settings\David\Application Data\internaldb2391.dat
C:\Documents and Settings\Shelly\Application Data\internaldb678.dat
C:\Documents and Settings\David\Application Data\internaldb153.dat
C:\Documents and Settings\David\Application Data\internaldb8253.dat
C:\Documents and Settings\David\Application Data\internaldb3902.dat
C:\Documents and Settings\Shelly\Application Data\internaldb8163.dat
C:\Documents and Settings\Shelly\Application Data\internaldb1480.dat
C:\Documents and Settings\Shelly\Application Data\internaldb8402.dat
C:\Documents and Settings\David\Application Data\internaldb8467.dat
C:\Documents and Settings\David\Application Data\internaldb6334.dat
Folder::
C:\Program Files\Common Files\Totem Shared
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59879FA4-4790-461c-A1CC-4EC4DE4CA483}]

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
Posted Image
Posted Image

#5 ever_looking_up

ever_looking_up
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:04:20 AM

Posted 29 December 2007 - 01:43 AM

what next cap'n?

ComboFix 07-12-28.1 - David 2007-12-29 0:39:18.2 - NTFSx86
Running from: C:\Documents and Settings\David\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\David\Desktop\CFScript.txt

FILE
C:\Documents and Settings\David\Application Data\internaldb153.dat
C:\Documents and Settings\David\Application Data\internaldb1942.dat
C:\Documents and Settings\David\Application Data\internaldb2391.dat
C:\Documents and Settings\David\Application Data\internaldb3902.dat
C:\Documents and Settings\David\Application Data\internaldb41.dat
C:\Documents and Settings\David\Application Data\internaldb4604.dat
C:\Documents and Settings\David\Application Data\internaldb4827.dat
C:\Documents and Settings\David\Application Data\internaldb5436.dat
C:\Documents and Settings\David\Application Data\internaldb6334.dat
C:\Documents and Settings\David\Application Data\internaldb6500.dat
C:\Documents and Settings\David\Application Data\internaldb8253.dat
C:\Documents and Settings\David\Application Data\internaldb8467.dat
C:\Documents and Settings\Shelly\Application Data\internaldb1480.dat
C:\Documents and Settings\Shelly\Application Data\internaldb1497.dat
C:\Documents and Settings\Shelly\Application Data\internaldb1942.dat
C:\Documents and Settings\Shelly\Application Data\internaldb2585.dat
C:\Documents and Settings\Shelly\Application Data\internaldb2802.dat
C:\Documents and Settings\Shelly\Application Data\internaldb678.dat
C:\Documents and Settings\Shelly\Application Data\internaldb7969.dat
C:\Documents and Settings\Shelly\Application Data\internaldb8163.dat
C:\Documents and Settings\Shelly\Application Data\internaldb8376.dat
C:\Documents and Settings\Shelly\Application Data\internaldb8402.dat
C:\WINDOWS\SwSys1.bmp
C:\WINDOWS\SwSys2.bmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\David\Application Data\internaldb153.dat
C:\Documents and Settings\David\Application Data\internaldb1942.dat
C:\Documents and Settings\David\Application Data\internaldb2391.dat
C:\Documents and Settings\David\Application Data\internaldb3902.dat
C:\Documents and Settings\David\Application Data\internaldb41.dat
C:\Documents and Settings\David\Application Data\internaldb4604.dat
C:\Documents and Settings\David\Application Data\internaldb4827.dat
C:\Documents and Settings\David\Application Data\internaldb5436.dat
C:\Documents and Settings\David\Application Data\internaldb6334.dat
C:\Documents and Settings\David\Application Data\internaldb6500.dat
C:\Documents and Settings\David\Application Data\internaldb8253.dat
C:\Documents and Settings\David\Application Data\internaldb8467.dat
C:\Documents and Settings\Shelly\Application Data\internaldb1480.dat
C:\Documents and Settings\Shelly\Application Data\internaldb1497.dat
C:\Documents and Settings\Shelly\Application Data\internaldb1942.dat
C:\Documents and Settings\Shelly\Application Data\internaldb2585.dat
C:\Documents and Settings\Shelly\Application Data\internaldb2802.dat
C:\Documents and Settings\Shelly\Application Data\internaldb678.dat
C:\Documents and Settings\Shelly\Application Data\internaldb7969.dat
C:\Documents and Settings\Shelly\Application Data\internaldb8163.dat
C:\Documents and Settings\Shelly\Application Data\internaldb8376.dat
C:\Documents and Settings\Shelly\Application Data\internaldb8402.dat
C:\Program Files\Common Files\Totem Shared
C:\Program Files\Common Files\Totem Shared\Update\Advertising.dll.053
C:\Program Files\Common Files\Totem Shared\Update\Bpk.dll.143
C:\Program Files\Common Files\Totem Shared\Update\Distribution.dll.056
C:\Program Files\Common Files\Totem Shared\Update\FavoriteLinks.dll.076
C:\Program Files\Common Files\Totem Shared\Update\FreeSamples.dll.048
C:\Program Files\Common Files\Totem Shared\Update\msvcr70.dll.010
C:\Program Files\Common Files\Totem Shared\Update\music.dll.027
C:\Program Files\Common Files\Totem Shared\Update\Network.dll.068
C:\Program Files\Common Files\Totem Shared\Update\Newsletters.dll.023
C:\Program Files\Common Files\Totem Shared\Update\ScreenSaver2.dll.025
C:\Program Files\Common Files\Totem Shared\Update\System.dll.094
C:\Program Files\Common Files\Totem Shared\Update\TotemDx.dll.020
C:\Program Files\Common Files\Totem Shared\Update\Update.dll.074
C:\Program Files\Common Files\Totem Shared\Update\Windows.dll.082
C:\Program Files\Common Files\Totem Shared\Update\WindowsEx.dll.051
C:\WINDOWS\SwSys1.bmp
C:\WINDOWS\SwSys2.bmp

.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-29 )))))))))))))))))))))))))))))))
.

2007-12-28 15:38 . 2007-12-28 15:38 <DIR> d-------- C:\Program Files\iTunes
2007-12-28 15:38 . 2007-12-28 15:38 <DIR> d-------- C:\Program Files\iPod
2007-12-28 15:31 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-12-28 15:31 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-12-28 15:31 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-12-28 15:31 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-12-28 10:38 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-28 10:37 . 2007-12-28 10:37 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-25 11:38 . 2007-12-25 11:38 <DIR> d-------- C:\Documents and Settings\Shelly\Application Data\Talkback
2007-12-22 00:54 . 2007-12-22 00:55 <DIR> d-------- C:\Documents and Settings\David\Application Data\U3
2007-12-11 18:13 . 2007-12-11 18:15 <DIR> d-------- C:\Program Files\Morpheus Ultra
2007-12-11 16:34 . 2007-12-11 16:34 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-12-11 16:34 . 2007-12-11 16:34 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-12-11 15:25 . 2007-12-11 15:25 <DIR> d-------- C:\Documents and Settings\Shelly\Application Data\Yahoo!
2007-12-11 10:57 . 2007-12-11 10:57 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-12-11 10:57 . 2007-12-11 10:57 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-12-10 22:34 . 2007-12-10 22:34 <DIR> d-------- C:\Documents and Settings\David\Application Data\Yahoo!
2007-12-04 20:34 . 2007-12-28 21:40 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-04 20:34 . 2007-12-28 15:31 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-03 16:32 . 2007-12-03 16:36 <DIR> d-------- C:\Program Files\StripSaver2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-28 21:37 --------- d-----w C:\Program Files\QuickTime
2007-12-28 16:38 --------- d-----w C:\Program Files\Java
2007-12-28 16:21 --------- d-----w C:\Documents and Settings\David\Application Data\AVG7
2007-12-28 15:59 --------- d-----w C:\Documents and Settings\Shelly\Application Data\AVG7
2007-12-27 01:46 --------- d-----w C:\Program Files\Yahoo!
2007-12-27 01:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-25 18:47 --------- d-----w C:\Documents and Settings\Shelly\Application Data\MEGAUPLOADTOOLBAR
2007-12-22 15:41 --------- d-----w C:\Program Files\Google
2007-12-18 21:48 --------- d-----w C:\Documents and Settings\David\Application Data\iMesh
2007-12-14 23:05 --------- d-----w C:\Program Files\DivX
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-31 20:09 30,464 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
.

((((((((((((((((((((((((((((( snapshot@2007-12-28_10.49.27.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-28 21:38:44 102,400 ----a-r C:\WINDOWS\Installer\{18388EF8-E0A3-442B-8BFE-E2F1B3D05C91}\iTunesIco.exe
+ 2006-09-19 20:44:04 15,664 ----a-w C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
+ 2007-10-31 20:09:14 30,464 -c--a-w C:\WINDOWS\system32\DRVSTORE\usbaapl_4351B7DAFF62FD33510D77DFAE3CF8CC82517571\usbaapl.sys
+ 2006-10-04 01:47:52 109,360 ----a-w C:\WINDOWS\system32\GEARAspi.dll
+ 2007-06-28 09:06:50 25,984 ----a-w C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\usbaapl.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 09:58]
"EarthLink Installer"=" /C" []
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2007-03-14 18:03]
"BearFlix"="C:\Program Files\BearFlix\BearFlix.exe" []
"EPSON Stylus Photo R220 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.exe" [2005-03-09 04:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-22 08:59]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb7a6c4e-aba3-11dc-9306-00508d653824}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-12-17 12:34:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-29 00:41:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-29 0:42:11
C:\ComboFix2.txt ... 2007-12-28 10:49
.
2007-12-22 07:04:59 --- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:42:45 AM, on 12/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [BearFlix] "C:\Program Files\BearFlix\BearFlix.exe" /pause
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P39 "EPSON Stylus Photo R220 Series (Copy 1)" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3527C5BD-4A46-4362-94B6-12341D087A4B} - http://echospin.com/wizard/files/esWizard.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1182712817250
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173744052031
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5442 bytes

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:10:20 AM

Posted 29 December 2007 - 05:34 AM

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1
Do not run it just yet.

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed,exit SuperAntiSpyware.
Do not run it just yet.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [EarthLink Installer] " /C

Exit Hijackthis.

Now double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.

If you use Opera browser,do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Now Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer,when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it,then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new Hijackthis log,let me know how your pc is running now.

Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users