Files-secure Smitfraud


38 replies to this topic

#1 Hajduk

Posted 20 January 2008 - 05:31 PM

I have the ‘Files-Secure’ SmitFraud, and a tenacious son-of-a-bleep it is.

I am running Windows XP.

On various occasions I get the phony warning message:

“System error! Your computer was infected by unknown trojan. It’s dangerous for your system (critical files can be lost)! Click OK to download the anti-spyware program to clean your system! (Recommended)”

I cannot access Control Panel > Fonts; when I click on ‘Fonts’, I get the above message. When I cancel it, Fonts opens, but then I get a popup with the message:

“Windows Explorer has encountered an error and needs to close. We are sorry for the inconvenience. If you were in the middle of something, the information you were working on might be lost.”

A link on the dialog box takes me to a second box, which in turn takes me to a third showing a report about the error that apparently is submitted to someone, but without result. It contains among a lot of other stuff the notice:

“The following files will be included in the report:
C\DOCUME~1\LOCALS~1\Temp\271_appcomput.txt”

In the end I have to click OK and Fonts closes; I can open it, but then access is cut off.

Checking e-mail, I get a popup with a link to download an unidentified plug-in, which obviously I do not do.

And I observe that Dr Watson is taking an inordinate amount of memory.

* * * * * * * * * * * *

I found on-line instructions for getting rid of this infection, and was able to delete
4E7BD74F-2B8D-469E-A0E8-F479B685FA7D and toprates.dll, but the problem persists. I have been able to identify one remaining baddy in the registry:
113F2B42-FD88-45F6-9DEB-2D3463A8FC71. What else may remain in the computer I don’t know.

To prepare for HiJack This, I have run the following:

Ad-Aware; SpybotS&D; McAfee Stinger; AVG; A-Squared; Bit Defender; and Spyware Terminator. The last of these, a little-known program, alerted me to the presence of 113F2B42-FD88-45F6-9DEB-2D3463A8FC71, which it did not recognize as a threat but noted as an oddity. All the rest ignored it.

And I have downloaded and installed Sygate firewall (I was relying on MS’s firewall, which seems to have been a mistake).

That’s where I am now; and here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:19:19 PM, on 1/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Dialer\a2service.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\ABC Chaos decrypt\mainserv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\D4\D4.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\D4\D4.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HiJack This Install.exe
C:\Program Files\HiJack This Install.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F1 - win.ini: load=c:\01comm32\bin\01comm32.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {113F2B42-FD88-45F6-9DEB-2D3463A8FC71} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Office toolbar - {5BD5FE32-1DB9-48E1-BEDF-3CC304D98B46} - C:\WINDOWS\sysosa.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Dimension4] C:\Program Files\D4\D4.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Dialer\a2adguard.exe"
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\Program Files\Softwin\BitDefender8\bdnagent.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h20264.www2.hp.com/ediags/dd/instal...llMgr_v01_5.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158647531553
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158647481591
O17 - HKLM\System\CCS\Services\Tcpip\..\{23978555-F043-4D6A-B0C1-37CFF6B396F0}: NameServer = 216.99.193.2 216.99.193.19
O17 - HKLM\System\CS1\Services\Tcpip\..\{23978555-F043-4D6A-B0C1-37CFF6B396F0}: NameServer = 216.99.193.2 216.99.193.19
O23 - Service: a-squared Anti-Dialer Service (a2AntiDialer) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Dialer\a2service.exe
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\ABC Chaos decrypt\mainserv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Dimension4 - Thinking Man Software - C:\Program Files\D4\D4.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\system32\IomegaAccess.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\sp_clamsrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\system32\ZipToA.exe

--
End of file - 9624 bytes

I look forward to instructions on how to kill this thing once and for all.

Hajduk
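As an added illustration (not part of this thread and not a BleepingComputer tool), the script below applies a few of the triage heuristics a log reader uses on HijackThis entries like the ones above: orphaned or unnamed O2 BHOs, F1 win.ini autostarts, O4 Run entries whose program lives outside Program Files or Windows, and O10 unidentified Winsock LSPs. The sample lines are copied from the log above except the final O4 line, which is constructed; the heuristics are illustrative and a hit only means "look at this entry".

```python
"""Triage helper for HijackThis 2.x log entries.

Added example (not part of the thread). Heuristics are illustrative only; a hit
means "examine this entry", not "this is malware":
  O2  BHO with "(no name)" or "(no file)", or a DLL sitting directly in the
      Windows directory instead of a vendor folder
  F1  win.ini load=/run= autostart (a legacy mechanism modern software rarely uses)
  O4  Run entry whose executable lives outside Program Files / Windows
  O10 Winsock LSP that HijackThis could not identify
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Lines copied from the first HijackThis log posted above; the final O4 line is
# constructed for this example to show a Run entry pointing into a temp folder.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {113F2B42-FD88-45F6-9DEB-2D3463A8FC71} - (no file)
O2 - BHO: Office toolbar - {5BD5FE32-1DB9-48E1-BEDF-3CC304D98B46} - C:\WINDOWS\sysosa.dll
F1 - win.ini: load=c:\01comm32\bin\01comm32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [example] C:\DOCUME~1\STEPHE~1\LOCALS~1\Temp\example.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
F1_RE = re.compile(r"^F1 - win\.ini: (?P<key>load|run)=(?P<cmd>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|com|bat|scr|dll|pif))\b"?', re.IGNORECASE)

# Locations treated as "expected" for autostart executables in this example.
TRUSTED_ROOTS = ("c:\\program files", "c:\\windows", "%systemroot%", "%programfiles%")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O2"
    subject: str   # CLSID, Run key name, or path the finding is about
    reason: str


def normalize(path: str) -> str:
    """Lower-case a path and expand the 8.3 short name HijackThis often prints."""
    p = path.strip().strip('"').lower()
    return p.replace("c:\\progra~1", "c:\\program files")


def executable_of(cmd: str) -> str:
    """Pull the program path out of a Run command line (quoted or not)."""
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else cmd.strip().lstrip('"').split()[0]


def in_trusted_root(path: str) -> bool:
    return normalize(path).startswith(TRUSTED_ROOTS)


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing stands out."""
    m = O2_RE.match(line)
    if m:
        name, clsid, path = m.group("name", "clsid", "path")
        if path == "(no file)":
            return Finding("O2", clsid, "BHO registered but its DLL is missing")
        if name == "(no name)":
            return Finding("O2", clsid, "BHO with no name")
        parent = normalize(path).rsplit("\\", 1)[0]
        if parent in ("c:\\windows", "c:\\windows\\system32"):
            return Finding("O2", clsid, f"BHO DLL sits directly in {parent}")
        return None
    m = F1_RE.match(line)
    if m:
        return Finding("F1", m.group("cmd"), f"win.ini {m.group('key')}= autostart")
    m = O4_RE.match(line)
    if m:
        exe = executable_of(m.group("cmd"))
        if not in_trusted_root(exe):
            return Finding("O4", m.group("key"), f"Run entry outside trusted roots: {exe}")
        return None
    m = O10_RE.match(line)
    if m:
        return Finding("O10", m.group("path"), "Winsock LSP not recognised by HijackThis")
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every line of a HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        f = triage_line(line.strip())
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.subject:45} {f.reason}")
```

Run against the sample it reports the missing-file BHO, the BHO loaded from C:\WINDOWS, the win.ini load= entry, the constructed Temp-folder Run entry and the LSP, while the Adobe BHO and the two legitimate Run entries pass.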

#2 RichieUK (Malware Assassin, Malware Response Team)

Posted 26 January 2008 - 04:13 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum.
My name is Richie and I'll be helping you to fix your problems.

Apologies for the late response, as I'm sure you can appreciate we are extremely busy.

If you've already received help at another forum and your issues have been resolved, or you're presently receiving help elsewhere, then please let us know.

If you have not followed the info in the link below prior to posting your log then please do so now:
Preparation Guide for use before posting a HijackThis Log:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If you still require help, please post a new HijackThis log into this topic in your next reply.

Also post a detailed description of the issues you're experiencing.

*Note*
Post all reports/logs directly into this topic, not as attachments, thanks.

#3 Hajduk (Topic Starter)

Posted 26 January 2008 - 03:01 PM

Richie, it's good to hear from you. I'm now doing the full deep scan with A-Squared, and I don't want to go online while it's running, so I am using the library computer. When I get the results, I will do another HiJack This report and send it to you.

Meanwhile, I ran the SpySweeper demo, which says that I have a keylogger; and A-Squared Anti-Hijack, that found a number of baddies, which I am hoping the A-Squared program will remove (this is the first time I have used it, and I don't know what to expect).

What is disturbing here is that AVG, AdAware, SpybotS&D, and McAfee Stinger all failed to detect any of this.

Hajduk

#4 RichieUK (Malware Assassin, Malware Response Team)

Posted 26 January 2008 - 06:45 PM

Please visit this webpage for instructions for downloading and running ComboFix.
This includes installing the Windows XP Recovery Console in case you have not installed it yet.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the entire contents of C:\ComboFix.txt into your next reply.
Also post a new HijackThis log.

#5 Hajduk (Topic Starter)

Posted 28 January 2008 - 02:19 PM

Richie, I'm sorry to report that over the weekend the situation became *MUCH* worse. My computer is now essentially useless except in Safe Mode. I can connect to the internet as usual, but the bad guys are using all the CPU, so I can't access any site, cannot upload or download anything, etc.

I had spywareremover quarantine the SmitFraud file that only it detected. I began to run A-Squared anti-hijack again, but had to interrupt before I had recorded all of it, and by the time I got back to it the internet was already blockaded and I couldn't complete noting it down. I will post the last HiJack This log I was able to do and what I do have from A-Squared anti-hijack.

As I mentioned before, I tried to do a full deep scan with A-Squared. I stopped it when it became apparent that it would take several days to complete. A-Squared "smart scan" misses everything that their anti-hijack scan picks up; whether the full scan would find it I don't know.

As for ComboFix, I will have to try to download it to a disk and install it from there; obviously can't download it or anything else directly to my computer.

Here is the last HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:11:01 AM, on 1/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F1 - win.ini: load=c:\01comm32\bin\01comm32.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Dimension4] C:\Program Files\D4\D4.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Dialer\a2adguard.exe"
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [Iomega Drive Icons] "C:\Program Files\Iomega\DriveIcons\ImgIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h20264.www2.hp.com/ediags/dd/instal...llMgr_v01_5.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158647531553
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158647481591
O23 - Service: a-squared Anti-Dialer Service (a2AntiDialer) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Dialer\a2service.exe
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\ABC Chaos decrypt\mainserv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Dimension4 - Thinking Man Software - C:\Program Files\D4\D4.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\system32\IomegaAccess.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\sp_clamsrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Webroot Spy Sweeper-Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\system32\ZipToA.exe

--
End of file - 7917 bytes



And here is the keylogger detected by SpySweeper and what I was able to copy down of the bad stuff A-Squared anti-hijack found:

Baddies on computer

Detected by Spy Sweeper: Rebrand Keylogger:

C:\Documents and Settings\Stephen\Application Data\Microsoft\Installer\
{D3DCC04E-2DA1-4280-A9E3-F3BD395C397F}\-2b2b7fc6.exe
{D3DCC04E-2DA1-4280-A9E3-F3BD395C397F}\-2b2f29c2.exe


Detected by A-Squared HiJack Free:

KernelFaultCheck ptool32.exe (added by Legmir-BN trojan)
Ctfmon.exe ctfmon32.exe CoolWebSearch Ctfmon parasite variant
Ctfmon.exe ctfmon.exe added by RAIDYS trojan
(don’t confuse with valid ctfmon.exe)
Ctfmon.exe msupdate32.exe SpySheriff/SpywareNO = Spyhoax-A


explorer.exe %systempath% Trojan.Zapchas.ac

csrss.exe Supremtic “Beyond Keylogger”
smss.exe EmailWorm.Win32.Sober.o
smss.exe EmailWorm.Win32.Sober.p
smss.exe EmailWorm.Win32.Sober.z
wuauclt.exe Backdoor.Win32.Cult
svchost.exe LogiGuard LLC
svchost.exe Win32.Jeefo.a

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
113F2B42-45F6-9DEB-2D3463A8FC71 = toprates.dll
761497BB-D6F0-462C-B6EB-D4DAF1D92D43


Explorer.exe (%systempath%) Trojan Zapchas.ac

smss.exe EmailWorm.Win32.Sober.o
EmailWorm.Win32.Sober.p
EmailWorm.Win32.Sober.z

csrss.exe Supremtic “Beyond Keylogger”
Winlogon.exe Win32.Netskyd
Services.exe SentryPC
XP-Tools
EmailWorm.Win32.Sober.z
wuault.exe Backdoor.Win32.Cult

c:\documents and settings\stephen\services\stephen@nextag[1].txt
svchost LogiGuard, Win32.Jeefo.a

C:\Windows\system32\svchost.exe (Process 820)
Port 1042 TCP Bla1.1
Port 1047 TCP Gatecrasher.b, Gatecrasher.c
Port 1050 TCP MiniCommand
Port 1080 TCP WinHole, Wingate, Bagle.A1
Port 1081 TCP Winhole
Port 1082 TCP Winhole
Port 1083 TCP Winhole
Port 1090 TCP Xtreme
Port 1095 TCP Rat
Port 1097 TCP Rat
Port 1098 TCP Rat
Port 1099 TCP Bfevolution, Rat
Port 1100 TCP Cafelni0.9 (1010:1100)
Port 1137 TCP MTX
Port 1170 TCP Psyber Stream Server, Streaming Audio Trojan, Voice
Port 1207 TCP SoftWAR
Port 1208 TCP/UDP Infector1.3 + 1.4.1
Port 1212 TCP Kaos
Port 3456 TCP Teror Trojan
Port 3459 TCP Eclipse 2000, Sanctuary

That's all I have at present.

Hajduk

#6 RichieUK (Malware Assassin, Malware Response Team)

Posted 28 January 2008 - 02:53 PM

Quoting Hajduk: "As for ComboFix, I will have to try to download it to a disk and install it from there; obviously can't download it or anything else directly to my computer."

ComboFix will run in Safe Mode OK if that helps.

#7 Hajduk (Topic Starter)

Posted 04 February 2008 - 07:34 PM

OK, Richie, I just ran the scans. Here are the reports. ComboFix reports that RecoveryConsole is *not* installed; why this is I don't know, because I did follow the instructions, downloading the file from Microsoft and dropping the desktop icon on the ComboFix icon, which ran a progress bar in response. I will go home and try to install directly from the MS download.

Also I see that if I go to the A-Squared web page they give instructions on *removing* malware using their Anti-Hijack scan. In the future I expect this program to be useful.

Stephen

Security Scan Reports 2008-02-04

ComboFix 08-01-29.3 - Stephen 2008-02-04 15:07:15.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.41.1033.18.305 [GMT -8:00]
Running from: C:\Documents and Settings\Stephen\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-01-04 to 2008-02-04 )))))))))))))))))))))))))))))))
.
2008-01-28 03:11 . 2008-01-28 03:11 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-01-25 18:31 . 2008-01-27 07:14 106 --a------ C:\index.ini
2008-01-25 06:52 . 2008-01-25 08:25 14,912,184 --a------ C:\Program Files\Kaspersky antivirus.exe
2008-01-25 00:41 . 2008-01-25 00:41 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-01-25 00:40 . 2008-01-25 00:40 <DIR> d-------- C:\Program Files\Webroot
2008-01-25 00:40 . 2008-01-25 00:40 <DIR> d-------- C:\Documents and Settings\Stephen\Application Data\Webroot
2008-01-25 00:40 . 2008-01-25 00:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-01-25 00:40 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll
2008-01-25 00:40 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-01-25 00:40 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-01-25 00:40 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-01-25 00:40 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-01-24 23:40 . 2008-01-25 00:26 15,070,144 --a------ C:\Program Files\ssftrialsnrsetup1_26338613.exe
2008-01-20 14:18 . 2008-01-20 14:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-20 14:14 . 2008-01-20 14:16 812,344 --a------ C:\Program Files\HiJack This Install.exe
2008-01-19 12:39 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-01-19 12:39 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-01-19 12:39 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-01-19 12:39 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-01-19 12:39 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-01-19 12:39 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-01-19 12:38 . 2008-01-19 12:38 <DIR> d-------- C:\Program Files\Sygate
2008-01-19 12:38 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-01-19 12:16 . 2008-01-19 12:33 <DIR> d-------- C:\Program Files\Sygate Firewall
2008-01-18 20:32 . 2008-01-18 21:34 <DIR> d-------- C:\Program Files\SpyWareDoctor
2008-01-18 12:57 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-01-18 12:57 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-01-18 12:57 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-01-18 12:57 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-01-18 12:57 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-01-18 12:57 . 2008-01-18 12:57 3,174 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-17 05:57 . 2008-01-29 21:57 <DIR> d-------- C:\Program Files\SpywareGuard
2008-01-17 05:54 . 2008-01-17 05:54 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-17 05:35 . 2008-01-17 05:36 <DIR> d-------- C:\Program Files\Ewido Micro
2008-01-17 05:29 . 2008-01-17 06:13 <DIR> d-------- C:\Program Files\Windows Malicious Software Removal Tool
2008-01-17 05:25 . 2008-01-17 05:51 <DIR> d-------- C:\Program Files\Spyware Guard
2008-01-17 05:23 . 2008-01-17 05:50 <DIR> d-------- C:\Program Files\Spyware Blaster
2008-01-16 19:53 . 2008-01-16 19:53 <DIR> d-------- C:\Program Files\a-squared HiJackFree
2008-01-16 19:30 . 2008-01-25 19:07 <DIR> d-------- C:\Program Files\a-squared Anti-Dialer
2008-01-16 19:29 . 2008-01-27 05:02 <DIR> d-------- C:\Program Files\a-squared Free
2008-01-16 15:39 . 2008-01-16 17:06 <DIR> d-------- C:\Program Files\ASquaredFree
2008-01-16 14:40 . 2008-01-16 14:40 <DIR> d-------- C:\Program Files\SmitfraudFix
2008-01-16 14:40 . 2008-01-27 05:03 <DIR> d-------- C:\Documents and Settings\Stephen\SmitfraudFix
2008-01-15 20:06 . 2008-01-15 20:07 226,816 --a------ C:\WINDOWS\foundbadfile1.dll
2008-01-15 20:01 . 2008-01-15 20:06 48 --a------ C:\tmp.bat
2008-01-15 18:23 . 2008-01-15 18:24 <DIR> d-------- C:\Program Files\Powerarciver 1021
2008-01-11 09:57 . 2007-01-18 04:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-01-10 18:41 . 2008-01-11 10:17 <DIR> d-------- C:\Program Files\HDD Health
2008-01-10 18:37 . 2008-01-10 18:39 <DIR> d-------- C:\Program Files\HDHealth
2008-01-10 17:50 . 2008-01-10 17:50 <DIR> d-------- C:\Program Files\PDFCreator Toolbar
2008-01-10 17:50 . 2008-01-10 17:50 253,116 --a------ C:\WINDOWS\PDFCreator_Toolbar_Uninstaller_1874.exe
2008-01-10 17:50 . 2008-01-10 17:50 14,290 --a------ C:\Program Files\settings.dat
2008-01-10 17:48 . 2005-10-15 12:32 196,608 --a------ C:\WINDOWS\system32\pdfcmnnt.dll
2008-01-10 17:48 . 1998-06-24 00:00 137,000 --a------ C:\WINDOWS\system32\MSMAPI32.OCX
2008-01-10 17:48 . 1998-07-06 00:00 23,552 --a------ C:\WINDOWS\system32\MSMPIDE.DLL
2008-01-10 16:27 . 2008-01-10 17:52 <DIR> d-------- C:\Program Files\WinMerge
2008-01-10 16:12 . 2008-01-10 22:47 <DIR> d-------- C:\Program Files\PDFCreator
2008-01-09 14:07 . 2008-01-09 14:07 <DIR> d-------- C:\Program Files\Coptic Fonts
2008-01-09 14:03 . 2008-01-09 14:14 <DIR> d-------- C:\Documents and Settings\Fonts\Coptic

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-04 22:51 --------- d-----w C:\Program Files\Spyware Terminator
2008-02-04 04:43 --------- d-----w C:\Program Files\Mozilla Sunbird
2008-01-31 23:35 --------- d-----w C:\Program Files\Lavasoft
2008-01-31 23:35 --------- d-----w C:\Documents and Settings\Stephen\Application Data\Lavasoft
2008-01-28 12:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-01-28 11:38 --------- d-----w C:\Program Files\Font Xplorer
2008-01-28 11:14 --------- d-----w C:\Documents and Settings\Stephen\Application Data\Spyware Terminator
2008-01-28 05:19 --------- d-----w C:\Program Files\CallWave
2008-01-28 01:54 --------- d-----w C:\Documents and Settings\Stephen\Application Data\AVG7
2008-01-27 16:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-01-27 15:24 14 ----a-w C:\Documents and Settings\Stephen\getfile.dat
2008-01-20 15:48 138,368 ----a-w C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-01-20 15:25 --------- d-----w C:\Program Files\WinClamAVShield
2008-01-16 17:42 --------- d-----w C:\Program Files\Flash Player
2008-01-16 03:20 --------- d-----w C:\Program Files\PowerArchiver
2008-01-14 02:53 --------- d-----w C:\Program Files\NoteWorthy Composer
2008-01-09 00:03 --------- d-----w C:\Program Files\MacAfeeStinger
2008-01-08 13:47 --------- d-----w C:\Program Files\Weather Watcher
2008-01-05 15:15 --------- d-----w C:\Program Files\QuickTime
2008-01-01 23:40 --------- d-----w C:\Program Files\MSECache
2007-12-14 15:50 --------- d-----w C:\Program Files\VS Revo Group
2007-12-14 15:46 --------- d-----w C:\Program Files\Revo Uninstaller
2007-12-06 21:22 --------- d-----w C:\Program Files\Yahoo Instant Messenger
2007-12-06 19:49 --------- d-----w C:\Program Files\KGallery Kaleidoscope
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-09-23 14:12 19,753 ----a-w C:\Documents and Settings\Fonts\aungsan.zip
2007-09-23 14:10 18,881 ----a-w C:\Documents and Settings\Fonts\suukyi.zip
2007-09-10 16:49 17 ----a-w C:\Program Files\stng260.opt
2007-09-04 18:35 479,881 ----a-w C:\Documents and Settings\Pebleepta\mur.exe
2007-06-24 06:16 228,934 ----a-w C:\Documents and Settings\Fonts\New Athena Unicode--ttf.zip
2007-04-24 00:29 29,401 ----a-w C:\Documents and Settings\Fonts\phaedri.zip
2007-04-24 00:28 42,869 ----a-w C:\Documents and Settings\Fonts\phaedru1.zip
2007-04-24 00:28 42,852 ----a-w C:\Documents and Settings\Fonts\phaedrus.zip
2007-04-24 00:14 6,645 ----a-w C:\Documents and Settings\Fonts\Pilot.zip
2007-04-24 00:13 31,001 ----a-w C:\Documents and Settings\Fonts\ornament.zip
2007-04-24 00:11 391,718 ----a-w C:\Documents and Settings\Fonts\QuillPerpendicularWidenormal53.zip
2007-04-24 00:11 389,435 ----a-w C:\Documents and Settings\Fonts\QuillPerpendicularRegularnormal49.zip
2007-04-24 00:10 388,712 ----a-w C:\Documents and Settings\Fonts\QuillPerpendicularCondensednormal85.zip
2007-04-24 00:09 390,888 ----a-w C:\Documents and Settings\Fonts\QuillObliquenormal42.zip
2007-04-23 23:58 25,906 ----a-w C:\Documents and Settings\Fonts\niederwald.zip
2007-04-23 23:54 27,385 ----a-w C:\Documents and Settings\Fonts\mouth.zip
2007-04-23 23:49 20,301 ----a-w C:\Documents and Settings\Fonts\lotharuswidetop.zip
2007-04-23 23:48 37,171 ----a-w C:\Documents and Settings\Fonts\lotharus.zip
2007-04-20 02:37 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2007-03-22 06:32 10,159,744 ----a-w C:\Program Files\iTunesSetup.exe
2007-03-17 07:51 1,144,839 ----a-w C:\Program Files\stng260.exe
2007-02-20 22:46 823,015 ----a-w C:\Documents and Settings\Fonts\antioch13b.exe
2007-02-20 22:36 170,610 ----a-w C:\Documents and Settings\Fonts\bwfonts.exe
2007-02-17 14:40 5,007,104 ----a-w C:\Program Files\GoogleVideoPlayerSetup.exe
2007-01-14 23:42 322,951 ----a-w C:\Documents and Settings\Fonts\l2ttf003.zip
2007-01-14 04:43 1,188,722 ----a-w C:\Documents and Settings\Fonts\freefont-ttf.zip
2007-01-14 04:08 38,511 ----a-w C:\Documents and Settings\Fonts\rackhamho.sit.bin
2007-01-14 04:06 182,656 ----a-w C:\Documents and Settings\Fonts\InternationalSymbols.sit.bin
2007-01-10 03:53 856,047 ----a-w C:\Program Files\EFRCSetup.exe
2007-01-10 03:43 870,464 ----a-w C:\Documents and Settings\Fonts\Font_Xplorer_122_Free.exe
2007-01-10 03:37 40,718 ----a-w C:\Documents and Settings\Fonts\marvosym.zip
2007-01-02 16:16 461,993 ----a-w C:\Documents and Settings\Fonts\tierkreis3.zip
2007-01-02 16:16 123,981 ----a-w C:\Documents and Settings\Fonts\roman_antique.zip
2007-01-02 16:14 269,287 ----a-w C:\Documents and Settings\Fonts\monats_vignetten1.zip
2007-01-02 16:11 43,032 ----a-w C:\Documents and Settings\Fonts\schwabacher.zip
2007-01-02 16:11 242,170 ----a-w C:\Documents and Settings\Fonts\jahreskreis.zip
2007-01-02 16:11 110,070 ----a-w C:\Documents and Settings\Fonts\eisenbahn.zip
2007-01-02 16:09 97,262 ----a-w C:\Documents and Settings\Fonts\powell_antique.zip
2007-01-02 16:08 132,756 ----a-w C:\Documents and Settings\Fonts\kleist_fraktur.zip
2007-01-02 16:07 71,020 ----a-w C:\Documents and Settings\Fonts\packard_antique.zip
2007-01-02 16:07 25,095 ----a-w C:\Documents and Settings\Fonts\moderne_fraktur.zip
2007-01-02 16:06 41,873 ----a-w C:\Documents and Settings\Fonts\gebetbuch_fraktur.zip
2007-01-02 16:03 39,577 ----a-w C:\Documents and Settings\Fonts\kanzlei.zip
2007-01-02 16:03 155,833 ----a-w C:\Documents and Settings\Fonts\schluss_vignetten.zip
2007-01-02 16:01 65,109 ----a-w C:\Documents and Settings\Fonts\attic_antique.zip
2007-01-02 16:01 16,863 ----a-w C:\Documents and Settings\Fonts\art_nouveau_caps.zip
2007-01-02 16:00 87,485 ----a-w C:\Documents and Settings\Fonts\kaiserzeit_gotisch.zip
2006-12-31 14:21 504,632 ----a-w C:\Program Files\WindowsXP-KB926247-x86-ENU.exe
2006-12-31 14:18 739,640 ----a-w C:\Program Files\WindowsXP-KB926255-x86-ENU.exe
2006-12-31 14:17 5,186,048 ----a-w C:\Program Files\WindowsDefender.msi
2006-12-31 14:15 518,888 ----a-w C:\Program Files\WindowsXP-KB884020-x86-enu.exe
2006-12-31 14:07 701,752 ----a-w C:\Program Files\WindowsXP-KB921883-x86-ENU.exe
2006-12-21 21:26 4,723,109 ----a-w C:\Program Files\Bible-Discovery-Setup.exe
2006-12-21 21:01 601,488 ----a-w C:\Program Files\Bible-Pebleepta.exe
2006-12-01 20:53 180 ----a-w C:\Program Files\ecm.ini
2006-11-25 00:38 3,088,108 ----a-w C:\Program Files\LATEST-IS-1.8.0
2006-11-21 02:51 590 ------w C:\Documents and Settings\Pebleepta\layout.bin
2006-11-21 02:51 450 ------w C:\Documents and Settings\Pebleepta\os.dat
2006-11-21 02:51 4,679 ------w C:\Documents and Settings\Pebleepta\lang.dat
2006-11-21 02:51 308,700 ------w C:\Documents and Settings\Pebleepta\data.zip
2006-11-13 04:16 359,112 ----a-w C:\Program Files\LimeWireWin.exe
2006-11-13 01:55 50,932 ----a-w C:\Documents and Settings\Fonts\AnaxiWin.exe
2006-11-07 20:14 12,490,317 ----a-w C:\Program Files\install_advance.exe
2006-11-01 21:07 621,368 ----a-w C:\Program Files\autoruns.exe
2006-11-01 21:07 527,160 ----a-w C:\Program Files\autorunsc.exe
2006-10-28 04:16 10,120,112 ----a-w C:\Program Files\SkypeSetup.exe
2006-10-25 13:29 222 ----a-w C:\Program Files\chmap.ini
2006-10-21 02:24 166,144 ----a-w C:\Program Files\DECCHECKSetup.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Iomega Drive Icons"="C:\Program Files\Iomega\DriveIcons\ImgIcon.exe" [2000-06-13 07:48 36864]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dimension4"="C:\Program Files\D4\D4.exe" [2004-02-04 00:26 200704]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-01-20 07:48 2736128]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 22:46 57344]
"a-squared"="C:\Program Files\a-squared Anti-Dialer\a2adguard.exe" [2008-01-16 19:35 1329152]
"BDMCon"="C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" [2005-06-20 11:10 421888]
"BDNewsAgent"="C:\Program Files\Softwin\BitDefender8\bdnagent.exe" [2005-05-09 11:19 8192]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2003-11-10 10:52 34832]

C:\Documents and Settings\Stephen\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WebrootSpySweeperService"=2 (0x2)
"WinDefend"=2 (0x2)

R0 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys [2004-12-17 15:14]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2007-02-16 18:36]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-01-20 07:48]
R2 a2AntiDialer;a-squared Anti-Dialer Service;"C:\Program Files\a-squared Anti-Dialer\a2service.exe" [2008-01-25 19:06]
S3 3dfxvs;3dfxvs;C:\WINDOWS\system32\DRIVERS\3dfxvsm.sys [2003-02-11 10:56]
S3 ctencwdm;Creative PC-DVD Encore ( WDM );C:\WINDOWS\system32\drivers\ctencwdm.sys [1999-06-21 00:00]
S3 HSFHWCD2;HSFHWCD2;C:\WINDOWS\system32\DRIVERS\HSFHWCD2.sys [2005-01-24 22:26]
S3 nv3;nv3;C:\WINDOWS\system32\DRIVERS\nv3.sys [2001-08-17 12:50]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-23 17:50:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-05-18 16:50:26 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-02-04 22:51:58 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- A:\
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 15:15:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\a-squared Anti-Dialer\a2service.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\ABC Chaos decrypt\mainserv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\D4\D4.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\D4\D4.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\a-squared Anti-Dialer\a2adguard.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
.
**************************************************************************
.
Completion time: 2008-02-04 15:24:49 - machine was rebooted [Stephen]
ComboFix-quarantined-files.txt 2008-02-04 23:23:17
.
2008-01-09 15:07:03 --- E O F ---

******************************************************************************************************************************************************************************************************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:29:56 PM, on 2/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Dialer\a2service.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\ABC Chaos decrypt\mainserv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\D4\D4.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\D4\D4.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\a-squared Anti-Dialer\a2adguard.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F1 - win.ini: load=c:\01comm32\bin\01comm32.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O4 - HKLM\..\Run: [Dimension4] "C:\Program Files\D4\D4.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Dialer\a2adguard.exe"
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [Iomega Drive Icons] "C:\Program Files\Iomega\DriveIcons\ImgIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h20264.www2.hp.com/ediags/dd/instal...llMgr_v01_5.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158647531553
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158647481591
O23 - Service: a-squared Anti-Dialer Service (a2AntiDialer) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Dialer\a2service.exe
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\ABC Chaos decrypt\mainserv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Dimension4 - Thinking Man Software - C:\Program Files\D4\D4.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\system32\IomegaAccess.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\sp_clamsrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Webroot Spy Sweeper-Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\system32\ZipToA.exe

--
End of file - 9545 bytes

#8 Hajduk (Topic Starter)

Posted 14 February 2008 - 01:55 PM

Hello? Anybody there?

I submitted these reports ten (10) days ago.

Hajduk

#9 Hajduk (Topic Starter)

Posted 20 February 2008 - 01:42 PM

Well, friends, that's over two weeks, and it looks as though I am just going to have to find another forum to get help. Thanks, I guess.

Hajduk

#10 RichieUK (Malware Assassin, Malware Response Team)

Posted 21 February 2008 - 07:47 PM

Apologies for the late response; I somehow missed the email notification of your reply.

If you did receive help at another forum and your issues have been resolved, or you're presently receiving help elsewhere, then please let me know.

If you still require help, post a new HijackThis log into this topic in your next reply.

Also post a detailed description of any issues you still may be experiencing.

#11 Hajduk (Topic Starter)

Posted 25 February 2008 - 12:17 PM

Hello, Richie,

No, I was going to look for another forum today, so I have not done so yet.

New problems? I cannot get online at all now; the shortcut does not work at all and I haven't had time to try to get it working again. Also my printer is uninstalled.

I have been working only in safe mode, and did not even attempt to go online until this morning, when I tried to get another ComboFix report. I got a notice that ComboFix had expired and I would have to download again. But since it turns out that I have no Internet connection any more, that is impossible.

Here is this morning's HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:25:53 AM, on 2/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F1 - win.ini: load=c:\01comm32\bin\01comm32.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O4 - HKLM\..\Run: [Dimension4] "C:\Program Files\D4\D4.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Dialer\a2adguard.exe"
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [Iomega Drive Icons] "C:\Program Files\Iomega\DriveIcons\ImgIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h20264.www2.hp.com/ediags/dd/instal...llMgr_v01_5.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158647531553
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158647481591
O23 - Service: a-squared Anti-Dialer Service (a2AntiDialer) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Dialer\a2service.exe
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\ABC Chaos decrypt\mainserv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Dimension4 - Thinking Man Software - C:\Program Files\D4\D4.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\system32\IomegaAccess.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\sp_clamsrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Webroot Spy Sweeper-Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\system32\ZipToA.exe

--
End of file - 7807 bytes


Hope you can tell me how to get rid of these buggers. I still have the ReBrand Key Logger, too.

Hajduk

#12 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 25 February 2008 - 12:45 PM

You have AVG7 and Avast4 and BitDefender and WinClamAVShield installed.
It's not a good idea to have more than one antivirus program installed on your computer.
Each program may interpret the actions of the other as viral, therefore giving you false virus warnings about virus-related activities.
It could also lead to system slowdowns and other problems within the operating system, due to them conflicting with each other.
You should uninstall three of them now, then restart your PC.

Remove/uninstall the following programs; we can reinstall one of them later. You just don't need them all; it's complete overkill and could be causing problems:
SpywareTerminator
SpywareGuard
a-squared Free
SpySweeper


Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
F1 - win.ini: load=c:\01comm32\bin\01comm32.exe

Click on Start/Run, type CMD, then press OK.
At the command prompt copy and paste NETSH WINSOCK RESET then press Enter.
At the command prompt copy and paste IPCONFIG /FLUSHDNS then press Enter.
At the command prompt copy and paste NETSH WINSOCK RESET CATALOG then press Enter.
Type EXIT, press Enter again, then restart your PC.
Now try connecting to the internet.

Post a new HijackThis log please.

#13 Hajduk
  • Topic Starter

  • Members
  • 77 posts
  • Gender:Male
  • Location:United States

Posted 25 February 2008 - 04:38 PM

OK, Richie, I had HijackThis remove F1 - win.ini: load=c:\01comm32\bin\01comm32.exe and went through the command prompts. I can now go online (although I had to go to Control Panel--the links didn't work), but it does no good because everything times out.

Several processes are using big amounts of CPU, and I suspect this is the baddies at work. Worst of them is something called drwtsn32.exe; others are bdss.exe, ashServ.exe, Smc.exe, and svchost.exe (system); the last of these I understand is a MS program that causes some trouble by eating memory. The rest I never heard of.

Overkill, I'm not so sure. SpywareTerminator only identified one of the bad guys; SpywareSweeper only identified the ReBrand KeyLogger, but as I have only the demo, I couldn't use it to remove it. These and most of the others anyhow I am not running with any always-on component; I only use them for scans, like SpyBotS&D and AdAware. SpywareGuard is supposed to work well with other programs. However, I did uninstall them as you suggested.

Here's the new log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:54:56 PM, on 2/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Dialer\a2service.exe
C:\Program Files\ABC Chaos decrypt\mainserv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\D4\D4.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D4\D4.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\a-squared Anti-Dialer\a2adguard.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O4 - HKLM\..\Run: [Dimension4] C:\Program Files\D4\D4.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Dialer\a2adguard.exe"
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui
O4 - HKCU\..\Run: [Iomega Drive Icons] "C:\Program Files\Iomega\DriveIcons\ImgIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h20264.www2.hp.com/ediags/dd/instal...llMgr_v01_5.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158647531553
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158647481591
O23 - Service: a-squared Anti-Dialer Service (a2AntiDialer) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Dialer\a2service.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\ABC Chaos decrypt\mainserv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Dimension4 - Thinking Man Software - C:\Program Files\D4\D4.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\system32\IomegaAccess.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\system32\ZipToA.exe

--
End of file - 8197 bytes

#14 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 25 February 2008 - 05:00 PM

drwtsn32.exe
drwtsn32.exe is a process belonging to Microsoft's Dr Watson program error debug utility.

bdss.exe
bdss.exe is a vital component of the BitDefender antivirus protection.

ashserv.exe
ashserv.exe is part of the Avast Anti-virus Suite.

Smc.exe
Smc.exe is part of Sygate Personal Firewall.


You still have AVG7 Antivirus and Avast4 and BitDefender installed; this is almost certainly your problem.
It's not a good idea to have more than one antivirus program installed on your computer.
Each program may interpret the actions of the other as viral, therefore giving you false virus warnings about virus-related activities.
It could also lead to system slowdowns and other problems within the operating system, due to the two conflicting with each other.
You should uninstall two of them now, then restart your PC.

Post a new HijackThis log when you've removed two of those antivirus programs.
Let me know what's happening now.
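As an added illustration of the triage RichieUK does by hand in #12 and #14 (picking out the F1 win.ini load= autostart for HijackThis to fix, noting the unidentified Winsock LSP and the "Unknown owner" service, and counting how many antivirus products are registered as O23 services), here is a small Python script. It is not part of the thread and not a BleepingComputer or HijackThis tool. It runs over a constructed sample written in the shape of the logs posted above; the keyword-to-product table is my assumption, and the "review" bucket is a hint for a human reader, not a verdict that anything is malicious.

```python
"""Quick triage of a HijackThis v2 log: flags the entry types the helper acts on in this
thread and counts how many antivirus products are registered as services.

Added example; not the thread's own code and not a HijackThis feature.  SAMPLE_LOG is
constructed in the shape of the logs posted above, and AV_FAMILIES is an assumed
keyword->product mapping for illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample (raw string so the Windows backslashes survive untouched).
SAMPLE_LOG = r"""
F1 - win.ini: load=c:\01comm32\bin\01comm32.exe
O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\sp_clamsrv.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

# Lower-case substring -> antivirus product family.  Assumed mapping, built from the
# vendor names and install directories that appear in the logs in this thread.
AV_FAMILIES = {
    "avast": "avast!", "alwil": "avast!",
    "avg7": "AVG", "grisoft": "AVG",
    "bitdefender": "BitDefender", "softwin": "BitDefender",
    "winclamavshield": "ClamAV (Spyware Terminator)",
}

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")


def parse_entries(log_text: str) -> List[Tuple[str, str]]:
    """Return (section, body) for every HijackThis entry line; header/footer lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def triage(log_text: str) -> Dict[str, List[str]]:
    """Sort entries into 'fix' (what the helper told HijackThis to fix), 'review'
    (worth a human look, not a verdict) and the distinct antivirus families found."""
    findings: Dict[str, List[str]] = {"fix": [], "review": [], "av_families": []}
    families = set()
    for sec, body in parse_entries(log_text):
        if sec == "F1" and re.search(r"\b(load|run)=", body):
            # win.ini load=/run= is a legacy autostart; nothing modern needs it.
            findings["fix"].append(f"F1 win.ini autostart: {body}")
        elif sec == "O10":
            # An LSP HijackThis cannot identify.  It may still be a Windows component
            # (on XP, nwprovau.dll is the NetWare client provider), so review, don't fix.
            findings["review"].append(f"O10 unidentified Winsock LSP: {body}")
        elif sec == "O23":
            m = SERVICE_RE.match(body)
            if not m:
                continue
            if m.group("vendor") == "Unknown owner":
                findings["review"].append(f"O23 service without a known owner: {m.group('name')}")
            low = body.lower()
            for keyword, family in AV_FAMILIES.items():
                if keyword in low:
                    families.add(family)
    findings["av_families"] = sorted(families)
    return findings


def multiple_antivirus(findings: Dict[str, List[str]]) -> bool:
    """True when more than one antivirus product is registered as a service."""
    return len(findings["av_families"]) > 1


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for bucket in ("fix", "review"):
        for item in result[bucket]:
            print(f"[{bucket}] {item}")
    print("antivirus families:", ", ".join(result["av_families"]))
    if multiple_antivirus(result):
        print("more than one antivirus product installed; keep one, uninstall the rest")
```

Run it as-is to see the four buckets on the constructed sample, or replace SAMPLE_LOG with the text of a real log. The antivirus count only sees products that register an O23 service, so an on-demand scanner with no service (the way Hajduk says he uses most of his) will not be counted; that is the same blind spot the helper's own reading of the O23 list has.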

#15 Hajduk
  • Topic Starter

  • Members
  • 77 posts
  • Gender:Male
  • Location:United States

Posted 25 February 2008 - 05:50 PM

OK, but I have had these installed for many months, and there was never a problem. I use them only for scans.

Hajduk
