
Computer Possessed With Infections


This topic is locked
16 replies to this topic

#1 Victoria

Posted 28 February 2008 - 09:04 PM

Here is my log. I wasn't able to fix many of the problems that were revealed with scans because my computer would freeze. I am also posting the scan from the SuperAntiSpyware scan. Good luck with this mess. And many many thanks!!!

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/04/2008 at 07:52 PM

Application Version : 3.9.1008

Core Rules Database Version : 3394
Trace Rules Database Version: 1386

Scan type : Complete Scan
Total Scan Time : 01:29:21

Memory items scanned : 354
Memory threats detected : 3
Registry items scanned : 4474
Registry threats detected : 15
File items scanned : 39714
File threats detected : 171

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\FCCCAAA.DLL
C:\WINDOWS\SYSTEM32\FCCCAAA.DLL
C:\WINDOWS\SYSTEM32\DDAYX.DLL
C:\WINDOWS\SYSTEM32\DDAYX.DLL
HKLM\Software\Classes\CLSID\{105F7208-CB70-4DA2-AE84-FB15C1513456}
HKCR\CLSID\{105F7208-CB70-4DA2-AE84-FB15C1513456}
HKCR\CLSID\{105F7208-CB70-4DA2-AE84-FB15C1513456}\InprocServer32
HKCR\CLSID\{105F7208-CB70-4DA2-AE84-FB15C1513456}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{A051B1FF-8D7E-418B-AABE-4FF82F4280A2}
HKCR\CLSID\{A051B1FF-8D7E-418B-AABE-4FF82F4280A2}
HKCR\CLSID\{A051B1FF-8D7E-418B-AABE-4FF82F4280A2}\InprocServer32
HKCR\CLSID\{A051B1FF-8D7E-418B-AABE-4FF82F4280A2}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{105F7208-CB70-4DA2-AE84-FB15C1513456}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A051B1FF-8D7E-418B-AABE-4FF82F4280A2}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{A051B1FF-8D7E-418B-AABE-4FF82F4280A2}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\fcccaaa
HKCR\CLSID\{A051B1FF-8D7E-418B-AABE-4FF82F4280A2}
C:\WINDOWS\SYSTEM32\KHFCAXY.DLL
C:\WINDOWS\SYSTEM32\PMNNLLL.DLL

Adware.ClickSpring/Resident
C:\WINDOWS\system32\CROSOF~1\TSKMGR~1.EXE
C:\WINDOWS\system32\CROSOF~1\TSKMGR~1.EXE

Adware.Tracking Cookie
C:\Documents and Settings\user\Cookies\user@statcounter[1].txt
C:\Documents and Settings\user\Cookies\user@adultadworld[2].txt
C:\Documents and Settings\user\Cookies\user@angleinteractive.directtrack[2].txt
C:\Documents and Settings\user\Cookies\user@288_[2].txt
C:\Documents and Settings\user\Cookies\user@ex=1_[2].txt
C:\Documents and Settings\user\Cookies\user@cgi-bin[3].txt
C:\Documents and Settings\user\Cookies\user@secure.advancedcleaner[2].txt
C:\Documents and Settings\user\Cookies\user@indiads[2].txt
C:\Documents and Settings\user\Cookies\user@4.adbrite[2].txt
C:\Documents and Settings\user\Cookies\user@adecn[1].txt
C:\Documents and Settings\user\Cookies\user@a[1].txt
C:\Documents and Settings\user\Cookies\user@webpower[1].txt
C:\Documents and Settings\user\Cookies\user@adbrite[2].txt
C:\Documents and Settings\user\Cookies\user@fastclick[2].txt
C:\Documents and Settings\user\Cookies\user@www.burstbeacon[3].txt
C:\Documents and Settings\user\Cookies\user@ads.crakmedia[1].txt
C:\Documents and Settings\user\Cookies\user@ehg-netquote.hitbox[1].txt
C:\Documents and Settings\user\Cookies\user@trafficmp[1].txt
C:\Documents and Settings\user\Cookies\user@3.adbrite[2].txt
C:\Documents and Settings\user\Cookies\user@counter9.sextracker[1].txt
C:\Documents and Settings\user\Cookies\user@da-tracking[2].txt
C:\Documents and Settings\user\Cookies\user@www.burstnet[2].txt
C:\Documents and Settings\user\Cookies\user@advancedcleaner[2].txt
C:\Documents and Settings\user\Cookies\user@2o7[3].txt
C:\Documents and Settings\user\Cookies\user@hornymatches[2].txt
C:\Documents and Settings\user\Cookies\user@adrevolver[1].txt
C:\Documents and Settings\user\Cookies\user@incentaclick[2].txt
C:\Documents and Settings\user\Cookies\user@37343836[1].txt
C:\Documents and Settings\user\Cookies\user@www.incentaclick[1].txt
C:\Documents and Settings\user\Cookies\user@ads.adbrite[1].txt
C:\Documents and Settings\user\Cookies\user@apmebf[1].txt
C:\Documents and Settings\user\Cookies\user@lynxtrack[1].txt
C:\Documents and Settings\user\Cookies\user@sales.liveperson[1].txt
C:\Documents and Settings\user\Cookies\user@www.findit-quick[2].txt
C:\Documents and Settings\user\Cookies\user@ad.yieldmanager[1].txt
C:\Documents and Settings\user\Cookies\user@eas.apm.emediate[2].txt
C:\Documents and Settings\user\Cookies\user@tribalfusion[2].txt
C:\Documents and Settings\user\Cookies\user@adopt.specificclick[1].txt
C:\Documents and Settings\user\Cookies\user@spamblockerutility[3].txt
C:\Documents and Settings\user\Cookies\user@adultfriendfinder[1].txt
C:\Documents and Settings\user\Cookies\user@burstnet[2].txt
C:\Documents and Settings\user\Cookies\user@questionmarket[2].txt
C:\Documents and Settings\user\Cookies\user@atdmt[2].txt
C:\Documents and Settings\user\Cookies\user@advertisersclearinghouse.aavalue[1].txt
C:\Documents and Settings\user\Cookies\user@sextracker[1].txt
C:\Documents and Settings\user\Cookies\user@adredired[1].txt
C:\Documents and Settings\user\Cookies\user@partner2profit[1].txt
C:\Documents and Settings\user\Cookies\user@spyguardpro[1].txt
C:\Documents and Settings\user\Cookies\user@findwhat[1].txt
C:\Documents and Settings\user\Cookies\user@sex-video[1].txt
C:\Documents and Settings\user\Cookies\user@ad2networks.advertserve[2].txt
C:\Documents and Settings\user\Cookies\user@media.adrevolver[3].txt
C:\Documents and Settings\user\Cookies\user@anad.tacoda[1].txt
C:\Documents and Settings\user\Cookies\user@ads.pointroll[1].txt
C:\Documents and Settings\user\Cookies\user@podshow.112.2o7[1].txt
C:\Documents and Settings\user\Cookies\user@ad.outerinfoads[1].txt
C:\Documents and Settings\user\Cookies\user@ads.monster[2].txt
C:\Documents and Settings\user\Cookies\user@zedo[3].txt
C:\Documents and Settings\user\Cookies\user@doubleclick[1].txt
C:\Documents and Settings\user\Cookies\user@directtrack[1].txt
C:\Documents and Settings\user\Cookies\user@mediaplex[2].txt
C:\Documents and Settings\user\Cookies\user@rotator.adjuggler[3].txt
C:\Documents and Settings\user\Cookies\user@bizadverts[2].txt
C:\Documents and Settings\user\Cookies\user@protect.spyguardpro[2].txt
C:\Documents and Settings\user\Cookies\user@specificclick[3].txt
C:\Documents and Settings\user\Cookies\user@atlas.entrepreneur[2].txt
C:\Documents and Settings\user\Cookies\user@login.revenueloop[2].txt
C:\Documents and Settings\user\Cookies\user@bleeparoo[1].txt
C:\Documents and Settings\user\Cookies\user@eyewonder[1].txt
C:\Documents and Settings\user\Cookies\user@1072588370[2].txt
C:\Documents and Settings\user\Cookies\user@interclick[2].txt
C:\Documents and Settings\user\Cookies\user@hitbox[1].txt
C:\Documents and Settings\user\Cookies\user@adlegend[1].txt
C:\Documents and Settings\user\Cookies\user@advertising[1].txt
C:\Documents and Settings\user\Cookies\user@tacoda[2].txt
C:\Documents and Settings\user\Cookies\user@www.bleeparoo[2].txt
C:\Documents and Settings\user\Cookies\user@www.bleepbot[2].txt
C:\Documents and Settings\user\Cookies\user@www.thedegreefinder[2].txt

Adware.ClickSpring/Outer Info Network
C:\Documents and Settings\user\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\user\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\user\Start Menu\Programs\Outerinfo

Malware.LocusSoftware Inc/SpyGuardPro
C:\Documents and Settings\user\Application Data\SpyGuardPro\Logs\threats.log
C:\Documents and Settings\user\Application Data\SpyGuardPro\Logs
C:\Documents and Settings\user\Application Data\SpyGuardPro

RootKit.TnCore/Trace
C:\WINDOWS\system32\drivers\core.cache.dsk

Rogue.ErrorFighter
HKLM\Software\ugac
HKLM\Software\ugac#DomainName

Adware.ClickSpring-Variant
C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\!UPDATE.EXE
C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\WNG1OBGB\!UPDATE-4495[1].0000

Malware.LocusSoftware Inc/BestSellerAntivirus
C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\NI.UGA6P_0001_N122M2210\SETUP.EXE
C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\TMP9B.TMP

Trojan.Downloader-Gen/MROFIN
C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\TMP98.TMP
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CDB24CF7-420B-4626-BE26-7B7CE0D32075}\RP98\A0016329.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CDB24CF7-420B-4626-BE26-7B7CE0D32075}\RP98\A0016332.EXE
C:\WINDOWS\MROFINU1000106.EXE
C:\WINDOWS\MROFINU572.EXE.TMP

Rogue.NoWayVirus-PTask
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CDB24CF7-420B-4626-BE26-7B7CE0D32075}\RP100\A0019469.EXE

Rogue.LocusSoftware/Component
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CDB24CF7-420B-4626-BE26-7B7CE0D32075}\RP100\A0019478.OLD
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CDB24CF7-420B-4626-BE26-7B7CE0D32075}\RP100\A0019479.OLD

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CDB24CF7-420B-4626-BE26-7B7CE0D32075}\RP112\A0026192.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CDB24CF7-420B-4626-BE26-7B7CE0D32075}\RP115\A0027166.VBS

Adware.Vundo-Variant/Small-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CDB24CF7-420B-4626-BE26-7B7CE0D32075}\RP112\A0026194.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CDB24CF7-420B-4626-BE26-7B7CE0D32075}\RP112\A0026198.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CDB24CF7-420B-4626-BE26-7B7CE0D32075}\RP112\A0026199.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CDB24CF7-420B-4626-BE26-7B7CE0D32075}\RP112\A0026200.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CDB24CF7-420B-4626-BE26-7B7CE0D32075}\RP112\A0026202.DLL
C:\WINDOWS\SYSTEM32\KJMJBTSC.DLL
C:\WINDOWS\SYSTEM32\NLIPNQOA.DLL
C:\WINDOWS\SYSTEM32\VBQUVSPM.DLL

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CDB24CF7-420B-4626-BE26-7B7CE0D32075}\RP115\A0027167.DLL

Rogue.StorageProtector/Trace
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CDB24CF7-420B-4626-BE26-7B7CE0D32075}\RP99\A0017308.EXE

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\IJJLM.INI
C:\WINDOWS\SYSTEM32\XYADD.INI
C:\WINDOWS\SYSTEM32\YCCDD.INI
C:\WINDOWS\SYSTEM32\YCCDD.INI2

Trace.Known Threat Sources
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\RR0NC3UN\errorhandler[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0B6DEB4H\browserdetect[1].js
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\4J4P67KJ\fileslist[1].js
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\WNG1OBGB\pbmarker[1].gif
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\WNG1OBGB\AC_RunActiveContent[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0B6DEB4H\closebutton[1].gif
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0B6DEB4H\index[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0B6DEB4H\shieldred[1].gif
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\4J4P67KJ\CALGI1X7.htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\4J4P67KJ\flash_detect[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\4J4P67KJ\bleep2[1].gif
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0B6DEB4H\progressbar[1].js
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\RR0NC3UN\[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\4J4P67KJ\common[1].js
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0B6DEB4H\secpanel[1].gif
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0B6DEB4H\9_swp[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\4J4P67KJ\bleep[1].gif
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0B6DEB4H\window[1].js
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0B6DEB4H\buttonbg[1].gif
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\WNG1OBGB\styles[1].css
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\RR0NC3UN\activex[1].gif
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\RR0NC3UN\pbbg[1].gif
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0B6DEB4H\AC_ActiveX[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\RR0NC3UN\fullresize[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\WNG1OBGB\ajax[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\WNG1OBGB\flash[1].swf
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0B6DEB4H\disc-cd[1].gif
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\WNG1OBGB\scan[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\RR0NC3UN\shld[1].gif
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\RR0NC3UN\stats[1].jpg
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\4J4P67KJ\alert[1].gif
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\4J4P67KJ\spacer[2].gif
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\RR0NC3UN\common[1].js
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0B6DEB4H\progressbar[2].js
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0B6DEB4H\bg[1].gif
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\WNG1OBGB\fileslist[1].js
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0B6DEB4H\14_swp[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\WNG1OBGB\stats[1].jpg
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\RR0NC3UN\sh[1].gif
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\RR0NC3UN\shkaladelenie[1].gif
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0B6DEB4H\secstat[1].gif
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\4J4P67KJ\closebutton[1].gif
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0B6DEB4H\acx[1].gif
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0B6DEB4H\CAG1QV85.htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\NENP5TF7\styles[1].css
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\NENP5TF7\minilogo[1].gif
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\LRBDVL3W\ban_1[1].swf
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\EZWVLYZ6\ax[1].gif
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\IWIPN10C\flash[1].js
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\NENP5TF7\header_bg[1].gif
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\LRBDVL3W\window[1].js
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\NENP5TF7\popup[1].gif
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\EZWVLYZ6\scan[1].htm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:58:17 PM, on 2/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wildblue.net
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {105F7208-CB70-4DA2-AE84-FB15C1513456} - (no file)
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
--
End of file - 5982 bytes

Edited by Victoria, 28 February 2008 - 09:12 PM.
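As an added triage example (editor's code, not from this thread and not from SUPERAntiSpyware, HijackThis or ComboFix): the SUPERAntiSpyware log above records registry keys by CLSID, and the HijackThis log lists one of the same CLSIDs as an O2 BHO with "(no file)", i.e. a registration left behind after the DLL was removed. The script below parses short excerpts of both logs (constructed here from lines copied out of the posted logs), cross-references the CLSIDs, and summarizes the other HijackThis entries a reviewer reads first: Run keys under the SYSTEM and .DEFAULT hives, DPF (ActiveX download) entries, and how often each Winsock LSP DLL appears. The parsers assume the line layouts shown in the posted logs and nothing else.

```python
import re
from collections import Counter

# A {GUID} anywhere in a line, and one HijackThis report line such as "O2 - BHO: ...".
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
HJT_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")

# Constructed excerpt in SUPERAntiSpyware log layout: a category heading, then one
# detected item per line, blocks separated by a blank line. Items are copied from
# the log posted in this thread.
SAMPLE_SAS_LOG = r"""
Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\FCCCAAA.DLL
HKLM\Software\Classes\CLSID\{105F7208-CB70-4DA2-AE84-FB15C1513456}
HKCR\CLSID\{A051B1FF-8D7E-418B-AABE-4FF82F4280A2}\InprocServer32

Rogue.ErrorFighter
HKLM\Software\ugac
"""

# Constructed excerpt in HijackThis v2 layout, again copied from the posted log.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wildblue.net
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {105F7208-CB70-4DA2-AE84-FB15C1513456} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
"""


def parse_sas(text):
    """Map each detected item (file path or registry key) to its category heading."""
    items, category = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            category = None          # blank line ends the current block
            continue
        if category is None:
            category = line          # first non-blank line of a block is the heading
        else:
            items[line] = category
    return items


def parse_hjt(text):
    """Split HijackThis report lines into (section code, body) pairs."""
    out = []
    for line in text.splitlines():
        m = HJT_RE.match(line.strip())
        if m:
            out.append((m.group("code"), m.group("body")))
    return out


def sas_clsids(items):
    """CLSIDs mentioned in any SUPERAntiSpyware detection, mapped to the category."""
    found = {}
    for item, category in items.items():
        for guid in GUID_RE.findall(item):
            found.setdefault(guid.upper(), category)
    return found


def cross_reference(sas_text, hjt_text):
    """HijackThis O2/O3 entries whose CLSID SUPERAntiSpyware already flagged."""
    flagged = sas_clsids(parse_sas(sas_text))
    hits = []
    for code, body in parse_hjt(hjt_text):
        if code not in ("O2", "O3"):
            continue
        m = GUID_RE.search(body)
        if m and m.group(0).upper() in flagged:
            clsid = m.group(0).upper()
            hits.append({"clsid": clsid, "category": flagged[clsid],
                         "orphaned": body.endswith("(no file)"), "entry": body})
    return hits


def review_items(hjt_text):
    """Entries a reviewer reads first: HKUS Run keys, DPF downloads, LSP DLL counts."""
    entries = parse_hjt(hjt_text)
    system_run = [b for c, b in entries if c == "O4" and "HKUS\\" in b]
    dpf = [b for c, b in entries if c == "O16"]
    # One O10 line per protocol is normal for an LSP; count them rather than list them.
    lsp = Counter(b.split(": ", 1)[1].lower() for c, b in entries if c == "O10")
    return {"system_run_keys": system_run, "dpf_downloads": dpf, "lsp_dlls": dict(lsp)}


if __name__ == "__main__":
    for hit in cross_reference(SAMPLE_SAS_LOG, SAMPLE_HJT_LOG):
        print(hit)
    print(review_items(SAMPLE_HJT_LOG))
```

Running it reports the {105F7208-...} BHO as an orphaned registration belonging to the "Adware.Vundo Variant" block, the two MySpaceIM Run keys that fire for the SYSTEM and default profiles, the Panda ActiveScan DPF entry, and is3lsp.dll appearing twice in the LSP chain. The repeated LSP lines are listed for review only: a legitimate LSP registers once per protocol, so repetition by itself is not evidence of infection.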



#2 SifuMike (malware expert)

Posted 29 February 2008 - 11:01 PM

Hello Victoria,

We will run ComboFix. :thumbsup:

You need to disable your AVAST Antivirus, Spyware Doctor, STOPzilla! and Spybot Teatimer before running ComboFix, as they will prevent it from running.


To disable avast antivirus:
Right click on the avast! icon in the system tray and choose (Stop On-Access Protection)

To disable Spybot's Teatimer:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts

To disable Spyware Doctor from running on your system startup:
1. First, disable the OnGuard Tools. This way, when you exit Spyware Doctor, these tools won't stay resident in the background.
2. Click the "Settings" button on the left side.
3. Click the "Startup Settings" link.
4. Uncheck "Run at Windows Startup".
5. Click the "Apply" button.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Be sure to install the Windows XP Recovery Console in case you have not installed it yet. <== IMPORTANT

We need Recovery Console because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.


Post the ComboFix log.

If I've saved you time & money, please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Victoria (Topic Starter)

Posted 01 March 2008 - 07:42 AM

I don't have the avast icon in my system tray. I only have the desktop icon. Will that work? It doesn't give me the option to stop on-access protection. Is the fact that the avast icon is missing from the system tray the reason my system is getting so messed up?

#4 SifuMike (malware expert)

Posted 01 March 2008 - 12:34 PM

Hi Victoria,

It may be your antivirus has previously been turned off by malware.

Uninstall AVAST, then reinstall it. Here is the download link: Avast


Now you should have the avast icon in the system tray. Now you should be able to disable it.

Edited by SifuMike, 01 March 2008 - 12:34 PM.


#5 Victoria (Topic Starter)

Posted 03 March 2008 - 06:45 PM

I run into one problem after another! I just realized I don't have a Windows XP CD. I took my computer in for repair a while back and the repair man installed "XP", so I don't have a CD. Am I screwed? (Also my CD drive only works when it wants to. Most of the time it doesn't even notice a CD is in it.) :thumbsup:

#6 SifuMike (malware expert)

Posted 03 March 2008 - 11:31 PM

Hi Victoria,

"I just realized I don't have a windows xp CD."

You don't need the Windows XP CD to install Recovery Console.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

If on the other hand, you use Windows XP and do not have the Windows CD, ComboFix includes a method of installing the Windows Recovery console by downloading a file from Microsoft. To install the Windows Recovery Console when you do not have the Windows XP CD, please follow these instructions:

For Windows XP SP2 Home Edition:
If Recovery Console installs correctly, ComboFix will give you a log like this:

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons


Then you can run ComboFix.
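As an added check (editor's code, not ComboFix's and not from this thread): the boot.ini fragment in the post above is what a successful Recovery Console install looks like, and the ComboFix log later in the thread warns when the console is missing. The script below parses a boot.ini in that layout and reports whether an [operating systems] entry carries the /cmdcons switch and what the boot menu timeout is. The sample text is the fragment from the post; a second copy with the console line removed is constructed to show the negative case. On a live XP machine the file is C:\boot.ini (hidden, system attribute); the script only works on the embedded text.

```python
import re

# Constructed sample: the boot.ini excerpt ComboFix printed in the post above.
BOOT_INI_WITH_CONSOLE = r"""
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
"""

# Same file without the Recovery Console entry (constructed negative case).
BOOT_INI_WITHOUT_CONSOLE = "\n".join(
    line for line in BOOT_INI_WITH_CONSOLE.splitlines() if "/cmdcons" not in line)


def parse_boot_ini(text):
    """Minimal INI reader: {section: {key: value}}, splitting on the first '='.

    configparser is avoided because ARC paths contain '(' and ')' and the values
    themselves contain '=' (e.g. /noexecute=optin).
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def boot_entries(text):
    """One dict per [operating systems] line: ARC/file path, display name, switches."""
    entries = []
    for path, value in parse_boot_ini(text).get("operating systems", {}).items():
        m = re.match(r'"([^"]*)"\s*(.*)$', value)
        name, switches = (m.group(1), m.group(2).split()) if m else (value, [])
        entries.append({"path": path, "name": name, "switches": switches})
    return entries


def recovery_console_installed(text):
    """True when some boot entry is started with the /cmdcons switch."""
    return any("/cmdcons" in e["switches"] for e in boot_entries(text))


def boot_menu_timeout(text):
    """Seconds the boot menu is shown before the default entry loads."""
    return int(parse_boot_ini(text).get("boot loader", {}).get("timeout", "0"))


if __name__ == "__main__":
    for sample in (BOOT_INI_WITH_CONSOLE, BOOT_INI_WITHOUT_CONSOLE):
        print(recovery_console_installed(sample), boot_menu_timeout(sample), boot_entries(sample))
```

The timeout value is the "screen stays for 2 seconds" behaviour described earlier in the thread; the script reads it from the same file rather than assuming it.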

#7 Victoria (Topic Starter)

Posted 04 March 2008 - 05:33 PM

Here is the log. Also when I make a donation does it go directly to you or is it divided amongst everyone?

ComboFix 08-03-04.2 - user 2008-03-04 4:52:40.1 - NTFSx86
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\user\Application Data\ASEMBL~1
C:\Documents and Settings\user\Application Data\ASEMBL~1\a?sembly\
C:\Documents and Settings\user\ResErrors.log
C:\Program Files\Helper
C:\temp\tn3
C:\WINDOWS\system32\agfvvqif.ini
C:\WINDOWS\system32\crosof~1
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\rdbsss.sys
C:\WINDOWS\system32\ghoirouu.ini
C:\WINDOWS\system32\ijjlm.ini2
C:\WINDOWS\system32\mmllm.ini
C:\WINDOWS\system32\mmllm.ini2
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe
C:\WINDOWS\system32\qqpmdvnx.ini
C:\WINDOWS\system32\uufnyovp.ini
C:\WINDOWS\system32\xyadd.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_RDBSSS
-------\rdbsss


((((((((((((((((((((((((( Files Created from 2008-02-04 to 2008-03-04 )))))))))))))))))))))))))))))))
.

2008-03-03 07:38 . 2008-03-03 07:38 419 --a------ C:\WINDOWS\BRWMARK.INI
2008-03-03 07:38 . 2008-03-03 07:38 184 --a------ C:\WINDOWS\system32\brsvc01a.bsi
2008-03-03 07:38 . 2008-03-03 07:38 30 --a------ C:\WINDOWS\system32\brss01a.ini
2008-03-03 07:38 . 2008-03-03 07:38 27 --a------ C:\WINDOWS\BRPP2KA.INI
2008-03-01 22:31 . 2007-12-04 04:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-03-01 22:31 . 2007-12-04 06:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-01 22:31 . 2007-12-04 06:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-03-01 22:31 . 2007-12-04 06:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-01 22:31 . 2007-12-04 06:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-01 22:31 . 2007-12-04 06:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-01 22:30 . 2007-12-04 05:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-03-01 22:30 . 2004-01-09 01:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-02-28 17:57 . 2008-02-28 17:57 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-28 15:46 . 2008-02-28 15:47 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-28 15:46 . 2008-02-28 15:47 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-28 15:46 . 2008-02-28 15:47 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-28 15:45 . 2008-03-02 14:22 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-26 20:20 . 2008-03-03 05:03 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-02-26 17:15 . 2008-02-26 17:15 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Share-to-Web Upload Folder
2008-02-26 16:48 . 2008-03-03 04:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-02-26 16:40 . 2008-02-26 16:40 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-02-26 16:39 . 2008-03-03 04:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-02-18 02:50 . 2008-03-02 16:26 376 --a------ C:\WINDOWS\wininit.ini
2008-02-17 23:02 . 2008-02-28 16:42 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-17 23:02 . 2008-02-28 15:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-17 22:21 . 2008-02-17 22:21 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-17 19:52 . 2008-02-17 17:40 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-17 17:39 . 2008-02-17 19:52 <DIR> d-------- C:\Documents and Settings\user\.housecall6.6
2008-02-17 07:39 . 2008-02-17 07:39 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-02-07 04:56 . 2008-02-07 04:57 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-07 04:42 . 2008-02-25 15:14 <DIR> d-------- C:\SDFix
2008-02-05 06:02 . 2008-02-05 06:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\StarOffice8
2008-02-04 22:30 . 2008-02-04 22:33 <DIR> d-------- C:\Documents and Settings\user\Application Data\StarOffice8
2008-02-04 17:04 . 2008-02-04 17:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-02-04 16:53 . 2008-02-04 16:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-04 16:46 . 2008-03-02 16:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-04 16:46 . 2008-02-04 16:46 <DIR> d-------- C:\Documents and Settings\user\Application Data\SUPERAntiSpyware.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 13:02 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-03 23:27 --------- d-----w C:\Program Files\Spyware Doctor
2008-03-02 11:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-03-02 00:09 --------- d-----w C:\Program Files\CallWave
2008-02-29 00:28 --------- d-----w C:\Program Files\Google
2008-02-18 05:09 --------- d-----w C:\Documents and Settings\user\Application Data\OpenOffice.org2
2008-02-05 00:45 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-01 02:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-21 21:23 --------- d-----w C:\Program Files\WildBlue
2008-01-21 04:41 --------- d-----r C:\Documents and Settings\All Users\Application Data\SalesMon
2007-12-14 19:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
.
----a-w			68,856 2008-01-21 05:10:18  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{105F7208-CB70-4DA2-AE84-FB15C1513456}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [ ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 17:47 8720384]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Auto Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Auto Detect.lnk
backup=C:\WINDOWS\pss\Auto Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CallWave.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CallWave.lnk
backup=C:\WINDOWS\pss\CallWave.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=C:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
backup=C:\WINDOWS\pss\officejet 6100.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^OpenOffice.org 2.2.lnk]
path=C:\Documents and Settings\user\Start Menu\Programs\Startup\OpenOffice.org 2.2.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 12:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2007-12-04 05:00 79224 C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dtnt]
C:\DOCUME~1\user\APPLIC~1\ASEMBL~1\csrss.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2004-08-20 15:51 118784 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2004-08-20 15:55 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 08:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-12-18 17:47 8720384 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 02:50 155648 C:\WINDOWS\system32\\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
C:\Program Files\Spyware Doctor\SDTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2002-04-11 03:19 69632 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 00:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-10-18 09:44 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vkgrejdy]
C:\WINDOWS\system32\??crosoft\t?skmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2004-12-20 10:41 33792 C:\Program Files\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=


.
Contents of the 'Scheduled Tasks' folder
"2008-01-20 09:57:36 C:\WINDOWS\Tasks\ashQuick.job"
- C:\Program Files\Alwil Software\Avast4\ashQuick.exe
"2008-02-25 07:58:03 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.5.30.2.sxt _RegistrationOffer@16
"2008-01-19 21:05:51 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1192824293.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-04 05:05:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-03-04 5:12:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-04 13:11:57
.
2008-02-13 11:09:29 --- E O F ---

#8 SifuMike

malware expert
Posted 04 March 2008 - 07:44 PM

Hi Victoria,

Also when I make a donation does it go directly to you or is it divided amongst everyone?


It goes directly to me. :thumbsup:


You have some suspicious files we need to check.

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'Show hidden files and folders',
deselect (uncheck) 'Hide protected operating system files (recommended)', and
deselect (uncheck) 'Hide extensions for known file types'.


Go to the next site: http://www.virustotal.com/en/indexf.html
At the top you'll find 'Browse'.
Click the Browse button and browse to the next file:

C:\WINDOWS\BRWMARK.INI

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.

Perform the same for the next files:

C:\WINDOWS\system32\brss01a.ini
C:\WINDOWS\BRPP2KA.INI


Once scanned, copy and paste the results also in your next reply.


*****************************


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\wininit.ini
C:\WINDOWS\system32\??crosoft\t?skmgr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\DOCUME~1\user\APPLIC~1\ASEMBL~1\csrss.exe

Registry:: 
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dtnt]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vkgrejdy]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

RenV:: 
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



[Screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
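The entries the CFScript above removes or renames share tell-tale signs a defender can check for mechanically: a core Windows process name (csrss.exe) running from Application Data, a directory and file name spelled with characters the log can only render as '?', and a space before the .exe extension. The Python below is an added example, not code from the thread, ComboFix or HijackThis: it parses a ComboFix-style 'Reg Loading Points' listing (the sample is constructed to mirror the log's entries) and flags those three patterns; the heuristics, function names and regexes are the editor's own.

```python
"""Flag masquerading autostart entries of the kinds seen in the ComboFix log.

Added example; not code from the thread, ComboFix or HijackThis. The sample
listing below is constructed to mirror the log's entries, and the heuristics
are the editor's own, not ComboFix's detection logic.
"""
import re

# Core Windows process names that legitimately run only from the system
# directory (explorer.exe from C:\WINDOWS). The same name anywhere else,
# e.g. csrss.exe under Application Data in the log, is a masquerade.
SYSTEM_PROCESS_NAMES = {
    "csrss.exe", "smss.exe", "winlogon.exe", "lsass.exe", "services.exe",
    "svchost.exe", "spoolsv.exe", "taskmgr.exe", "explorer.exe",
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "<attrs> <date> <time> <size> <path>" or a bare path, as the listing prints them
FILE_LINE_RE = re.compile(
    r"^(?:[-a-z]{9}\s+\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+\d+\s+)?"
    r"(?P<path>[A-Za-z]:\\.*\S)\s*$"
)
# "Name"="C:\path\file.exe" [date time size]   (Run-key values)
VALUE_LINE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"')

# Constructed sample in the 'Reg Loading Points' layout, mirroring the log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dtnt]
C:\DOCUME~1\user\APPLIC~1\ASEMBL~1\csrss.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vkgrejdy]
C:\WINDOWS\system32\??crosoft\t?skmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]
"""


def parse_autostart(text: str) -> list[tuple[str, str]]:
    """Return (entry_name, path) pairs from a ComboFix-style loading-points listing."""
    entries = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            # the last key component (e.g. 'Dtnt') names the entry
            current_key = m.group("key").rsplit("\\", 1)[-1]
        elif m := VALUE_LINE_RE.match(line):
            entries.append((m.group("name"), m.group("path")))
        elif m := FILE_LINE_RE.match(line):
            entries.append((current_key, m.group("path")))
    return entries


def check_path(path: str) -> list[str]:
    """Reasons a single autostart path looks like a masquerade (empty if clean)."""
    reasons = []
    norm = path.replace("/", "\\")
    dirname, _, name = norm.rpartition("\\")
    dirname, lname = dirname.rstrip("\\").lower(), name.lower()
    legit_dir = (dirname == "c:\\windows\\system32"
                 or (lname == "explorer.exe" and dirname == "c:\\windows"))
    if lname in SYSTEM_PROCESS_NAMES and not legit_dir:
        reasons.append(f"system process name '{name}' outside the Windows system directory")
    # '?' is not a valid character in a Windows file name, so a '?' in the
    # listing (or any non-ASCII character) marks a name spelled with
    # characters the tool could not render: a lookalike of a real name.
    if "?" in norm or any(ord(c) > 127 for c in norm):
        reasons.append("non-ASCII or unprintable characters in path (lookalike name)")
    # 'GoogleToolbarNotifier .exe' style: whitespace right before the extension
    if re.search(r"\s\.[A-Za-z0-9]{1,4}$", name):
        reasons.append("whitespace before the file extension")
    return reasons


def scan(text: str) -> dict[str, list[str]]:
    """Map each suspicious entry name to its reasons; clean entries are omitted."""
    findings = {}
    for name, path in parse_autostart(text):
        reasons = check_path(path)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
```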

#9 Victoria

Posted 04 March 2008 - 09:36 PM

I'm trying not to be too bothersome BUT I just noticed the recovery console didn't install.

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

Should I try installing it again? I am currently running the scans and I just wonder if I should stop and try to reinstall the recovery console.

#10 SifuMike

malware expert
Posted 04 March 2008 - 10:03 PM

Yes, try to install Recovery Console. It's quite easy to do. Follow the instructions in the ComboFix thread:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Then run the CFScript I gave you. Then post the ComboFix log and a fresh HijackThis log.

#11 Victoria

Posted 04 March 2008 - 10:58 PM

I hope this is right :thumbsup:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:49:51 PM, on 3/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wildblue.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {105F7208-CB70-4DA2-AE84-FB15C1513456} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 5115 bytes





ComboFix 08-03-04.2 - user 2008-03-04 19:39:22.3 - NTFSx86
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\DOCUME~1\user\APPLIC~1\ASEMBL~1\csrss.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\wininit.ini
.

((((((((((((((((((((((((( Files Created from 2008-02-05 to 2008-03-05 )))))))))))))))))))))))))))))))
.

2008-03-04 18:51 . 2004-08-12 05:56 388,608 --a------ C:\CF980.exe
2008-03-03 07:38 . 2008-03-03 07:38 419 --a------ C:\WINDOWS\BRWMARK.INI
2008-03-03 07:38 . 2008-03-03 07:38 184 --a------ C:\WINDOWS\system32\brsvc01a.bsi
2008-03-03 07:38 . 2008-03-03 07:38 30 --a------ C:\WINDOWS\system32\brss01a.ini
2008-03-03 07:38 . 2008-03-03 07:38 27 --a------ C:\WINDOWS\BRPP2KA.INI
2008-03-01 22:31 . 2007-12-04 04:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-03-01 22:31 . 2007-12-04 06:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-01 22:31 . 2007-12-04 06:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-03-01 22:31 . 2007-12-04 06:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-01 22:31 . 2007-12-04 06:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-01 22:31 . 2007-12-04 06:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-01 22:30 . 2007-12-04 05:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-03-01 22:30 . 2004-01-09 01:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-02-28 17:57 . 2008-02-28 17:57 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-28 15:46 . 2008-02-28 15:47 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-28 15:46 . 2008-02-28 15:47 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-28 15:46 . 2008-02-28 15:47 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-28 15:45 . 2008-03-02 14:22 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-26 20:20 . 2008-03-03 05:03 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-02-26 17:15 . 2008-02-26 17:15 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Share-to-Web Upload Folder
2008-02-26 16:48 . 2008-03-03 04:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-02-26 16:40 . 2008-02-26 16:40 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-02-26 16:39 . 2008-03-03 04:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-02-17 23:02 . 2008-02-28 16:42 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-17 23:02 . 2008-02-28 15:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-17 22:21 . 2008-02-17 22:21 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-17 19:52 . 2008-02-17 17:40 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-17 17:39 . 2008-02-17 19:52 <DIR> d-------- C:\Documents and Settings\user\.housecall6.6
2008-02-17 07:39 . 2008-02-17 07:39 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-02-07 04:56 . 2008-02-07 04:57 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-07 04:42 . 2008-02-25 15:14 <DIR> d-------- C:\SDFix
2008-02-05 06:02 . 2008-02-05 06:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\StarOffice8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-05 03:24 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-05 02:53 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-04 13:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-03-03 23:27 --------- d-----w C:\Program Files\Spyware Doctor
2008-03-02 00:09 --------- d-----w C:\Program Files\CallWave
2008-02-29 00:28 --------- d-----w C:\Program Files\Google
2008-02-18 05:09 --------- d-----w C:\Documents and Settings\user\Application Data\OpenOffice.org2
2008-02-05 06:33 --------- d-----w C:\Documents and Settings\user\Application Data\StarOffice8
2008-02-05 01:04 --------- d-----w C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-02-05 00:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-05 00:46 --------- d-----w C:\Documents and Settings\user\Application Data\SUPERAntiSpyware.com
2008-02-05 00:45 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-01 02:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-21 21:23 --------- d-----w C:\Program Files\WildBlue
2008-01-21 04:41 --------- d-----r C:\Documents and Settings\All Users\Application Data\SalesMon
2007-12-14 19:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{105F7208-CB70-4DA2-AE84-FB15C1513456}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [ ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 17:47 8720384]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Auto Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Auto Detect.lnk
backup=C:\WINDOWS\pss\Auto Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CallWave.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CallWave.lnk
backup=C:\WINDOWS\pss\CallWave.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=C:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
backup=C:\WINDOWS\pss\officejet 6100.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^OpenOffice.org 2.2.lnk]
path=C:\Documents and Settings\user\Start Menu\Programs\Startup\OpenOffice.org 2.2.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 12:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2007-12-04 05:00 79224 C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2004-08-20 15:51 118784 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2004-08-20 15:55 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 08:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-12-18 17:47 8720384 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 02:50 155648 C:\WINDOWS\system32\\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
C:\Program Files\Spyware Doctor\SDTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2002-04-11 03:19 69632 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-01-20 21:10 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-10-18 09:44 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2004-12-20 10:41 33792 C:\Program Files\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=


.
Contents of the 'Scheduled Tasks' folder
"2008-01-20 09:57:36 C:\WINDOWS\Tasks\ashQuick.job"
- C:\Program Files\Alwil Software\Avast4\ashQuick.exe
"2008-02-25 07:58:03 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.5.30.2.sxt _RegistrationOffer@16
"2008-01-19 21:05:51 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1192824293.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-04 19:44:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-04 19:47:04
ComboFix-quarantined-files.txt 2008-03-05 03:46:57
ComboFix2.txt 2008-03-05 03:09:01
ComboFix3.txt 2008-03-04 13:12:10
.
2008-02-13 11:09:29 --- E O F ---

#12 SifuMike

malware expert
Posted 04 March 2008 - 11:57 PM

Hi Victoria,

Good job. :thumbsup:

Did you run the Virus Total scans on those three files?

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove the older Java components and update.

Updating Java:
  • Download the latest version of Sun Java Runtime Environment 6 Update 5.
  • Scroll down to where it says "Sun Java Runtime Environment 6 Update 5".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u5-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u5-windows-i586-p.exe to install the newest version.


Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

O2 - BHO: (no name) - {105F7208-CB70-4DA2-AE84-FB15C1513456} - (no file)


Reboot your computer and post a fresh Hijackthis log.

Edited by SifuMike, 05 March 2008 - 12:03 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 Victoria

Posted 05 March 2008 - 07:53 PM

Here is the newest HJT log :thumbsup:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:50:58 PM, on 3/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wildblue.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} (Java Plug-in 1.6.0) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 5806 bytes
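
The log above is the kind of thing a helper reads by eye: the one remaining entry flagged in the previous reply is the `(no file)` BHO CLSID, and the O16 lines show Java plug-in registrations left behind by JRE versions older than the jre1.6.0_05 now installed. As an added example (not part of this thread, and not a HijackThis feature or the helper's own tool), here is a small Python script that parses O2 BHO and O16 DPF lines in HijackThis 2.x format and flags those two patterns. The sample lines are constructed from entries in this thread; the flagging heuristics, and inferring the installed JRE from `jre<version>` directories seen in paths, are assumptions of the example rather than HijackThis rules.

```python
"""Triage helper for HijackThis 2.x log lines (added example, not a HijackThis feature)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in HijackThis format, modelled on entries in this thread.
SAMPLE_LOG = "\n".join([
    "O2 - BHO: (no name) - {105F7208-CB70-4DA2-AE84-FB15C1513456} - (no file)",
    "O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - "
    "C:\\Program Files\\Java\\jre1.6.0_05\\bin\\ssv.dll",
    "O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe",
    "O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} (Java Plug-in 1.6.0) -",
    "O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -",
    "O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - "
    "http://acs.pandasoftware.com/activescan/as5free/asinst.cab",
    "O23 - Service: avast! Antivirus - ALWIL Software - "
    "C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe",
])

Version = Tuple[int, int, int, int]  # (major, minor, micro, update)

# Line shapes as HijackThis 2.x prints them for BHO (O2) and DPF (O16) entries.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
DPF_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>.*?)\) -\s*(?P<url>.*)$")
# JRE version as it appears in an install directory (\jre1.6.0_05\) and in a plug-in name.
JRE_PATH_RE = re.compile(r"\\jre(\d+\.\d+\.\d+)(?:_(\d+))?\\")
JAVA_PLUGIN_RE = re.compile(r"Java Plug-in (\d+\.\d+\.\d+)(?:_(\d+))?")


def parse_version(base: str, update: Optional[str]) -> Version:
    """'1.6.0' + '05' -> (1, 6, 0, 5); a missing update number counts as 0."""
    major, minor, micro = (int(p) for p in base.split("."))
    return (major, minor, micro, int(update) if update else 0)


def format_version(v: Version) -> str:
    base = ".".join(str(p) for p in v[:3])
    return f"{base}_{v[3]:02d}" if v[3] else base


@dataclass
class Finding:
    line: str
    clsid: str
    reasons: List[str] = field(default_factory=list)


def installed_jre_versions(lines) -> List[Version]:
    """JRE versions inferred from jre<version> directories in any path in the log (assumption)."""
    found = set()
    for line in lines:
        for m in JRE_PATH_RE.finditer(line):
            found.add(parse_version(m.group(1), m.group(2)))
    return sorted(found)


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per O2/O16 line that deserves a second look.

    Heuristics (assumptions made for this example, not HijackThis rules):
      * an O2 BHO whose file is '(no file)' is an orphaned CLSID registration;
      * an O16 DPF with no download location is a stale registration;
      * an O16 Java plug-in older than the newest JRE seen in paths is a leftover
        of an earlier install and goes away when old Java versions are removed.
    """
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    installed = installed_jre_versions(lines)
    newest = installed[-1] if installed else None
    findings: List[Finding] = []
    for line in lines:
        m = BHO_RE.match(line)
        if m:
            if m.group("path").strip().lower() == "(no file)":
                findings.append(Finding(line, m.group("clsid"),
                                        ["BHO registered with no backing file (orphaned CLSID)"]))
            continue
        m = DPF_RE.match(line)
        if not m:
            continue
        reasons = []
        if not m.group("url").strip():
            reasons.append("DPF entry with no download location (stale registration)")
        pm = JAVA_PLUGIN_RE.search(m.group("name"))
        if pm and newest is not None and parse_version(pm.group(1), pm.group(2)) < newest:
            reasons.append(f"Java plug-in older than installed JRE {format_version(newest)}")
        if reasons:
            findings.append(Finding(line, m.group("clsid"), reasons))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("   ->", reason)
```

Run as a script it prints each flagged line with its reasons; on the constructed sample that is the orphaned BHO and the two Java plug-in DPF entries, while the ActiveScan DPF (which has a download URL and is not a Java plug-in) and the ordinary O4/O23 lines pass through. Feed it a full saved HijackThis log via `triage(open(path).read())` to get the same list for a real machine.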

#14 SifuMike

Posted 05 March 2008 - 11:00 PM

Hi Victoria,


Your log looks clean! :thumbsup: Good job on the cleanup!

Uninstall ComboFix: go to Start > Run & type in ComboFix /u
Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete any of its related folders and files (Qoobox, VundoFix Backups, Avenger, Deckard, _OTMoveIt), reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.


Please read and follow How did I get infected?, With steps so it does not happen again!
as well as
How to prevent Malware by miekiemoes


If you want to improve speed/system performance after malware removal, take a look here.

#15 Victoria

Posted 06 March 2008 - 07:22 AM

You're my hero! My computer is running smoothly after weeks of pop ups. (I'm going to blame my husband for those popups!)
Check your paypal account. Thanks so much!



