Hijacked Ads And Lots Of Them


This topic is locked
19 replies to this topic

#1 mp2002
Posted 10 March 2008 - 09:49 PM

I had Vundo and other trojan issues and a moderator had me run SAS and a cleaner and it found lots of stuff and quarantined it. I am being attacked by ads (not new pop up pages but ads within my pages) and they are either flashing beeping type ads or flashing as regular ads for only a few seconds and then turning into adult content ads. They are on every page including this one I am typing on right now. I read on your site that Google was having hijack probs so I deleted my Google toolbar & desktop and it went away for a day and a half but it is back. In addition, I can no longer send out e-mails as I get an error message: mailcenter3.comcast.net/?cmd=composeManage&sid=c0&popup=yes - Internet explorer cannot d - Windows Internet Explorer

Computer is also very slow. Moderator advised me to post this log as badly infected. Please advise if any other info. is needed. Thx. very much.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25:13 PM, on 3/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {E82C2A91-BDEB-4B3F-BAC9-B9932D82FCCE} - C:\Program Files\Online Services\hopetexy83122.dll (file missing)
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BMffe08c59] Rundll32.exe "C:\WINDOWS\system32\ekuuhkam.dll",s
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\AiO\HPis\bin\matcli.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN\proky.html

--
End of file - 8675 bytes
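The log above is the raw material a helper reads by hand. The following script is an added example (it is not part of this thread and is not HijackThis code) that parses HijackThis 2.0 entry lines and flags the three shapes the helper later acts on: an O2 BHO whose DLL is reported missing, an O4 Run entry that loads an all-lowercase eight-letter DLL from system32 through rundll32, and an O24 desktop component that points at a local file. The three heuristics are the editor's assumptions, modelled on the entries this thread targets; the sample input is six lines copied from the log above so the script runs offline.

```python
"""Triage a HijackThis 2.0 log for the entry types the helper in this thread
acted on: a BHO whose DLL is missing on disk, a Run entry that loads a
random-named DLL through rundll32, and an O24 desktop component that points
at a local HTML file.

Added example, not part of the BleepingComputer thread and not HijackThis
code. The three heuristics are the editor's assumptions, modelled on the
entries the helper chose to fix; they are a triage aid, not a verdict.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: six lines copied from the log in post #1 (three benign,
# three that the helper later targeted), so the script runs offline.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {E82C2A91-BDEB-4B3F-BAC9-B9932D82FCCE} - C:\Program Files\Online Services\hopetexy83122.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BMffe08c59] Rundll32.exe "C:\WINDOWS\system32\ekuuhkam.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN\proky.html
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O2"
    reason: str    # why the entry was flagged
    line: str      # the original log line


# Every HijackThis entry is "<Rn|On> - <body>".
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# O2: BHO: <name> - {<CLSID>} - <path>[ (file missing)]
BHO_RE = re.compile(
    r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# O4: <hive>\..\Run: [<value name>] <command line>
RUN_RE = re.compile(r"^(?P<hive>.*?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O24: Desktop Component <n>: <name> - <source>
DESKTOP_RE = re.compile(r"^Desktop Component \d+: (?P<name>.*?) - (?P<source>.*)$")
# Assumption: rundll32 loading an all-lowercase, 8-letter DLL out of
# system32 (the ekuuhkam.dll shape in this log) is worth a look; vendor
# DLLs such as NvCpl.dll do not satisfy the [a-z]{8} constraint.
RANDOM_DLL_RE = re.compile(
    r'(?i:rundll32(?:\.exe)?)\s+"?(?:[^"\s]*\\)?(?i:system32)\\[a-z]{8}\.dll\b'
)


def triage(log_text: str) -> List[Finding]:
    """Return the entries that match one of the three heuristics, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, process list, blank lines
        sec, body = m["sec"], m["body"]
        if sec == "O2":
            b = BHO_RE.match(body)
            if b and b["missing"]:
                findings.append(Finding(sec, "BHO registered but its DLL is missing on disk", line))
        elif sec == "O4":
            r = RUN_RE.match(body)
            if r and RANDOM_DLL_RE.search(r["cmd"]):
                findings.append(Finding(sec, "rundll32 loads a random-named DLL from system32", line))
        elif sec == "O24":
            d = DESKTOP_RE.match(body)
            if d and not re.match(r"https?://", d["source"], re.IGNORECASE):
                findings.append(Finding(sec, "desktop component sources a local file", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run against the sample it reports exactly the three lines the helper's CFScript later names (hopetexy83122.dll, the ekuuhkam.dll Run entry and proky.html) and stays quiet on the Java, NVIDIA and ctfmon entries. A missing-file BHO is flagged because the registration outlives the DLL that a cleaner already removed; the eight-letter rule is deliberately narrow so that it does not fire on ordinary vendor DLLs.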

#2 lusitano
Posted 12 March 2008 - 05:39 AM

Hi, welcome to Bleeping Computer Forums!

You might want to save this page on your favorites, so you can find it again when you return.


Please take note of the following:
  • I will be handling your log and helping you; please do not make any system changes yet.
  • The process is not instant. Please continue to review my answers until I tell you that your computer is clean. Be patient.
  • The fixes are specific to your problem and should only be used for this issue on this machine
  • If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.

:thumbsup:
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#3 lusitano
Posted 13 March 2008 - 01:52 PM

Hello mp2002

I see that Viewpoint is installed. Viewpoint, Viewpoint Manager and Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player's components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager, the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.

Viewpoint Manager is considered foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad". This may change, read Viewpoint to Plunge Into Adware.
I recommend that you remove the Viewpoint products; however, decide for yourself. Let me know about your decision in your next reply.


Download ComboFix from Here or Here to your Desktop. Read first: "How to download and use ComboFix"
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist.



Regards

#4 mp2002
Posted 13 March 2008 - 07:11 PM

I have no problem deleting the Viewpoint stuff...didn't even know it was on there or what it was. I am not very well versed w/this kind of stuff so I have to ask a stupid question. I'm not sure how to get rid of it. I went into the control panel to the add/remove programs and removed the Viewpoint Media Player but did not get the disable screen you talked about. I think the Viewpoint Mgr. is somewhere else and I don't know how to get there. I see a Viewpoint and View22 folder in program files but don't think that is where you want me to disable is it? Can you tell me exactly how to get where I need to in order to do what you indicated. Sorry I am being a computer geek. Thanks very much for your help. Once I do this I will do the Combo fix.

#5 lusitano
Posted 14 March 2008 - 07:00 AM

Hey mp2002,

We will take care of Viewpoint later. :thumbsup:

Now please run ComboFix.

Thanks

#6 mp2002
Posted 16 March 2008 - 02:20 PM

Hi, sorry for taking so long to get back to you. I have been trying to find my Windows XP disc to run the recovery console as noted in the ComboFix instructions. Found it today but it says it is an older version of XP than on my computer and I have looked all over the house for the disc. I wasn't sure if I should run the ComboFix without the recovery console. Sorry I am being so dense about this. Should I still run the fix w/o the recovery? Thanks for any insight.

#7 lusitano
Posted 16 March 2008 - 03:29 PM

Yes, please run ComboFix :thumbsup:

#8 mp2002
Posted 16 March 2008 - 07:17 PM

Hopefully I did this correctly!

ComboFix 08-03-13.4 - Margaret Burt 2008-03-16 19:20:22.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.211 [GMT -4:00]
Running from: C:\Documents and Settings\Margaret Burt\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\ClientMan
C:\Program Files\Common Files\oe
C:\Program Files\orbit
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\WINDOWS\BMffe08c59.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\lcwuotiy.dll
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\win
C:\WINDOWS\system32\wiuffrsi.dll
C:\WINDOWS\system32\wvvwa.bak1
C:\WINDOWS\system32\wvvwa.bak2
C:\WINDOWS\system32\wvvwa.ini
C:\WINDOWS\system32\wvvwa.ini2
C:\WINDOWS\system32\wvvwa.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FOPN
-------\LEGACY_TNIDRIVER
-------\TnIDriver


((((((((((((((((((((((((( Files Created from 2008-02-16 to 2008-03-16 )))))))))))))))))))))))))))))))
.

2008-03-10 22:24 . 2008-03-10 22:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-10 22:06 . 2008-03-16 19:36 14,217,248 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-10 22:06 . 2008-03-16 19:34 167,636 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-10 21:55 . 2008-03-10 21:55 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\MailFrontier
2008-03-10 21:55 . 2008-03-10 22:04 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-03-10 21:54 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-03-10 21:54 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-03-08 22:56 . 2008-03-08 22:56 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-08 22:56 . 2008-03-08 22:56 <DIR> d-------- C:\Documents and Settings\Margaret Burt\Application Data\Malwarebytes
2008-03-08 22:56 . 2008-03-08 22:56 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-03-08 22:54 . 2008-03-08 22:54 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-03-08 05:28 . 2008-03-08 05:28 1,307,561 ---hs---- C:\WINDOWS\system32\selrdkef.ini
2008-03-08 05:07 . 2008-03-08 05:08 1,307,561 ---hs---- C:\WINDOWS\system32\dahxhyhy.ini
2008-03-08 03:22 . 2008-03-08 03:22 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2008-03-08 03:21 . 2008-03-08 03:21 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-08 03:21 . 2008-03-08 03:21 <DIR> d-------- C:\Documents and Settings\Margaret Burt\Application Data\SUPERAntiSpyware.com
2008-03-08 02:10 . 2008-02-22 03:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-08 00:14 . 2008-03-08 00:14 1,307,561 ---hs---- C:\WINDOWS\system32\itlxnyeu.ini
2008-03-07 20:56 . 2008-03-07 21:00 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-02-29 23:55 . 2008-02-29 23:55 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\PlayFirst
2008-02-29 23:18 . 2008-02-29 23:54 <DIR> d-------- C:\Program Files\Nick Arcade
2008-02-20 00:34 . 2008-02-20 00:34 <DIR> d-------- C:\Documents and Settings\Margaret Burt\Application Data\iWin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-16 12:00 --------- d-----w C:\Documents and Settings\Margaret Burt\Application Data\AVG7
2008-03-13 23:53 --------- d-----w C:\Program Files\Viewpoint
2008-03-13 23:53 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint
2008-03-10 13:39 --------- d-----w C:\Program Files\Vacation Countdown v1
2008-03-08 17:25 --------- d-----w C:\Program Files\Lavasoft
2008-03-08 17:25 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-08 07:48 --------- d-----w C:\Program Files\Google
2008-03-08 06:10 --------- d-----w C:\Program Files\Java
2008-03-07 20:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-07 20:06 --------- d-----w C:\Documents and Settings\Margaret Burt\Application Data\Desperate Housewives
2008-03-07 20:00 --------- d-----w C:\Program Files\Best Buy Rhapsody
2008-03-01 03:55 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-03-01 03:55 --------- d-----w C:\Documents and Settings\Margaret Burt\Application Data\PlayFirst
2008-02-12 20:07 --------- d-----w C:\Program Files\Electronic Arts
2008-02-01 02:19 --------- d-----w C:\Program Files\Common Files\xing shared
2008-01-26 22:38 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-26 21:57 --------- d-----w C:\Documents and Settings\Margaret Burt\Application Data\Musicmatch
2008-01-26 21:56 --------- d-----w C:\Program Files\MUSICMATCH
2008-01-20 23:26 --------- d-----w C:\Documents and Settings\Margaret Burt\Application Data\Lionhead Studios
2008-01-20 22:53 --------- d-----w C:\Program Files\Lionhead Studios Ltd
2008-01-20 22:53 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Lionhead Studios
2008-01-20 17:52 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-18 08:54 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\HipSoft
2008-01-16 08:39 --------- d-----w C:\Documents and Settings\Margaret Burt\Application Data\Eyeblaster
2006-09-12 04:07 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E82C2A91-BDEB-4B3F-BAC9-B9932D82FCCE}]
C:\Program Files\Online Services\hopetexy83122.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-03-07 22:30 67128]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 17:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTPreset"="VTPreset.exe" [2004-02-24 20:17 45056 C:\WINDOWS\system32\VTPreset.exe]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 05:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-07-21 00:07 7110656]
"nwiz"="nwiz.exe" [2005-07-21 00:07 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-07-21 00:07 86016]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 10:19 579072]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"SansaDispatch"="C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe" [2007-05-02 19:00 55368]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 49152]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-31 22:09 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 10:21 219136]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
pow.lnk - C:\Program Files\AnalogX\POW\pow.exe [2003-10-17 21:49:42 78852]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24 210520]
hp instant support.lnk - C:\Program Files\Hewlett-Packard\AiO\HPis\bin\matcli.exe [2002-12-27 11:30:06 204800]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2004-12-20 17:17:31 114688]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-03-07 22:30:37 67128]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\MSN\proky.html
FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Abacast\\Abaclient.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

S3 scsiprnt;Microsoft SCSI/1394 Generic Printer Class;C:\WINDOWS\system32\DRIVERS\scsiprnt.sys [2001-08-17 14:52]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2008-03-16 23:36:20 C:\WINDOWS\Tasks\POW!.job"
- C:\PROGRA~1\AnalogX\POW\pow.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-16 19:36:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-03-16 19:56:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-16 23:56:36
.
2008-03-12 07:03:41 --- E O F ---

#9 lusitano
Posted 17 March 2008 - 12:45 PM

Hello,

1. Go to Start > Control Panel > Display Properties > Desktop > Customize Desktop... > Web tab
Uncheck and delete everything you find in there. (except for "My current home page")


2. Please uninstall any of the following program(s) using Add/Remove Programs if they are present. To do this, go to Start > Settings > Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs highlight each one and select Remove:

Viewpoint
Viewpoint Manager
Viewpoint Media Player
Viewpoint Toolbar



3. Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.


4. Now copy/paste the entire content of the codebox below into the Notepad window:

http://www.bleepingcomputer.com/forums/t/135670/hijacked-ads-and-lots-of-them/
Collect::
C:\WINDOWS\system32\selrdkef.ini
C:\WINDOWS\system32\dahxhyhy.ini
C:\WINDOWS\system32\itlxnyeu.ini
Suspect::
C:\Program Files\Online Services\hopetexy83122.dll
Folder::
C:\Program Files\Viewpoint
C:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint
File::
C:\Program Files\MSN\proky.html
IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Save the above as CFScript.txt
  • Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
  • This will start ComboFix again. Upon reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
  • When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed, and read it carefully.
  • With the above script, ComboFix will capture a file to submit for analysis.
  • Ensure you are connected to the internet and click OK.
  • A browser will open. Simply follow the instructions to copy/paste/send the requested file.
5. Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan"box on the top of the page:
    • C:\Program Files\Online Services\hopetexy83122.dll
  • Click on the submit button
  • Please post the results in your next reply.
In your next reply, please post:
- The results from ComboFix (step 4)
- The results from Jotti's (step 5)
- And a new HijackThis log.

Regards

#10 mp2002

mp2002
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:12:45 PM

Posted 17 March 2008 - 06:41 PM

Hi, I am going to post these in pieces to make sure I get it all posted correctly:

Results from step 4 (submitted file for analysis as indicated also). Completed steps 1-3.

ComboFix 08-03-13.4 - Margaret Burt 2008-03-17 18:59:09.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.293 [GMT -4:00]
Running from: C:\Documents and Settings\Margaret Burt\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Margaret Burt\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Program Files\MSN\proky.html
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint
C:\Program Files\Viewpoint
C:\Program Files\Viewpoint\Viewpoint Experience Technology\AxMetaStream.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\AxMetaStream_03000F10.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\ClassIDs.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\ComponentMgr.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\ComponentMgr_03000F11.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\AOLArt.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\AOLUserShell.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\BlueStreak.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\Cursors.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\DataTracking.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\GifReader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\JpegReader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\LensFlares.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\Mts2Reader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\Mts3Reader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\ObjectMovie.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\SceneComponent.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\SreeDMMX.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\SWFView.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPAudio.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPExtras.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPVideo.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\WaveletReader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\ZoomView.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\DownLoadHist.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\HostRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\MetaStreamConfig.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\MetaStreamID.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\MtsAxInstaller.exe
C:\Program Files\Viewpoint\Viewpoint Experience Technology\MTSDownloadSites.txt
C:\Program Files\Viewpoint\Viewpoint Experience Technology\NewClassID.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\NewComponents\SceneComponent.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\URLCache.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\496458925.mtz
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\URLCache.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\-1203266128.MTZ
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\683464257.MTZ
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\URLCache.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\325080828.MTZ
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\URLCache.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Resources\UpdateVersionList_v2.mtx
C:\WINDOWS\system32\dahxhyhy.ini
C:\WINDOWS\system32\itlxnyeu.ini
C:\WINDOWS\system32\selrdkef.ini

.
((((((((((((((((((((((((( Files Created from 2008-02-17 to 2008-03-17 )))))))))))))))))))))))))))))))
.

2008-03-10 22:24 . 2008-03-10 22:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-10 22:06 . 2008-03-17 19:08 16,228,384 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-10 22:06 . 2008-03-16 20:01 167,708 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-10 21:55 . 2008-03-10 21:55 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\MailFrontier
2008-03-10 21:55 . 2008-03-10 22:04 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-03-10 21:54 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-03-10 21:54 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-03-08 22:56 . 2008-03-08 22:56 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-08 22:56 . 2008-03-08 22:56 <DIR> d-------- C:\Documents and Settings\Margaret Burt\Application Data\Malwarebytes
2008-03-08 22:56 . 2008-03-08 22:56 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-03-08 22:54 . 2008-03-08 22:54 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-03-08 03:22 . 2008-03-08 03:22 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2008-03-08 03:21 . 2008-03-08 03:21 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-08 03:21 . 2008-03-08 03:21 <DIR> d-------- C:\Documents and Settings\Margaret Burt\Application Data\SUPERAntiSpyware.com
2008-03-08 02:10 . 2008-02-22 03:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-07 20:56 . 2008-03-07 21:00 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-02-29 23:55 . 2008-02-29 23:55 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\PlayFirst
2008-02-29 23:18 . 2008-02-29 23:54 <DIR> d-------- C:\Program Files\Nick Arcade
2008-02-20 00:34 . 2008-02-20 00:34 <DIR> d-------- C:\Documents and Settings\Margaret Burt\Application Data\iWin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-17 22:42 --------- d-----w C:\Documents and Settings\Margaret Burt\Application Data\AVG7
2008-03-10 13:39 --------- d-----w C:\Program Files\Vacation Countdown v1
2008-03-08 17:25 --------- d-----w C:\Program Files\Lavasoft
2008-03-08 17:25 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-08 07:48 --------- d-----w C:\Program Files\Google
2008-03-08 06:10 --------- d-----w C:\Program Files\Java
2008-03-07 20:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-07 20:06 --------- d-----w C:\Documents and Settings\Margaret Burt\Application Data\Desperate Housewives
2008-03-07 20:00 --------- d-----w C:\Program Files\Best Buy Rhapsody
2008-03-01 03:55 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-03-01 03:55 --------- d-----w C:\Documents and Settings\Margaret Burt\Application Data\PlayFirst
2008-02-12 20:45 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-02-12 20:07 --------- d-----w C:\Program Files\Electronic Arts
2008-02-01 02:19 --------- d-----w C:\Program Files\Common Files\xing shared
2008-02-01 02:11 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-01-26 22:38 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-26 21:57 --------- d-----w C:\Documents and Settings\Margaret Burt\Application Data\Musicmatch
2008-01-26 21:56 --------- d-----w C:\Program Files\MUSICMATCH
2008-01-20 23:26 --------- d-----w C:\Documents and Settings\Margaret Burt\Application Data\Lionhead Studios
2008-01-20 22:53 --------- d-----w C:\Program Files\Lionhead Studios Ltd
2008-01-20 22:53 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Lionhead Studios
2008-01-20 17:52 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-18 08:54 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\HipSoft
2006-09-12 04:07 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E82C2A91-BDEB-4B3F-BAC9-B9932D82FCCE}]
C:\Program Files\Online Services\hopetexy83122.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-03-07 22:30 67128]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTPreset"="VTPreset.exe" [2004-02-24 20:17 45056 C:\WINDOWS\system32\VTPreset.exe]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 05:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-07-21 00:07 7110656]
"nwiz"="nwiz.exe" [2005-07-21 00:07 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-07-21 00:07 86016]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 10:19 579072]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"SansaDispatch"="C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe" [2007-05-02 19:00 55368]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 49152]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-31 22:09 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 10:21 219136]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
pow.lnk - C:\Program Files\AnalogX\POW\pow.exe [2003-10-17 21:49:42 78852]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24 210520]
hp instant support.lnk - C:\Program Files\Hewlett-Packard\AiO\HPis\bin\matcli.exe [2002-12-27 11:30:06 204800]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2004-12-20 17:17:31 114688]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-03-07 22:30:37 67128]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Abacast\\Abaclient.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

S3 scsiprnt;Microsoft SCSI/1394 Generic Printer Class;C:\WINDOWS\system32\DRIVERS\scsiprnt.sys [2001-08-17 14:52]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-03-17 00:03:45 C:\WINDOWS\Tasks\POW!.job"
- C:\PROGRA~1\AnalogX\POW\pow.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-17 19:09:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-17 19:23:45
ComboFix-quarantined-files.txt 2008-03-17 23:23:40
ComboFix2.txt 2008-03-16 23:56:43
.
2008-03-12 07:03:41 --- E O F ---

#11 mp2002

mp2002
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:12:45 PM

Posted 17 March 2008 - 06:47 PM

When I did step 5 I received the following message:

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

I believe I have all the antivirus, firewalls, etc. disabled. I must be doing something incorrectly but not sure what that is. Any ideas what I have done wrong for this one?

Thanks.

#12 mp2002

mp2002
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:12:45 PM

Posted 17 March 2008 - 06:59 PM

New HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:56:32 PM, on 3/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {E82C2A91-BDEB-4B3F-BAC9-B9932D82FCCE} - C:\Program Files\Online Services\hopetexy83122.dll (file missing)
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\AiO\HPis\bin\matcli.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7902 bytes

#13 mp2002

mp2002
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:12:45 PM

Posted 18 March 2008 - 12:36 PM

Hi, Just fyi, when I tried to get on the internet today I was not able to connect and the message screen said it was missing the Winsock catalog and it prompted me to add back the default to do this. I did that and am now able to get on the internet. Just thought I should tell you this since I know I am not to make any system changes while going through this process but it was the only way to be able to get on the internet since I don't have access to any other computer to ask before I did that.

Thanks.

#14 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:03:45 PM

Posted 18 March 2008 - 01:57 PM

Hello mp2002,

I believe I have all the antivirus, firewalls, etc. disabled. I must be doing something incorrectly but not sure what that is. Any ideas what I have done wrong for this one?

Don't worry about this step, HijackThis and ComboFix both report the file as missing.


:blink: Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below,"if still present":

O2 - BHO: (no name) - {E82C2A91-BDEB-4B3F-BAC9-B9932D82FCCE} - C:\Program Files\Online Services\hopetexy83122.dll (file missing)

Click on Posted Image button. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



:thumbsup: Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


:wacko: Please do an online scan with Kaspersky WebScanner

Click on Posted Image

You will be prompted to install an ActiveX component from Kaspersky, Click Posted Image
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on Posted Image
  • Now click on Posted Image
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click Posted Image
  • Now under "Select a target to scan": Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post, along with a new HijackThis log. Also let me know how your computer is running.
Regards
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
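
The O2 entry lusitano asks to fix above (an unnamed BHO whose DLL is already gone) is the kind of leftover a triage script can flag mechanically. What follows is an added example, not code from HijackThis, ComboFix or the helper; it parses a constructed sample of lines copied from the log posted in this thread and reports BHOs with no display name or a missing file, and Run/Startup entries that launch a bare filename or something outside Program Files and Windows. The checks are simple heuristics of my own, not HijackThis rules.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {E82C2A91-BDEB-4B3F-BAC9-B9932D82FCCE} - C:\\Program Files\\Online Services\\hopetexy83122.dll (file missing)
O4 - HKLM\\..\\Run: [VTPreset] VTPreset.exe
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\QTTask.exe" -atboottime
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - Global Startup: hp instant support.lnk = C:\\Program Files\\Hewlett-Packard\\AiO\\HPis\\bin\\matcli.exe
"""

# O2 lines: "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# O4 Run-key lines: "O4 - HKLM\..\Run: [<value name>] <command>"
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.+)$")
# O4 Startup-folder lines: "O4 - Global Startup: <shortcut>.lnk = <path>"
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<key>.+?) = (?P<cmd>.+)$")
# First token ending in an executable/module extension, quotes optional.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.(?:exe|dll|cpl|scr))', re.I)
# Locations treated as expected for autostarts on this XP box (heuristic).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")


@dataclass
class Finding:
    line_no: int
    entry: str
    reasons: List[str] = field(default_factory=list)


def check_bho(m: "re.Match") -> List[str]:
    """Reasons a Browser Helper Object entry deserves a second look."""
    reasons = []
    if m.group("name").strip().lower() == "(no name)":
        reasons.append("BHO registered without a display name")
    if m.group("missing"):
        reasons.append("registry entry points to a file that no longer exists")
    if not m.group("path").lower().startswith(TRUSTED_ROOTS):
        reasons.append("module outside Program Files / Windows")
    return reasons


def check_autostart(cmd: str) -> List[str]:
    """Reasons a Run-key or Startup-folder command deserves a second look."""
    em = EXE_RE.match(cmd.strip())
    if not em:
        return ["could not identify the executable in the command"]
    exe = em.group("exe")
    if "\\" not in exe:
        # No directory: Windows resolves it through the search path at logon.
        return ["bare filename: resolved through the search path at logon"]
    if not exe.lower().startswith(TRUSTED_ROOTS):
        return ["executable outside Program Files / Windows"]
    return []


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return the entries that raised a reason."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        line = line.rstrip()
        m = BHO_RE.match(line)
        if m:
            reasons = check_bho(m)
        else:
            m = RUN_RE.match(line) or STARTUP_RE.match(line)
            reasons = check_autostart(m.group("cmd")) if m else []
        if reasons:
            findings.append(Finding(n, line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.entry}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the sample the script reports only the hopetexy83122.dll BHO (no name, file missing) and the VTPreset.exe entry (bare filename); every other line resolves to a full path under Program Files or Windows.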

#15 mp2002

mp2002
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:12:45 PM

Posted 18 March 2008 - 10:46 PM

Hi, computer is running much better and I can now send e-mails. Thanks for all this help. Kaspersky log as follows:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, March 18, 2008 11:42:40 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/03/2008
Kaspersky Anti-Virus database records: 639178
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 209546
Number of viruses found: 2
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 04:19:41

Infected Object Name / Virus Name / Last Action
C:\14ecc028589af81e9d99773583\$shtdwn$.req Object is locked skipped
C:\14ecc028589af81e9d99773583\common\Eula.txt Object is locked skipped
C:\14ecc028589af81e9d99773583\common\spcustom.dll Object is locked skipped
C:\14ecc028589af81e9d99773583\common\spmsg.dll Object is locked skipped
C:\14ecc028589af81e9d99773583\common\spuninst.exe Object is locked skipped
C:\14ecc028589af81e9d99773583\common\update.exe Object is locked skipped
C:\14ecc028589af81e9d99773583\sp1\msgsvc.dll Object is locked skipped
C:\14ecc028589af81e9d99773583\sp1\spmsg.dll Object is locked skipped
C:\14ecc028589af81e9d99773583\sp1\spuninst.exe Object is locked skipped
C:\14ecc028589af81e9d99773583\sp1\update\eula.txt Object is locked skipped
C:\14ecc028589af81e9d99773583\sp1\update\KB828035.cat Object is locked skipped
C:\14ecc028589af81e9d99773583\sp1\update\spcustom.dll Object is locked skipped
C:\14ecc028589af81e9d99773583\sp1\update\update.exe Object is locked skipped
C:\14ecc028589af81e9d99773583\sp1\update\update.inf Object is locked skipped
C:\14ecc028589af81e9d99773583\sp1\update\update.ver Object is locked skipped
C:\14ecc028589af81e9d99773583\sp1\wkssvc.dll Object is locked skipped
C:\14ecc028589af81e9d99773583\sp2\msgsvc.dll Object is locked skipped
C:\14ecc028589af81e9d99773583\sp2\spmsg.dll Object is locked skipped
C:\14ecc028589af81e9d99773583\sp2\spuninst.exe Object is locked skipped
C:\14ecc028589af81e9d99773583\sp2\update\eula.txt Object is locked skipped
C:\14ecc028589af81e9d99773583\sp2\update\KB828035.cat Object is locked skipped
C:\14ecc028589af81e9d99773583\sp2\update\spcustom.dll Object is locked skipped
C:\14ecc028589af81e9d99773583\sp2\update\update.exe Object is locked skipped
C:\14ecc028589af81e9d99773583\sp2\update\update.inf Object is locked skipped
C:\14ecc028589af81e9d99773583\sp2\update\update.ver Object is locked skipped
C:\14ecc028589af81e9d99773583\sp2\wkssvc.dll Object is locked skipped
C:\14ecc028589af81e9d99773583\xpsp1hfm.exe Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Margaret Burt\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-3-18-2008( 13-27-29 ).LOG Object is locked skipped
C:\Documents and Settings\Margaret Burt\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Margaret Burt\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Margaret Burt\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Margaret Burt\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Margaret Burt\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Margaret Burt\Local Settings\History\History.IE5\MSHist012008031820080319\index.dat Object is locked skipped
C:\Documents and Settings\Margaret Burt\Local Settings\temp\~DF917A.tmp Object is locked skipped
C:\Documents and Settings\Margaret Burt\Local Settings\temp\~DF91A2.tmp Object is locked skipped
C:\Documents and Settings\Margaret Burt\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Margaret Burt\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Margaret Burt\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Margaret Burt\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Margaret Burt\Data\chandir.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Margaret Burt\Data\chandir.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Margaret Burt\Data\chn.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Margaret Burt\Data\chn.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Margaret Burt\Data\D0000000.FCS Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Margaret Burt\Data\inuse.txt Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Margaret Burt\Data\L0000002.FCS Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Margaret Burt\Data\main.log Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Margaret Burt\Data\prs.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Margaret Burt\Data\prs.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Margaret Burt\Data\prs_die.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Margaret Burt\Data\prs_die.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Margaret Burt\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Margaret Burt\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Margaret Burt\Data\prs_ext.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Margaret Burt\Data\prs_ext.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Margaret Burt\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Margaret Burt\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Margaret Burt\Data\storydb.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Margaret Burt\Data\storydb.idx Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{B1908A88-BCD2-416A-8FA3-53766C19522C}\RP1098\A0243416.dll Object is locked skipped
C:\System Volume Information\_restore{B1908A88-BCD2-416A-8FA3-53766C19522C}\RP1127\A0266694.exe/data0000.bin Infected: Trojan-Downloader.Win32.Agent.dte skipped
C:\System Volume Information\_restore{B1908A88-BCD2-416A-8FA3-53766C19522C}\RP1127\A0266694.exe EmbeddedEXE: infected - 1 skipped
C:\System Volume Information\_restore{B1908A88-BCD2-416A-8FA3-53766C19522C}\RP1129\A0267023.dll Infected: not-a-virus:AdWare.Win32.FastSeeker skipped
C:\System Volume Information\_restore{B1908A88-BCD2-416A-8FA3-53766C19522C}\RP1131\A0268043.dll Object is locked skipped
C:\System Volume Information\_restore{B1908A88-BCD2-416A-8FA3-53766C19522C}\RP1135\A0268740.dll Object is locked skipped
C:\System Volume Information\_restore{B1908A88-BCD2-416A-8FA3-53766C19522C}\RP1135\A0268801.dll Object is locked skipped
C:\System Volume Information\_restore{B1908A88-BCD2-416A-8FA3-53766C19522C}\RP1135\A0268920.dll Object is locked skipped
C:\System Volume Information\_restore{B1908A88-BCD2-416A-8FA3-53766C19522C}\RP1143\A0269983.dll Object is locked skipped
C:\System Volume Information\_restore{B1908A88-BCD2-416A-8FA3-53766C19522C}\RP1143\A0269984.dll Object is locked skipped
C:\System Volume Information\_restore{B1908A88-BCD2-416A-8FA3-53766C19522C}\RP1143\A0269985.dll Object is locked skipped
C:\System Volume Information\_restore{B1908A88-BCD2-416A-8FA3-53766C19522C}\RP1144\A0270149.dll Object is locked skipped
C:\System Volume Information\_restore{B1908A88-BCD2-416A-8FA3-53766C19522C}\RP1144\A0270150.dll Object is locked skipped
C:\System Volume Information\_restore{B1908A88-BCD2-416A-8FA3-53766C19522C}\RP1144\A0270151.dll Object is locked skipped
C:\System Volume Information\_restore{B1908A88-BCD2-416A-8FA3-53766C19522C}\RP1144\A0270152.dll Object is locked skipped
C:\System Volume Information\_restore{B1908A88-BCD2-416A-8FA3-53766C19522C}\RP1144\A0270153.dll Object is locked skipped
C:\System Volume Information\_restore{B1908A88-BCD2-416A-8FA3-53766C19522C}\RP1144\A0270154.dll Object is locked skipped
C:\System Volume Information\_restore{B1908A88-BCD2-416A-8FA3-53766C19522C}\RP1144\A0270155.dll Object is locked skipped
C:\System Volume Information\_restore{B1908A88-BCD2-416A-8FA3-53766C19522C}\RP1144\A0270156.dll Object is locked skipped
C:\System Volume Information\_restore{B1908A88-BCD2-416A-8FA3-53766C19522C}\RP1144\A0270157.dll Object is locked skipped
C:\System Volume Information\_restore{B1908A88-BCD2-416A-8FA3-53766C19522C}\RP1144\A0270158.dll Object is locked skipped
C:\System Volume Information\_restore{B1908A88-BCD2-416A-8FA3-53766C19522C}\RP1144\A0270159.dll Object is locked skipped
C:\System Volume Information\_restore{B1908A88-BCD2-416A-8FA3-53766C19522C}\RP1147\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\MATTHEW.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\Windows_OneCare_Evt.evt Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT018e9.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT018ec.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
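The report above is the tail of a Kaspersky online-scanner log, and almost every line in it is "Object is locked skipped" noise: registry hives (SAM, SECURITY, software, system, NTUSER.DAT), event logs, index.dat caches and the WMI repository are held open by Windows and can never be scanned from a running system, so those entries are expected. The only real detections are two restore-point copies under System Volume Information\_restore{...}\RP1127 and \RP1129. As an added example (not part of the original post and not the scanner's own tooling), here is a small Python parser for that report format that separates the locked-file noise from detections and flags those sitting in System Restore points, which are inert unless a restore is performed and are cleared by purging the restore points (on XP, by turning System Restore off and back on). The sample lines are copied from the log above; the `Finding`, `parse_report` and `triage` names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Report lines copied from the scan report posted above; no additional paths
# or detection names have been made up.
SAMPLE_REPORT = r"""
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\System Volume Information\_restore{B1908A88-BCD2-416A-8FA3-53766C19522C}\RP1127\A0266694.exe/data0000.bin Infected: Trojan-Downloader.Win32.Agent.dte skipped
C:\System Volume Information\_restore{B1908A88-BCD2-416A-8FA3-53766C19522C}\RP1127\A0266694.exe EmbeddedEXE: infected - 1 skipped
C:\System Volume Information\_restore{B1908A88-BCD2-416A-8FA3-53766C19522C}\RP1129\A0267023.dll Infected: not-a-virus:AdWare.Win32.FastSeeker skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped

Scan process completed.
"""

# A report line is "<path> <verdict> <action>". Paths contain spaces, so the
# verdict is located by its leading keyword rather than by splitting on spaces.
# Only the verdict forms that occur in the posted log are recognised here.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<verdict>Object is locked|Infected: \S+|EmbeddedEXE: infected - \d+) "
    r"(?P<action>\S+)$"
)
# Restore-point copies live under \System Volume Information\_restore{GUID}\RPnnnn\
RESTORE_RE = re.compile(r"\\_restore\{[0-9A-Fa-f-]+\}\\(?P<rp>RP\d+)\\")


@dataclass
class Finding:
    path: str                     # on-disk file (the container if an archive member was flagged)
    member: Optional[str]         # archive/embedded member such as "data0000.bin"
    verdict: str
    detection: Optional[str]      # malware name; None for locked or EmbeddedEXE verdicts
    action: str
    restore_point: Optional[str]  # "RP1127" when the file is a System Restore copy

    @property
    def is_locked(self) -> bool:
        return self.verdict == "Object is locked"

    @property
    def is_detection(self) -> bool:
        return not self.is_locked


def parse_line(line: str) -> Optional[Finding]:
    m = LINE_RE.match(line.strip())
    if m is None:
        return None  # blank lines, "Scan process completed.", unrecognised verdicts
    raw_path, verdict, action = m.group("path", "verdict", "action")
    # The scanner separates an archive member from its container with "/";
    # the Windows path itself only ever uses "\".
    path, _, member = raw_path.partition("/")
    detection = verdict.split(": ", 1)[1] if verdict.startswith("Infected: ") else None
    rp = RESTORE_RE.search(path)
    return Finding(path, member or None, verdict, detection, action,
                   rp.group("rp") if rp else None)


def parse_report(text: str) -> List[Finding]:
    return [f for f in (parse_line(line) for line in text.splitlines()) if f is not None]


def triage(findings: List[Finding]) -> dict:
    """Split expected noise (locked in-use files) from detections, and split the
    detections into live files versus System Restore copies."""
    live = [f for f in findings if f.is_detection and f.restore_point is None]
    restore = [f for f in findings if f.is_detection and f.restore_point is not None]
    return {
        "locked": sum(1 for f in findings if f.is_locked),
        "live_detections": [(f.path, f.detection or f.verdict) for f in live],
        "restore_point_detections": [(f.restore_point, f.path, f.detection or f.verdict)
                                     for f in restore],
        "restore_points_to_purge": sorted({f.restore_point for f in restore}),
    }


if __name__ == "__main__":
    for key, value in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

Run against the sample, `live_detections` comes back empty and `restore_points_to_purge` lists RP1127 and RP1129, which is the practical reading of the posted log: nothing active was found outside System Restore, and the remaining copies go away once the restore points are purged. A detection on any other path would be the item to chase first.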



