Troj/fursto-a (found By Sophos) Can Only Get To Safe Mode


This topic is locked
12 replies to this topic

#1 WSULib

Posted 04 April 2008 - 01:07 PM

Hello,

The file trojan found by Sophos is Troj/Fursto-A. Also a program called "Bonjour" is in the programs list. I tried to uninstall it, but it did not even contain an uninstall when clicked. Also, it shows another language. It looks a little like Spanish or maybe Italian, but I don't think it is French. I believe this is NOT the Bonjour that everyone else is talking about. When the pc was still in good shape the instruction popups for OK or Cancel would be in the language I am talking about.

I do not have a HijackThis file yet to show you, but I wanted to get this out so that I could begin getting help for this problem. On 4/3/08 a computer was booted up for the day, but froze before the Desktop items could load. I worked on it 8 hours that day and have spent half a day today on it.

I ran Adaware and Spybot and they removed some things (didn't make note of what they found on either of the programs at that time).

I am at the point that I have spent too much time, so we are beginning to back up the pc before we lose all control of it. I plan to go ahead and DBAN it as soon as we get all the files needed. So about an hour from now. (1:00 p.m. CSDT right now).

If anyone can post quickly what we can do before I begin the redo process, I would really appreciate it. Luckily we do have a Ghost image of the basics of the pc, so that will speed things up.

Thanks if anyone sees this in the next hour or two.

Madeline
------------
April 7
Hello,

I previously posted a topic for the same trojan. I decided to post it again since in my post I said that I would not need help after a few hours, but now regret that since it may be overlooked.

This trojan will not allow the user to get beyond the background of the desktop. It freezes at that point.

I have decided to see if the trojan Fursto-A can be removed and not redo the pc, yet. I have added the information as requested from the Deckard's System Scanner, including the HijackThis log that DSS created. Since we cannot get past Safe Mode this is all I can do.

I have run Spybot, but could not install Adaware in Safe Mode. I did not make print screens or note what they found, but did remove what they found.

Here is what I have from the DSS scan (including HijackThis):

Main.txt

Deckard's System Scanner v20071014.68
Run by basquez on 2008-04-07 11:38:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
12: 2008-04-07 16:38:24 UTC - RP12 - Deckard's System Scanner Restore Point
11: 2008-04-07 16:24:54 UTC - RP11 - Advanced Registry Optimizer Mon, Apr 07, 08 11:24
10: 2008-04-07 15:53:31 UTC - RP10 - Installed AVG 7.5
9: 2008-04-07 15:39:57 UTC - RP9 - ADVANCED REGISTRY OPTIMIZER - FIRST RUN
8: 2008-04-07 14:37:24 UTC - RP8 - System Checkpoint


-- First Restore Point --
1: 2008-04-01 22:19:22 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-07 11:42:53
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:WINDOWSsystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSsystem32spoolsv.exe
C:Program FilesCommon FilesAppleMobile Device SupportbinAppleMobileDeviceService.exe
C:Program FilesBonjourmDNSResponder.exe
C:Program FilesCommon FilesMicrosoft SharedVS7DEBUGmdm.exe
C:Program Fileslotusnotesntmulti.exe
C:oracleora92binomtsreco.exe
C:Program FilesSophosSophos Anti-VirusSAVAdminService.exe
C:Program FilesSophosRemote Management SystemManagementAgentNT.exe
C:Program FilesSophosAutoUpdateALsvc.exe
C:Program FilesSophosRemote Management SystemRouterNT.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSexplorer.exe
C:Program FilesAnalog DevicesCoresmax4pnp.exe
C:WINDOWSsystem32hkcmd.exe
C:WINDOWSsystem32igfxpers.exe
C:WINDOWSsystem32dpmw32.exe
C:WINDOWSsystem32nwtray.exe
C:Program FilesCommon FilesInstallShieldUpdateServiceissch.exe
C:Program FilesJavajre1.6.0_03binjusched.exe
C:Program FilesCyberLinkPowerDVDDVDLauncher.exe
C:WINDOWSsystem32dlatfswctrl.exe
C:Program FilesCommon FilesRealUpdate_OBrealsched.exe
C:Program FilesAdobePhotoshop Album Starter Edition3.2Appsapdproxy.exe
C:Program FilesiTunesiTunesHelper.exe
C:WINDOWSsystem32ctfmon.exe
C:Program FilesMessengermsmsgs.exe
C:Program FilesWeather Watcherww.exe
C:Program FilesCentraClientbincentraSystray.exe
C:Program FilesSophosAutoUpdateALMon.exe
C:Program FilesKodakKodak EasyShare softwarebinEasyShare.exe
C:Program FilesMacro Express3MacExp.exe
C:Program FilesWebshotsWebshots.scr
C:Program FilesYahoo!MessengerYmsgr_tray.exe
C:Program FilesiPodbiniPodService.exe
C:Program FilesGrisoftAVG7avgamsvr.exe
C:Program FilesGrisoftAVG7avgupsvc.exe
C:Program FilesGrisoftAVG7avgcc.exe
C:Documents and SettingsbasquezApplication DataU30000181B3C613DB7LaunchPad.exe
G:Software 07Connie's Trojan Virus 4_08dss.exe

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://www.msn.com/access/allinone.asp
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://my.yahoo.com/
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Local Page = blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:Program FilesYahoo!CompanionInstallscpnyt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:Program FilesYahoo!CompanionInstallscpnyt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:Program FilesSpybot - Search & DestroySDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:WINDOWSsystem32dlatfswshx.dll
O2 - BHO: (no name) - {6215EBB0-7660-4D8D-9626-86E00BEACAA5} - C:WINDOWSsystem32dppwin32j.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:Program FilesJavajre1.6.0_03binssv.dll
O2 - BHO: (no name) - {FF322FC9-CB96-4D88-AB04-11C48E8C8C17} - c:windowssystem32avwavk.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:Program FilesYahoo!CompanionInstallscpnyt.dll
O3 - Toolbar: (no name) - ID - (no file)
O4 - HKLM..Run: [SoundMAXPnP] C:Program FilesAnalog DevicesCoresmax4pnp.exe
O4 - HKLM..Run: [igfxtray] C:WINDOWSsystem32igfxtray.exe
O4 - HKLM..Run: [igfxhkcmd] C:WINDOWSsystem32hkcmd.exe
O4 - HKLM..Run: [igfxpers] C:WINDOWSsystem32igfxpers.exe
O4 - HKLM..Run: [NDPS] C:WINDOWSsystem32dpmw32.exe
O4 - HKLM..Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM..Run: [ISUSPM Startup] C:PROGRA~1COMMON~1INSTAL~1UPDATE~1ISUSPM.exe -startup
O4 - HKLM..Run: [ISUSScheduler] "C:Program FilesCommon FilesInstallShieldUpdateServiceissch.exe" -start
O4 - HKLM..Run: [SunJavaUpdateSched] "C:Program FilesJavajre1.6.0_03binjusched.exe"
O4 - HKLM..Run: [DVDLauncher] "C:Program FilesCyberLinkPowerDVDDVDLauncher.exe"
O4 - HKLM..Run: [dla] C:WINDOWSsystem32dlatfswctrl.exe
O4 - HKLM..Run: [TkBellExe] "C:Program FilesCommon FilesRealUpdate_OBrealsched.exe" -osboot
O4 - HKLM..Run: [Adobe Photo Downloader] "C:Program FilesAdobePhotoshop Album Starter Edition3.2Appsapdproxy.exe"
O4 - HKLM..Run: [QuickTime Task] "C:Program FilesQuickTimeqttask.exe" -atboottime
O4 - HKLM..Run: [iTunesHelper] "C:Program FilesiTunesiTunesHelper.exe"
O4 - HKLM..Run: [Adobe Reader Speed Launcher] "C:Program FilesAdobeReader 8.0ReaderReader_sl.exe"
O4 - HKLM..Run: [AVG7_CC] C:PROGRA~1GrisoftAVG7avgcc.exe /STARTUP
O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O4 - HKCU..Run: [MSMSGS] "C:Program FilesMessengermsmsgs.exe" /background
O4 - HKCU..Run: [WeatherWatcher] C:Program FilesWeather Watcherww.exe
O4 - HKCU..Run: [Yahoo! Pager] "C:Program FilesYahoo!MessengerYahooMessenger.exe" -quiet
O4 - HKCU..Run: [Centra Launcher] C:Program FilesCentraClientbincentraSystray.exe /startup
O4 - HKCU..Run: [AROReminder] C:Program FilesAdvanced Registry OptimizerARO.exe -rem
O4 - HKUSS-1-5-19..Run: [AVG7_Run] C:PROGRA~1GrisoftAVG7avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUSS-1-5-20..Run: [AVG7_Run] C:PROGRA~1GrisoftAVG7avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUSS-1-5-18..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe (User 'SYSTEM')
O4 - HKUSS-1-5-18..Run: [AVG7_Run] C:PROGRA~1GrisoftAVG7avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS.DEFAULT..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe (User 'Default user')
O4 - HKUS.DEFAULT..Run: [AVG7_Run] C:PROGRA~1GrisoftAVG7avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Webshots.lnk = C:Program FilesWebshotsLauncher.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:Program FilesSophosAutoUpdateALMon.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:Program FilesKodakKodak EasyShare softwarebinEasyShare.exe
O4 - Global Startup: Macro Express 3.lnk = C:Program FilesMacro Express3MacExp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~2Office12EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_03binssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_03binssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:Program FilesMicrosoft OfficeOffice12ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:Program FilesMicrosoft OfficeOffice12ONBttnIE.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:Program FilesSpybot - Search & DestroySDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:Program FilesSpybot - Search & DestroySDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:Program FilesYahoo!MessengerYahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:Program FilesYahoo!MessengerYahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O15 - Trusted Zone: rhap:////rhap-app-4-o.real.com (HKCU)
O15 - Trusted Zone: rhap:////rhapp.real.com (HKCU)
O15 - Trusted Zone: *.listen.com (HKCU)
O15 - Trusted Zone: *.llnwd.net (HKCU)
O15 - Trusted Zone: *.real.com (HKCU)
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:Program FilesYahoo!Commonyinsthelper.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:Program FilesCommon FilesMicrosoft SharedHelphxds.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:Program FilesCommon FilesMicrosoft SharedInformation RetrievalMSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:Program FilesCommon FilesMicrosoft SharedWeb Components10OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:Program FilesCommon FilesMicrosoft SharedWeb Components11OWC11.DLL
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:Program FilesCommon FilesMicrosoft SharedOFFICE12MSOXMLMF.DLL
O20 - AppInit_DLLs: C:PROGRA~1SophosSOPHOS~1SOPHOS~1.DLL
O20 - Winlogon Notify: uzzpvlwl - C:WINDOWSsystem32avwavk.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:Program FilesCommon FilesAppleMobile Device SupportbinAppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:Program FilesGrisoftAVG7avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:Program FilesGrisoftAVG7avgupsvc.exe
O23 - Service: Servicio Bonjour (Bonjour Service) - Apple Computer, Inc. - C:Program FilesBonjourmDNSResponder.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:WINDOWSsystem32cusrvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:Program FilesCommon FilesInstallShieldDriver11Intel 32IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:Program FilesiPodbiniPodService.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:Program Fileslotusnotesntmulti.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:oracleora92binomtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:oracleora92binONRSD.EXE
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:Program FilesSophosSophos Anti-VirusSAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:Program FilesSophosSophos Anti-VirusSavService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:Program FilesSpyware DoctorpctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:Program FilesSpyware DoctorpctsSvc.exe
O23 - Service: Sophos Agent - Sophos Plc - C:Program FilesSophosRemote Management SystemManagementAgentNT.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:Program FilesSophosAutoUpdateALsvc.exe
O23 - Service: Sophos Message Router - Sophos Plc - C:Program FilesSophosRemote Management SystemRouterNT.exe


--
End of file - 11923 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 NICM (Novell InterService Communication Driver) - c:windowssystem32driversnicm.sys <Not Verified; Novell, Inc.; Novell XTier for Windows>
R0 NWFILTER (Novell UNC Path Filter) - c:windowssystem32netwarenwfilter.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R0 vxmcxepy - c:windowssystem32driversywcyqqek.dat
R2 MCSTRM - c:windowssystem32driversmcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
R2 NetwareWorkstation (Novell Client for Windows) - c:windowssystem32netwarenwfs.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R2 NWDHCP (Novell DHCP Inform Client) - c:windowssystem32netwarenwdhcp.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R2 RESMGR (Novell NetWare Resource Manager) - c:windowssystem32netwareresmgr.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R2 SRVLOC (Novell Service Location) - c:windowssystem32netwaresrvloc.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R3 NWDNS (Novell DNS Name Space Service Provider) - c:windowssystem32netwarenwdns.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R3 NWHOST (Novell Host File Name Space Service Provider) - c:windowssystem32netwarenwhost.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R3 NWSLP (Novell SLP Name Space Service Provider) - c:windowssystem32netwarenwslp.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R3 NWSNS (Novell Simple Naming Services) - c:windowssystem32netwarenwsns.sys <Not Verified; Novell, Inc.; Novell Client for Windows>

S2 NWSIPX32 (Novell NetWare IPX/SPX Transport Interface) - c:windowssystem32netwarenwsipx32.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
S3 NWSAP (Novell SAP Name Space Provider) - c:windowssystem32netwarenwsap.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:program filescommon filesapplemobile device supportbinapplemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service (Servicio Bonjour) - "c:program filesbonjourmdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 Multi-user Cleanup Service - "c:program fileslotusnotesntmulti.exe" <Not Verified; IBM Corp; IBM Lotus Notes/Domino>
R2 OracleMTSRecoveryService - c:oracleora92binomtsreco.exe "oraclemtsrecoveryservice" <Not Verified; Oracle Corporation; Oracle MTS Recovery Service>
R2 SAVAdminService (Sophos Anti-Virus status reporter) - "c:program filessophossophos anti-virussavadminservice.exe" <Not Verified; Sophos Plc; Sophos Anti-Virus>
R2 SAVService (Sophos Anti-Virus) - "c:program filessophossophos anti-virussavservice.exe" <Not Verified; Sophos Plc; Sophos Anti-Virus>
R2 Sophos Agent - "c:program filessophosremote management systemmanagementagentnt.exe" -service -name agent <Not Verified; Sophos Plc; Sophos Messaging System>
R2 Sophos AutoUpdate Service - "c:program filessophosautoupdatealsvc.exe" <Not Verified; Sophos Plc; Sophos AutoUpdate>
R2 Sophos Message Router - "c:program filessophosremote management systemrouternt.exe" -service -name router -orblistenendpoints iiop://:8193/ssl_port=8194 <Not Verified; Sophos Plc; Sophos Messaging System>

S3 cusrvc (Client Update Service for Novell) - c:windowssystem32cusrvc.exe <Not Verified; Novell, Inc.; Novell Client for Windows>
S3 OracleOraHome92ClientCache - c:oracleora92binonrsd.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-03 10:00:19 432 --a------ C:WINDOWSTasksAt1.job
2008-04-02 12:15:01 530 --a------ C:WINDOWSTasksWeekly Scan.job


-- Files created between 2008-03-07 and 2008-04-07 -----------------------------

2008-04-07 10:54:21 0 d-------- C:Documents and SettingsbasquezApplication DataAVG7
2008-04-07 10:53:47 0 d-------- C:Documents and SettingsLocalServiceApplication DataAVG7
2008-04-07 10:53:32 0 d-------- C:Documents and SettingsAll UsersApplication DataGrisoft
2008-04-07 10:53:32 0 d-------- C:Documents and SettingsAll UsersApplication Dataavg7
2008-04-07 10:39:49 0 d-------- C:Documents and SettingsbasquezApplication DataSammsoft
2008-04-07 10:39:27 0 d-------- C:Program FilesAdvanced Registry Optimizer
2008-04-03 16:07:56 0 d-a------ C:Documents and SettingsAll UsersApplication DataTEMP
2008-04-03 16:06:52 0 d-------- C:Program FilesSpyware Doctor
2008-04-03 16:06:52 0 d-------- C:Documents and SettingsbasquezApplication DataPC Tools
2008-04-01 17:29:29 0 d-------- C:Program FilesCommon FilesCisco Systems
2008-04-01 17:29:26 17920 --a------ C:WINDOWSsystem32sophosboottasks.exe <Not Verified; Sophos Plc; Sophos Anti-Virus>
2008-04-01 09:27:51 35072 --a------ C:WINDOWSsystem32nrwzzcgf.dat
2008-04-01 09:27:51 6454528 --a------ C:WINDOWSsystem32jczmugfk.dat
2008-04-01 09:27:51 0 d-------- C:Program FilesCommon FilesMozilla Shared
2008-04-01 09:27:50 638208 --a------ C:WINDOWSsystem32xsyydtgk.dat
2008-04-01 09:27:50 120576 --a------ C:WINDOWSsystem32mgclfydi.dat
2008-04-01 09:27:50 36608 --a------ C:WINDOWSsystem32lxiuegjb.dat
2008-04-01 09:27:50 42752 --a------ C:WINDOWSsystem32jucfujrz.dat
2008-04-01 09:27:50 19712 --a------ C:WINDOWSsystem32driversywcyqqek.dat
2008-03-31 17:17:41 0 d-------- C:Documents and SettingsDefault UserLocal Settings
2008-03-31 17:17:26 0 d-------- C:Documents and SettingsAll UsersApplication DataSophos
2008-03-31 17:14:51 0 d-------- C:Program FilesSophos
2008-03-31 17:14:20 0 d-------- C:WINDOWSsystem32AppCert
2008-03-31 17:13:59 88064 --a------ C:WINDOWSsystem32dppwin32j.dll
2008-03-31 17:07:32 0 d-------- C:Program FilesMSBuild
2008-03-31 17:04:26 0 d-------- C:Program FilesMicrosoft Visual Studio 8
2008-03-26 19:46:03 691545 --a------ C:WINDOWSunins000.exe
2008-03-26 19:46:03 2544 --a------ C:WINDOWSunins000.dat


-- Find3M Report ---------------------------------------------------------------

2008-04-07 11:37:24 0 d-------- C:Program FilesCommon FilesAdobe
2008-04-07 11:37:00 0 d-------- C:Documents and SettingsbasquezApplication DataU3
2008-04-07 09:21:03 0 d-------- C:Program FilesMacro Express3
2008-04-04 10:33:38 0 d-------- C:Program FilesCommon FilesWise Installation Wizard
2008-04-03 10:54:45 0 d-------- C:Program FilesWeather Watcher
2008-04-02 22:03:51 4 --a------ C:WINDOWSsystem3264CCA5
2008-04-01 17:29:29 0 d-------- C:Program FilesCommon Files
2008-03-31 17:07:49 0 d-------- C:Program FilesMicrosoft Works
2008-03-11 16:43:32 0 d-------- C:Program FilesRhapsody
2008-02-29 13:09:59 0 d-------- C:Program FilesMarcEdit 5.0
2008-02-20 11:31:52 0 d-------- C:Documents and SettingsbasquezApplication DataReal
2008-01-30 10:19:22 73216 --a------ C:WINDOWSST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE~Browser Helper Objects{6215EBB0-7660-4D8D-9626-86E00BEACAA5}]

[HKEY_LOCAL_MACHINE~Browser Helper Objects{FF322FC9-CB96-4D88-AB04-11C48E8C8C17}]
c:windowssystem32avwavk.dll

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
"SoundMAXPnP"="C:Program FilesAnalog DevicesCoresmax4pnp.exe" [10/14/2004 02:42 PM]
"igfxtray"="C:WINDOWSsystem32igfxtray.exe" [09/20/2005 10:35 AM]
"igfxhkcmd"="C:WINDOWSsystem32hkcmd.exe" [09/20/2005 10:32 AM]
"igfxpers"="C:WINDOWSsystem32igfxpers.exe" [09/20/2005 10:36 AM]
"NDPS"="C:WINDOWSsystem32dpmw32.exe" [05/17/2004 02:27 PM]
"NWTRAY"="NWTRAY.EXE" [03/12/2002 10:37 AM C:WINDOWSsystem32nwtray.exe]
"ISUSPM Startup"="C:PROGRA~1COMMON~1INSTAL~1UPDATE~1ISUSPM.exe" [02/16/2005 04:15 PM]
"ISUSScheduler"="C:Program FilesCommon FilesInstallShieldUpdateServiceissch.exe" [02/16/2005 04:15 PM]
"SunJavaUpdateSched"="C:Program FilesJavajre1.6.0_03binjusched.exe" [09/25/2007 01:11 AM]
"DVDLauncher"="C:Program FilesCyberLinkPowerDVDDVDLauncher.exe" [04/06/2006 10:51 AM]
"dla"="C:WINDOWSsystem32dlatfswctrl.exe" [05/31/2005 05:33 AM]
"TkBellExe"="C:Program FilesCommon FilesRealUpdate_OBrealsched.exe" [05/26/2006 01:01 PM]
"Adobe Photo Downloader"="C:Program FilesAdobePhotoshop Album Starter Edition3.2Appsapdproxy.exe" [03/09/2007 11:09 AM]
"QuickTime Task"="C:Program FilesQuickTimeqttask.exe" [06/29/2007 06:24 AM]
"iTunesHelper"="C:Program FilesiTunesiTunesHelper.exe" [07/10/2007 09:18 AM]
"Adobe Reader Speed Launcher"="C:Program FilesAdobeReader 8.0ReaderReader_sl.exe" [01/11/2008 11:16 PM]
"AVG7_CC"="C:PROGRA~1GrisoftAVG7avgcc.exe" [04/07/2008 10:53 AM]

[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
"ctfmon.exe"="C:WINDOWSsystem32ctfmon.exe" [08/12/2004 08:18 AM]
"MSMSGS"="C:Program FilesMessengermsmsgs.exe" [10/13/2004 11:24 AM]
"WeatherWatcher"="C:Program FilesWeather Watcherww.exe" [05/21/2006 01:08 PM]
"Yahoo! Pager"="C:Program FilesYahoo!MessengerYahooMessenger.exe" [11/30/2006 10:49 PM]
"Centra Launcher"="C:Program FilesCentraClientbincentraSystray.exe" [09/10/2007 07:54 PM]
"AROReminder"="C:Program FilesAdvanced Registry OptimizerARO.exe" [07/23/2007 09:34 AM]

C:Documents and SettingsbasquezStart MenuProgramsStartup
Webshots.lnk - C:Program FilesWebshotsLauncher.exe [6/6/2006 12:20:29 PM]

C:Documents and SettingsAll UsersStart MenuProgramsStartup
AutoUpdate Monitor.lnk - C:Program FilesSophosAutoUpdateALMon.exe [4/1/2008 5:28:39 PM]
Kodak EasyShare software.lnk - C:Program FilesKodakKodak EasyShare softwarebinEasyShare.exe [6/14/2006 11:11:40 PM]
Macro Express 3.lnk - C:Program FilesMacro Express3MacExp.exe [6/2/2006 3:40:31 PM]

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindowscurrentversionpoliciessystem]
"CompatibleRUPSecurity"=1 (0x1)

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionwinlogonnotifyuzzpvlwl]
avwavk.dll

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionwindows]
"appinit_dlls"=C:PROGRA~1SophosSOPHOS~1SOPHOS~1.DLL

[HKEY_LOCAL_MACHINEsystemcurrentcontrolsetcontrollsa]
"Authentication Packages"= msv1_0 nwv1_0

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalSAVService]
@="service"

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalsdauxservice"

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalsdcoreservice"

HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionSvchost - NetSvcs
jtxyabbx


[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2F]
AutoRuncommand- F:LaunchU3.exe -a

*Newly Created Service* - AVG7ALRT
*Newly Created Service* - AVG7CORE
*Newly Created Service* - AVG7RSNT
*Newly Created Service* - AVG7RSW
*Newly Created Service* - AVG7UPDSVC
*Newly Created Service* - AVGCLEAN



-- Hosts -----------------------------------------------------------------------

127.0.0.1 .supercocklol.com
127.0.0.1 www..webloyalty.com
127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com

8118 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-07 11:43:34 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 32%
Physical Memory (total/avail): 2038.07 MiB / 1378.39 MiB
Pagefile Memory (total/avail): 3934.51 MiB / 3343.99 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1934.25 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 97.66 GiB total, 70.56 GiB free.
D: is Fixed (NTFS) - 51.31 GiB total, 31.64 GiB free.
E: is CDROM (No Media)
F: is CDROM (CDFS)
G: is Removable (FAT32)
H: is Fixed (NTFS) - 195.38 GiB total, 181.49 GiB free.
I: is Fixed (NTFS) - 102.67 GiB total, 74.64 GiB free.

.PHYSICALDRIVE0 - WDC WD1600JS-75NCB2 - 149.01 GiB - 3 partitions
PARTITION0 - Unknown - 39.19 MiB
PARTITION1 (bootable) - Installable File System - 97.66 GiB - C:
PARTITION2 - Extended w/Extended Int 13 - 51.31 GiB - D:

.PHYSICALDRIVE1 - Maxtor 3200 USB Device - 298.09 GiB - 3 partitions
PARTITION0 - Unknown - 39.19 MiB
PARTITION1 (bootable) - Installable File System - 195.38 GiB - H:
PARTITION2 - Extended w/Extended Int 13 - 102.67 GiB - I:

.PHYSICALDRIVE2 - SanDisk U3 Cruzer Micro USB Device - 3.81 GiB - 1 partition
PARTITION0 - Unknown - 3.81 GiB - G:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

AV: Sophos Anti-Virus v ()
AV: AVG 7.5.519 v7.5.519 (Grisoft) Outdated

[HKLMSystemCurrentControlSetServicesSharedAccessParametersFirewallPolicyDomainProfileAuthorizedApplicationsList]
"%windir%system32sessmgr.exe"="%windir%system32sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLMSystemCurrentControlSetServicesSharedAccessParametersFirewallPolicyStandardProfileAuthorizedApplicationsList]
"%windir%system32sessmgr.exe"="%windir%system32sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:WINDOWSsystem32dpmw32.exe"="C:WINDOWSsystem32dpmw32.exe:*:Enabled:NDPS RPM & Notification Listener"
"C:Program FilesYahoo!MessengerYahooMessenger.exe"="C:Program FilesYahoo!MessengerYahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:Program FilesYahoo!MessengerYServer.exe"="C:Program FilesYahoo!MessengerYServer.exe:*:Enabled:Yahoo! FT Server"
"C:Program FilesBonjourmDNSResponder.exe"="C:Program FilesBonjourmDNSResponder.exe:*:Enabled:Bonjour"
"C:Program FilesKodakKodak EasyShare softwarebinEasyShare.exe"="C:Program FilesKodakKodak EasyShare softwarebinEasyShare.exe:*:Enabled:EasyShare"
"C:Program FilesLunaImagingjresSun1.4.2_05binjavaw.exe"="C:Program FilesLunaImagingjresSun1.4.2_05binjavaw.exe:*:Enabled:javaw"
"C:Program FilesInternet ExplorerIEXPLORE.EXE"="C:Program FilesInternet ExplorerIEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:Program FilesiTunesiTunes.exe"="C:Program FilesiTunesiTunes.exe:*:Enabled:iTunes"
"C:Program FilesMicrosoft OfficeOffice12OUTLOOK.EXE"="C:Program FilesMicrosoft OfficeOffice12OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:Program FilesMicrosoft OfficeOffice12ONENOTE.EXE"="C:Program FilesMicrosoft OfficeOffice12ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:WINDOWSsystem32f06r2jzjv.exe"="C:WINDOWSsystem32f06r2jzjv.exe:*:Enabled:f06r2jzjv"
"C:Program FilesGrisoftAVG7avginet.exe"="C:Program FilesGrisoftAVG7avginet.exe:*:Enabled:avginet.exe"
"C:Program FilesGrisoftAVG7avgamsvr.exe"="C:Program FilesGrisoftAVG7avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:Program FilesGrisoftAVG7avgcc.exe"="C:Program FilesGrisoftAVG7avgcc.exe:*:Enabled:avgcc.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:Documents and SettingsAll Users
APPDATA=C:Documents and SettingsbasquezApplication Data
CLASSPATH=.;C:Program FilesJavajre1.6.0_01libextQTJava.zip
CommonProgramFiles=C:Program FilesCommon Files
COMPUTERNAME=BASQUEZ
ComSpec=C:WINDOWSsystem32cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=
LOGONSERVER=BASQUEZ
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:oracleora92bin;C:Program FilesOraclejre1.3.1bin;C:Program FilesOraclejre1.1.8bin;C:WINDOWSsystem32;C:WINDOWS;C:WINDOWSSystem32Wbem;C:WINDOWSsystem32nls;C:WINDOWSsystem32nlsENGLISH;C:Program FilesQuickTimeQTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0403
ProgramFiles=C:Program Files
PROMPT=$P$G
QTJAVA=C:Program FilesJavajre1.6.0_01libextQTJava.zip
SonicCentral=C:Program FilesCommon FilesSonic SharedSonic Central
SystemDrive=C:
SystemRoot=C:WINDOWS
TEMP=C:DOCUME~1basquezLOCALS~1Temp
TMP=C:DOCUME~1basquezLOCALS~1Temp
USERDOMAIN=BASQUEZ
USERNAME=basquez
USERPROFILE=C:Documents and Settingsbasquez
windir=C:WINDOWS


-- User Profiles ---------------------------------------------------------------

staffclone (admin)
basquez (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\system32\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> C:\WINDOWS\system32\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> C:\WINDOWS\UNINST.EXE -f"C:\Program Files\Adobe\Photoshop 5.0\DeIsL1.isu" -c"C:\Program Files\Adobe\Photoshop 5.0\Uninst.dll"
--> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {E5F42F75-E399-43BD-85FA-8D21DDDAAFC0}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop v4.0 --> C:\WINDOWS\uninst.exe -fC:\Adobe\Photoshop\DeIsL1.isu
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe® Photoshop® Album Starter Edition 3.2 --> MsiExec.exe /I{A654A805-41D9-40C7-AA46-4AF04F044D61}
Advanced Registry Optimizer --> "C:\Program Files\Advanced Registry Optimizer\unins000.exe" /silent
Apple Mobile Device Support --> MsiExec.exe /I{A43B2A2F-1DB5-47F9-A608-F11A4835D7CB}
Apple Software Update --> MsiExec.exe /I{74EC78BC-B379-4E29-9006-8F161DCAABA6}
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Bonjour --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{E0A96F36-D546-4A2A-BDAA-2A2A578B2C0D} /l1034
Broadcom Gigabit Integrated Controller --> MsiExec.exe /X{B7F54262-AB66-44B3-88BF-9FC69941B643}
CCScore --> MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
Centra Client --> C:\PROGRA~1\Centra\Client\bin\updater.exe -uninstall
Dell Resource CD --> MsiExec.exe /X{FCD9CD52-7222-4672-94A0-A722BA702FD0}
eMusic Remote 1.0 --> C:\Program Files\eMusic Remote\uninst.exe
ESSBrwr --> MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}
ESSCDBK --> MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore --> MsiExec.exe /I{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}
ESSgui --> MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESShelp --> MsiExec.exe /I{87843A41-7808-4F2E-B13F-25C1E67CF2FD}
ESSini --> MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD --> MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSSONIC --> MsiExec.exe /I{073F22CE-9A5B-4A40-A604-C7270AC6BF34}
ESSTOOLS --> MsiExec.exe /I{8A502E38-29C9-49FA-BCFA-D727CA062589}
essvatgt --> MsiExec.exe /I{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}
essvcpt --> MsiExec.exe /I{D1973749-F5E7-40EB-B528-F2B78685B9FF}
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2776 PCI\VEN_8086&DEV_2772
iTunes --> MsiExec.exe /I{9357AE3A-B2ED-4138-BB9B-0564352C3F0A}
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
kgcbase --> MsiExec.exe /I{F22C222C-3CE2-4A4B-A83F-AF4681371ABE}
Kodak EasyShare software --> C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_1e0010_2e7fcf\Setup.exe /APR-REMOVE
KSU --> MsiExec.exe /I{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}
Label Program --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{551A1E2A-F1BA-4214-9554-CD9EC1616102}\Setup.exe" OCLCUNINSTALLSTRING
LocationChanger --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\LocationChanger\ST6UNST.LOG"
LocationChanger (C:\Program Files\LocationChanger) --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\LocationChanger\ST6UNST.000"
LocationChanger (C:\Program Files\LocationChanger) #3 --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\LocationChanger\ST6UNST.001"
Lotus Notes 7.0.1 --> MsiExec.exe /I{C5C10BD4-49AA-4C25-ACE6-902A37ED51FF}
Macro Express 3 --> C:\PROGRA~1\MACROE~1\UNWISE.EXE C:\PROGRA~1\MACROE~1\INSTALL.LOG
MarcEdit 5.1 --> C:\Program Files\MarcEdit 5.0\uninst.exe
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office FrontPage 2003 --> MsiExec.exe /I{90170409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Web Publishing Wizard 1.52 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie4x86.inf,WebPostUninstall
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
Notifier --> MsiExec.exe /I{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}
Novell Client for Windows --> %SystemRoot%\system32\rundll32 nwsetup.dll NWUninstallClient
OCLC Connexion client --> MsiExec.exe /I{CF9D9E19-F5D1-4A68-A676-8DAA0862C33C}
OfotoXMI --> MsiExec.exe /I{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}
OTtBP --> MsiExec.exe /I{F71760CD-0F8B-4DCC-B7B7-6B223CC3843C}
OTtBPSDK --> MsiExec.exe /I{3CA39B0C-BA85-4D42-AC0F-1FF5F60C3353}
PowerDVD 5.9 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rhapsody --> C:\PROGRA~1\Rhapsody\Unwise32.exe /A C:\PROGRA~1\Rhapsody\install.log
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Security Update for Excel 2007 (KB936509) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A00724F5-82C4-4924-B707-0E5A84B52471}
Security Update for Office 2007 (KB934062) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {305D509B-F194-4638-9F0F-D9E4C05F9D33}
Security Update for Office 2007 (KB936514) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {C7A78F7F-EF32-4477-BAD7-3439EA7571BF}
Security Update for Publisher 2007 (KB936646) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A32E4BAF-6477-45FA-B8AB-E743FA8D63FF}
SFR --> MsiExec.exe /I{DB02F716-6275-42E9-B8D2-83BA2BF5100B}
SHASTA --> MsiExec.exe /I{605A4E39-613C-4A12-B56F-DEFBE6757237}
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
SKIN0001 --> MsiExec.exe /I{FDF9943A-3D5C-46B3-9679-586BD237DDEE}
SKINXSDK --> MsiExec.exe /I{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}
Sonic Audio module --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic Copy Module --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Sophos Anti-Virus --> MsiExec.exe /X{034759DA-E21A-4795-BFB3-C66D17FAD183}
Sophos AutoUpdate --> MsiExec.exe /X{15C418EB-7675-42BE-B2B3-281952DA014D}
Sophos Remote Management System --> MsiExec.exe /X{FF11005D-CBC8-45D5-A288-25C7BB304121}
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\SETUP.exe" -l0x9 -removeonly
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
Spyware Doctor 5.5 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
staticcr --> MsiExec.exe /I{8943CE61-53BD-475E-90E1-A580869E98A2}
The Print Shop 20 --> MsiExec.exe /I{863DCE5B-D6CA-4DC5-9F95-7DCFED15DE8F}
Update for Office 2007 (KB932080) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {EDC9CA29-6BC1-471C-828C-7A36109005D7}
Update for Office 2007 (KB934391) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {B3091818-7C56-4C45-BE7D-CA23027A5EA5}
Update for Office 2007 (KB934393) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {92FBAD46-E7F6-49FA-89B5-C39FC5BFAD15}
Update for Outlook 2007 (KB937608) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {CBB2454D-193F-4523-8A31-FEB343B7C30E}
Update for Outlook 2007 Junk Email Filter (kb936558) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {B6B2802B-6631-4EBE-A062-44AE0C1F0BED}
Update for Word 2007 (KB934173) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {C6A89125-5473-45E3-B413-ED8186437475}
URGE --> MsiExec.exe /I{8BBF6DFD-0AD9-43A7-9FBD-BF065E3866AF}
Vger Spine Labels --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\VgerSpin\ST6UNST.LOG"
Vger Spine Labels (C:\Program Files\VgerSpin) --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\VgerSpin\ST6UNST.000"
Vger Spine Labels (C:\Program Files\VgerSpin) #3 --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\VgerSpin\ST6UNST.001"
Voyager 5.0.1 Build 1818 --> MsiExec.exe /I{DF600662-21A2-4CD2-82A6-C59FEF8BD6A8}
Voyager 6.1.1 Build 0705 --> MsiExec.exe /I{6EAB287A-2ECC-4D0B-87E0-4F81F8FE26A4}
Voyager 6.5.3 Build 1025 --> MsiExec.exe /I{040CCDE6-DA22-4B6B-98C7-918F621EBA64}
VPRINTOL --> MsiExec.exe /I{999D43F4-9709-4887-9B1A-83EBB15A8370}
Weather Watcher --> "C:\Program Files\Weather Watcher\unins000.exe"
Webshots Desktop --> "C:\Program Files\Webshots\unins000.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WIRELESS --> MsiExec.exe /I{F9593CFB-D836-49BC-BFF1-0E669A411D9F}
WordPerfect Office 12 --> MsiExec.exe /I{20BFD848-897A-48BB-97A7-CDB5A8D4719E}
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe
ZebraDesigner --> "C:\Program Files\ZebraDesigner\unins000.exe"
ZebraNet Utilities --> MsiExec.exe /I{3D3C6E58-7BAA-11D5-8F8F-0010A4EC0ADE}


-- Application Event Log -------------------------------------------------------

Event Record #/Type3812 / Warning
Event Submitted/Written: 04/07/2008 11:43:34 AM
Event ID/Source: 32 / Sophos Anti-Virus
Event Description:
Archivo "C:\WINDOWS\system32\AppCert\wsil32.dll" belongs to virus/spyware 'Troj/Fursto-A'.

Event Record #/Type3811 / Warning
Event Submitted/Written: 04/07/2008 11:43:27 AM
Event ID/Source: 32 / Sophos Anti-Virus
Event Description:
Archivo "C:\WINDOWS\system32\AppCert\wsil32.dll" belongs to virus/spyware 'Troj/Fursto-A'.

Event Record #/Type3810 / Warning
Event Submitted/Written: 04/07/2008 11:43:22 AM
Event ID/Source: 32 / Sophos Anti-Virus
Event Description:
Archivo "C:\WINDOWS\system32\AppCert\wsil32.dll" belongs to virus/spyware 'Troj/Fursto-A'.

Event Record #/Type3809 / Warning
Event Submitted/Written: 04/07/2008 11:43:21 AM
Event ID/Source: 32 / Sophos Anti-Virus
Event Description:
Archivo "C:\WINDOWS\system32\AppCert\wsil32.dll" belongs to virus/spyware 'Troj/Fursto-A'.

Event Record #/Type3808 / Warning
Event Submitted/Written: 04/07/2008 11:43:20 AM
Event ID/Source: 32 / Sophos Anti-Virus
Event Description:
Archivo "C:\WINDOWS\system32\AppCert\wsil32.dll" belongs to virus/spyware 'Troj/Fursto-A'.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type13860 / Error
Event Submitted/Written: 04/07/2008 10:38:57 AM
Event ID/Source: 63 / SAVOnAccessFilter
Event Description:
Failed to obtain volume information from mount manager.

Event Record #/Type13850 / Error
Event Submitted/Written: 04/07/2008 09:18:29 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Computer Browser service terminated with the following error:
%%1460

Event Record #/Type13845 / Error
Event Submitted/Written: 04/07/2008 09:18:29 AM
Event ID/Source: 7022 / Service Control Manager
Event Description:
The Servicio Bonjour service hung on starting.

Event Record #/Type13844 / Error
Event Submitted/Written: 04/07/2008 09:18:29 AM
Event ID/Source: 55 / SAVOnAccessControl
Event Description:
The on-access driver failed to perform a user action on file \Device\HarddiskVolume2\WINDOWS\system32\AppCert\ws.

Event Record #/Type13843 / Error
Event Submitted/Written: 04/07/2008 09:17:51 AM
Event ID/Source: 55 / SAVOnAccessControl
Event Description:
The on-access driver failed to perform a user action on file \Device\HarddiskVolume2\WINDOWS\system32\AppCert\ws.



-- End of Deckard's System Scanner: finished at 2008-04-07 11:43:34 ------------



Bonjour is found in the installed files and cannot be removed. It uses another language and affects the screens with "Cancel" and "OK". Cancel and OK are in English, but not the rest of it. It mysteriously showed up at the same time the trojan hit.

WSUlib

Merged topics and posts. ~ OB

Edited by Orange Blossom, 07 April 2008 - 04:46 PM.



#2 Buckeye_Sam

    Malware Expert

Posted 15 April 2008 - 06:07 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:
I apologize for the delay getting to your log, the helpers here are very busy.

If you still need help, please post a fresh Hijackthis log, in this thread, so I can help you with your malware problems.
If you have resolved this issue please let us know.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 WSULib

  • Topic Starter

Posted 15 April 2008 - 09:13 AM

Hi Buckeye_Sam,

Yes, we are still having a problem. The user can get to her desktop, but the trojan virus still lingers. Here is the HiJackThis report that you requested.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:08:01 AM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Weather Watcher\ww.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Macro Express3\MacExp.exe
C:\PROGRA~1\Webshots\Webshots.scr
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\printerswitcher.exe
C:\Program Files\Rhapsody\rhapsody.exe
C:\Program Files\Rhapsody\rhaphlpr.exe
C:\Voyager\Catalog.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Documents and Settings\basquez\Application Data\U3\0000181B3C613DB7\LaunchPad.exe
C:\Program Files\Internet Explorer\iexplore.exe
G:\Software 07\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6215EBB0-7660-4D8D-9626-86E00BEACAA5} - C:\WINDOWS\system32\dppwin32j.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {FF322FC9-CB96-4D88-AB04-11C48E8C8C17} - c:\windows\system32\avwavk.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Macro Express 3.lnk = C:\Program Files\Macro Express3\MacExp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.listen.com
O15 - Trusted Zone: *.llnwd.net
O15 - Trusted Zone: rhapapp.real.com
O15 - Trusted Zone: *.real.com
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: uzzpvlwl - avwavk.dll (file missing)
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe

--
End of file - 10233 bytes


Thank you,

WSULib

#4 Buckeye_Sam

    Malware Expert

Posted 15 April 2008 - 11:10 AM

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: (no name) - {6215EBB0-7660-4D8D-9626-86E00BEACAA5} - C:\WINDOWS\system32\dppwin32j.dll
O2 - BHO: (no name) - {FF322FC9-CB96-4D88-AB04-11C48E8C8C17} - c:\windows\system32\avwavk.dll (file missing)
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O20 - Winlogon Notify: uzzpvlwl - avwavk.dll (file missing)



Reboot your computer.




Please download ComboFix and save it to your desktop.
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


========================================================

#5 WSULib

  • Topic Starter

Posted 15 April 2008 - 01:10 PM

COMBO FIX LOG

ComboFix 08-04-14.2 - basquez 2008-04-15 12:55:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.34.1033.18.1513 [GMT -5:00]
Running from: C:\Documents and Settings\basquez\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dppwin32j.dll
C:\WINDOWS\system32\drivers\ywcyqqek.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VXMCXEPY
-------\Service_vxmcxepy


((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
.

2008-04-15 12:52 . 2008-04-15 12:52 <DIR> d--h----- C:\WINDOWS\PIF
2008-04-08 11:18 . 2007-12-06 21:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-08 11:18 . 2007-06-30 22:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-08 11:18 . 2007-06-30 22:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-08 11:18 . 2007-12-06 21:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-08 11:18 . 2007-12-06 21:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-08 11:18 . 2007-12-06 21:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-08 11:18 . 2007-12-06 21:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-08 11:18 . 2007-12-06 21:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-08 11:18 . 2007-12-06 06:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-08 11:08 . 2008-04-08 11:08 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-04-08 11:07 . 2008-04-08 11:07 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-04-08 11:06 . 2008-04-08 11:06 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-04-08 11:06 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-04-08 11:04 . 2006-11-13 01:02 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2008-04-08 11:04 . 2006-11-13 01:02 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2008-04-08 11:04 . 2006-11-13 01:02 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2008-04-07 21:07 . 2008-04-07 21:07 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-04-07 16:30 . 2008-04-07 16:30 <DIR> d-------- C:\Documents and Settings\basquez\Application Data\SUPERAntiSpyware.com
2008-04-07 14:44 . 2008-04-07 14:44 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-07 14:44 . 2008-04-07 14:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-07 14:44 . 2008-04-07 14:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-04-07 14:42 . 2008-04-07 14:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-04-07 14:42 . 2008-04-07 14:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-04-07 14:28 . 2008-04-07 14:28 <DIR> d-------- C:\Documents and Settings\basquez\Application Data\Malwarebytes
2008-04-07 14:27 . 2008-04-07 14:27 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-07 14:27 . 2008-04-07 14:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-07 11:37 . 2008-04-07 11:37 <DIR> d-------- C:\Deckard
2008-04-07 10:54 . 2008-04-09 12:32 <DIR> d-------- C:\Documents and Settings\basquez\Application Data\AVG7
2008-04-07 10:53 . 2008-04-07 10:53 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-07 10:53 . 2008-04-07 10:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-07 10:53 . 2008-04-07 15:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-04-07 10:53 . 2008-04-07 10:53 26,944 --a------ C:\WINDOWS\system32\drivers\avg7rsnt.sys
2008-04-07 09:21 . 2008-04-08 11:25 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-07 09:21 . 2008-04-07 09:21 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-03 16:07 . 2008-04-04 12:14 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-03 16:07 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-04-03 16:07 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-04-03 16:07 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-04-03 16:07 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-04-03 16:06 . 2008-04-03 16:09 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-04-03 16:06 . 2008-04-03 16:06 <DIR> d-------- C:\Documents and Settings\basquez\Application Data\PC Tools
2008-04-02 15:05 . 2008-04-02 15:05 4,419,584 --a------ C:\WINDOWS\system32\ValidItUtf8.dll
2008-04-01 17:29 . 2008-04-01 17:29 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-04-01 17:29 . 2008-04-01 17:27 17,920 --a------ C:\WINDOWS\system32\sophosboottasks.exe
2008-04-01 17:27 . 2008-04-01 17:27 101,120 --a------ C:\WINDOWS\system32\drivers\savonaccesscontrol.sys
2008-04-01 17:27 . 2008-04-01 17:27 33,408 --a------ C:\WINDOWS\system32\drivers\savonaccessfilter.sys
2008-04-01 09:27 . 2008-04-01 09:27 <DIR> d-------- C:\Program Files\Common Files\Mozilla Shared
2008-04-01 09:27 . 2008-04-01 09:27 6,454,528 --a------ C:\WINDOWS\system32\jczmugfk.dat
2008-04-01 09:27 . 2008-04-01 09:27 1,015,808 --a------ C:\WINDOWS\system32\libeay32.dll
2008-04-01 09:27 . 2008-04-01 09:27 638,208 --a------ C:\WINDOWS\system32\xsyydtgk.dat
2008-04-01 09:27 . 2008-04-01 09:27 196,608 --a------ C:\WINDOWS\system32\libssl32.dll
2008-04-01 09:27 . 2008-04-01 09:27 120,576 --a------ C:\WINDOWS\system32\mgclfydi.dat
2008-04-01 09:27 . 2008-04-01 09:27 42,752 --a------ C:\WINDOWS\system32\jucfujrz.dat
2008-04-01 09:27 . 2008-04-01 09:27 36,608 --a------ C:\WINDOWS\system32\lxiuegjb.dat
2008-04-01 09:27 . 2008-04-01 09:27 35,072 --a------ C:\WINDOWS\system32\nrwzzcgf.dat
2008-03-31 17:17 . 2008-04-01 17:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sophos
2008-03-31 17:14 . 2008-04-01 17:29 <DIR> d-------- C:\Program Files\Sophos
2008-03-31 17:14 . 2004-08-12 08:17 80,384 --a------ C:\WINDOWS\system32\avwavk.dll.bak
2008-03-31 17:08 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-03-31 17:07 . 2008-03-31 17:07 <DIR> d-------- C:\Program Files\MSBuild
2008-03-31 17:04 . 2008-03-31 17:04 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-03-26 19:46 . 2008-03-26 19:43 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-26 19:46 . 2008-03-26 19:46 2,544 --a------ C:\WINDOWS\unins000.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-15 18:00 --------- d-----w C:\Program Files\Macro Express3
2008-04-15 17:48 --------- d-----w C:\Program Files\Weather Watcher
2008-04-15 17:36 --------- d-----w C:\Documents and Settings\basquez\Application Data\U3
2008-04-11 14:24 --------- d-----w C:\Program Files\LocationChanger
2008-04-11 14:23 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-04-11 14:23 249,856 ------w C:\WINDOWS\Setup1.exe
2008-04-08 02:07 --------- d-----w C:\Program Files\Yahoo!
2008-04-07 19:43 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-07 16:37 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-04 15:35 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-31 22:07 --------- d-----w C:\Program Files\Microsoft Works
2008-03-31 22:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-27 00:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-11 21:43 --------- d-----w C:\Program Files\Rhapsody
2008-02-29 18:09 --------- d-----w C:\Program Files\MarcEdit 5.0
2008-02-20 21:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\FRISK Software
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:18 15360]
"WeatherWatcher"="C:\Program Files\Weather Watcher\ww.exe" [2006-05-21 13:08 946176]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49 4662776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42 1404928]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 10:37 28672 C:\WINDOWS\system32\nwtray.exe]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 16:15 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 16:15 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2006-04-06 10:51 49152]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 05:33 122941]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-05-26 13:01 180269]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:18 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-07 10:53 219136]

C:\Documents and Settings\basquez\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2006-06-06 12:20:29 157008]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - C:\Program Files\Sophos\AutoUpdate\ALMon.exe [2008-04-01 17:28:39 245760]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-14 23:11:40 180224]
Macro Express 3.lnk - C:\Program Files\Macro Express3\MacExp.exe [2006-06-02 15:40:31 2865664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AROReminder]
C:\Program Files\Advanced Registry Optimizer\ARO.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-04-07 10:53 579072 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Centra Launcher]
--a------ 2007-09-10 19:54 241664 C:\Program Files\Centra\Client\bin\centraSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-07-10 09:18 270648 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\dpmw32.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\LunaImaging\\jres\\Sun\\1.4.2_05\\bin\\javaw.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8193:TCP"= 8193:TCP:156.26.1.0/255.255.255.0,156.26.180.0/255.255.255.0:Enabled:TCP_8193_Sophos
"8194:TCP"= 8194:TCP:156.26.1.0/255.255.255.0,156.26.180.0/255.255.255.0:Enabled:TCP_8194_Sophos

R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINDOWS\system32\Drivers\avg7rsnt.sys [2008-04-07 10:53]
R1 SAVOnAccessControl;SAVOnAccessControl;C:\WINDOWS\system32\DRIVERS\savonaccesscontrol.sys [2008-04-01 17:27]
R1 SAVOnAccessFilter;SAVOnAccessFilter;C:\WINDOWS\system32\DRIVERS\savonaccessfilter.sys [2008-04-01 17:27]
S2 jtxyabbx;Keyboard Class Helper;C:\WINDOWS\System32\svchost.exe [2004-08-12 08:30]
S3 OracleOraHome92ClientCache;OracleOraHome92ClientCache;C:\oracle\ora92\BIN\ONRSD.EXE [2002-04-26 19:34]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
jtxyabbx

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60043d07-53be-11db-bb49-001372188416}]
\Shell\AutoRun\command - F:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-15 13:20:16 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\rundll32.exe
"2008-04-09 17:15:01 C:\WINDOWS\Tasks\Weekly Scan.job"
- C:\Program Files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe'{7B86624D-A4FA-4456-8A1D-4BDE7FB12944}
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-15 13:00:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Sophos Message Router]
"ImagePath"="\"C:\Program Files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\PROGRA~1\Webshots\Webshots.scr
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-04-15 13:06:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-15 18:06:37

Pre-Run: 73,498,390,528 bytes free
Post-Run: 73,433,305,088 bytes free
.
2008-04-02 02:38:15 --- E O F ---

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 15 April 2008 - 04:01 PM

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 WSULib

WSULib
  • Topic Starter

  • Members
  • 24 posts
  • Gender:Female

Posted 16 April 2008 - 01:45 PM

Here is the report from F-Secure:

Scanning Report
Wednesday, April 16, 2008 09:56:08 - 13:42:39
Computer name: BASQUEZ
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\


--------------------------------------------------------------------------------

Result: 1 malware found
Tracking Cookie (spyware)
System

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 54281
System: 4554
Not scanned: 6
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 1
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.30.0
F-Secure Hydra: 2.8.8110, 2008-04-16
F-Secure AVP: 7.0.171, 2008-04-16
F-Secure Pegasus: 1.20.0, 2008-02-28
F-Secure Blacklight: 1.0.64
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

--------------------------------------------------------------------------------


#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 16 April 2008 - 05:20 PM

How is your computer behaving now?
Does Sophos still indicate a virus?


========================================================

#9 WSULib

WSULib
  • Topic Starter

  • Members
  • 24 posts
  • Gender:Female

Posted 17 April 2008 - 09:53 AM

Hello,

I have attached 2 screenshots with the latest report (4-17-08) from Sophos. It found something.

I appreciate all your help.

WSULib


#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 17 April 2008 - 06:59 PM

Those are actually false positives. It's detecting Combofix.
Nothing to worry about there.


========================================================

#11 WSULib

WSULib
  • Topic Starter

  • Members
  • 24 posts
  • Gender:Female

Posted 18 April 2008 - 09:56 AM

Ok, Buckeye_Sam,

Then I guess we are clean! Yeah! Thank you for all your expert help to remove the Trojan. We are quite pleased. Donations are coming to Bleepingcomputer.com soon.

WSULib

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 19 April 2008 - 07:37 AM

Sounds good! :blink:

Just a few last things and you should be good to go! :wacko:


First, your log shows that you don't have the recovery console installed.
Check this link for more info on the recovery console and how to get it installed.

How to install and use the Windows XP Recovery Console



===================



Next, let's remove Combofix now that we're done with it and clean up a few other things.
  • Click START then RUN
  • Now type Combofix /u in the Run box and click OK

  • When shown the disclaimer, Select "2"
The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.


==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to disable and re-enable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with the instructions from the tutorial above.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online and stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware, Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:thumbsup: :)
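The Internet Explorer zone settings listed in the post above can be audited afterwards instead of being checked by hand in the Custom Level dialog. The PowerShell script below is an added example, not part of the thread and not code from any tool mentioned in it. It assumes Microsoft's documented registry layout for security zones: the Internet zone lives under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, the numeric value names 1001, 1004, 1201, 1607, 1800 and 1804 correspond to the six settings named in the post, and the data 0, 1 and 3 encode Enable, Prompt and Disable. The function name Test-IEZoneHardening is the example's own.

```powershell
# Added example (not from the thread): report which Internet-zone settings
# differ from the Prompt/Disable choices recommended in the post above.
# Assumption: value names and the 0/1/3 encoding follow Microsoft's documented
# Internet Explorer security-zone registry layout; zone 3 is the Internet zone.
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Recommended settings from the post, keyed by registry value name.
$recommended = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Want = 1 }  # Prompt
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Want = 3 }  # Disable
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }  # Disable
    '1800' = @{ Name = 'Installation of desktop items';                             Want = 1 }  # Prompt
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Want = 1 }  # Prompt
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Want = 1 }  # Prompt
}
$label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-IEZoneHardening {
    param([string]$Path = $zonePath)

    # One object holds every value under the zone key; missing values read as $null.
    $props = Get-ItemProperty -Path $Path -ErrorAction Stop

    foreach ($valueName in ($recommended.Keys | Sort-Object)) {
        $entry  = $recommended[$valueName]
        $actual = $props.$valueName

        if ($null -eq $actual) {
            # Not set explicitly: IE falls back to the zone template default.
            $actualText = 'not set (zone default applies)'
        } else {
            $actualText = $label[[int]$actual]
            if (-not $actualText) { $actualText = "unknown ($actual)" }
        }

        [pscustomobject]@{
            Setting     = $entry.Name
            ValueName   = $valueName
            Current     = $actualText
            Recommended = $label[$entry.Want]
            Compliant   = ($null -ne $actual) -and ([int]$actual -eq $entry.Want)
        }
    }
}

# Usage: list all six settings; anything with Compliant = False still needs changing.
Test-IEZoneHardening | Format-Table -AutoSize
```

Run it in the profile of the user whose browser settings are being checked, since the zone values are per-user (HKCU). A setting that shows as "not set" has never been changed from the zone's template default, so it will still need to be set explicitly through the Custom Level dialog as the post describes.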


========================================================

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 13 May 2008 - 09:21 AM

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.


========================================================