Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Smitfraud-c And Other Infectons - Help With Hj Logfile, Please


  • This topic is locked This topic is locked
8 replies to this topic

#1 TimmyDP

TimmyDP

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:28 AM

Posted 10 April 2008 - 04:29 PM

Hello,
My problems all started in the last week of March when I was hit with numerous fake security warnings. I managed to get rid of that problem by installing Spybot S and D, Windows Defender, and Adaware.

Now, Spybot S and D tells me that I have Smitfraud-C, and wikipedia tels me that Spybot S and D can't actually remove Smitfraud-C.

I have assiduously followed all of the steps in the "I'm Smitten With Smitfraud-c, It won't go away. I've done all I can." post by Aaflac (3/29/08), and now I need someone with more knowledge to take a look at my HijackThis logfile and let me know if there's anything else that needs to be done.

I seem to be symptom-free since following the steps offered by Aaflac in the "I'm Smitten With Smitfraud-c, It won't go away. I've done all I can." post (SDFix, COmboFix, WIndows Recovery Console, HijackThis), but I'm nervous that something might be lingering. My symptoms were never as intense as those in that post...

Thanks,

Tim

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:54:24 PM, on 4/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Digital Media Reader\shwicon2k.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\WINDOWS\LOGI_MWX.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.x96.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} (Quantum Streaming IE VersionManager Class) - http://qmedia.xlontech.net/100170/sdk/late...2ie06041001.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 9515 bytes

BC AdBot (Login to Remove)

 


#2 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  •  
  • Local time:07:28 AM

Posted 12 April 2008 - 03:16 PM

HI

Your hijackthis log is clean, but that doesn't mean your computer is.

Disconnect from the internet Close ALL browser windows (including this one) - run hijackthis and tick to fix (check the box next to) the list below.........when all are ticked (checked) click the Fix Checked button at the bottom. :-

O2 - BHO: (no name) - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)


Do you have a link to the thread by Aaflac, to which you refer ?

Please post the spybot log showing Smitfraud-C ...

I would like to see these logs as well, if you still have them ? SDFix, COmboFix

& ...

Please run a Kaspersky Online Scan

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

Click Accept

You will be promted to install an ActiveX component from Kaspersky,
Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Once finished, save the log to your Desktop as filename KAV.txt
steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware Posted Image

#3 TimmyDP

TimmyDP
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:28 AM

Posted 14 April 2008 - 06:30 PM

Thanks Steam.

It took all day, but I followed your advice and ran a Kaspersky scan. It tells me my system is infected. The Kaspersky log is at the end of this post

Here's the rest of the info you asked for:

link to Aaflac thread:
http://www.bleepingcomputer.com/forums/ind...9&hl=Aaflac

Spybot log:


10.04.2008 11:57:52 - ##### check started #####
10.04.2008 11:57:52 - ### Version: 1.5.2
10.04.2008 11:57:52 - ### Date: 4/10/2008 11:57:52 AM
10.04.2008 11:57:54 - ##### checking bots #####
10.04.2008 12:09:10 - found: Smitfraud-C. Settings
10.04.2008 12:09:10 - found: Smitfraud-C. Settings
10.04.2008 12:09:10 - found: Smitfraud-C. Settings
10.04.2008 12:09:10 - found: Smitfraud-C. Settings
10.04.2008 12:09:10 - found: Smitfraud-C. Settings
10.04.2008 12:09:10 - found: Smitfraud-C. Settings
10.04.2008 12:09:10 - found: Smitfraud-C. Settings
10.04.2008 12:09:10 - found: Smitfraud-C. Browser helper object
10.04.2008 12:09:10 - found: Smitfraud-C. Browser helper object
10.04.2008 12:09:10 - found: Smitfraud-C. Browser helper object
10.04.2008 12:09:10 - found: Smitfraud-C. Browser helper object
10.04.2008 12:09:10 - found: Smitfraud-C. Type library
10.04.2008 12:09:10 - found: Smitfraud-C. Type library
10.04.2008 12:09:10 - found: Smitfraud-C. Settings
10.04.2008 12:09:10 - found: Smitfraud-C. Class ID
10.04.2008 12:09:10 - found: Smitfraud-C. Class ID
10.04.2008 12:09:10 - found: Smitfraud-C. Program directory
10.04.2008 12:09:11 - found: Smitfraud-C. Program directory
10.04.2008 12:09:11 - found: Smitfraud-C. Executable
10.04.2008 12:09:12 - found: Smitfraud-C. Data
10.04.2008 12:09:12 - found: Smitfraud-C. Temporary file
10.04.2008 12:09:12 - found: Smitfraud-C. Data
10.04.2008 12:09:12 - found: Smitfraud-C. Executable
10.04.2008 12:09:12 - found: Smitfraud-C. Executable
10.04.2008 12:09:12 - found: Smitfraud-C. Executable
10.04.2008 12:09:12 - found: Smitfraud-C. Library
10.04.2008 12:09:12 - found: Smitfraud-C. Library
10.04.2008 12:09:12 - found: Smitfraud-C. Library
10.04.2008 12:09:12 - found: Smitfraud-C. Library
10.04.2008 12:09:12 - found: Smitfraud-C. Library
10.04.2008 12:09:13 - found: Smitfraud-C. Library
10.04.2008 12:09:13 - found: Smitfraud-C. Library
10.04.2008 12:09:13 - found: Smitfraud-C. Library
10.04.2008 12:09:13 - found: Smitfraud-C. Library
10.04.2008 12:09:13 - found: Smitfraud-C. Library
10.04.2008 12:09:13 - found: Smitfraud-C. Library
10.04.2008 12:09:13 - found: Smitfraud-C. Library
10.04.2008 12:09:13 - found: Smitfraud-C. Library
10.04.2008 12:09:13 - found: Smitfraud-C. Library
10.04.2008 12:09:13 - found: Smitfraud-C. Library
10.04.2008 12:09:13 - found: Smitfraud-C. Executable
10.04.2008 12:09:13 - found: Smitfraud-C. Executable
10.04.2008 12:09:13 - found: Smitfraud-C. Executable
10.04.2008 12:09:13 - found: Smitfraud-C. Executable
10.04.2008 12:09:13 - found: Smitfraud-C. Executable
10.04.2008 12:09:13 - found: Smitfraud-C. Executable
10.04.2008 12:09:13 - found: Smitfraud-C. Executable
10.04.2008 12:09:13 - found: Smitfraud-C. Executable
10.04.2008 12:09:13 - found: Smitfraud-C. Executable
10.04.2008 12:09:13 - found: Smitfraud-C. Executable
10.04.2008 12:09:13 - found: Smitfraud-C. Executable
10.04.2008 12:09:13 - found: Smitfraud-C. Executable
10.04.2008 12:09:13 - found: Smitfraud-C. Executable
10.04.2008 12:09:13 - found: Smitfraud-C. Executable
10.04.2008 12:09:13 - found: Smitfraud-C. Executable
10.04.2008 12:09:13 - found: Smitfraud-C. Executable
10.04.2008 12:09:13 - found: Smitfraud-C. Executable
10.04.2008 12:09:13 - found: Smitfraud-C. Executable
10.04.2008 12:09:13 - found: Smitfraud-C. Executable
10.04.2008 12:09:13 - found: Smitfraud-C. Executable
10.04.2008 12:09:13 - found: Smitfraud-C. Executable
10.04.2008 12:09:13 - found: Smitfraud-C. Executable
10.04.2008 12:09:13 - found: Smitfraud-C. Executable
10.04.2008 12:09:13 - found: Smitfraud-C. Library
10.04.2008 12:09:13 - found: Smitfraud-C. Executable
10.04.2008 12:09:13 - found: Smitfraud-C. Temporary file
10.04.2008 12:09:13 - found: Smitfraud-C. Temporary file
10.04.2008 12:09:13 - found: Smitfraud-C. Temporary file
10.04.2008 12:09:13 - found: Smitfraud-C. Temporary file
10.04.2008 12:34:32 - found: AdRevolver Tracking cookie (Firefox: default)
10.04.2008 12:34:32 - found: AdRevolver Tracking cookie (Firefox: default)
10.04.2008 12:34:32 - found: AdRevolver Tracking cookie (Firefox: default)
10.04.2008 12:34:32 - found: AdRevolver Tracking cookie (Firefox: default)
10.04.2008 12:34:32 - found: AdRevolver Tracking cookie (Firefox: default)
10.04.2008 12:34:32 - found: AdRevolver Tracking cookie (Firefox: default)
10.04.2008 12:34:32 - found: MediaPlex Tracking cookie (Firefox: default)
10.04.2008 12:34:33 - found: MediaPlex Tracking cookie (Firefox: default)
10.04.2008 12:34:33 - found: BurstMedia Tracking cookie (Firefox: default)
10.04.2008 12:34:33 - found: BurstMedia Tracking cookie (Firefox: default)
10.04.2008 12:34:33 - found: BurstMedia Tracking cookie (Firefox: default)
10.04.2008 12:34:33 - found: CasaleMedia Tracking cookie (Firefox: default)
10.04.2008 12:34:33 - found: CasaleMedia Tracking cookie (Firefox: default)
10.04.2008 12:34:33 - found: CasaleMedia Tracking cookie (Firefox: default)
10.04.2008 12:34:33 - found: CasaleMedia Tracking cookie (Firefox: default)
10.04.2008 12:34:33 - found: CasaleMedia Tracking cookie (Firefox: default)
10.04.2008 12:34:33 - found: CasaleMedia Tracking cookie (Firefox: default)
10.04.2008 12:34:33 - found: DoubleClick Tracking cookie (Firefox: default)
10.04.2008 12:34:33 - found: HitBox Tracking cookie (Firefox: default)
10.04.2008 12:34:33 - found: HitBox Tracking cookie (Firefox: default)
10.04.2008 12:34:33 - found: HitBox Tracking cookie (Firefox: default)
10.04.2008 12:34:33 - found: HitBox Tracking cookie (Firefox: default)
10.04.2008 12:34:33 - found: HitBox Tracking cookie (Firefox: default)
10.04.2008 12:34:33 - found: HitBox Tracking cookie (Firefox: default)
10.04.2008 12:34:33 - found: MediaPlex Tracking cookie (Firefox: default)
10.04.2008 12:34:33 - found: MediaPlex Tracking cookie (Firefox: default)
10.04.2008 12:34:33 - found: FastClick Tracking cookie (Firefox: default)
10.04.2008 12:34:33 - found: FastClick Tracking cookie (Firefox: default)
10.04.2008 12:34:33 - found: FastClick Tracking cookie (Firefox: default)
10.04.2008 12:34:33 - found: FastClick Tracking cookie (Firefox: default)
10.04.2008 12:34:33 - found: FastClick Tracking cookie (Firefox: default)
10.04.2008 12:34:33 - found: FastClick Tracking cookie (Firefox: default)
10.04.2008 12:34:34 - found: HitBox Tracking cookie (Firefox: default)
10.04.2008 12:34:34 - found: HitBox Tracking cookie (Firefox: default)
10.04.2008 12:34:34 - found: MediaPlex Tracking cookie (Firefox: default)
10.04.2008 12:34:34 - found: Statcounter Tracking cookie (Firefox: default)
10.04.2008 12:34:34 - found: Statcounter Tracking cookie (Firefox: default)
10.04.2008 12:34:34 - found: Statcounter Tracking cookie (Firefox: default)
10.04.2008 12:34:34 - found: Statcounter Tracking cookie (Firefox: default)
10.04.2008 12:34:34 - found: Statcounter Tracking cookie (Firefox: default)
10.04.2008 12:34:34 - found: Statcounter Tracking cookie (Firefox: default)
10.04.2008 12:34:34 - found: Statcounter Tracking cookie (Firefox: default)
10.04.2008 12:34:35 - found: Zedo Tracking cookie (Firefox: default)
10.04.2008 12:34:35 - found: Zedo Tracking cookie (Firefox: default)
10.04.2008 12:34:35 - found: Zedo Tracking cookie (Firefox: default)
10.04.2008 12:34:35 - found: Zedo Tracking cookie (Firefox: default)
10.04.2008 12:34:35 - found: Zedo Tracking cookie (Firefox: default)
10.04.2008 12:34:35 - found: Zedo Tracking cookie (Firefox: default)
10.04.2008 12:34:35 - found: Zedo Tracking cookie (Firefox: default)
10.04.2008 12:34:35 - found: Zedo Tracking cookie (Firefox: default)
10.04.2008 12:34:35 - found: Zedo Tracking cookie (Firefox: default)
10.04.2008 12:34:35 - found: Zedo Tracking cookie (Firefox: default)
10.04.2008 12:34:35 - found: HitsLink Tracking cookie (Firefox: default)
10.04.2008 12:34:35 - found: CoreMetrics Tracking cookie (Firefox: default)
10.04.2008 12:34:35 - found: AdRevolver Tracking cookie (Firefox: default)
10.04.2008 12:34:35 - found: AdRevolver Tracking cookie (Firefox: default)
10.04.2008 12:34:35 - found: AdRevolver Tracking cookie (Firefox: default)
10.04.2008 12:34:35 - found: AdRevolver Tracking cookie (Firefox: default)
10.04.2008 12:34:35 - found: AdRevolver Tracking cookie (Firefox: default)
10.04.2008 12:34:35 - found: AdRevolver Tracking cookie (Firefox: default)
10.04.2008 12:34:35 - found: WebTrends live Tracking cookie (Firefox: default)
10.04.2008 12:34:36 - found: BurstMedia Tracking cookie (Firefox: default)
10.04.2008 12:35:06 - ##### check finished #####



SDFix log:


SDFix: Version 1.168
Run by Owner on Thu 04/10/2008 at 01:27 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\pac.txt - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 13:38:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\ArcGIS\\Bin\\ArcMap.exe"="C:\\Program Files\\ArcGIS\\Bin\\ArcMap.exe:*:Enabled:ArcMap"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.5"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Disabled:RealPlayer"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 8 Apr 2008 6,104,632 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Tue 21 Jun 2005 45,568 A.SHR --- "C:\Program Files\Replay AV 8\cygz.dll"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Tue 26 Jun 2007 80 ..SHR --- "C:\WINDOWS\system32\FAA2360CA7.dll"
Wed 23 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BIT1AA.tmp"

Finished!


ComboFix Log:



ComboFix 08-04-09.9 - Owner 2008-04-10 14:35:15.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.522 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\CPV.stt
C:\WINDOWS\system32\iDlo01
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-03-10 to 2008-04-10 )))))))))))))))))))))))))))))))
.

2008-04-10 14:04 . 2008-04-10 14:04 <DIR> d-------- C:\temp
2008-04-10 13:22 . 2008-04-10 13:22 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-10 13:21 . 2008-04-10 13:42 <DIR> d-------- C:\SDFix
2008-04-10 12:45 . 2008-04-10 12:45 96,577 --a------ C:\WINDOWS\hpqins16.dat
2008-04-09 12:20 . 2008-04-09 12:20 71,672 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-04-03 10:25 . 2008-04-03 10:25 <DIR> d-------- C:\Program Files\iPod
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-27 13:59 . 2008-04-10 12:36 135 --a------ C:\WINDOWS\wininit.ini
2008-03-27 12:50 . 2008-03-27 12:50 <DIR> d-------- C:\Program Files\Windows Defender
2008-03-27 12:33 . 2008-03-27 12:33 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-27 12:33 . 2008-03-27 14:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-27 11:12 . 2008-03-27 11:10 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-03-27 11:10 . 2008-03-27 11:17 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-03-26 14:42 . 2008-03-26 14:42 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-26 14:42 . 2008-03-26 14:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-26 13:36 . 2008-03-26 13:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\byvsrehy
2008-03-17 20:19 . 2008-03-17 21:30 <DIR> d-------- C:\My Web Sites
2008-03-13 15:15 . 2008-03-17 22:01 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Audacity
2008-03-13 15:14 . 2008-03-13 15:14 <DIR> d-------- C:\Program Files\Audacity 1.3 Beta (Unicode)
2008-03-13 12:27 . 2008-03-17 19:45 <DIR> d-------- C:\My Recordings
2008-03-13 12:19 . 2008-03-13 12:19 <DIR> d-------- C:\Program Files\FREE Hi-Q Recorder
2008-03-13 11:50 . 2007-03-04 05:55 1,936,528 --a------ C:\WINDOWS\system32\ltmm15.dll
2008-03-13 11:50 . 2007-03-04 05:55 135,168 --a------ C:\WINDOWS\system32\DSKernel2.dll
2008-03-13 11:49 . 2008-03-13 11:49 <DIR> d-------- C:\Program Files\Replay Converter
2008-03-13 11:47 . 2008-03-13 12:53 <DIR> d-------- C:\Program Files\Replay AV 8
2008-03-13 11:40 . 2008-03-13 11:48 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\GetRightToGo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-10 18:44 --------- d-----w C:\Program Files\HP
2008-04-10 16:00 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2008-04-09 21:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-08 20:34 --------- d-----w C:\Program Files\Picasa2
2008-04-04 16:15 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
2008-04-03 16:26 --------- d-----w C:\Program Files\iTunes
2008-04-03 16:15 --------- d-----w C:\Program Files\QuickTime
2008-03-27 20:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-03-26 20:41 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-13 18:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-23 02:38 43,872 ----a-w C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-14 22:06 --------- d-----w C:\Program Files\Common Files\ESRI
2008-02-14 00:56 --------- d-----w C:\Documents and Settings\Owner\Application Data\Move Networks
2008-02-12 22:49 --------- d-----w C:\Program Files\DataEast
2008-02-12 20:17 --------- d-----w C:\Program Files\dnrgarmin
2008-02-12 20:11 --------- d-----w C:\Program Files\gpsbabel-1.3.4
2008-01-29 18:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
2007-02-27 18:45 2,437 ----a-w C:\Program Files\INSTALL.LOG
2006-02-19 09:28 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
1998-06-19 19:23 270,848 ----a-w C:\Program Files\UNWISE.EXE
2007-06-26 21:19 80 --sh--r C:\WINDOWS\system32\FAA2360CA7.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 14:00 200704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 14:42 212992]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 13:50 155648]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-03-26 12:20 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-03-26 12:20 499712]
"SunKist"="C:\Program Files\Digital Media Reader\shwicon2k.exe" [2004-05-26 19:57 139264]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-07-09 21:25 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-07-09 21:13 114688]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 21:42 32768]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 08:55 61440]
"Logitech Utility"="LOGI_MWX.EXE" [2003-12-17 10:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 15:48 479232]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 12:23 579072]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 19:51 233472]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2006-01-13 01:14 188416]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 09:29 219136]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [2007-01-15 12:03:26 1742384]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-01-26 10:18:18 124912]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 07:56:20 73728]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\ArcGIS\\Bin\\ArcMap.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1766:UDP"= 1766:UDP:Windows Media Format SDK (iexplore.exe)
"1767:UDP"= 1767:UDP:Windows Media Format SDK (iexplore.exe)
"1779:UDP"= 1779:UDP:Windows Media Format SDK (iexplore.exe)

S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2006-11-28 22:46]
S3 DLKRCB;D-Link DFE-690TXD CardBus PC Card;C:\WINDOWS\system32\DRIVERS\DLKRCB.SYS [2001-10-15 21:38]
S3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2003-12-17 10:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{260a5299-025e-11dd-b82f-000325126c1b}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b5f0efa-c8f8-11db-b6db-000325126c1b}]
\Shell\AutoRun\command - rundll32.exe url.dll,FileProtocolHandler LapNetWizard.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6ccb371-a4c3-11db-8270-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2007-09-26 00:37:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-01-18 16:07:37 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2007-01-18 16:07:38 C:\WINDOWS\Tasks\ISP signup reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2008-04-10 20:00:33 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 14:38:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-10 14:39:46
ComboFix-quarantined-files.txt 2008-04-10 20:39:40
Pre-Run: 47,751,077,888 bytes free
Post-Run: 47,736,111,104 bytes free
.
2008-04-10 19:16:41 --- E O F ---


Finally, KAV.txt:


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, April 14, 2008 5:15:33 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/04/2008
Kaspersky Anti-Virus database records: 704086
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 203519
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 04:55:24

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-03272008-125143.log Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\temp\MpCmdRun-1A-421CFC91-A93E-42AB-A35C-F06F127FCC44.lock Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\temp\MpCmdRun.log Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2vq4oexd.default\cert8.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2vq4oexd.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2vq4oexd.default\history.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2vq4oexd.default\key3.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2vq4oexd.default\parent.lock Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2vq4oexd.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2vq4oexd.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini.inuse Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\2vq4oexd.default\Cache\9DE49028d01 Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\2vq4oexd.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\2vq4oexd.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\2vq4oexd.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\2vq4oexd.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008041420080415\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFB0CF.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFF90B.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFFED8.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~WRC0000.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Gateway_Specific.dat Object is locked skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Gateway_Specific_UK.dat Object is locked skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Gateway_Specific_Vista.dat Object is locked skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Gateway_Specific_Vista_UK.dat Object is locked skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Microsoft_Security.dat Object is locked skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Microsoft_Security_UK.dat Object is locked skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Urgent.dat Object is locked skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Welcome.dat Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP168\A0030428.exe Infected: not-a-virus:Downloader.Win32.Agent.ak skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP172\A0031223.dll Object is locked skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP180\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{0DB86898-5476-4318-8E7F-B942960E17C9}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\TMP00000001E2565E5667EFC1C2 Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\work\GOBs\BHLP\Guides\Volunteer Guide\BHLP_Volunteer_Guide_2007.doc Object is locked skipped

Scan process completed.


Thanks for any additional help.

Kaspersky wants me to buy to fix - should I do so?

Thanks,


TIm

#4 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  •  
  • Local time:07:28 AM

Posted 15 April 2008 - 04:04 PM

Hi

Kaspersky wants me to buy to fix - should I do so?


NO ... we can easily fix that ...

This will clear all your infected restore points...

Turn off (Disable) System Restore in XP :-

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.

Then...

Turn on (enable) System Restore :-

Follow the same procedure, but this time uncheck Turn off System Restore

if you have any problem with this... here's a link to instructions :-


Disabling or enabling Windows XP System Restore >

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

-
Did you ask spybot to fix those entries ?

Some entries in wikipedia are not to be taken seriously ...

Download Superantispyware.

http://www.superantispyware.com/

Once downloaded and installed update the definitions
and then run a full system scan quarantine what it finds!

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)

http://www.superantispyware.com/definitions.html

* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware Posted Image

#5 TimmyDP

TimmyDP
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:28 AM

Posted 16 April 2008 - 12:45 PM

Thanks Steam,

I did ask spybot to fix those entries.

I hear ya on wikipedia...

I followed your instructions on the system restore points, and I installed and ran superantispyware.
The log is below.

A ? - Is one of these spyware detectors enough to use on its own, or should I be running all 3, superantispyware, adaware and spybot S and D, every day?

Thanks so much for your help!

Tim

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/16/2008 at 11:07 AM

Application Version : 4.0.1154

Core Rules Database Version : 3439
Trace Rules Database Version: 1431

Scan type : Complete Scan
Total Scan Time : 01:05:53

Memory items scanned : 618
Memory threats detected : 0
Registry items scanned : 15435
Registry threats detected : 0
File items scanned : 22168
File threats detected : 22

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt
C:\Documents and Settings\Owner\Cookies\owner@imrworldwide[2].txt
C:\Documents and Settings\Owner\Cookies\owner@media.adrevolver[1].txt
C:\Documents and Settings\Owner\Cookies\owner@tacoda[2].txt
C:\Documents and Settings\Owner\Cookies\owner@realmedia[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.revsci[1].txt
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[2].txt
C:\Documents and Settings\Owner\Cookies\owner@specificclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@zedo[1].txt
C:\Documents and Settings\Owner\Cookies\owner@apmebf[2].txt
C:\Documents and Settings\Owner\Cookies\owner@fastclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
C:\Documents and Settings\Owner\Cookies\owner@adbrite[2].txt
C:\Documents and Settings\Owner\Cookies\owner@3.adbrite[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adopt.euroclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@adrevolver[2].txt
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@anad.tacoda[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@apmebf[1].txt

Trojan.Unclassified/Multi-Dropper (Packed)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\BYVSREHY\VGJOVQTE.EXE

#6 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  •  
  • Local time:07:28 AM

Posted 16 April 2008 - 02:15 PM

HI

Everything looks OK ..

Please Download CCleaner from :-

http://www.filehippo.com/download_ccleaner/ (click the download tab)

During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.

doubleclick the ccsetup.exe file and install the program...

After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

Make sure the "windows" tab is selected

Under "internet explorer" tick...

Temporary internet files
Cookies* > see Note below
History
Recently typed URL's
(leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history


under "Windows explorer" these are optional, but you can safely tick them all if you wish, they are only "most recently used lists"

Other explorer MRU's
(leave this unticked if you DON'T want to clear lists such as the start\run list)

under "System"

Tick ALL these ...


under "Advanced"

no need to tick any of these (but you can if you want, and realise what they do)


Applications tab...

These will mostly clean out old log files for these applications...

Clean:- (if you use them)

Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm

...
Personally I clean everything in the applications tab... but you tick what you want...

Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.

click "analyse" if you want to see a list of what is going to be removed, before it is removed.

Or

click "run cleaner" to let it get on with it's work... clicking this will result in the following pop-up

"This process will permanently delete files from your system. Are you sure you wish to proceed?"

click OK.

When Ccleaner has finished - run spybot again & post the log if it still shows anything it can't delete

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware Posted Image

#7 TimmyDP

TimmyDP
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:28 AM

Posted 16 April 2008 - 07:04 PM

Steam,

I followed your instructions on Ccleaner, and ran spybot again. The log looks fine - nothing it couldn't fix.

I have two more questions.

1) Is one of these spyware detectors enough to use on its own, or should I be running all 3, superantispyware, adaware and spybot S and D, every day?

2) What is a typical/average or appropriate donation for your help? I am in the US and I notice you're set up for British Pounds... Sorry my nation's policies have wrecked our currency's value.

Thanks again for all your help!

Tim

Edited by TimmyDP, 16 April 2008 - 07:14 PM.


#8 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  •  
  • Local time:07:28 AM

Posted 17 April 2008 - 02:38 PM

Hi

Is one of these spyware detectors enough to use on its own, or should I be running all 3, superantispyware, adaware and spybot S and D, every day?


I would keep all 3 programs (in fact I do have all 3) just have one of them running realtime protection (I use spybots teatimer) I update all the programs & run a scan once a week, (or when there may be a problem) I think running them daily is overkill, There are other programs you can install to improve your computers security ...

Have a look here :-

Simple steps to keep your computer secure! By Grinler > http://www.bleepingcomputer.com/forums/t/1628/simple-steps-to-keep-your-computer-secure/

& here :-

So how did I get infected in the first place? By TonyKlein > http://forums.spybot.info/showthread.php?t=279

-
You can donate in any currency, it will be converted to British Pounds, I don't like to set an amount for a donation, My help is free & always will be, however a small donation helps me to spend more time helping in the forums, what is an appropriate amount for one person, may not be for another, so I must leave that up to you.

As for "Sorry my nation's policies have wrecked our currency's value." our present government has totally wrecked our economy, The British Pound is worth 20% less against the Euro than it was at this time last year ...

Happy surfing

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware Posted Image

#9 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  •  
  • Local time:07:28 AM

Posted 24 June 2008 - 03:38 PM

Hi

You're very welcome :thumbsup:

As this thread is resolved, :blink: it is now locked.

If the original poster would like it re-opened, please send me a PM with a link to this thread.

cheers

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users