Winfixer Ad Popup / Virtumonde Infection I Think!


  • This topic is locked
14 replies to this topic

#1 paulreden

paulreden

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:40 PM

Posted 06 July 2008 - 06:35 AM

My Avast anti-virus seemed to detect the problem but not before some changes had been made to my computer. Firstly, Windows Automatic Update has been disabled and I can't enable it either via the Control Panel or via services.msc (it just defaults to disabled). It also removed all the System Restore points prior to the infection. Now getting all sorts of annoying pop-ups and attacks from virus/trojan. Can anyone help? I'm running XP Professional and am moderately computer literate. I have tried Vundofix which detected a couple of infections but problems remain.
Deckard's System Scanner v20071014.68
Run by Paul on 2008-07-06 12:06:36
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
85: 2008-07-06 11:06:55 UTC - RP618 - Deckard's System Scanner Restore Point
84: 2008-07-06 09:21:51 UTC - RP617 - Installed Windows Internet Explorer 7.
83: 2008-07-06 09:19:23 UTC - RP616 - Installed Windows IDNMitigationAPIs.
82: 2008-07-06 09:18:11 UTC - RP615 - Installed Windows NLSDownlevelMapping.
81: 2008-07-06 09:16:37 UTC - RP614 - Installed Windows XP KB915865.


-- First Restore Point --
1: 2008-07-03 19:34:39 UTC - RP534 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Paul.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:08:10, on 06/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\windows\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe
C:\Program Files\Kontiki\KService.exe
C:\windows\system32\svchost.exe
C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
C:\windows\system32\wscntfy.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
C:\windows\system32\rundll32.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\Program Files\Belkin\F5D7050v5\Belkinwcui.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\eAcceleration\Station\station_bk.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Paul\Desktop\dss.exe
C:\DOCUME~1\Paul\LOCALS~1\TEMPOR~1\Content.IE5\2ZONQLKJ\Paul.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
F2 - REG:system.ini: UserInit=C:\windows\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5D72C2A4-9AC6-4727-A705-CEA1F0220B78} - C:\windows\system32\mlJdcBUm.dll
O2 - BHO: (no name) - {768A33CA-285E-42FF-B94B-EDE77D5AE6D7} - C:\windows\system32\tuvUNFwx.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B14393D6-7F50-40B1-B376-CB67FC7B5874} - C:\windows\system32\wvUMGVmk.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [StopSignSsSsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll",VerifyStatus
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [3cb37b9a] rundll32.exe "C:\windows\system32\xrgyykda.dll",b
O4 - HKLM\..\RunOnce: [StopSignSsSsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll",VerifyStatus /ro
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Belkin Wireless G USB Adapter Client Utility.lnk = ?
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - D:\Player\__CDS2.dll (file missing)
O20 - Winlogon Notify: mlJdcBUm - C:\windows\SYSTEM32\mlJdcBUm.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - ALWIL Software - (no file)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - (no file)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: eAcceleration Notification Service (eac_notifysvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
O23 - Service: eAcceleration Product Manager Service (eac_productsvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8678 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - shell\open\command - NOTEPAD.EXE %1
.reg - regfile - shell\open\command - NOTEPAD.EXE %1
.scr - scrfile - shell\open\command - NOTEPAD.EXE %1
.vbs - VBSFile - shell\open\command - NOTEPAD.EXE %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.5.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.5.0>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S3 e8500e25-8367-45c9-8705-ff7d05682541 - d:\player\cds300.dll (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >

S3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-07-06 12:09:01 256 --a------ C:\windows\Tasks\Check Updates for Windows Live Toolbar.job
2008-07-06 10:29:29 436 --a------ C:\windows\Tasks\RegCure Program Check.job
2008-07-06 09:33:47 370 --a------ C:\windows\Tasks\RegCure.job
2008-06-05 10:18:00 262 --a------ C:\windows\Tasks\Uniblue SpyEraser Nag.job
2008-06-04 10:02:05 284 --a------ C:\windows\Tasks\AppleSoftwareUpdate.job
2007-06-21 10:18:37 336 --a------ C:\windows\Tasks\Uniblue SpyEraser.job


-- Files created between 2008-06-06 and 2008-07-06 -----------------------------

2008-07-06 11:10:38 0 d-------- C:\!KillBox
2008-07-06 11:00:01 0 d-------- C:\Program Files\Windows Live Safety Center
2008-07-06 10:59:54 0 d-------- C:\windows\LastGood
2008-07-06 09:59:20 0 d--h----- C:\windows\system32\GroupPolicy
2008-07-06 09:33:34 0 d-------- C:\Program Files\RegCure
2008-07-06 09:21:20 0 d--h----- C:\Program Files\WindowsUpdate
2008-07-06 08:53:06 89088 --a------ C:\windows\system32\xrgyykda.dll
2008-07-05 12:02:01 0 d-------- C:\Documents and Settings\sam\Application Data\eAcceleration
2008-07-04 20:00:31 0 d-------- C:\Documents and Settings\Hope\SecurityScans
2008-07-04 18:20:59 0 d-------- C:\Documents and Settings\Hope\Application Data\eAcceleration
2008-07-04 18:15:03 0 d-------- C:\Documents and Settings\Mercy\Application Data\eAcceleration
2008-07-04 17:29:37 89088 --a------ C:\windows\system32\tnphouhy.dll
2008-07-04 17:28:55 224605 --ahs---- C:\windows\system32\kmVGMUvw.ini2
2008-07-04 17:28:47 318720 --a------ C:\windows\system32\wvUMGVmk.dll
2008-07-04 16:59:23 0 d-------- C:\VundoFix Backups
2008-07-04 16:02:33 0 d-------- C:\Program Files\Acceleration Software
2008-07-04 16:01:32 0 d-------- C:\Documents and Settings\Paul\Application Data\eAcceleration
2008-07-04 16:00:04 0 d-------- C:\Documents and Settings\All Users\Application Data\eAcceleration
2008-07-04 15:59:36 0 d-------- C:\Program Files\eAcceleration
2008-07-04 15:59:06 0 d-------- C:\Program Files\Common Files\eAcceleration
2008-07-04 12:12:53 4388 --a------ C:\windows\smflt.dll
2008-07-04 11:25:03 0 d-------- C:\Documents and Settings\Paul\SecurityScans
2008-07-04 11:24:11 0 d-------- C:\Program Files\Microsoft Baseline Security Analyzer 2
2008-07-03 20:39:40 2633728 --a------ C:\Documents and Settings\Hope\ntuser.dat
2008-07-03 20:39:36 3276800 --a------ C:\Documents and Settings\sam\ntuser.dat
2008-07-03 20:28:45 28800 --a------ C:\windows\system32\mlJdcBUm.dll
2008-07-03 20:24:00 0 d-------- C:\Program Files\Antivirus 2008 PRO
2008-06-15 13:27:18 0 d-------- C:\Documents and Settings\Mercy\Application Data\ZoomBrowser EX
2008-06-07 13:18:48 0 d-------- C:\Documents and Settings\Mercy\Application Data\PC Suite
2008-06-07 12:09:49 0 d-------- C:\Documents and Settings\sam\Application Data\Nokia Multimedia Player


-- Find3M Report ---------------------------------------------------------------

2008-07-06 11:56:49 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-07-04 15:59:06 0 d-------- C:\Program Files\Common Files
2008-06-07 11:26:46 0 d-------- C:\Documents and Settings\Paul\Application Data\ZoomBrowser EX
2008-06-06 19:41:48 0 d-------- C:\Documents and Settings\Paul\Application Data\OpenOffice.org2
2008-05-30 15:16:20 0 d-------- C:\Documents and Settings\Paul\Application Data\PC Suite
2008-05-29 17:37:29 0 d-------- C:\Program Files\Common Files\Nokia
2008-05-29 17:37:26 0 d-------- C:\Program Files\Common Files\PCSuite
2008-05-29 17:36:47 0 d-------- C:\Program Files\DIFX
2008-05-29 17:36:10 0 d-------- C:\Program Files\PC Connectivity Solution
2008-04-07 10:06:21 4212 ---h----- C:\windows\system32\zllictbl.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D72C2A4-9AC6-4727-A705-CEA1F0220B78}]
03/07/2008 20:28 28800 --a------ C:\windows\system32\mlJdcBUm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{768A33CA-285E-42FF-B94B-EDE77D5AE6D7}]
C:\windows\system32\tuvUNFwx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B14393D6-7F50-40B1-B376-CB67FC7B5874}]
04/07/2008 17:28 318720 --a------ C:\windows\system32\wvUMGVmk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
20/02/2008 11:01 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [20/02/2008 11:01 262144]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"adiras"="adiras.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [16/05/2008 00:19]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [13/03/2008 23:11]
"SoftwareStation"="C:\Program Files\eAcceleration\Station\station.exe" [16/04/2008 00:30]
"StopSignSsTsMon"="C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll" [21/04/2008 18:20]
"StopSignSsSsMon"="C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll" [21/04/2008 18:20]
"webscan"="C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" [15/05/2008 00:06]
"3cb37b9a"="C:\windows\system32\xrgyykda.dll" [06/07/2008 08:53]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\windows\system32\ctfmon.exe" [04/08/2004 00:56]
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe" [20/12/2006 12:38]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"StopSignSsSsMon"=Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll",VerifyStatus /ro

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless G USB Adapter Client Utility.lnk - C:\Program Files\Belkin\F5D7050v5\Belkinwcui.exe [11/03/2008 18:23:56]
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [03/11/2006 10:33:02]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5D72C2A4-9AC6-4727-A705-CEA1F0220B78}"= C:\windows\system32\mlJdcBUm.dll [03/07/2008 20:28 28800]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJdcBUm]
mlJdcBUm.dll 03/07/2008 20:28 28800 C:\WINDOWS\system32\mlJdcBUm.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\windows\system32\wvUMGVmk

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"




-- Hosts -----------------------------------------------------------------------

127.0.0.1 bin.errorprotector.com ## added by CiD
127.0.0.1 br.errorsafe.com ## added by CiD
127.0.0.1 br.winantivirus.com ## added by CiD
127.0.0.1 br.winfixer.com ## added by CiD
127.0.0.1 cdn.drivecleaner.com ## added by CiD
127.0.0.1 cdn.errorsafe.com ## added by CiD
127.0.0.1 cdn.winsoftware.com ## added by CiD
127.0.0.1 de.errorsafe.com ## added by CiD
127.0.0.1 de.winantivirus.com ## added by CiD
127.0.0.1 download.cdn.drivecleaner.com ## added by CiD

60 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-06 12:12:01 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.30GHz
Percentage of Memory in Use: 59%
Physical Memory (total/avail): 766.8 MiB / 313.21 MiB
Pagefile Memory (total/avail): 1237.36 MiB / 703.45 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1922.71 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 76.33 GiB total, 32.96 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Maxtor 4R080J0 - 76.33 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 76.33 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: ZoneAlarm Firewall v7.0.470.000 (Check Point, LTD.)
AV: StopSign Antivirus FREE TRIAL diagnostic version v1.0.0.1 (eAcceleration Corp)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Morpheus\\Morpheus.exe"="C:\\Program Files\\Morpheus\\Morpheus.exe:*:Enabled:Morpheus"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Paul\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=COMP1
ComSpec=C:\windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Paul
LOGONSERVER=\\COMP1
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\PC Connectivity Solution\;C:\windows\system32;C:\windows;C:\windows\System32\Wbem;"C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier";C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0207
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\windows
TEMP=C:\DOCUME~1\Paul\LOCALS~1\Temp
TMP=C:\DOCUME~1\Paul\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=COMP1
USERNAME=Paul
USERPROFILE=C:\Documents and Settings\Paul
windir=C:\windows


-- User Profiles ---------------------------------------------------------------

sam (admin)
Paul (admin)
Kate (admin)
Mercy (admin)
Hope (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Acceleration Software\Anti-Virus\ws_uninst.exe" -s
--> "C:\Program Files\eAcceleration\Station\station.exe" /UnRegister
--> C:\PROGRA~1\ACCELE~1\ANTI-V~1\regsvr32.exe /u /s C:\PROGRA~1\ACCELE~1\ANTI-V~1\ssupload.dll
--> C:\PROGRA~1\ACCELE~1\ANTI-V~1\regsvr32.exe /u /s C:\PROGRA~1\ACCELE~1\ANTI-V~1\vclnr.dll
--> C:\PROGRA~1\COMMON~1\EACCEL~1\SysSnap\syssnap.exe -UnregServer
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{836612F0-1571-4C65-A4B7-58A39AA578EE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9B7A778E-AF38-4341-9EA0-1FC981106ADA}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E54F486-CD4A-44A5-B041-16D4E1E56A53}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CB99E420-8071-48F9-9567-4A53BE7569C4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D524239C-FD5C-4183-A49C-7930915A9C0A}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D9A812DA-143D-4780-BEDC-FD6D41386317}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DAB2EE2E-EF1F-4410-BA50-C3BFBE651F92}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD2D9012-E5A1-4717-8EE9-8DB3F36E2F8C}\setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
4oD --> MsiExec.exe /I {8B7443F5-E141-42A0-AB61-ED2331AAD606}
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Age of Mythology --> "C:\Program Files\Microsoft Games\Age of Mythology\UNINSTAL.EXE" /runtemp /addremove
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Arthur's Pet Chase --> C:\WINDOWS\TLCUninstall.exe -f "C:\Program Files\GSP\Arthur\Arthur's Pet Chase\Uninstall.xml"
AudibleManager --> C:\Program Files\Audible\Bin\Upgrade.exe /Uninstall
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
BBC iPlayer Download Manager --> MsiExec.exe /I {D466F3D9-510C-4729-B7D4-2E70490E4CDF}
Belkin Wireless G USB Adapter Software --> C:\Program Files\InstallShield Installation Information\{D593C72C-435B-4171-8106-9CA8AA34D716}\SETUP.EXE -v"ISSCRIPTCMDLINE=\"-d -zREMOVE\"" -l0x0009 -removeonly
BRATZ - Rock Angelz --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9C92937F-7E79-4A32-AB80-BD7637146308}\setup.exe" -l0x9 -uninst
Canon Camera Access Library --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CAL\Uninst.ini"
Canon Camera Support Core Library --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CSCLIB\Uninst.ini"
Canon Camera Window DC_DV 5 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC\Uninst.ini"
Canon Camera Window DC_DV 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Camera Window MC 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowMC\Uninst.ini"
Canon G.726 WMP-Decoder --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\G726Decoder\G726DecUnInstall.ini"
CANON iMAGE GATEWAY Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\CRWUnInstall.ini"
Canon Internet Library for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\CIGUnInstall.ini"
Canon iP1800 series --> "C:\WINDOWS\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP1800_series\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP1800_series /L0x0009
Canon MovieEdit Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\MVWUninst.ini"
Canon RAW Image Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\RAW Image Task\Uninst.ini"
Canon RemoteCapture Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"
Canon Utilities Easy-LayoutPrint --> C:\Program Files\Canon\Easy-LayoutPrint\uninst.exe uninst.ini
Canon Utilities Easy-PhotoPrint --> C:\Program Files\Canon\Easy-PhotoPrint\uninst.exe uninst.ini
Canon Utilities Easy-PrintToolBox --> C:\Program Files\Canon\Easy-PrintToolBox\uninst.exe uninst.ini
Canon Utilities EOS Utility --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\EOS Utility\Uninst.ini"
Canon Utilities PhotoStitch --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\PhotoStitch\Uninst.ini"
Canon Utilities ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\Uninst.ini"
CD Burning 4 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{31BBD146-CCC2-4E3F-B560-4D3906E2B041}\setup.exe" -l0x9 -removeonly
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Dogz (remove only) --> "C:\Program Files\Ubisoft\Dogz\uninstall.exe" 1033
Free Window Registry Repair --> C:\PROGRA~1\FREEWI~1\UNWISE.EXE C:\PROGRA~1\FREEWI~1\INSTALL.LOG
HijackThis 2.0.2 --> "C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\2ZONQLKJ\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\windows\$NtUninstallKB929399$\spuninst\spuninst.exe"
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
iolo technologies' System Mechanic 6 --> "C:\Program Files\iolo\System Mechanic 6\unins000.exe"
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
LimeWire 4.16.6 --> "C:\Program Files\LimeWire\uninstall.exe"
Map Button (Windows Live Toolbar) --> MsiExec.exe /X{7745B7A9-F323-4BB9-9811-01BF57A028DA}
Messenger Plus! Live & Sponsor (CiD) --> "C:\Program Files\Messenger Plus! Live\Uninstall.exe"
Microsoft Age of Empires II --> "C:\Program Files\Microsoft Games\Age of Empires II\UNINSTAL.EXE" /runtemp /uninstall
Microsoft Baseline Security Analyzer 2.1 --> MsiExec.exe /I{6AF5CAB9-FD0A-494F-8AA6-784D4B5D06C5}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\windows\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\windows\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.5 --> "C:\windows\$NtUninstallWudf01005$\spuninst\spuninst.exe"
Microsoft Zoo Tycoon --> "C:\Program Files\Microsoft Games\Zoo Tycoon\UNINSTAL.EXE" /runtemp /addremove
Mozilla Firefox (2.0.0.15) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.14) --> C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSVC80_x86 --> MsiExec.exe /I{212748BB-0DA5-46DE-82A1-403736DC9F27}
MSXML4 Parser --> MsiExec.exe /I{01501EBA-EC35-4F9F-8889-3BE346E5DA13}
Nokia Connectivity Cable Driver --> MsiExec.exe /X{4F1DCA42-2030-437C-A94E-736692A499C1}
Nokia PC Suite --> C:\Documents and Settings\All Users\Application Data\Installations\{0FC76B71-2534-4354-B255-3468578E3F47}\Nokia_PC_Suite_rel_6_86_9_0_eng.exe
Nokia PC Suite --> MsiExec.exe /I{0FC76B71-2534-4354-B255-3468578E3F47}
OpenOffice.org 2.1 --> MsiExec.exe /I{65D36658-B897-4119-814E-60C7D7907B5E}
PC Connectivity Solution --> MsiExec.exe /I{AC599724-5755-48C1-ABE7-ABB857652930}
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
QuickTime --> MsiExec.exe /I{6EC874C2-F950-4B7E-A5B7-B1066D6B74AA}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
RegCure 1.5.0.1 --> C:\Program Files\RegCure\uninst.exe
SAGEM F@st 800-840 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4AE3A0CB-87B0-4F51-BECD-3D1F8DFDD62F}\setup.exe" -l0x9
SAMSUNG CDMA Modem Driver Set --> C:\WINDOWS\system32\Samsung_USB_Drivers\3\SSCDUninstall.exe
SAMSUNG Mobile USB Modem ^^ --> C:\WINDOWS\system32\Samsung_USB_Drivers\4\SSVDUninstall.exe
SAMSUNG Mobile USB Modem 1.0 Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\1\SS_Uninstall.exe
SAMSUNG Mobile USB Modem Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\2\SSM_Uninstall.exe
Samsung PC Studio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C4A4722E-79F9-417C-BD72-8D359A090C97}\setup.exe" -l0x9 -removeonly
Samsung PC Studio 3 USB Driver Installer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EBA29752-DDD2-4B62-B2E3-9841F92A3E3A}\setup.exe" -l0x9 -removeonly
Smart Menus (Windows Live Toolbar) --> MsiExec.exe /X{F084395C-40FB-4DB3-981C-B51E74E1E83D}
StopSign by eAcceleration --> C:\PROGRA~1\COMMON~1\EACCEL~1\INSTAL~1\eaccelsetup.exe -AddRemove
Top 30 Games 4 Kids --> C:\windows\uninst.exe -f"C:\Program Files\Cosmi\Games 4 Kids\DeIsL2.isu" -c"C:\Program Files\Cosmi\Games 4 Kids\_ISREG32.DLL"
Virtual DJ - Atomix Productions --> C:\PROGRA~1\VIRTUA~1\UNWISE.EXE C:\PROGRA~1\VIRTUA~1\INSTALL.LOG
Windows Driver Package - Nokia Modem (03/05/2008 3.7) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\windows\system32\DRVSTORE\nokia_blue_635B28EFCFA9395123BB1C251595CB16129E2560\nokia_bluetooth.inf
Windows Driver Package - Nokia Modem (03/13/2008 6.86.0.1) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\windows\system32\DRVSTORE\nokbtmdm_28F2EAC406838DA65AFF6C6886FE9FE96AEF5186\nokbtmdm.inf
Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\windows\system32\DRVSTORE\pccsmcfd_4A1E30386F4D0DEC8F5DF262CFBD8845EEBAB175\pccsmcfd.inf
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Sign-in Assistant --> MsiExec.exe /I{22B3CC30-77B8-419C-AA4B-F571FDF5D66D}
Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar --> MsiExec.exe /X{D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Media Format 11 runtime --> "C:\windows\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe
ZoneAlarm Spy Blocker --> rundll32 C:\PROGRA~1\ZONEAL~1\bar\1.bin\SpyBlock.dll,O
Zoom ADSL Modem --> C:\Program Files\Zoom\Adsl\uninstall.exe
Zoom ADSL Modem --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{52C8CFE4-7C7C-11D7-A021-0060979CE4D3}\Setup.exe" -l0x9


-- Application Event Log -------------------------------------------------------

Event Record #/Type14927 / Error
Event Submitted/Written: 07/06/2008 00:02:41 PM
Event ID/Source: 1001 / Application Error
Event Description:
Fault bucket 831636085.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Event Record #/Type14926 / Error
Event Submitted/Written: 07/06/2008 00:02:28 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.62306, faulting module unknown, version 0.0.0.0, fault address 0x44913c6d.
Processing media-specific event for [firefox.exe!ws!]

Event Record #/Type14925 / Error
Event Submitted/Written: 07/06/2008 00:00:27 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.62306, faulting module unknown, version 0.0.0.0, fault address 0x518da1d0.
Processing media-specific event for [firefox.exe!ws!]

Event Record #/Type14920 / Error
Event Submitted/Written: 07/06/2008 10:39:06 AM
Event ID/Source: 11 / crypt32
Event Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Event Record #/Type14919 / Error
Event Submitted/Written: 07/06/2008 10:38:44 AM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type61738 / Error
Event Submitted/Written: 07/06/2008 00:09:01 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Event Record #/Type61733 / Error
Event Submitted/Written: 07/06/2008 11:13:55 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Event Record #/Type61732 / Error
Event Submitted/Written: 07/06/2008 11:09:08 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Event Record #/Type61729 / Error
Event Submitted/Written: 07/06/2008 10:47:48 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Event Record #/Type61728 / Error
Event Submitted/Written: 07/06/2008 10:47:32 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}



-- End of Deckard's System Scanner: finished at 2008-07-06 12:12:01 ------------


#2 PropagandaPanda (Malware Response Team)

Posted 06 July 2008 - 09:51 AM

Hello. I am PropagandaPanda (Panda or PP for short) and I will be helping you with your log.

I will need some time to look over your computer's log(s). You may want to keep the link to this topic in your favourites so it doesn't get lost. Alternatively, you can click the button at the top bar of this topic and select Track this Topic, where you can choose email notifications. You can find the topics that you are tracking here.

Please take note of the following guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Finally, please reply using the reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
With Regards,
The Panda

#3 paulreden (Topic Starter)

Posted 06 July 2008 - 10:32 AM

Hi PP and thanks for your help.

Unfortunately, between my post and your reply I have made one or two changes of the type you are asking me not to make: running tools and removing items. Does this mean that I should run the dss.exe again? By the way, the Automatic Update now appears to be functioning again. I ran VundoFix and also VirtumundoBegone amongst other things.

#4 PropagandaPanda (Malware Response Team)

Posted 11 July 2008 - 03:15 PM

Hello.

Very sorry for the delay. There was a bit of a mixup. If you are now being helped elsewhere, or the problem has since been resolved, please let us know.

Peer-to-Peer Programs Warning
Your log shows that you are using so-called peer-to-peer or file-sharing programs (in your case LimeWire). These programs allow you to share files between users, as the name suggests. In today's world cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further reading on this subject, along with the included links, is as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries around the world, and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s). However, please refrain from using them until your computer has been declared clean.

Registry Cleaner(s) Warning
The following is referring to RegCure

Please be aware that Bleeping Computer staff do not recommend the usage of registry cleaners/tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System. This could include making your computer inoperable.
  • These programs generally only delete "orphaned" or "dead" entries. This merely removes entries that point to files that no longer exist on your computer. Registry entries do not take up a significant amount of hard drive space. The program itself (and its own registry entries) likely occupy relatively more space.
  • The amount of improvement in performance you gain is minimal.
This is done, assuming that the major audience here at this board may be inexperienced users and thus a suggested safeguard from our side.
If you feel that you have sufficient knowledge to use such tools safely, then you are welcome to keep them.

Questionable Program/Multiple Anti-Viruses
I see that you are using eAcceleration's anti-virus StopSign. This vendor has a bad reputation. Please read here.

Furthermore, you are running more than one antivirus program. It is not recommended that you do so. In addition to wasting resources, the programs may detect virus signatures in the other and cause false positives. The different drivers used by the programs can cause crashes.

Uninstall it using Add/Remove Programs.

Disable Realtime Protection
We need to disable your realtime protection before running any tools.

Disable Avast!'s realtime protection by right clicking on the tray icon beside your clock and selecting Stop On-Access Protection.

Disable Ad-Watch's realtime protection.
  • Right click on the Ad-Watch icon in the system tray.
  • At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
    • Active: This will turn Ad-Watch On\Off without closing it.
    • Automatic: Suspicious activity will be blocked automatically.
  • Uncheck both of those boxes.
Reset Hosts File
An infection has put malicious lines into your hosts file. We will reset your hosts file with HostsXpert.
  • Please download HostsXpert.zip to your desktop and unzip the contents.
  • A folder named HostsXpert will be created. Open it and run HostsXpert.exe by double clicking it.
  • Click on the button Make Writeable? .
  • Click Restore Microsoft's Hosts File.
  • Close out of the window.
If you have added modifications to your hosts file, they will need to be re-added.

Download and run MalwareBytes Anti-Malware
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

You can refer to this page which has a visual of the instructions above.


Download and Run ComboFix
Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2
Link 3

For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
It is important that ComboFix is saved directly to your desktop.
  • Close any open windows.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt.
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Install HijackThis in Proper Location and Run Scan
I see that you are running HijackThis from a temporary folder. The backups created may get deleted. Please delete your current one and follow these instructions to install it properly.
  • Download the installer for the new version HERE onto your desktop.
  • Double click it.
  • You may be asked for confirmation for running an executable file. Select Run.
  • You will be asked choose the install location. Please leave it at the default:
    C:\Program Files\Trend Micro\HijackThis.
  • Select Install.
  • The installation process should only take a few seconds. A shortcut named HijackThis will be created on your desktop so there will be no need to access the HijackThis program directly. The HijackThis window will pop-up after the installation.
  • Click Do a System Scan and Save a Log File.
  • The scan will complete in a moment and the log will pop-up.
  • Copy the contents of the log into your next post.
I will need to see the MBAM log, the ComboFix log, and a new HJT log.
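
A hijacked hosts file is the first thing to check when update and anti-virus hosts stop resolving (the crypt32 errors in the Deckard log above show www.download.windowsupdate.com timing out). The following audit script is an added example written for this page; it is not part of the thread, not HostsXpert, and not anything the helper asked for. The WATCHED_SUFFIXES list and the SAMPLE_HOSTS text are constructed for illustration, and the XP hosts path is given only as a comment.

```python
"""Audit a Windows hosts file for sinkholed or redirected entries.

Added example, not from the BleepingComputer thread. On a stock Windows XP
machine the only live mapping is '127.0.0.1 localhost' (the file lives at
C:\\WINDOWS\\system32\\drivers\\etc\\hosts); anything else was added by the
user or by malware, and malware typically points update/AV hostnames at
loopback or 0.0.0.0 so signatures and patches can no longer be fetched.
"""
import ipaddress
from dataclasses import dataclass

# The only mappings a clean XP/Vista hosts file carries.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Domains worth a loud warning when remapped. Illustrative list (assumption).
WATCHED_SUFFIXES = (
    "windowsupdate.com",
    "microsoft.com",
    "avast.com",
    "malwarebytes.org",
    "symantec.com",
    "mcafee.com",
)

# Constructed sample: a default header plus the kind of lines Vundo-era
# infections inject. Not taken from the poster's machine.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.download.windowsupdate.com   # injected
127.0.0.1       update.avast.com
10.0.0.5        www.google.com                   # redirect elsewhere
0.0.0.0         www.malwarebytes.org
"""


@dataclass
class Finding:
    lineno: int
    ip: str
    hostname: str
    reason: str


def parse_hosts(text):
    """Return (lineno, ip, hostname) tuples; comments and blanks are skipped.

    A line whose first field is not an IP address is returned with
    hostname=None so the caller can flag it instead of silently dropping it.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop inline comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            entries.append((lineno, fields[0], None))
            continue
        for host in fields[1:]:
            entries.append((lineno, str(ip), host.lower()))
    return entries


def is_watched(hostname):
    """True when the hostname is, or sits under, one of the watched domains."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text):
    """Classify every non-default mapping; an empty list means a clean file."""
    findings = []
    for lineno, ip, host in parse_hosts(text):
        if host is None:
            findings.append(Finding(lineno, ip, "", "unparseable address"))
            continue
        if (ip, host) in DEFAULT_ENTRIES:
            continue
        addr = ipaddress.ip_address(ip)
        if host == "localhost":
            reason = "localhost mapped away from loopback"
        elif addr.is_loopback or addr.is_unspecified:
            # 127.x or 0.0.0.0: the host is blocked (sinkholed), not redirected.
            reason = "sinkholed update/AV host" if is_watched(host) else "sinkholed host"
        else:
            reason = ("update/AV host redirected to foreign address" if is_watched(host)
                      else "host redirected to foreign address")
        findings.append(Finding(lineno, ip, host, reason))
    return findings


def reset_hosts_content():
    """Minimal clean file, equivalent in effect to restoring the Microsoft default."""
    return "# Reset: only the loopback mapping is kept.\n127.0.0.1\tlocalhost\n"


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.lineno}: {f.ip:<15} {f.hostname:<35} {f.reason}")
```

Run it against a copy of the real file (`audit_hosts(open(path).read())`) before resetting, so that any legitimate custom entries the poster added can be noted and re-added afterwards, which is the caveat the instructions above end with.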

#5 paulreden (Topic Starter)

Posted 13 July 2008 - 02:00 PM

Hi PP

I've done what you asked and include the three logfiles you asked for. Thanks again for your time and expertise!

Paul

Please help us improve HijackThis by reporting this error

Click 'Yes' to submit

Error Details:

An unexpected error has occurred at procedure: modRegistry_IniGetString(sFile=system.ini, sSection=boot, sValue=Shell)
Error #5 - Invalid procedure call or argument

Windows version: Windows NT 5.01.2600
MSIE version: 7.0.5730.13
HijackThis version: 2.0.2



Malwarebytes' Anti-Malware 1.20
Database version: 945
Windows 5.1.2600 Service Pack 2

18:08:03 13/07/2008
mbam-log-7-13-2008 (18-08-03).txt

Scan type: Quick Scan
Objects scanned: 53891
Time elapsed: 31 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 20

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{5d72c2a4-9ac6-4727-a705-cea1f0220b78} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Antivirus 2008 PRO (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus 2008 PRO\Infected (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus 2008 PRO\Suspicious (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\tnphouhy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yhuohpnt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mlJdcBUm.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-682003330-436374069-839522115-1003\Dc287.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-682003330-436374069-839522115-1003\Dc288.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-682003330-436374069-839522115-1003\Dc289.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\sam\Local Settings\Temp\dssec.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\sam\Local Settings\Temp\ac8zt2\enwa.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\sam\Local Settings\Temp\nsj149.tmp\blowfish.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\sam\Local Settings\Temp\nsk14F.tmp\blowfish.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\sam\Local Settings\Temp\nst14C.tmp\blowfish.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\sam\Local Settings\Temp\nsu152.tmp\blowfish.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\sam\Local Settings\Temp\nsy155.tmp\blowfish.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus 2008 PRO\vscan.tsi (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus 2008 PRO\zlib.dll (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\sam\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus-2008pro.lnk (Rogue.Antivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\sam\Local Settings\Temp\media.php (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\sam\Local Settings\Temp\ac8zt2\mrvtdpqe.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\sam\Local Settings\Temp\ac8zt2\nqgpedlr.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

ComboFix 08-07-12.6 - Paul 2008-07-13 18:14:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.447 [GMT 1:00]
Running from: C:\Documents and Settings\Paul\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

\Program Files\iolo\System Mechanic 6\SMSyst
C:\windows\system32\adkyygrx.ini
C:\Program Files\Instant Messenger Names
C:\Program Files\newdotnet
C:\windows\system32\mcrh.tmp
C:\windows\system32\uyxapoyg.ini

.
((((((((((((((((((((((((( Files Created from 2008-06-13 to 2008-07-13 )))))))))))))))))))))))))))))))
.

2008-07-13 17:34 . 2008-07-13 17:34 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-13 17:34 . 2008-07-13 17:34 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\Malwarebytes
2008-07-13 17:34 . 2008-07-13 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-13 17:34 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-13 17:34 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-07 11:48 . 2008-07-07 11:48 <DIR> d-------- C:\Program Files\iTunes
2008-07-07 11:48 . 2008-07-07 11:48 <DIR> d-------- C:\Program Files\iPod
2008-07-07 11:47 . 2008-07-07 11:47 <DIR> d-------- C:\Program Files\Bonjour
2008-07-07 11:35 . 2008-02-18 11:16 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2008-07-07 11:34 . 2008-07-07 11:34 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-07-07 10:46 . 2008-07-07 10:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-07-06 16:06 . 2008-04-23 05:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-07-06 16:06 . 2007-04-17 10:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-07-06 16:06 . 2007-03-08 06:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-07-06 16:06 . 2008-04-23 05:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-07-06 16:06 . 2008-04-23 05:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-07-06 16:06 . 2008-04-23 05:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-07-06 16:06 . 2008-04-23 05:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-07-06 16:06 . 2008-04-23 05:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-07-06 16:06 . 2008-04-22 08:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-07-06 12:06 . 2008-07-06 12:06 <DIR> d-------- C:\Deckard
2008-07-06 11:10 . 2008-07-06 11:10 <DIR> d-------- C:\!KillBox
2008-07-06 11:00 . 2008-07-06 11:00 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-07-06 09:59 . 2008-07-06 09:59 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-07-06 08:53 . 2008-07-13 17:00 1,773,902 ---hs---- C:\WINDOWS\system32\adkyygrx.ini
2008-07-05 12:02 . 2008-07-05 12:02 <DIR> d-------- C:\Documents and Settings\sam\Application Data\eAcceleration
2008-07-04 20:00 . 2008-07-04 20:00 <DIR> d-------- C:\Documents and Settings\Hope\SecurityScans
2008-07-04 18:20 . 2008-07-04 18:21 <DIR> d-------- C:\Documents and Settings\Hope\Application Data\eAcceleration
2008-07-04 18:15 . 2008-07-04 18:15 <DIR> d-------- C:\Documents and Settings\Mercy\Application Data\eAcceleration
2008-07-04 16:59 . 2008-07-06 15:10 <DIR> d-------- C:\VundoFix Backups
2008-07-04 12:12 . 2008-07-04 12:12 4,388 --a------ C:\WINDOWS\smflt.dll
2008-07-04 12:12 . 2008-07-04 12:12 114 --a------ C:\WINDOWS\smflt.inf
2008-07-04 11:25 . 2008-07-04 11:25 <DIR> d-------- C:\Documents and Settings\Paul\SecurityScans
2008-07-04 11:24 . 2008-07-04 11:24 <DIR> d-------- C:\Program Files\Microsoft Baseline Security Analyzer 2
2008-06-15 13:27 . 2008-07-02 20:15 <DIR> d-------- C:\Documents and Settings\Mercy\Application Data\ZoomBrowser EX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-13 17:29 43,036,704 --sha-w C:\windows\system32\drivers\fidbox.dat
2008-07-13 17:24 505,220 --sha-w C:\windows\system32\drivers\fidbox.idx
2008-07-13 17:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-07-13 16:27 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-07-13 16:16 --------- d-----w C:\Program Files\Free Window Registry Repair
2008-07-07 19:31 --------- d-----w C:\Documents and Settings\Hope\Application Data\OpenOffice.org2
2008-07-07 18:12 --------- d-----w C:\Documents and Settings\sam\Application Data\OpenOffice.org2
2008-07-07 10:49 --------- d-----w C:\Documents and Settings\sam\Application Data\Apple Computer
2008-07-07 10:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-07 10:46 --------- d-----w C:\Program Files\QuickTime
2008-07-07 09:46 --------- d-----w C:\Program Files\Apple Software Update
2008-07-04 19:03 --------- d-----w C:\Documents and Settings\Mercy\Application Data\OpenOffice.org2
2008-07-02 19:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-06-30 13:55 --------- d-----w C:\Documents and Settings\sam\Application Data\Nokia
2008-06-17 17:56 --------- d-----w C:\Documents and Settings\Kate\Application Data\OpenOffice.org2
2008-06-13 13:10 272,128 ------w C:\windows\system32\drivers\bthport.sys
2008-06-07 12:18 --------- d-----w C:\Documents and Settings\Mercy\Application Data\PC Suite
2008-06-07 11:09 --------- d-----w C:\Documents and Settings\sam\Application Data\Nokia Multimedia Player
2008-06-07 10:26 --------- d-----w C:\Documents and Settings\Paul\Application Data\ZoomBrowser EX
2008-06-06 18:41 --------- d-----w C:\Documents and Settings\Paul\Application Data\OpenOffice.org2
2008-05-30 14:16 --------- d-----w C:\Documents and Settings\Paul\Application Data\PC Suite
2008-05-30 14:14 --------- d-----w C:\Documents and Settings\Hope\Application Data\Thunderbird
2008-05-30 12:27 --------- d-----w C:\Documents and Settings\Hope\Application Data\PC Suite
2008-05-29 16:43 --------- d-----w C:\Documents and Settings\sam\Application Data\PC Suite
2008-05-29 16:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-05-29 16:41 0 ---ha-w C:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-05-29 16:41 0 ---ha-w C:\windows\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-05-29 16:37 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-05-29 16:37 --------- d-----w C:\Program Files\Common Files\Nokia
2008-05-29 16:36 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-05-29 16:36 --------- d-----w C:\Program Files\DIFX
2008-05-29 16:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2007-05-19 19:14 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
2007-06-21 08:27 23 -csha-w C:\windows\system32\bbeedbc8_r.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\windows\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe" [2006-12-20 12:38 557056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 11:13 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:56 15360]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54 5674352]

C:\Documents and Settings\sam\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 16:45:48 393216]
OpenOffice.org 2.1.lnk - C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 16:45:48 393216]

C:\Documents and Settings\Hope\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 16:45:48 393216]
OpenOffice.org 2.1.lnk - C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 16:45:48 393216]

C:\Documents and Settings\Kate\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 16:45:48 393216]
OpenOffice.org 2.1.lnk - C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 16:45:48 393216]

C:\Documents and Settings\Mercy\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 16:45:48 393216]
OpenOffice.org 2.1.lnk - C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 16:45:48 393216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless G USB Adapter Client Utility.lnk - C:\Program Files\Belkin\F5D7050v5\Belkinwcui.exe [2008-03-11 18:23:56 1564672]
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2006-11-03 10:33:02 962660]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;avast! Self Protection;C:\windows\system32\drivers\aswSP.sys [2008-05-16 00:20]
R2 aswFsBlk;aswFsBlk;C:\windows\system32\DRIVERS\aswFsBlk.sys [2008-05-16 00:16]
R2 EAPPkt;Realtek EAPPkt Protocol;C:\windows\system32\DRIVERS\EAPPkt.sys [2006-11-15 17:23]
R3 BELKIN;Belkin Wireless G USB Network Adapter;C:\windows\system32\DRIVERS\BLKWGU.sys [2007-06-01 06:13]
S3 e8500e25-8367-45c9-8705-ff7d05682541;e8500e25-8367-45c9-8705-ff7d05682541;D:\Player\cds300.dll []

.
Contents of the 'Scheduled Tasks' folder
"2008-07-07 09:46:30 C:\windows\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-13 17:09:05 C:\windows\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-06-05 09:18:00 C:\windows\Tasks\Uniblue SpyEraser Nag.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2007-06-21 09:18:37 C:\windows\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{768A33CA-285E-42FF-B94B-EDE77D5AE6D7} - C:\windows\system32\tuvUNFwx.dll
BHO-{7FF2A014-B6AF-432E-80C2-F7B833C80871} - C:\windows\system32\wvUMGVmk.dll
HKLM-Run-adiras - adiras.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-13 18:26:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-07-13 18:39:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-13 17:39:11

Pre-Run: 30,844,137,472 bytes free
Post-Run: 31,068,942,336 bytes free

184 --- E O F --- 2008-07-06 15:10:23

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:47:28, on 13/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Kontiki\KService.exe
C:\windows\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\Program Files\Belkin\F5D7050v5\Belkinwcui.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\explorer.exe
C:\windows\system32\notepad.exe
C:\windows\System32\svchost.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Paul\Desktop\HijackThis.exe
C:\PROGRA~1\MOZILL~4\FIREFOX.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Belkin Wireless G USB Adapter Client Utility.lnk = ?
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - D:\Player\__CDS2.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - ALWIL Software - (no file)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - (no file)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7401 bytes

#6 PropagandaPanda (Malware Response Team)

Posted 14 July 2008 - 07:33 AM

Hello. The error while running HJT didn't seem to change the log. Probably nothing.

Your computer is looking much better :thumbsup: . Just a bit left to do.

Do you know what this program is?
C:\Program Files\Free Window Registry Repair
----------------------------------
Send File to Scanner
There is an unidentified file that I would like you to check out for me using Jotti.
  • Open Jotti Online Scanner.
  • At the top of the page you'll see a box. Beside it, click Browse....
  • Navigate and find the following file:
    C:\Program Files\RngInterstitial.dll
    C:\windows\system32\bbeedbc8_r.dll
  • Double click on the file to select it.
  • Click Submit.
    If more than one file was listed, repeat for each of them.
  • Wait for the scan to finish.
  • Copy Scanner Results into your next reply.
Run ComboFix with CFScript
We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad and copy/paste the text in the quotebox below into it:


    File::

    C:\WINDOWS\system32\adkyygrx.ini
    C:\windows\system32\kmVGMUvw.ini2

    Folder::
    C:\Documents and Settings\sam\Local Settings\Temp\ac8zt2
    C:\Documents and Settings\sam\Local Settings\Temp\nsj149.tmp
    C:\Documents and Settings\sam\Local Settings\Temp\nsk14F.tmp
    C:\Documents and Settings\sam\Local Settings\Temp\nst14C.tmp
    C:\Documents and Settings\sam\Local Settings\Temp\nsu152.tmp
    C:\Documents and Settings\sam\Local Settings\Temp\nsy155.tmp
    C:\PROGRA~1\Grisoft\AVGFRE~1

    Driver::
    Avg7Alrt
    Avg7UpdSvc
    AVGEMS

    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt" Post back with it.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall

Put HijackThis In Proper Location
Looking at this:
    C:\Documents and Settings\Paul\Desktop\HijackThis.exe
you did not install HijackThis in the proper location.

Please either delete the one and follow the instructions in my previous post for installing HJT, or create the following folder and put HJT in it.
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
(I should see the above line in your next HJT log).

This is not to be picky, but for safety of the backups created when HJT removes entries.

Fix HijackThis Entries
Some orphan HijackThis entries to fix.
  • Double click the HijackThis icon on your desktop.
  • Close all other open windows.
  • Select Do a System Scan Only.
  • Wait a few moments for the list to be compiled.
  • To the left of each entry you will see a check box. Check the box next to the following entries:

    O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - D:\Player\__CDS2.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - ALWIL Software - (no file)
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - (no file)

    If you no longer see some of the entries, don't worry. It is possible that the uninstaller or removal tool already took care of it. If it is marked " (file missing) ", put a check mark next to its box anyways.
  • Close all open windows except HijackThis.
  • Click Fix Checked and OK at the prompt.
  • The screen will clear itself.
  • Close out of HijackThis.

Kaspersky Online Scan
I would like to check for anything we may have missed.

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

This scanner is for Internet Explorer only.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.

----------------------------------
Post back with the ComboFix Log, the Kaspersky log, and a new HJT log.

Also comment on how your computer is running now.

With Regards,
The Panda
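
The orphan check and the CFScript above are done by eye in the thread. As an added example (not code from the thread, from HijackThis or from ComboFix), the script below does the same mechanically: it reads HJT's "(no file)" and "(file missing)" markers to list the entries to tick under Fix checked, pulls the short service name out of each dead O23 line, and renders the File::, Folder::, Driver:: sections in the layout CFScript uses. The sample log lines are copied from the HJT log posted above (plus one Bonjour line to show a service with no separate short name); the Avg7UpdSvc entry and the AVG folder are added by hand in the demo, as the helper did, because they belong to the same half-removed install even though the file still existed.

```python
"""Flag orphaned HijackThis entries and draft the ComboFix CFScript they map to.

Added example, not part of the original thread or of HijackThis/ComboFix.
HJT prints "(no file)" or "(file missing)" when an autostart entry points at
a file that is gone; those are the orphans the helper asked to be fixed, and
dead services also go into ComboFix's Driver:: section.
"""
import re
from typing import List, NamedTuple, Optional, Sequence

# Constructed sample: a handful of lines copied from the HJT log above,
# plus one Bonjour line that has no separate short service name.
SAMPLE_HJT_LOG = "\n".join([
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - D:\Player\__CDS2.dll (file missing)",
    r"O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe",
    r"O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - ALWIL Software - (no file)",
    r"O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe",
    r"O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - (no file)",
    r"O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe",
])

ORPHAN_MARKERS = ("(no file)", "(file missing)")
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<rest>.*)$")
# Service display name, optional "(shortname)", then " - vendor - path".
SERVICE_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - ")


class Entry(NamedTuple):
    section: str   # e.g. "O23"
    text: str      # everything after "O23 - "
    orphan: bool   # True when HJT could not find the target file


def parse_entry(line: str) -> Optional[Entry]:
    """Split one HJT log line; returns None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    return Entry(m.group("section"), rest, rest.endswith(ORPHAN_MARKERS))


def find_orphans(log_text: str) -> List[str]:
    """Return the HJT lines to tick under 'Fix checked'."""
    orphans = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and entry.orphan:
            orphans.append(line.strip())
    return orphans


def service_name(line: str) -> Optional[str]:
    """Short service name from an O23 line (display name if HJT shows none)."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    return m.group("name") or m.group("display")


def orphan_services(log_text: str) -> List[str]:
    """Service names whose binary is gone, as ComboFix's Driver:: wants them."""
    names = []
    for line in find_orphans(log_text):
        name = service_name(line)
        if name and name not in names:
            names.append(name)
    return names


def build_cfscript(files: Sequence[str] = (), folders: Sequence[str] = (),
                   drivers: Sequence[str] = ()) -> str:
    """Render CFScript sections in the File::, Folder::, Driver:: layout."""
    parts = []
    for header, items in (("File::", files), ("Folder::", folders), ("Driver::", drivers)):
        if items:
            parts.append(header + "\n" + "\n".join(items) + "\n")
    return "\n".join(parts)


if __name__ == "__main__":
    for line in find_orphans(SAMPLE_HJT_LOG):
        print("orphan:", line)
    # Reproduce the helper's script: the AVG folder plus the dead services
    # (Avg7UpdSvc still had a file but belongs to the same half-removed install).
    drivers = orphan_services(SAMPLE_HJT_LOG) + ["Avg7UpdSvc"]
    print(build_cfscript(folders=[r"C:\PROGRA~1\Grisoft\AVGFRE~1"], drivers=drivers))
```

Run it against a full HJT log (feed the file's text to find_orphans) and it prints the O2/O18/O23 lines that still point at missing files; anything the script lists as a Driver:: entry should be checked against the O23 line by hand before it goes into a real CFScript, since "(no file)" only says the binary is gone, not whether the service registration is worth keeping.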

#7 paulreden (Topic Starter)

Posted 14 July 2008 - 02:33 PM

Hi PP

Everything running faster and smoother. The Free Window Registry Repair is another tool that I downloaded because I thought I had some problems before. Having read your advice on tinkering with Registry I removed it along with RegCure. Only other problem I have is that the Avast icon has disappeared from the system tray although the Security Center says all is running ok. As a result I'm not sure how to disable Avast so cannot run ComboFix so will post the 2 Jotti's malware results for now.

Regards Paul


Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1
File: RngInterstitial.dll
Status: OK
MD5: 77d3a60b2e838e1cc6a682bd9761da63
Packers detected: -
Scanner results (scan taken on 14 Jul 2008 19:15:49 (GMT)):
A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

Disclaimer
This service is by no means 100% safe. If this scanner says 'OK', it does not necessarily mean the file is clean. There could be a whole new virus on the loose. NEVER EVER rely on one single product only, not even this service, even though it utilizes several products. Therefore, We cannot and will not be held responsible for any damage caused by results presented by this non-profit online service.

Also, we are aware of the implications of a setup like this. We are sure this whole thing is by no means scientifically correct, since this is a fully automated service (although manual correction is possible). We are aware, in spite of efforts to proactively counter these, false positives might occur, for example. We do not consider this a very big issue, so please do not e-mail us about it. This is a simple online scan service, not the university of Wichita.

Scanning can take a while, since several scanners are being used, plus the fact some scanners use very high levels of (time consuming) heuristics. Scanners used are Linux versions, differences with Windows scanners may or may not occur. Another note: some scanners will only report one virus when scanning archives with multiple pieces of malware.

Virus definitions are updated every hour. There is a 10Mb limit per file. Please refrain from uploading tons of hex-edited or repacked variants of the same sample.

Please do not ask for viruses uploaded here, unless you work for an anti-virus vendor. They are not for trade. This is a legitimate service, not a VX site. Viruses uploaded here will be distributed to antivirus vendors without exception. Read more about this in our privacy policy. If you do not want your files to be distributed, please do not send them at all.




Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1
File: bbeedbc8_r.dll
Status: OK
MD5: 44d8dc0ccffb46d832c08ea991a03132
Packers detected: -
Scanner results (scan taken on 14 Jul 2008 19:19:25 (GMT)):
A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing


#8 PropagandaPanda (Malware Response Team)

Posted 15 July 2008 - 08:24 AM

Hello.

My Coach wanted to have a look at
C:\windows\system32\bbeedbc8_r.dll

Click on this link. In the topic box, just copy the URL for this topic. Paste in the file path above. In the comments say that I asked for it to be sent. Thanks.

Regarding the Tray Icon
Below is how we usually get the users to disable Avast!.

Disable Avast!'s realtime protection by right clicking on the tray icon beside your clock and selecting Stop On-Access Protection.

You say that your tray icon is no longer present. I notice that the following line:
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
is missing from your log. ashDisp.exe is the tray icon for Avast!. If you have fixed this entry, please follow the steps below to restore it. If you don't have a backup (or just didn't fix it yourself), follow the steps to rebuild the registry entry.

It is possible that you disabled this with MSConfig. If so, simply re-enable it that way.

Restore From HijackThis Backup
The backups are stored in a subfolder, backups, of where your HijackThis.exe was when the entry was deleted. If the backup is not there, restore the entry using the other instructions below.
  • Double click the HijackThis icon on your desktop to start the program. If you see a white screen, click Main Menu.
  • Select View the list of Backups.
  • Place a check mark next to the following entries if found:
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
  • Click Restore, then Yes.
  • Restart your computer and post a fresh HijackThis log.
If the entry was listed in the backups, your tray icon should re-appear after your restart.

Restore Entry Using Registry File
  • Copy the following into a notepad. Do not copy the word "quote".


    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe"

  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input fix.reg.
  • Hit OK.
When done properly, the file should carry the icon of a .reg file.

Double click fix.reg and answer Yes to the prompts. You will receive a message saying the entries have been successfully merged. Restart your computer to get the icon back.

Complete Steps from Previous Post
Do from my previous post (regardless of whether your security centre says Avast! is running): ComboFix with CFScript, the HJT (putting in proper place and fix entries), and the Kaspersky scan. Instead of a new HijackThis log, please get a new DSS log by double clicking the icon on your desktop.

With Regards,
The Panda

Edited by PropagandaPanda, 15 July 2008 - 08:42 AM.


#9 paulreden (Topic Starter)

Posted 15 July 2008 - 05:36 PM

Hi PP

I sent the requested link to your coach. I couldn't find any backup for Avast system icon in HJT. I did the Registry Fix as described and restarted but still no Avast icon. Should I uninstall/reinstall?

The HJT.exe should now be in the right place I hope and the HJT orphans fixed as you described.

Ran Combofix anyway. Log is here.

ComboFix 08-07-12.6 - Paul 2008-07-15 19:08:06.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.476 [GMT 1:00]
Running from: C:\Documents and Settings\Paul\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Paul\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\adkyygrx.ini
C:\windows\system32\kmVGMUvw.ini2
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\PROGRA~1\Grisoft\AVGFRE~1
C:\PROGRA~1\Grisoft\AVGFRE~1\avg6cmpt.dll
C:\PROGRA~1\Grisoft\AVGFRE~1\avg7log.log
C:\PROGRA~1\Grisoft\AVGFRE~1\avgse.dll
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\adkyygrx.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AVG7ALRT
-------\Legacy_AVG7UPDSVC
-------\Legacy_AVGEMS
-------\Service_Avg7Alrt
-------\Service_Avg7UpdSvc
-------\Service_AVGEMS


((((((((((((((((((((((((( Files Created from 2008-06-15 to 2008-07-15 )))))))))))))))))))))))))))))))
.

2008-07-15 18:49 . <DIR> C:\WINDOWS\LastGood.Tmp
2008-07-13 19:29 . 2008-07-13 19:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-13 17:34 . 2008-07-13 17:34 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-13 17:34 . 2008-07-13 17:34 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\Malwarebytes
2008-07-13 17:34 . 2008-07-13 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-13 17:34 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-13 17:34 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-07 11:48 . 2008-07-07 11:48 <DIR> d-------- C:\Program Files\iTunes
2008-07-07 11:48 . 2008-07-07 11:48 <DIR> d-------- C:\Program Files\iPod
2008-07-07 11:47 . 2008-07-07 11:47 <DIR> d-------- C:\Program Files\Bonjour
2008-07-07 11:35 . 2008-02-18 11:16 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2008-07-07 11:34 . 2008-07-07 11:34 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-07-07 10:46 . 2008-07-07 10:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-07-06 16:06 . 2008-04-23 05:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-07-06 16:06 . 2007-04-17 10:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-07-06 16:06 . 2007-03-08 06:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-07-06 16:06 . 2008-04-23 05:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-07-06 16:06 . 2008-04-23 05:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-07-06 16:06 . 2008-04-23 05:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-07-06 16:06 . 2008-04-23 05:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-07-06 16:06 . 2008-04-23 05:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-07-06 16:06 . 2008-04-22 08:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-07-06 12:06 . 2008-07-06 12:06 <DIR> d-------- C:\Deckard
2008-07-06 11:10 . 2008-07-06 11:10 <DIR> d-------- C:\!KillBox
2008-07-06 11:00 . 2008-07-06 11:00 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-07-06 09:59 . 2008-07-06 09:59 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-07-05 12:02 . 2008-07-05 12:02 <DIR> d-------- C:\Documents and Settings\sam\Application Data\eAcceleration
2008-07-04 20:00 . 2008-07-04 20:00 <DIR> d-------- C:\Documents and Settings\Hope\SecurityScans
2008-07-04 18:20 . 2008-07-04 18:21 <DIR> d-------- C:\Documents and Settings\Hope\Application Data\eAcceleration
2008-07-04 18:15 . 2008-07-04 18:15 <DIR> d-------- C:\Documents and Settings\Mercy\Application Data\eAcceleration
2008-07-04 16:59 . 2008-07-06 15:10 <DIR> d-------- C:\VundoFix Backups
2008-07-04 12:12 . 2008-07-04 12:12 4,388 --a------ C:\WINDOWS\smflt.dll
2008-07-04 12:12 . 2008-07-04 12:12 114 --a------ C:\WINDOWS\smflt.inf
2008-07-04 11:25 . 2008-07-04 11:25 <DIR> d-------- C:\Documents and Settings\Paul\SecurityScans
2008-07-04 11:24 . 2008-07-04 11:24 <DIR> d-------- C:\Program Files\Microsoft Baseline Security Analyzer 2
2008-06-15 13:27 . 2008-07-02 20:15 <DIR> d-------- C:\Documents and Settings\Mercy\Application Data\ZoomBrowser EX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-15 18:15 507,572 --sha-w C:\windows\system32\drivers\fidbox.idx
2008-07-15 18:15 43,276,320 --sha-w C:\windows\system32\drivers\fidbox.dat
2008-07-15 18:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-07-15 17:49 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-07-14 18:46 1,653,248 ----a-w C:\windows\Internet Logs\xDB3.tmp
2008-07-14 18:39 611,328 ----a-w C:\windows\Internet Logs\xDB1.tmp
2008-07-14 18:39 1,652,736 ----a-w C:\windows\Internet Logs\xDB2.tmp
2008-07-13 17:25 20,253,595 -c--a-w C:\windows\Internet Logs\tvDebug.zip
2008-07-13 16:16 --------- d-----w C:\Program Files\Free Window Registry Repair
2008-07-07 19:31 --------- d-----w C:\Documents and Settings\Hope\Application Data\OpenOffice.org2
2008-07-07 18:12 --------- d-----w C:\Documents and Settings\sam\Application Data\OpenOffice.org2
2008-07-07 10:49 --------- d-----w C:\Documents and Settings\sam\Application Data\Apple Computer
2008-07-07 10:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-07 10:46 --------- d-----w C:\Program Files\QuickTime
2008-07-07 09:46 --------- d-----w C:\Program Files\Apple Software Update
2008-07-04 19:03 --------- d-----w C:\Documents and Settings\Mercy\Application Data\OpenOffice.org2
2008-07-02 19:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-06-30 13:55 --------- d-----w C:\Documents and Settings\sam\Application Data\Nokia
2008-06-17 17:56 --------- d-----w C:\Documents and Settings\Kate\Application Data\OpenOffice.org2
2008-06-13 13:10 272,128 ------w C:\windows\system32\drivers\bthport.sys
2008-06-07 12:18 --------- d-----w C:\Documents and Settings\Mercy\Application Data\PC Suite
2008-06-07 11:09 --------- d-----w C:\Documents and Settings\sam\Application Data\Nokia Multimedia Player
2008-06-07 10:26 --------- d-----w C:\Documents and Settings\Paul\Application Data\ZoomBrowser EX
2008-06-06 18:41 --------- d-----w C:\Documents and Settings\Paul\Application Data\OpenOffice.org2
2008-05-30 14:16 --------- d-----w C:\Documents and Settings\Paul\Application Data\PC Suite
2008-05-30 14:14 --------- d-----w C:\Documents and Settings\Hope\Application Data\Thunderbird
2008-05-30 12:27 --------- d-----w C:\Documents and Settings\Hope\Application Data\PC Suite
2008-05-29 16:43 --------- d-----w C:\Documents and Settings\sam\Application Data\PC Suite
2008-05-29 16:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-05-29 16:41 0 ---ha-w C:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-05-29 16:41 0 ---ha-w C:\windows\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-05-29 16:37 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-05-29 16:37 --------- d-----w C:\Program Files\Common Files\Nokia
2008-05-29 16:36 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-05-29 16:36 --------- d-----w C:\Program Files\DIFX
2008-05-29 16:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2007-05-19 19:14 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
2007-06-21 08:27 23 -csha-w C:\windows\system32\bbeedbc8_r.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-13_18.38.04.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-13 17:25:18 2,048 --s-a-w C:\windows\bootstat.dat
+ 2008-07-15 18:17:00 2,048 --s-a-w C:\windows\bootstat.dat
+ 2008-07-15 18:18:01 16,384 ----atw C:\windows\Temp\Perflib_Perfdata_2b8.dat
+ 2008-07-15 18:18:50 16,384 ----atw C:\windows\Temp\Perflib_Perfdata_418.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\windows\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe" [2006-12-20 12:38 557056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 11:13 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:56 15360]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54 5674352]

C:\Documents and Settings\sam\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 16:45:48 393216]
OpenOffice.org 2.1.lnk - C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 16:45:48 393216]

C:\Documents and Settings\Hope\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 16:45:48 393216]
OpenOffice.org 2.1.lnk - C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 16:45:48 393216]

C:\Documents and Settings\Kate\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 16:45:48 393216]
OpenOffice.org 2.1.lnk - C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 16:45:48 393216]

C:\Documents and Settings\Mercy\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 16:45:48 393216]
OpenOffice.org 2.1.lnk - C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 16:45:48 393216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless G USB Adapter Client Utility.lnk - C:\Program Files\Belkin\F5D7050v5\Belkinwcui.exe [2008-03-11 18:23:56 1564672]
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2006-11-03 10:33:02 962660]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;avast! Self Protection;C:\windows\system32\drivers\aswSP.sys [2008-05-16 00:20]
R2 aswFsBlk;aswFsBlk;C:\windows\system32\DRIVERS\aswFsBlk.sys [2008-05-16 00:16]
R2 EAPPkt;Realtek EAPPkt Protocol;C:\windows\system32\DRIVERS\EAPPkt.sys [2006-11-15 17:23]
R3 BELKIN;Belkin Wireless G USB Network Adapter;C:\windows\system32\DRIVERS\BLKWGU.sys [2007-06-01 06:13]
S3 e8500e25-8367-45c9-8705-ff7d05682541;e8500e25-8367-45c9-8705-ff7d05682541;D:\Player\cds300.dll []

.
Contents of the 'Scheduled Tasks' folder
"2008-07-07 09:46:30 C:\windows\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-15 18:09:21 C:\windows\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-06-05 09:18:00 C:\windows\Tasks\Uniblue SpyEraser Nag.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2007-06-21 09:18:37 C:\windows\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-15 19:18:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-07-15 19:30:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-15 18:29:42
ComboFix2.txt 2008-07-13 17:39:31

Pre-Run: 34,688,786,432 bytes free
Post-Run: 34,644,602,880 bytes free

204 --- E O F --- 2008-07-06 15:10:23

Kaspersky

KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, July 15, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, July 15, 2008 19:30:26
Records in database: 957023
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
A:\
C:\
D:\
E:\
Scan statistics
Files scanned 63159
Threat name 3
Infected objects 3
Suspicious objects 1
Duration of the scan 03:02:52

File name Threat name Threats count
C:\Documents and Settings\Kate\Application Data\Thunderbird\Profiles\ftvu74uz.default\Mail\Local Folders-1\Trash Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\sam\Desktop\dj embo.mp3 Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\Documents and Settings\sam\My Documents\dj embo.mp3 Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\VundoFix Backups\wvUMGVmk.dll.bad Infected: Trojan.Win32.Monderb.gen 1
The selected area was scanned.


DSS

Deckard's System Scanner v20071014.68
Run by Paul on 2008-07-15 23:30:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Paul.exe) ------------------------------------------------

logfile has no content; running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-15 23:31:32
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\Program Files\Belkin\F5D7050v5\Belkinwcui.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Paul\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Global Startup: Belkin Wireless G USB Adapter Client Utility.lnk = ?
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


--
End of file - 8075 bytes

-- Files created between 2008-06-15 and 2008-07-15 -----------------------------

2008-07-15 19:50:06 0 d-------- C:\Program Files\Common Files\Java
2008-07-13 19:29:37 0 d-------- C:\Program Files\Trend Micro
2008-07-13 18:11:48 68096 --a------ C:\windows\zip.exe
2008-07-13 18:11:48 49152 --a------ C:\windows\VFind.exe
2008-07-13 18:11:48 212480 --a------ C:\windows\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-13 18:11:48 136704 --a------ C:\windows\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-13 18:11:48 161792 --a------ C:\windows\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-13 18:11:48 98816 --a------ C:\windows\sed.exe
2008-07-13 18:11:48 80412 --a------ C:\windows\grep.exe
2008-07-13 18:11:48 89504 --a------ C:\windows\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-13 17:34:13 0 d-------- C:\Documents and Settings\Paul\Application Data\Malwarebytes
2008-07-13 17:34:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-13 17:34:06 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-07 12:41:40 0 d-------- C:\windows\system32\ReinstallBackups
2008-07-07 11:48:27 0 d-------- C:\Program Files\iPod
2008-07-07 11:48:09 0 d-------- C:\Program Files\iTunes
2008-07-07 11:47:32 0 d-------- C:\Program Files\Bonjour
2008-07-07 11:34:18 0 d-------- C:\Program Files\Common Files\Apple
2008-07-07 10:46:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-07-06 12:59:49 0 d-------- C:\windows\CSC
2008-07-06 11:10:38 0 d-------- C:\!KillBox
2008-07-06 11:00:01 0 d-------- C:\Program Files\Windows Live Safety Center
2008-07-06 09:59:20 0 d--h----- C:\windows\system32\GroupPolicy
2008-07-06 09:21:20 0 d--h----- C:\Program Files\WindowsUpdate
2008-07-05 12:02:01 0 d-------- C:\Documents and Settings\sam\Application Data\eAcceleration
2008-07-04 20:00:31 0 d-------- C:\Documents and Settings\Hope\SecurityScans
2008-07-04 18:20:59 0 d-------- C:\Documents and Settings\Hope\Application Data\eAcceleration
2008-07-04 18:15:03 0 d-------- C:\Documents and Settings\Mercy\Application Data\eAcceleration
2008-07-04 16:59:23 0 d-------- C:\VundoFix Backups
2008-07-04 12:12:53 4388 --a------ C:\windows\smflt.dll
2008-07-04 11:25:03 0 d-------- C:\Documents and Settings\Paul\SecurityScans
2008-07-04 11:24:11 0 d-------- C:\Program Files\Microsoft Baseline Security Analyzer 2
2008-07-03 20:39:40 2633728 --a------ C:\Documents and Settings\Hope\ntuser.dat
2008-07-03 20:39:36 4194304 --a------ C:\Documents and Settings\sam\ntuser.dat
2008-06-15 13:27:18 0 d-------- C:\Documents and Settings\Mercy\Application Data\ZoomBrowser EX


-- Find3M Report ---------------------------------------------------------------

2008-07-15 19:56:05 0 d-------- C:\Program Files\Java
2008-07-15 19:50:06 0 d-------- C:\Program Files\Common Files
2008-07-15 18:49:50 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-07-13 17:16:01 0 d-------- C:\Program Files\Free Window Registry Repair
2008-07-07 11:46:17 0 d-------- C:\Program Files\QuickTime
2008-07-07 10:46:22 0 d-------- C:\Program Files\Apple Software Update
2008-06-07 11:26:46 0 d-------- C:\Documents and Settings\Paul\Application Data\ZoomBrowser EX
2008-06-06 19:41:48 0 d-------- C:\Documents and Settings\Paul\Application Data\OpenOffice.org2
2008-05-30 15:16:20 0 d-------- C:\Documents and Settings\Paul\Application Data\PC Suite
2008-05-29 17:37:29 0 d-------- C:\Program Files\Common Files\Nokia
2008-05-29 17:37:26 0 d-------- C:\Program Files\Common Files\PCSuite
2008-05-29 17:36:47 0 d-------- C:\Program Files\DIFX
2008-05-29 17:36:10 0 d-------- C:\Program Files\PC Connectivity Solution


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
20/02/2008 11:01 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [20/02/2008 11:01 262144]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [13/03/2008 23:11]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [27/05/2008 10:50]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/06/2008 11:13]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10/06/2008 04:27]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\windows\system32\ctfmon.exe" [04/08/2004 00:56]
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe" [20/12/2006 12:38]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless G USB Adapter Client Utility.lnk - C:\Program Files\Belkin\F5D7050v5\Belkinwcui.exe [11/03/2008 18:23:56]
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [03/11/2006 10:33:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"




-- End of Deckard's System Scanner: finished at 2008-07-15 23:33:26 ------------

That's all I think.

Regards

Paul

#10 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:40 PM

Posted 16 July 2008 - 08:48 AM

Your logs are Clean :thumbsup: . Great job. I would like to thank the Team Coach Blender for supervising our work.

Just some leftovers Kaspersky picked up.

Kaspersky had detected the following files as malware:
C:\Documents and Settings\sam\Desktop\dj embo.mp3
C:\Documents and Settings\sam\My Documents\dj embo.mp3

Please delete them.

Also:
C:\Documents and Settings\Kate\Application Data\Thunderbird\Profiles\ftvu74uz.default\Mail\Local Folders-1\Trash
Emptying your ThunderBird trash bin will take care of that.

About the Avast!: Sorry, I had made a mistake on the previous registry script. My coach wanted to check over that part of the fix before I posted it again.

Now for some final cleanup.

Uninstall ComboFix
Remove Combofix now that we're done with it.
  • Click on your Start Menu, then Run....
  • Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".
  • When shown the disclaimer, Select "2"
Uninstalling ComboFix will do the following:
  • Delete ComboFix and its components from your computer.
  • Delete other tools commonly used during the malware removal process.
  • Resets clock settings to standard format.
  • Hides file extensions and hidden/system files.
  • Clears System Restore cache and creates new restore point.
Preventing Malware Infection in the Future
Please also have a look at the following links, giving some advice and suggestions for preventing future infections: Another recommendation, is to download HostMan. It safeguards you with a regularly updated Hosts-file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installation and setting up, follow these steps:
  • Double-click the Downloaded installer and install the tool to a location of your choice
  • Via the Start Menu, navigate to HostsMan and run the program.
    • Click "Hosts" in the menu
    • Click "Manage Updates" in the submenu
    • Out of the three, select at least one of the three.
    • Click "Add Update." After that you will only need to click on the following button to retrieve updates:
  • Click the X to exit the program.
    Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

Thank you for choosing Bleeping Computer as your malware removal source. Be sure to tell your friends about us!
------------------------
Please allow me one more day to get the fix for your Avast! icon to you :) .

With Regards,
The Panda

#11 paulreden

paulreden
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:40 PM

Posted 16 July 2008 - 10:32 AM

Hi PP

Thanks a million for all your time and effort :thumbsup: I think I've learnt some stuff as well. Thanks also to your coach. My daughter thinks you sit fixing problems whilst eating bamboo!

Great Job

Regards

Paul

#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:40 PM

Posted 17 July 2008 - 08:39 AM

Hello.

Please apply the following registry to fix the Avast! icon in Safe Mode.

Copy down the following instructions as you can't view them in Safe Mode.

If you are unfamiliar with the boot process, please jot down the boot instructions.
  • Shutdown your computer.
  • Press the power on button.
  • Wait for your computer to beep.
  • After hearing the beep, hit the F8 key repeatedly until you see a selection screen.
  • Use your arrow keys to navigate the highlight to Safe Mode.
  • Hit Enter.
  • You will now be asked to choose your operating system. Again, use the arrow keys to select Microsoft Windows XP, if the highlight was not already on it.
  • Hit Enter.
Your computer will proceed to booting into Safe Mode. During the boot process, you may see random code go past your screen. Simply wait for it to pass. Your computer should boot as usual, except with Safe Mode written in the corners of your screen. Your screen may also appear to be a different size because the video drivers are not loaded properly in Safe Mode.

After the boot, you will be asked whether you wish to use system restore, or to continue to Safe Mode. Select OK to choose Safe mode.

  • Copy the following into Notepad.


    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input fix.reg.
  • Hit OK.
When done properly, the file's icon will be the one Windows uses for a .reg file, not the Notepad text-file icon (the same applies to a .bat or .vbs file saved this way).

Like before, merge the file into the registry. Restart your computer and post a new HijackThis log (no DSS needed) so I can see whether the entry has returned.

If the entry is back and the icon still won't appear, you might need to reinstall Avast!.

If everything is good, please say so that we can close off this topic.

#13 paulreden (Topic Starter, Members, 7 posts)

Posted 17 July 2008 - 12:45 PM

Hi PP

Avast icon has re-appeared. So I think we are all done. Thanks again for your help.

Paul

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:42:21, on 17/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\windows\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\windows\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\Program Files\Belkin\F5D7050v5\Belkinwcui.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\windows\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Belkin Wireless G USB Adapter Client Utility.lnk = ?
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7420 bytes

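The check the helper performs above, stated as code: parse the .reg fix from post #12 and confirm that the restored HKLM Run value shows up as an O4 line in the HijackThis log that followed. This is an added example, not code from the thread or from HijackThis; it handles only REG_SZ values and the O4 Run lines, and the .reg text and log lines embedded below are constructed from the values quoted in the thread.

```python
"""Verify that a Run value written by a .reg file is present in a HijackThis log.

Added example (not part of the BleepingComputer thread). Supports the
"Windows Registry Editor Version 5.00" export format for REG_SZ values and
key/value deletions, and HijackThis "O4 - <hive>\\..\\Run:" lines.
"""
import re

# Constructed sample: the fix from post #12 and three O4 lines from post #13.
REG_FIX = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
'''

HJT_LOG = r'''O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\system32\ctfmon.exe
'''

# Long hive names used in .reg files -> abbreviations used by HijackThis.
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU", "HKEY_USERS": "HKUS"}
RUN_KEY = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(?:"((?:[^"\\]|\\.)*)"|(-))$')
O4_RE = re.compile(r'^O4 - (HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[([^\]]*)\] (.*)$')


def unescape_reg_string(s):
    """.reg files escape backslash and double quote with a backslash."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg_file(text):
    """Return {(hive, subkey): {name: value}}; a deleted key maps to None,
    a deleted value ("name"=-) maps to None."""
    if not text.lstrip().startswith("Windows Registry Editor Version 5.00"):
        raise ValueError("not a Windows Registry Editor Version 5.00 file")
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            delete = key.startswith("-")
            hive, _, subkey = key.lstrip("-").partition("\\")
            current = (HIVES.get(hive, hive), subkey)
            result[current] = None if delete else result.get(current) or {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None and result[current] is not None:
            name = unescape_reg_string(m.group(1))
            result[current][name] = None if m.group(3) else unescape_reg_string(m.group(2))
    return result


def parse_hjt_run_entries(log):
    """Return {(hive, value name): command} for every O4 Run line in a HijackThis log."""
    entries = {}
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries[(m.group(1), m.group(2))] = m.group(3).strip()
    return entries


def strip_quotes(cmd):
    """HijackThis prints quoted paths as stored; drop a single surrounding pair."""
    return cmd[1:-1] if len(cmd) >= 2 and cmd[0] == cmd[-1] == '"' else cmd


def missing_run_values(reg_text, hjt_log):
    """Names set under a Run key by the .reg file that are absent from, or
    differ in, the HijackThis log. An empty list means the fix took."""
    reg = parse_reg_file(reg_text)
    hjt = parse_hjt_run_entries(hjt_log)
    missing = []
    for (hive, subkey), values in reg.items():
        if values is None or subkey.lower() != RUN_KEY.lower():
            continue
        for name, value in values.items():
            if value is None:  # a deletion, nothing to look for in the log
                continue
            got = hjt.get((hive, name))
            if got is None or strip_quotes(got).lower() != value.lower():
                missing.append(name)
    return missing


if __name__ == "__main__":
    print("Run values from the fix still missing:", missing_run_values(REG_FIX, HJT_LOG))
```

With the log from post #13 the result is an empty list, because the `[avast!]` O4 line carries exactly the path written by fix.reg; if the entry had been removed again on reboot (which is what a still-active Virtumonde component would do), the value name would be reported and a reinstall of Avast!, as the helper suggests, would be the next step.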
#14 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 17 July 2008 - 01:44 PM

You are very welcome :thumbsup: .

With Regards,
The Panda

#15 Blender (Malware Response Team, 2,363 posts, Ontario)

Posted 17 July 2008 - 09:44 PM

Hi :thumbsup:

Since the topic appears to have been resolved it is now closed. Glad we could help.
You can delete the "fix.reg" Panda had you create.

If you need topic re-opened please PM a member of the Moderating Team with a link to your topic.
All others please begin a new topic.

Thank you & surf safe!

Blender