Need Help With Multiple Infections


This topic is locked. 18 replies to this topic.

#1 bobdor (Members, 30 posts; Alberta, Canada)

Posted 13 July 2008 - 12:35 AM

I have received help before and hope to again. Thanks in advance. I have had my laptop for about 2 years. Its operating system is Windows XP Home. I have had no signs of any virus, adware, malware, trojans or the like, until now. Now my resident shield alert is popping up continually. I run Spyware Terminator, Ad-Aware SE and AVG anti-virus programs. All these programs are finding the infected files and healing or removing them, but like the trojans they are, they keep coming back.
Here are some infections: Zlob.zhp, Vundo, Bho.epi, Generic10.BBBB, Generic10.BCCW, dponhpast.dll. I also get an error loading message for C:\windows\system32\kjhijdyw.dll.
I hope this is the forum to post this problem. If not, move me.
I have run all I know and am still infected. I hate to try a clean by formatting the hard drive because, like most computers you buy nowadays, you never get the install disk with it, just a few drivers. This does not reinstall Windows nor give you the key.
Thanks


#2 Buckeye_Sam (Malware Expert; Members, 17,382 posts; Pickerington, Ohio)

Posted 13 July 2008 - 05:56 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.

You must be logged onto an account with administrator privileges when using it.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.

-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 bobdor (Topic Starter; Members, 30 posts; Alberta, Canada)

Posted 13 July 2008 - 06:48 PM

Hi Sam
Thanks for your reply.
Well, I'm not sure what to do now. It's really messed up. Can't get on some sites. Can't get on this site with it. I'm on another computer at work now. I can work offline with files but it won't go online to the sites I need. Can't download DSS. I will keep trying to get it to work but it's really frustrating. Never had a problem before and pow. I do have everything I need backed up if I have to junk it.
Bobdor

#4 Buckeye_Sam (Malware Expert; Members, 17,382 posts; Pickerington, Ohio)

Posted 13 July 2008 - 06:56 PM

When you get in front of it, try this.

Click Start > Run and type these commands, hitting Enter after each one:

sc stop clbdriver
sc delete clbdriver

Then locate and delete these files, if present:

C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\drivers\clbdriver.sys

It may allow you to access this site again and download the tools we need more easily.
If it does not work, are you able to download what we need to use on another machine and transfer it over to the infected computer?

Edited by Buckeye_Sam, 13 July 2008 - 06:56 PM.

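The same service-and-file removal procedure, scripted so that it can be saved as a .cmd file and run from an administrator account on the infected XP machine. This is an added example and is not part of Sam's post; the service name clbdriver and the three file paths are the ones he listed, and the checks around them (only touching the service if it is registered, clearing hidden/system attributes before deleting, reporting files that are absent or still locked) are additions that make the result visible when, as happened here, the files are not present.

```batch
@echo off
rem Added example (not from the original post): scripted version of the
rem "sc stop / sc delete / delete the files" steps above for cmd.exe on XP.
rem Run from an administrator account. Edit SVC and the file list to reuse.
setlocal
set SVC=clbdriver

rem 1. Only act on the service if it is actually registered; sc query
rem    returns errorlevel 1060 for an unknown service name.
sc query %SVC% >nul 2>&1
if errorlevel 1 (
    echo [info] service %SVC% is not registered - nothing to stop or delete
) else (
    sc stop %SVC%
    sc delete %SVC%
    echo [info] %SVC% marked for deletion - a loaded driver entry disappears only after a reboot
)

rem 2. Remove the listed files. Malware commonly sets hidden/system
rem    attributes so Explorer and a plain "dir" do not show the file;
rem    attrib clears those bits so del can succeed. A file that survives
rem    del /f is in use and has to be removed from Safe Mode.
for %%F in (
    "%SystemRoot%\system32\clbdll.dll"
    "%SystemRoot%\system32\clbinit.dll"
    "%SystemRoot%\system32\drivers\clbdriver.sys"
) do (
    if exist "%%~F" (
        attrib -r -s -h "%%~F"
        del /f /q "%%~F"
        if exist "%%~F" (
            echo [warn] %%~F still present - probably locked, retry from Safe Mode
        ) else (
            echo [ok]   removed %%~F
        )
    ) else (
        echo [info] %%~F not found
    )
)
endlocal
```

Because `sc delete` only marks the service for deletion, `sc query clbdriver` can still succeed until the next reboot; that is expected and not a sign the command failed. Checking with `dir /a` rather than `dir` before concluding a file is absent matters for the same reason the script clears the attributes first.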

#5 bobdor (Topic Starter; Members, 30 posts; Alberta, Canada)

Posted 13 July 2008 - 07:49 PM

Hi Sam
OK, I ran the 2 commands. The 3 files you asked me to delete are not there. Still can't access bleepingcomputer.com but will try to copy over what I need.
Bobdor

#6 bobdor (Topic Starter; Members, 30 posts; Alberta, Canada)

Posted 13 July 2008 - 08:13 PM

Hi Sam
OK, I have the files copied over, so here they are:

main.txt
Deckard's System Scanner v20071014.68
Run by User on 2008-07-13 18:54:54
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
58: 2008-07-14 00:55:10 UTC - RP159 - Deckard's System Scanner Restore Point
57: 2008-07-12 23:19:40 UTC - RP158 - Spyware Terminator - restore point
56: 2008-07-12 03:30:30 UTC - RP157 - Spyware Terminator - restore point
55: 2008-07-12 03:18:13 UTC - RP156 - Removed Windows Live installer
54: 2008-07-08 07:39:46 UTC - RP155 - Installed Windows Live


-- First Restore Point --
1: 2008-07-07 08:58:32 UTC - RP102 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 448 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-13 18:57:24
Platform: Windows XP Service Pack 3 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\system32\WFXSNT40.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.Exe
C:\Program Files\AVG\AVG8\avgwdsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
C:\Program Files\RealVNC\VNC4\winvnc4.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Desktop\downloads\scanner\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = file://c:/windows/homepage.html
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {149813CF-AFC1-4AC2-A404-B8AA402F323A} - C:\WINDOWS\system32\khfGyyab.dll
O2 - BHO: (no name) - {20177355-706D-416B-A23B-49443A7118F3} - C:\WINDOWS\system32\ssqNDvsT.dll (file missing)
O2 - BHO: (no name) - {52B0206C-C565-45D4-AF37-9562227C455D} - C:\WINDOWS\system32\cbXOIyWP.dll (file missing)
O2 - BHO: {454023ff-18e3-a019-e684-ef2c58a2d968} - {869d2a85-c2fe-486e-910a-3e81ff320454} - C:\WINDOWS\system32\pfhzkq.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {B357B792-E4D7-43D9-A5CD-4023F2A827D8} - C:\WINDOWS\system32\ati2cqa.dll
O2 - BHO: (no name) - {D64B9471-B2C7-433F-81A5-3D89E617B630} - C:\WINDOWS\system32\cbXRKBts.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll
O3 - Toolbar: (no name) - SITEguard - (no file)
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ec0000d7] rundll32.exe "C:\WINDOWS\system32\ytimeeoa.dll",b
O4 - HKLM\..\Run: [FreeKeylogger.exe] C:\Program Files\Free Keylogger\FreeKeylogger.exe
O4 - HKLM\..\Run: [BMef33334b] Rundll32.exe "C:\WINDOWS\system32\bypnuwnj.dll",s
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [ICQ] "C:\PROGRA~1\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: CorelCENTRAL Alarms.LNK = ?
O4 - Global Startup: Desktop Application Director 9.LNK = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...arch.jhtml?p=ZZ
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} () - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1210824645994
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shock...ash/swflash.cab
O16 - DPF: {DCDC28C5-831C-43EA-9C02-78872CCCA409} (VPlayer Control) - http://thesecret.tv/movie/player/vivid_ocx.jpeg
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: khfGyyab - C:\WINDOWS\system32\khfGyyab.dll
O20 - Winlogon Notify: ssqNDvsT - C:\WINDOWS\system32\ssqNDvsT.dll (file missing)
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SmartLinkService (SLService) - Unknown owner - C:\WINDOWS\system32\slserv.exe
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\Sp_clamsrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\winvnc4.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\system32\WLTRYSVC.EXE


--
End of file - 9977 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 papycpu - c:\windows\system32\drivers\papycpu.sys
R1 papyjoy - c:\windows\system32\drivers\papyjoy.sys
R1 sp_rsdrv2 (Spyware Terminator Driver 2) - c:\windows\system32\drivers\sp_rsdrv2.sys

S3 MR97310_USB_DUAL_CAMERA (MR97310 CIF Dual Mode Camera) - c:\windows\system32\drivers\mr97310c.sys (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 sp_rssrv (Spyware Terminator Realtime Shield Service) - "c:\program files\spyware terminator\sp_rsser.exe" <Not Verified; Crawler.com; Crawler Spyware Terminator>
R2 wfxsvc (WinFax PRO) - c:\windows\system32\wfxsvc.exe <Not Verified; Symantec Corporation; Symantec WinFax PRO>

S3 sp_clamsrv (Spyware Terminator Clam Service) - "c:\program files\winclamavshield\sp_clamsrv.exe" <Not Verified; Crawler.com; Spyware Terminator>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-07-13 18:58:00 412 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job


-- Files created between 2008-06-13 and 2008-07-13 -----------------------------

2008-07-13 14:56:18 81152 --a------ C:\WINDOWS\system32\ytimeeoa.dll
2008-07-13 14:53:20 105296 --a------ C:\WINDOWS\system32\pfhzkq.dll
2008-07-13 14:53:18 105296 --a------ C:\WINDOWS\system32\jdsfgqun.dll
2008-07-13 14:51:06 90928 --a------ C:\WINDOWS\system32\bypnuwnj.dll
2008-07-13 14:50:17 441994 --ahs---- C:\WINDOWS\system32\PWyIOXbc.ini2
2008-07-12 00:11:24 25920 --a------ C:\WINDOWS\system32\ljJASijG.dll
2008-07-12 00:11:23 25920 --a------ C:\WINDOWS\system32\khfGyyab.dll
2008-07-11 23:20:15 0 d-------- C:\Program Files\Enigma Software Group
2008-07-10 23:36:24 116352 --a------ C:\WINDOWS\system32\fpkcgngu.dll
2008-07-08 18:17:29 88576 --a------ C:\WINDOWS\system32\ati2cqa.dll
2008-07-07 02:58:20 166956 --ahs---- C:\WINDOWS\system32\stBKRXbc.ini2
2008-06-17 20:39:47 0 d-------- C:\Documents and Settings\Default User\Application Data\AVGTOOLBAR
2008-06-17 20:39:41 0 d-------- C:\Documents and Settings\Default User\Application Data\ICQ Toolbar
2008-06-17 18:11:23 0 d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-06-17 18:10:10 0 d-------- C:\Program Files\Common Files\iS3
2008-06-17 18:10:09 0 d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-06-15 02:34:32 0 d-------- C:\Documents and Settings\User\Contacts
2008-06-15 02:31:50 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-06-15 02:13:14 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-15 02:12:07 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller


-- Find3M Report ---------------------------------------------------------------

2008-07-12 17:19:26 0 d-------- C:\Program Files\Spyware Terminator
2008-07-12 16:11:14 0 d-------- C:\Documents and Settings\User\Application Data\Spyware Terminator
2008-07-12 00:09:08 0 d-------- C:\Program Files\Powercon
2008-06-30 21:18:40 0 d-------- C:\Program Files\Free Keylogger
2008-06-17 20:40:00 0 d-------- C:\Program Files\ICQToolbar
2008-06-17 18:10:10 0 d-------- C:\Program Files\Common Files
2008-06-15 03:58:47 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-15 21:51:01 0 d-------- C:\Program Files\Diablo II
2008-05-15 00:01:25 0 d-------- C:\Program Files\Microsoft Games
2008-05-14 23:37:45 0 d-------- C:\Program Files\Messenger
2008-05-14 23:36:47 0 d-------- C:\Program Files\Movie Maker
2008-05-14 23:28:52 0 d-------- C:\Program Files\Windows NT
2008-05-08 23:41:52 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{149813CF-AFC1-4AC2-A404-B8AA402F323A}]
07/12/2008 12:11 AM 25920 --a------ C:\WINDOWS\system32\khfGyyab.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20177355-706D-416B-A23B-49443A7118F3}]
C:\WINDOWS\system32\ssqNDvsT.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{52B0206C-C565-45D4-AF37-9562227C455D}]
C:\WINDOWS\system32\cbXOIyWP.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{869d2a85-c2fe-486e-910a-3e81ff320454}]
07/13/2008 02:53 PM 105296 --a------ C:\WINDOWS\system32\pfhzkq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
07/04/2008 04:59 AM 2055960 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B357B792-E4D7-43D9-A5CD-4023F2A827D8}]
04/13/2008 06:11 PM 88576 --a------ C:\WINDOWS\system32\ati2cqa.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D64B9471-B2C7-433F-81A5-3D89E617B630}]
C:\WINDOWS\system32\cbXRKBts.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [07/04/2008 04:59 AM 2055960]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [08/30/2002 12:17 PM C:\WINDOWS\system32\Ati2mdxx.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [11/01/2003 01:46 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [11/01/2003 01:46 PM]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [02/20/2002 08:01 PM]
"WinFaxAppPortStarter"="wfxsnt40.exe" [11/28/1998 04:59 AM C:\WINDOWS\system32\WFXSNT40.EXE]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [08/19/2006 04:43 PM]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [06/16/2008 09:32 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/27/2007 06:41 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"MyWebSearch Email Plugin"="C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe" [03/23/2008 06:38 PM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/04/2008 04:59 AM]
"ec0000d7"="C:\WINDOWS\system32\ytimeeoa.dll" [07/13/2008 02:56 PM]
"FreeKeylogger.exe"="C:\Program Files\Free Keylogger\FreeKeylogger.exe" [09/17/2006 01:38 PM]
"BMef33334b"="C:\WINDOWS\system32\bypnuwnj.dll" [07/13/2008 02:51 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [06/20/2003 08:00 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 06:12 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [04/03/2007 12:59 PM]
"MyWebSearch Email Plugin"="C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe" [03/23/2008 06:38 PM]
"ICQ"="C:\PROGRA~1\ICQ6\ICQ.exe" [04/01/2008 04:40 AM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 09:05 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= C:\Program Files\Symantec\WinFax\WfxSeh32.Dll [11/28/1998 04:59 AM 38400]
"{20177355-706D-416B-A23B-49443A7118F3}"= C:\WINDOWS\system32\ssqNDvsT.dll [ ]
"{149813CF-AFC1-4AC2-A404-B8AA402F323A}"= C:\WINDOWS\system32\khfGyyab.dll [07/12/2008 12:11 AM 25920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfGyyab]
khfGyyab.dll 07/12/2008 12:11 AM 25920 C:\WINDOWS\system32\khfGyyab.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqNDvsT]
ssqNDvsT.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\cbXOIyWP

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]
rundll32 sockins32.dll,InitModule



-- End of Deckard's System Scanner: finished at 2008-07-13 19:03:50 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Mobile AMD Athlon™ XP 2800+
Percentage of Memory in Use: 69%
Physical Memory (total/avail): 447.48 MiB / 138.25 MiB
Pagefile Memory (total/avail): 1056.65 MiB / 669.73 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1879.28 MiB

C: is Fixed (NTFS) - 55.88 GiB total, 42.83 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - IC25N060ATMR04-0 - 55.89 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 55.88 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\User\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BOBS-ELAP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\User
LOGONSERVER=\\BOBS-ELAP
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0a00
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\User\LOCALS~1\Temp
TMP=C:\DOCUME~1\User\LOCALS~1\Temp
USERDOMAIN=BOBS-ELAP
USERNAME=User
USERPROFILE=C:\Documents and Settings\User
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

User (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\system32\UninstIPP.isu
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe -q
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
AnswerWorks Runtime --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\WexTech\AnswerWorks\Uninst.isu"
ArcSoft PhotoImpression --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{19234D4B-AA7A-4165-8ECB-0247B420C515}\Setup.exe" -l0x9 -uninst
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
BCM Wireless Network Adapter --> C:\WINDOWS\system32\BCMWLU00.exe verbose
Camelot Riches 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A8C4C1C8-A3B4-4C91-B3DA-D28F10CAAC6D}\setup.exe" -l0x9
Canon MP Drivers --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58F8C6D9-5B55-486A-A322-4E8D87670031}\Setup.exe" -l0x9 -Uninstall
Canon MP Toolbox 4.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4669544E-20E4-4E56-8B44-2E6E1200051F}\Setup.exe" -l0x9 -Uninstall
Canon Utilities Easy-PhotoPrint --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Canon\Easy-PhotoPrint\Uninst.isu" -c"C:\Program Files\Canon\Easy-PhotoPrint\EZUNINST.DLL"
Corel Applications --> C:\WINDOWS\Corel\Uninst32.exe
Desktop Calendar 0.42b --> "C:\Program Files\Desktop Calendar\unins000.exe"
Dungeon Siege Demo --> "C:\Program Files\Microsoft Games\Dungeon Siege Demo\UNINSTAL.EXE" /runtemp /addremove
Easy-WebPrint --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"
Free Keylogger 2.5 --> "C:\Program Files\Free Keylogger\unins001.exe"
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Google Updater --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB902344) --> "C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
ICQ Toolbar --> regsvr32 /u /s "C:\PROGRA~1\ICQTOO~2\toolbaru.dll"
ICQ Toolbar --> regsvr32 /u /s "C:\Program Files\ICQToolbar\toolbaru.dll"
ICQ6 --> "C:\Program Files\InstallShield Installation Information\{60DE4033-9503-48D1-A483-7846BD217CA9}\setup.exe" -runfromtemp -l0x0009 -removeonly
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
Java 2 Runtime Environment Standard Edition v1.3.1 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\JavaSoft\JRE\1.3.1\Uninst.isu"
Java 2 Runtime Environment Standard Edition v1.3.1_02 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\JavaSoft\JRE\1.3.1_02\Uninst.isu"
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
LiveUpdate 1.90 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Excel 97 --> C:\Program Files\Microsoft Office\Office\Setup\AcmeXl.exe /w Excel97.stf
Microsoft Money 2004 --> MsiExec.exe /I{1D643CD7-4DD6-11D7-A4E0-000874180BB3}
Microsoft Money 2004 System Pack --> MsiExec.exe /I{8C64E145-54BA-11D6-91B1-00500462BE80}
Microsoft Office PowerPoint Viewer 2003 --> MsiExec.exe /X{90AF0409-6000-11D3-8CFE-0150048383C9}
Microsoft Small Business Financial Manager 98 --> C:\Program Files\Microsoft Office\Office\SBFM\Setup\sbfmstp.exe
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Word 97 --> C:\Program Files\Microsoft Office\Office\Setup\AcmeWord.exe /w Word97.stf
Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Netscape 6 (6.2.1) --> C:\WINDOWS\N6Uninst.exe /ua "6.2.1 (en)"
Norton WMI Update --> MsiExec.exe /X{1526D87C-A955-4FAB-BF18-697BA457E352}
OmniPage SE --> MsiExec.exe /I{6249C22D-E6A8-407B-BA8B-40298848ED94}
OpenOffice.org 2.1 --> MsiExec.exe /I{43983EB4-43DC-4C3D-9712-1EF592A31CA8}
PDC2030 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{868C40D3-49C9-46FC-A143-5775826D3115}\setup.exe"
Powercon 3.1.1.1 --> "C:\Program Files\Powercon\unins000.exe"
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
Presto! PageManager 6.01 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5BE42A03-E7B8-42A9-B1BB-FC48B03D58B8}\Setup.exe" -l0x9 anything
PrintMaster Gold 3.00 --> c:\pmw\msrun.exe
QuickBooks --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Intuit\QuickBooks\DeIsL1.isu"
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Smart Link 56K Modem --> C:\WINDOWS\Modio\SLAMR2KO\Setup.exe /Remove
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
Spyware Terminator --> "C:\Program Files\Spyware Terminator\unins000.exe"
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Tomb Raider: Anniversary Demo 1.0 --> C:\Program Files\Tomb Raider - Anniversary Demo\uninsttra.exe
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Virtual Magnifying Glass --> "C:\Program Files\Virtual Magnifying Glass\uninstall.exe"
VNC Free Edition 4.1.2 --> "C:\Program Files\RealVNC\VNC4\unins000.exe"
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Connect --> "C:\WINDOWS\$NtUninstallWMCSetup$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinFax PRO --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Symantec\WinFax\WFXUNIST.ISU" -c"C:\Program Files\Symantec\WinFax\UNINSTUB.DLL"
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type5018 / Error
Event Submitted/Written: 07/13/2008 06:57:51 PM
Event ID/Source: 11 / crypt32
Event Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Event Record #/Type5017 / Error
Event Submitted/Written: 07/13/2008 06:45:14 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16674, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type5010 / Error
Event Submitted/Written: 07/13/2008 05:20:25 PM
Event ID/Source: 2 / WLTRYSVC
Event Description:
SetServiceStatus() failed

Event Record #/Type5005 / Error
Event Submitted/Written: 07/13/2008 04:52:58 PM
Event ID/Source: 2 / WLTRYSVC
Event Description:
SetServiceStatus() failed

Event Record #/Type5001 / Error
Event Submitted/Written: 07/13/2008 01:03:55 AM
Event ID/Source: 2 / WLTRYSVC
Event Description:
SetServiceStatus() failed



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type33454 / Error
Event Submitted/Written: 07/13/2008 06:58:01 PM
Event ID/Source: 7016 / Service Control Manager
Event Description:
The SmartLinkService service has reported an invalid current state 0.

Event Record #/Type33434 / Error
Event Submitted/Written: 07/13/2008 06:00:50 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Event Record #/Type33349 / Error
Event Submitted/Written: 07/12/2008 11:02:17 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
AmdK7
AvgLdx86
AvgMfx86
Fips
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
sp_rsdrv2
Tcpip

Event Record #/Type33348 / Error
Event Submitted/Written: 07/12/2008 11:02:17 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31

Event Record #/Type33347 / Error
Event Submitted/Written: 07/12/2008 11:02:17 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Messenger service depends on the NetBIOS Interface service which failed to start because of the following error:
%%31



-- End of Deckard's System Scanner: finished at 2008-07-13 19:03:50 ------------

#7 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 14 July 2008 - 09:17 AM

We're going to need another tool, but this one should help quite a bit.

Please download ComboFix and save it to your desktop.
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#8 bobdor

bobdor
  • Topic Starter

  • Members
  • 30 posts
  • Gender:Male
  • Location:Alberta, Canada

Posted 14 July 2008 - 08:21 PM

Hi Sam
We are definitely making progress. I have accessed this site with comp in question. First time since first request. I hope the log is complete, we had a power outage for a few seconds during running ComboFix. Here is the log:

ComboFix 08-07-14.2 - User 2008-07-14 18:30:35.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.114 [GMT -6:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\User\Application Data\FunWebProducts
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\PopSwatr\History\allowed
C:\Program Files\FunWebProducts\PopSwatr\History\notallow
C:\Program Files\FunWebProducts\ScreenSaver\Images\000618B8.urr
C:\Program Files\FunWebProducts\Shared\Cache(2)\AvatarSmallBtn.html
C:\Program Files\FunWebProducts\Shared\Cache(2)\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache(2)\MailStampBtn.htmlx
C:\Program Files\FunWebProducts\Shared\Cache(2)\MyFunCardsIMBtn.html
C:\Program Files\FunWebProducts\Shared\Cache(2)\MyStationeryBtn.htmlx
C:\Program Files\FunWebProducts\Shared\Cache(2)\SmileyCentralBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\AvatarSmallBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\2.bin\F3DTACTL.DLL
C:\Program Files\MyWebSearch\bar\2.bin\F3HISTSW.DLL
C:\Program Files\MyWebSearch\bar\2.bin\F3HTMLMU.DLL
C:\Program Files\MyWebSearch\bar\2.bin\F3HTTPCT.DLL
C:\Program Files\MyWebSearch\bar\2.bin\F3IMSTUB.DLL
C:\Program Files\MyWebSearch\bar\2.bin\F3POPSWT.DLL
C:\Program Files\MyWebSearch\bar\2.bin\F3PSSAVR.SCR
C:\Program Files\MyWebSearch\bar\2.bin\F3REPROX.DLL
C:\Program Files\MyWebSearch\bar\2.bin\F3RESTUB.DLL
C:\Program Files\MyWebSearch\bar\2.bin\F3SCHMON.EXE
C:\Program Files\MyWebSearch\bar\2.bin\F3SCRCTR.DLL
C:\Program Files\MyWebSearch\bar\2.bin\F3SHLLVW.DLL
C:\Program Files\MyWebSearch\bar\2.bin\F3WPHOOK.DLL
C:\Program Files\MyWebSearch\bar\2.bin\M3FFXTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\2.bin\M3IDLE.DLL
C:\Program Files\MyWebSearch\bar\2.bin\M3IMPIPE.EXE
C:\Program Files\MyWebSearch\bar\2.bin\M3NTSTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\2.bin\M3PLUGIN.DLL
C:\Program Files\MyWebSearch\bar\2.bin\M3SKPLAY.EXE
C:\Program Files\MyWebSearch\bar\2.bin\M3SLSRCH.EXE
C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
C:\Program Files\MyWebSearch\bar\2.bin\MWSOEPLG.DLL
C:\Program Files\MyWebSearch\bar\2.bin\MWSOESTB.DLL
C:\Program Files\MyWebSearch\bar\2.bin\NPMYWEBS.DLL
C:\Program Files\MyWebSearch\bar\3.bin\F3BKGERR.JPG
C:\Program Files\MyWebSearch\bar\3.bin\F3SPACER.WMV
C:\Program Files\MyWebSearch\bar\3.bin\F3WALLPP.DAT
C:\Program Files\MyWebSearch\bar\3.bin\M3FFXTBR.JAR
C:\Program Files\MyWebSearch\bar\3.bin\M3NTSTBR.JAR
C:\Program Files\MyWebSearch\bar\Avatar(2)\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Cache(2)\0007E8F1
C:\Program Files\MyWebSearch\bar\Cache(2)\0007F20E
C:\Program Files\MyWebSearch\bar\Cache(2)\0007F539.bin
C:\Program Files\MyWebSearch\bar\Cache(2)\0007F833.bin
C:\Program Files\MyWebSearch\bar\Cache(2)\0007FBC2.bin
C:\Program Files\MyWebSearch\bar\Cache(2)\00080182.bin
C:\Program Files\MyWebSearch\bar\Cache(2)\03AA5845
C:\Program Files\MyWebSearch\bar\Cache(2)\04FBACC0.bin
C:\Program Files\MyWebSearch\bar\Cache(2)\04FBAF4B.bin
C:\Program Files\MyWebSearch\bar\Cache(2)\04FBB1CC.bin
C:\Program Files\MyWebSearch\bar\Cache(2)\04FBB4B1.bin
C:\Program Files\MyWebSearch\bar\Cache(2)\05A149E2.bin
C:\Program Files\MyWebSearch\bar\Cache(2)\05A14DFE.bin
C:\Program Files\MyWebSearch\bar\Cache(2)\05A14F8F.bin
C:\Program Files\MyWebSearch\bar\Cache\000A269E.bin
C:\Program Files\MyWebSearch\bar\Cache\000A3979.bin
C:\Program Files\MyWebSearch\bar\Cache\000A3F4D.bin
C:\Program Files\MyWebSearch\bar\Cache\000A46C6.bin
C:\Program Files\MyWebSearch\bar\Cache\000AEEC0
C:\Program Files\MyWebSearch\bar\Cache\0116D09E
C:\Program Files\MyWebSearch\bar\Cache\01254229.bin
C:\Program Files\MyWebSearch\bar\Cache\01254FBC.bin
C:\Program Files\MyWebSearch\bar\Cache\01255175.bin
C:\Program Files\MyWebSearch\bar\Cache\0125535F.bin
C:\Program Files\MyWebSearch\bar\Cache\02F525C4
C:\Program Files\MyWebSearch\bar\Cache\0617D2CF.bin
C:\Program Files\MyWebSearch\bar\Cache\0617D491.bin
C:\Program Files\MyWebSearch\bar\Cache\0617D6A4.bin
C:\Program Files\MyWebSearch\bar\Cache\06BEC36A
C:\Program Files\MyWebSearch\bar\Cache\files.ini
C:\Program Files\MyWebSearch\bar\Game(2)\CHECKERS.F3S
C:\Program Files\MyWebSearch\bar\Game(2)\CHESS.F3S
C:\Program Files\MyWebSearch\bar\Game(2)\REVERSI.F3S
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\icons\CM.ICO
C:\Program Files\MyWebSearch\bar\icons\MFC.ICO
C:\Program Files\MyWebSearch\bar\icons\PSS.ICO
C:\Program Files\MyWebSearch\bar\icons\SMILEY.ICO
C:\Program Files\MyWebSearch\bar\icons\WB.ICO
C:\Program Files\MyWebSearch\bar\icons\ZWINKY.ICO
C:\Program Files\MyWebSearch\bar\Message(2)\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Notifier(2)\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Notifier(2)\DOG.F3S
C:\Program Files\MyWebSearch\bar\Notifier(2)\FISH.F3S
C:\Program Files\MyWebSearch\bar\Notifier(2)\KUNGFU.F3S
C:\Program Files\MyWebSearch\bar\Notifier(2)\LIFEGARD.F3S
C:\Program Files\MyWebSearch\bar\Notifier(2)\MAID.F3S
C:\Program Files\MyWebSearch\bar\Notifier(2)\MAILBOX.F3S
C:\Program Files\MyWebSearch\bar\Notifier(2)\OPERA.F3S
C:\Program Files\MyWebSearch\bar\Notifier(2)\ROBOT.F3S
C:\Program Files\MyWebSearch\bar\Notifier(2)\SEDUCT.F3S
C:\Program Files\MyWebSearch\bar\Notifier(2)\SURFER.F3S
C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm.bak
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\MyWebSearch\bar\Settings\settings.dat.bak
C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
C:\WINDOWS\cookies.ini
C:\WINDOWS\g32.txt
C:\WINDOWS\index.html
C:\WINDOWS\pskt.ini
C:\WINDOWS\s32.txt
C:\WINDOWS\system32\adult.txt
C:\WINDOWS\system32\aoeemity.ini
C:\WINDOWS\system32\ati2cqa.dll
C:\WINDOWS\system32\bdJllnnn.ini
C:\WINDOWS\system32\bdJllnnn.ini2
C:\WINDOWS\system32\bxaykh.dll
C:\WINDOWS\system32\bypnuwnj.dll
C:\WINDOWS\system32\dprpppht.ini
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\system32\feLooUtv.ini
C:\WINDOWS\system32\finance.txt
C:\WINDOWS\system32\fpkcgngu.dll
C:\WINDOWS\system32\gbnibpjh.ini
C:\WINDOWS\system32\hbahbtdy.ini
C:\WINDOWS\system32\iifgHxVN.dll
C:\WINDOWS\system32\jdsfgqun.dll
C:\WINDOWS\system32\jiiacjep.dll
C:\WINDOWS\system32\jkkKcCro.dll
C:\WINDOWS\system32\khfGyyab.dll
C:\WINDOWS\system32\ljJASijG.dll
C:\WINDOWS\system32\lkixfmbn.dll
C:\WINDOWS\system32\lt.res
C:\WINDOWS\system32\nnnllJdb.dll
C:\WINDOWS\system32\other.txt
C:\WINDOWS\system32\pejcaiij.ini
C:\WINDOWS\system32\permwaej.ini
C:\WINDOWS\system32\pfhzkq.dll
C:\WINDOWS\system32\pharma.txt
C:\WINDOWS\system32\PWyIOXbc.ini
C:\WINDOWS\system32\PWyIOXbc.ini2
C:\WINDOWS\system32\rcidctwt.ini
C:\WINDOWS\system32\sft.res
C:\WINDOWS\system32\sn.txt
C:\WINDOWS\system32\stBKRXbc.ini
C:\WINDOWS\system32\stBKRXbc.ini2
C:\WINDOWS\system32\tculwtmn.ini
C:\WINDOWS\system32\wrmxuuir.dll
C:\WINDOWS\system32\wydjihjd.ini
C:\WINDOWS\winhelp.ini
C:\WINDOWS\ws386.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASPIMGR


((((((((((((((((((((((((( Files Created from 2008-06-15 to 2008-07-15 )))))))))))))))))))))))))))))))
.

2008-07-13 18:54 . 2008-07-13 18:54 <DIR> d-------- C:\Deckard
2008-07-13 14:51 . 2008-07-14 18:22 110,437 --a------ C:\WINDOWS\BMef33334b.xml
2008-07-11 23:20 . 2008-07-11 23:20 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-06-17 18:11 . 2008-06-17 18:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-06-17 18:10 . 2008-06-17 18:10 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-06-17 18:10 . 2008-06-17 18:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-06-15 02:59 . 2008-04-13 18:12 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2008-06-15 02:59 . 2008-04-13 18:12 53,760 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2008-06-15 02:34 . 2008-06-15 02:35 <DIR> d-------- C:\Documents and Settings\User\Contacts
2008-06-15 02:33 . 2008-06-15 02:33 268 --ah----- C:\sqmdata00.sqm
2008-06-15 02:33 . 2008-06-15 02:33 244 --ah----- C:\sqmnoopt00.sqm
2008-06-15 02:31 . 2008-06-15 02:31 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-06-15 02:13 . 2008-06-15 02:17 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-15 02:12 . 2008-07-10 03:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-15 00:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-14 03:41 --------- d-----w C:\Program Files\Spyware Terminator
2008-07-14 03:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-07-14 03:03 --------- d-----w C:\Documents and Settings\User\Application Data\Spyware Terminator
2008-07-12 06:09 --------- d-----w C:\Program Files\Powercon
2008-07-04 10:59 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-04 10:59 76,040 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-04 10:59 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2008-07-01 03:18 --------- d-----w C:\Program Files\Free Keylogger
2008-06-18 02:40 --------- d-----w C:\Program Files\ICQToolbar
2008-06-17 03:32 141,312 ----a-w C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-06-15 09:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-16 03:51 --------- d-----w C:\Program Files\Diablo II
2008-05-15 06:01 --------- d-----w C:\Program Files\Microsoft Games
2008-05-09 05:41 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-20 08:00 200704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 18:12 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-03 12:59 68856]
"ICQ"="C:\PROGRA~1\ICQ6\ICQ.exe" [2008-04-01 04:40 172280]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-11-01 13:46 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-11-01 13:46 499712]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-02-20 20:01 49152]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-08-19 16:43 180269]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-06-16 21:32 1817600]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-27 18:41 98304]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-04 04:59 1232152]
"FreeKeylogger.exe"="C:\Program Files\Free Keylogger\FreeKeylogger.exe" [2006-09-17 13:38 238592]
"ATIModeChange"="Ati2mdxx.exe" [2002-08-30 12:17 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"WinFaxAppPortStarter"="wfxsnt40.exe" [1998-11-28 04:59 43008 C:\WINDOWS\system32\WFXSNT40.EXE]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Controller.LNK - C:\Program Files\Symantec\WinFax\WFXCTL32.EXE [2006-08-18 00:13:03 505856]
CorelCENTRAL Alarms.LNK - C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe [2006-08-17 23:49:34 241664]
Desktop Application Director 9.LNK - C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe [2006-08-17 23:50:31 225280]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-02-07 19:17:08 124912]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-08-19 111376]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-08-19 51984]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "C:\Program Files\Symantec\WinFax\WfxSeh32.Dll" [1998-11-28 04:59 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP54"= SP5X_32.DLL
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-04 04:59]
R1 papycpu;papycpu;C:\WINDOWS\system32\drivers\papycpu.sys [1998-10-06 15:36]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-06-16 21:32]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-04 04:59]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-04 04:59]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-04 04:59]
R2 wfxsvc;WinFax PRO;C:\WINDOWS\system32\WFXSVC.EXE [1998-11-28 04:59]

.
Contents of the 'Scheduled Tasks' folder
"2008-07-15 00:58:04 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
- - - - ORPHANS REMOVED - - - -

BHO-{52B0206C-C565-45D4-AF37-9562227C455D} - C:\WINDOWS\system32\cbXOIyWP.dll
BHO-{D64B9471-B2C7-433F-81A5-3D89E617B630} - C:\WINDOWS\system32\cbXRKBts.dll
Toolbar-SITEguard - (no file)
HKLM-Run-ec0000d7 - C:\WINDOWS\system32\jiiacjep.dll
HKLM-Run-BMef33334b - C:\WINDOWS\system32\wrmxuuir.dll
Notify-ssqNDvsT - ssqNDvsT.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-14 18:54:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\RealVNC\VNC4\winvnc4.exe
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\slrundll.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-07-14 19:02:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-15 01:02:02

Pre-Run: 45,887,070,208 bytes free
Post-Run: 45,780,123,648 bytes free

304 --- E O F --- 2008-06-23 04:02:02

#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 15 July 2008 - 09:41 AM

I want to call your attention to this program. Are you aware it is installed?

2008-07-01 03:18 --------- d-----w C:\Program Files\Free Keylogger


You are running an older version of Java. This can be a security risk so let's get you the latest version.
Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u7-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.



Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Also post a new log from DSS.
How is your computer behaving now?

#10 bobdor

bobdor
  • Topic Starter

  • Members
  • 30 posts
  • Gender:Male
  • Location:Alberta, Canada

Posted 15 July 2008 - 11:15 PM

Hi Sam
Yes I know free keylogger is installed. My laptop is often used by other people (family or staff) for whatever reason it needs to. I love them dearly but need a way to monitor. I haven't been keeping up to date, but after all this maybe I should be more diligent. Not knowing what caused all this infection??

I will post DSS scan next.

That scan took a long time. Here it is:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, July 15, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, July 15, 2008 20:18:26
Records in database: 957114
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 53265
Threat name: 16
Infected objects: 31
Suspicious objects: 0
Duration of the scan: 02:53:05


File name / Threat name / Threats count
C:\Program Files\RealVNC\VNC4\WinVNC4.exe/C:\Program Files\RealVNC\VNC4\WinVNC4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\Powercon\othread2.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\F3DTACTL.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\F3HISTSW.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\F3HTMLMU.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.l 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\F3HTTPCT.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.af 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\F3IMSTUB.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\F3POPSWT.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\F3PSSAVR.SCR.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\F3REPROX.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\F3RESTUB.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\F3SCHMON.EXE.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.a 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\F3SCRCTR.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.an 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\F3SHLLVW.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\F3WPHOOK.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\M3IDLE.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\M3PLUGIN.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.as 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\M3SLSRCH.EXE.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\MWSOEPLG.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\MWSOESTB.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\NPMYWEBS.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.i 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.as 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ati2cqa.dll.vir Infected: Rootkit.Win32.Podnuha.il 1
C:\QooBox\Quarantine\C\WINDOWS\system32\f3PSSavr.scr.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch 1
C:\QooBox\Quarantine\C\WINDOWS\system32\fpkcgngu.dll.vir Infected: Trojan.Win32.Monderb.gen 1

The selected area was scanned.

#11 bobdor

bobdor
  • Topic Starter

  • Members
  • 30 posts
  • Gender:Male
  • Location:Alberta, Canada
  • Local time:03:53 PM

Posted 15 July 2008 - 11:29 PM

Hi Sam

Yes, the computer is running better and I am able to get on most sites easily now. However, 2 things I noticed.

Cannot download HIJACKTHIS.EXE; DSS is using a clone to get the scan log. Also, I have the firewall OFF, so that is not blocking the download.

Also, I noticed a lot of Mywebsearch\bar\ being infected. This came with ICQ when Smileys were installed (I believe). So my question is: "Are some of these internet things we use every day just wrong, and is it better not to communicate over the internet if we don't want things like this to happen?" Scary.

Here is dss log:
Deckard's System Scanner v20071014.68
Run by User on 2008-07-15 22:18:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 448 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-15 22:18:27
Platform: Windows XP Service Pack 3 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\system32\WFXSNT40.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Free Keylogger\FreeKeylogger.exe
C:\Program Files\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\Program Files\ICQ6\ICQ.exe
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\Program Files\RealVNC\VNC4\winvnc4.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\User\Desktop\downloads\scanner\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [FreeKeylogger.exe] C:\Program Files\Free Keylogger\FreeKeylogger.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ICQ] "C:\PROGRA~1\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: CorelCENTRAL Alarms.LNK = ?
O4 - Global Startup: Desktop Application Director 9.LNK = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...arch.jhtml?p=ZZ
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} () - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1210824645994
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DCDC28C5-831C-43EA-9C02-78872CCCA409} (VPlayer Control) - http://thesecret.tv/movie/player/vivid_ocx.jpeg
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SmartLinkService (SLService) - Unknown owner - C:\WINDOWS\system32\slserv.exe
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\Sp_clamsrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\winvnc4.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\system32\WLTRYSVC.EXE


--
End of file - 8634 bytes

-- Files created between 2008-06-15 and 2008-07-15 -----------------------------

2008-07-15 18:56:08 0 d-------- C:\WINDOWS\Sun
2008-07-15 18:47:35 0 d-------- C:\Program Files\Java
2008-07-15 18:47:28 0 d-------- C:\Program Files\Common Files\Java
2008-07-15 18:46:47 0 d-------- C:\Documents and Settings\User\Application Data\Sun
2008-07-14 18:26:45 68096 --a------ C:\WINDOWS\zip.exe
2008-07-14 18:26:45 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-14 18:26:45 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-14 18:26:45 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-14 18:26:45 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-14 18:26:45 98816 --a------ C:\WINDOWS\sed.exe
2008-07-14 18:26:45 80412 --a------ C:\WINDOWS\grep.exe
2008-07-14 18:26:45 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-11 23:20:15 0 d-------- C:\Program Files\Enigma Software Group
2008-06-17 20:39:47 0 d-------- C:\Documents and Settings\Default User\Application Data\AVGTOOLBAR
2008-06-17 20:39:41 0 d-------- C:\Documents and Settings\Default User\Application Data\ICQ Toolbar
2008-06-17 18:11:23 0 d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-06-17 18:10:10 0 d-------- C:\Program Files\Common Files\iS3
2008-06-17 18:10:09 0 d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-06-15 02:34:32 0 d-------- C:\Documents and Settings\User\Contacts
2008-06-15 02:31:50 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-06-15 02:13:14 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-15 02:12:07 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller


-- Find3M Report ---------------------------------------------------------------

2008-07-15 18:47:28 0 d-------- C:\Program Files\Common Files
2008-07-15 00:07:22 0 d-------- C:\Program Files\Powercon
2008-07-13 21:41:33 0 d-------- C:\Program Files\Spyware Terminator
2008-07-13 21:03:45 0 d-------- C:\Documents and Settings\User\Application Data\Spyware Terminator
2008-06-30 21:18:40 0 d-------- C:\Program Files\Free Keylogger
2008-06-17 20:40:00 0 d-------- C:\Program Files\ICQToolbar
2008-06-15 03:58:47 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-15 21:51:01 0 d-------- C:\Program Files\Diablo II
2008-05-15 00:01:25 0 d-------- C:\Program Files\Microsoft Games
2008-05-08 23:41:52 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
07/04/2008 04:59 AM 2055960 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [07/04/2008 04:59 AM 2055960]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [08/30/2002 12:17 PM C:\WINDOWS\system32\Ati2mdxx.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [11/01/2003 01:46 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [11/01/2003 01:46 PM]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [02/20/2002 08:01 PM]
"WinFaxAppPortStarter"="wfxsnt40.exe" [11/28/1998 04:59 AM C:\WINDOWS\system32\WFXSNT40.EXE]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [08/19/2006 04:43 PM]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [06/16/2008 09:32 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/27/2007 06:41 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/04/2008 04:59 AM]
"FreeKeylogger.exe"="C:\Program Files\Free Keylogger\FreeKeylogger.exe" [09/17/2006 01:38 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [06/20/2003 08:00 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 06:12 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [04/03/2007 12:59 PM]
"ICQ"="C:\PROGRA~1\ICQ6\ICQ.exe" [04/01/2008 04:40 AM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 09:05 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= C:\Program Files\Symantec\WinFax\WfxSeh32.Dll [11/28/1998 04:59 AM 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-07-15 22:19:26 ------------

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:53 PM

Posted 16 July 2008 - 08:32 AM

You should be able to download Hijackthis directly from any number of places. Try this link.
http://www.download.com/Trend-Micro-Hijack...4-10227353.html


I understand, on the keylogger. I just wanted to be sure that I brought it to your attention just in case. :)


Anytime you install something, you run the risk of bringing something else along for the ride. During the installation process make sure you actually read the screens and don't just click Next. A lot of times it's an option to install something extra, but it's already checked by default and you have to uncheck it. Just be cautious. Mywebsearch is low-risk adware, but you still don't want it.


Your log looks pretty good. Just fix this line with Hijackthis.

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...arch.jhtml?p=ZZ



Assuming all seems well on your end, here are some final steps for you.

Now it's time to clean up.
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it.
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files left in a restore point from what we have just cleaned.

    You can find instructions on how to disable and re-enable System Restore here:

    Windows XP System Restore Guide

    Re-enable System Restore with the instructions from the tutorial above.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:thumbsup: :)
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
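The log review in the post above (picking the mywebsearch O8 entry and the orphaned ICQ Lite buttons out of the HijackThis clone output) can be partly automated. The script below is an added example, not part of this thread and not HijackThis's or DSS's own logic: it parses HijackThis-format lines into (section, body) records and applies a handful of triage rules that reflect the points raised in the thread. The sample log is constructed and modelled on the posted one, with shortened, illustrative URLs and paths; the adware host list (mywebsearch.com, imgfarm.com), the trusted allowlist for O16 ActiveX sources (microsoft.com, macromedia.com) and the monitoring-tool name list are assumptions made for the example.

```python
"""Triage of HijackThis-format log lines: an added example, not part of the thread.

Assumptions (not HijackThis's or DSS's own logic): the adware host list, the
trusted allowlist for O16 ActiveX sources, and the monitoring-tool name list.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample modelled on the "HijackThis Clone" section of the DSS log
# posted above; URLs and some paths are shortened and illustrative.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [FreeKeylogger.exe] C:\Program Files\Free Keylogger\FreeKeylogger.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/example.jhtml
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} () - http://ak.exe.imgfarm.com/example/setup.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/example/muweb_site.cab
O16 - DPF: {DCDC28C5-831C-43EA-9C02-78872CCCA409} (VPlayer Control) - http://thesecret.tv/example/player.jpeg
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: SmartLinkService (SLService) - Unknown owner - C:\WINDOWS\system32\slserv.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\winvnc4.exe
"""

ADWARE_HOSTS = ("mywebsearch.com", "imgfarm.com")        # hosts named in this thread
TRUSTED_DPF_HOSTS = ("microsoft.com", "macromedia.com")  # assumed allowlist for O16 sources
MONITORING_TOOLS = ("winvnc", "keylogger")               # remote-admin/monitoring names from the Kaspersky report
SEVERITY_RANK = {"info": 0, "review": 1, "fix": 2}

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")
URL_RE = re.compile(r"https?://\S+")
RUN_RE = re.compile(r"\[[^\]]*\]\s*(?P<cmd>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section, e.g. "O8"
    severity: str  # "fix", "review" or "info"
    reason: str
    line: str


def host_matches(host, suffixes):
    """True if host equals one of the suffixes or is a subdomain of it."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def command_image(cmd):
    """Return the executable part of a Run command, honouring quoting."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def parse(log_text):
    """Yield (section, body, raw_line) for every 'Onn - ...' style entry."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m["sec"], m["body"], raw.strip()


def assess(sec, body):
    """Apply the triage rules to one entry; return a list of (severity, reason)."""
    hits = []
    lower = body.lower()
    urls = URL_RE.findall(body)
    hosts = [(urlparse(u).hostname or "").lower() for u in urls]

    if any(host_matches(h, ADWARE_HOSTS) for h in hosts):
        hits.append(("fix", "references a known adware/toolbar host"))
    if "(file missing)" in lower:
        hits.append(("fix", "orphaned entry, target file is gone"))
    if sec == "O16":  # Downloaded Program Files: ActiveX controls pulled from the web
        for url, host in zip(urls, hosts):
            if not host_matches(host, TRUSTED_DPF_HOSTS):
                hits.append(("review", f"ActiveX control fetched from untrusted host {host}"))
            ext = urlparse(url).path.rsplit(".", 1)[-1].lower()
            if ext != "cab":
                hits.append(("review", f"ActiveX source is a .{ext}, not a .cab package"))
    if sec == "O4":  # autostart entries
        m = RUN_RE.search(body)
        image = command_image(m["cmd"]) if m else ""
        if image and "\\" not in image:
            hits.append(("review", "bare file name, resolved via the search path; locate it on disk"))
    if any(tool in lower for tool in MONITORING_TOOLS):
        hits.append(("review", "remote-admin or monitoring software; confirm it was installed deliberately"))
    if sec == "O20":  # AppInit_DLLs: loaded into every process that links user32.dll
        hits.append(("info", "AppInit_DLLs entry, loaded into every GUI process; confirm the vendor"))
    if sec == "O23" and "unknown owner" in lower:
        hits.append(("review", "service binary with no identifiable publisher"))
    return hits


def triage(log_text):
    """Return one Finding per flagged entry, carrying its worst severity."""
    findings = []
    for sec, body, line in parse(log_text):
        hits = assess(sec, body)
        if hits:
            worst = max(hits, key=lambda h: SEVERITY_RANK[h[0]])[0]
            findings.append(Finding(sec, worst, "; ".join(r for _, r in hits), line))
    return findings


def summary(findings):
    """Count findings per severity, e.g. {'fix': 3, 'review': 5, 'info': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: -SEVERITY_RANK[f.severity]):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

On the sample, "fix" marks exactly the entries a helper would tick in HijackThis (the mywebsearch context-menu item, the orphaned ICQ Lite button and the imgfarm.com ActiveX download), "review" covers things that need a human decision (a Run entry with no path, the VNC server and keylogger that the Kaspersky report classed as not-a-virus RemoteAdmin tools, a service with an unknown owner, an ActiveX control served from an unknown host with a .jpeg extension), and "info" records legitimate-but-sensitive hooks such as the AppInit_DLLs entry, which here sits alongside the other AVG components. Microsoft's own .cab update control produces no finding.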

#13 bobdor

bobdor
  • Topic Starter

  • Members
  • 30 posts
  • Gender:Male
  • Location:Alberta, Canada
  • Local time:03:53 PM

Posted 18 July 2008 - 12:37 AM

Hi Sam

OK, things seem to be better now. I tried to do the clean with OTMOVEIT2.EXE but it freezes. The only way I have to exit is Ctrl+Alt+Delete, Task Manager and End Program. It did make a list but I'm not sure if it finished deleting or not. It did not ask me to reboot.

Went through the other instructions and downloaded the programs recommended.

So I have a question. I had some of the anti-spyware and anti-adware programs before, and now have more. Do these programs run together, or will they interfere and conflict with each other?

I thank you very much for your advice and help to clean another comp before it got trashed. It runs well and you gave it extended life. Thanks again.

Bobdor

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:53 PM

Posted 18 July 2008 - 07:45 AM

Just to be sure that OTMoveit cleaned up the quarantine folders, delete these folders if you find they are still there.

C:\QooBox
C:\Deckard

Do you still have Combofix on your desktop or is it gone?


Program conflicts typically happen when you have too much stuff running at the same time. You always have your antivirus running, which is why you should never run more than one antivirus program. But the antispyware programs don't all need to run in the background. Select one of them to provide your real time protection and run automatically on startup. But make sure the others are not running in the background. Then you can just run them manually on a regular basis. That will give you excellent layers of protection and no conflicts. :thumbsup:

#15 bobdor

bobdor
  • Topic Starter

  • Members
  • 30 posts
  • Gender:Male
  • Location:Alberta, Canada
  • Local time:03:53 PM

Posted 19 July 2008 - 12:24 AM

Hi Sam

I still have combofix. Cannot find the 2 folders mentioned.
C:\QooBox
C:\Deckard

2 things happened when I ran Spybot:
1) I got this error message:
"There are problems in the include file 'c:\Program files\Spybot-Search_Destroy\Includes\TrojansC.sbi'. See 'Include errors.log' for details."

2) Also, it could not delete 2 files:
Fun Web Products
Myway.MyWebSearch

I think these are 2 programs I don't want?
Any suggestions?
Thanks



