Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Redirecting Browser Hijacked


  • This topic is locked This topic is locked
12 replies to this topic

#1 woody2

woody2

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:19 AM

Posted 15 July 2008 - 02:56 PM

Hi i wonder if anybody can help me i would be truly grateful,my browser keeps getting hijacked from google but
i also seem to be getting malware etc,i have scanned with malware bites,spysweeper and nod32 to no real avail as
they just seem to be coming back on reboot.I think tune up defrag has been the problem.thanks woody2Attached File  hijackthis.log   8.72KB   37 downloadsAttached File  hijackthis.log   8.72KB   37 downloads

BC AdBot (Login to Remove)

 


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:19 AM

Posted 15 July 2008 - 03:28 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not
    malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet especially if your asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 woody2

woody2
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:19 AM

Posted 15 July 2008 - 03:52 PM

Attached File  main.txt   22.09KB   34 downloadsAttached File  extra.txt   21.64KB   31 downloadsHi Sam,thanks for helping here are the two files

Deckard's System Scanner v20071014.68
Run by den and fee on 2008-07-15 21:44:36
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-07-15 20:44:37 UTC - RP3 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as den and fee.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:46:55, on 15/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Documents and Settings\den and fee\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\den and fee.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0seenus/saos01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
F3 - REG:win.ini: run=
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Cpqset] "C:\Program Files\HPQ\Default Settings\cpqset.exe"
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [BOC-426] C:\PROGRA~1\Comodo\CBOClean\BOC426.exe
O4 - HKLM\..\Run: [TrojanScanner] "C:\Program Files\Trojan Remover\Trjscan.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun
O4 - HKCU\..\Run: [AdMunch] "C:\Program Files\Ad Muncher\AdMunch.exe"
O4 - HKCU\..\Run: [EPSON Stylus DX8400 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEE.EXE" /FU "C:\WINDOWS\TEMP\E_S1A7.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.karoo.co.uk/
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O21 - SSODL: obuxsvwv - {010aa2a8-1af7-4f0c-81b4-744039bd0e5e} - C:\Documents and Settings\All Users\Application Data\obuxsvwv.dll
O23 - Service: a-squared Free Service (a2free) - Unknown owner - C:\Program Files\a-squared Free\a2service.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - Unknown owner - C:\WINDOWS\System32\TuneUpDefragService.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7698 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20080714-212813-408 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
backup-20080714-212813-511 O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - Unknown owner - C:\WINDOWS\System32\TuneUpDefragService.exe (file missing)
backup-20080714-212813-794 O23 - Service: a-squared Free Service (a2free) - Unknown owner - C:\Program Files\a-squared Free\a2service.exe (file missing)

-- File Associations -----------------------------------------------------------

.scr - scrfile - shell\open\command - "%1" %*
.txt - txtfile - shell\open\command - C:\WINDOWS\NOTEPAD.EXE %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Vax347b - c:\windows\system32\drivers\vax347b.sys
R0 Vax347s - c:\windows\system32\drivers\vax347s.sys
R3 Pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

S3 alcan5wn (SpeedTouch USB ADSL PPP Networking Driver (NDISWAN)) - c:\windows\system32\drivers\alcan5wn.sys <Not Verified; THOMSON; SpeedTouch USB>
S3 alcaudsl (SpeedTouch ADSL Modem ATM Transport) - c:\windows\system32\drivers\alcaudsl.sys <Not Verified; THOMSON; SpeedTouch USB>
S3 ATE_PROCMON - c:\program files\anti trojan elite\atepmon.sys (file missing)
S3 EraserUtilDrvI2 - c:\program files\common files\symantec shared\eengine\eraserutildrvi2.sys (file missing)
S3 mcdbus (Driver for MagicISO SCSI Host Controller) - c:\windows\system32\drivers\mcdbus.sys (file missing)
S3 RegGuard - c:\windows\system32\drivers\regguard.sys <Not Verified; Greatis Software; RegRun Security Suite>
S3 SymIM (Symantec Network Security Intermediate Filter Service) - c:\windows\system32\drivers\symim.sys (file missing)
S3 SymIMMP - c:\windows\system32\drivers\symim.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

S2 a2free (a-squared Free Service) - "c:\program files\a-squared free\a2service.exe" (file missing)
S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe
S3 TuneUp.Defrag (TuneUp Drive Defrag Service) - c:\windows\system32\tuneupdefragservice.exe (file missing)
S4 Automatic LiveUpdate Scheduler - "c:\program files\symantec\liveupdate\aluschedulersvc.exe" (file missing)
S4 LiveUpdate - "c:\program files\symantec\liveupdate\lucomserver_3_4.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-07-15 21:00:00 498 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job
2008-07-15 19:11:30 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-07-15 18:00:00 1660 --a------ C:\WINDOWS\Tasks\wrSpySweeper_L997ABBD50B59438F83EF6A0870D3C509.job
2008-06-21 11:05:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-06-15 and 2008-07-15 -----------------------------

2008-07-15 21:42:56 0 dr-h----- C:\Documents and Settings\den and fee\Recent
2008-07-14 19:45:42 162304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-07-14 19:45:42 77312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-07-14 19:45:42 69632 --a------ C:\WINDOWS\system32\ztvcabinet.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2008-07-14 19:45:42 153088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-07-14 19:45:17 0 d-------- C:\Program Files\Trojan Remover
2008-07-14 19:45:17 0 d-------- C:\Documents and Settings\den and fee\Application Data\Simply Super Software
2008-07-14 19:45:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-07-13 22:14:52 0 d-------- C:\Documents and Settings\All Users\Application Data\BOC426
2008-07-13 13:31:13 0 d-------- C:\Program Files\Comodo
2008-07-12 17:59:30 217127 --a------ C:\WINDOWS\system32\drv43260.dll <Not Verified; RealNetworks, Inc.; RealVideo 9 (32-bit)>
2008-07-12 17:59:30 208935 --a------ C:\WINDOWS\system32\drv33260.dll <Not Verified; RealNetworks, Inc.; RealVideo 8 (32-bit)>
2008-07-12 17:59:30 176165 --a------ C:\WINDOWS\system32\drv23260.dll <Not Verified; RealNetworks, Inc.; RealVideo G2 (32-bit)>
2008-07-11 18:27:35 0 d-------- C:\Documents and Settings\den and fee\Application Data\Malwarebytes
2008-07-11 18:27:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-11 18:27:28 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-11 17:40:44 68096 --a------ C:\WINDOWS\zip.exe
2008-07-11 17:40:44 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-11 17:40:44 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-11 17:40:44 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-11 17:40:44 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-11 17:40:44 98816 --a------ C:\WINDOWS\sed.exe
2008-07-11 17:40:44 80412 --a------ C:\WINDOWS\grep.exe
2008-07-11 17:40:44 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-10 18:01:47 0 d--h----- C:\$AVG8.VAULT$
2008-07-02 18:27:21 0 d-------- C:\Program Files\Microsoft Silverlight
2008-06-26 15:09:57 0 d-------- C:\Documents and Settings\den and fee\Application Data\Free Download Manager
2008-06-26 15:09:57 0 d-------- C:\Documents and Settings\All Users\Application Data\FreeDownloadManager.ORG
2008-06-25 19:57:48 0 d-------- C:\WINDOWS\Prefetch
2008-06-25 19:46:04 0 d-------- C:\WINDOWS\system32\scripting
2008-06-25 19:46:03 0 d-------- C:\WINDOWS\l2schemas
2008-06-25 19:40:46 0 d-------- C:\WINDOWS\ServicePackFiles
2008-06-24 20:53:15 0 d-------- C:\Documents and Settings\den and fee\Application Data\Free Download Manager(2)
2008-06-24 15:09:39 0 d--hs---- C:\found.000
2008-06-23 20:16:41 6553600 --a------ C:\Documents and Settings\den and fee\ntuser.dat
2008-06-23 18:45:30 122880 --a------ C:\Documents and Settings\All Users\Application Data\obuxsvwv.dll


-- Find3M Report ---------------------------------------------------------------

2008-07-14 14:29:12 0 d-------- C:\Documents and Settings\den and fee\Application Data\uTorrent
2008-07-13 20:58:49 0 d-------- C:\Documents and Settings\den and fee\Application Data\Vso
2008-07-12 17:59:44 34 --a------ C:\Documents and Settings\den and fee\Application Data\pcouffin.log
2008-07-12 17:59:36 7887 --a------ C:\Documents and Settings\den and fee\Application Data\pcouffin.cat
2008-07-12 17:59:35 47360 --a------ C:\Documents and Settings\den and fee\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-07-12 17:59:35 1144 --a------ C:\Documents and Settings\den and fee\Application Data\pcouffin.inf
2008-07-12 17:59:31 0 d-------- C:\Program Files\VSO
2008-07-12 17:56:22 668 --a------ C:\Documents and Settings\den and fee\Application Data\vso_ts_preview.xml
2008-07-09 18:30:55 0 d-------- C:\Program Files\Java
2008-07-02 18:21:41 0 d-------- C:\Documents and Settings\den and fee\Application Data\Adobe
2008-06-27 11:40:40 0 d-------- C:\Program Files\Free Download Manager
2008-06-26 15:21:27 0 d-------- C:\Program Files\Common Files
2008-06-26 15:06:20 0 d-------- C:\Program Files\Windows NT
2008-06-26 15:06:07 0 d-------- C:\Program Files\Movie Maker
2008-06-25 19:35:13 250048 -rahs---- C:\ntldr
2008-05-26 22:53:53 0 d-------- C:\Program Files\PeerGuardian2
2008-05-23 18:58:07 646 --a------ C:\Documents and Settings\den and fee\Application Data\wklnhst.dat
2008-05-20 15:10:41 0 d-------- C:\Program Files\Ad Muncher
2008-05-17 14:40:02 0 d-------- C:\Documents and Settings\den and fee\Application Data\AdobeUM
2008-05-03 19:37:22 164 --a------ C:\install.dat
2008-04-16 17:23:24 835584 --a------ C:\WINDOWS\system32\CheckDll.dll <Not Verified; Max Secure Software; Spyware Detector>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [10/11/2005 21:05]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [01/08/2005 14:26]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [11/10/2005 10:23]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [13/12/2005 16:45]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [24/08/2007 07:00]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [20/02/2008 12:06]
"BOC-426"="C:\PROGRA~1\Comodo\CBOClean\BOC426.exe" [10/04/2008 11:08]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [03/06/2008 20:33]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [04/01/2008 20:56]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 09:00]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" [21/06/2008 06:42]
"AdMunch"="C:\Program Files\Ad Muncher\AdMunch.exe" [20/05/2008 15:10]
"EPSON Stylus DX8400 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEE.exe" [12/04/2007 07:00]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [30/03/2006 17:45]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=0 (0x0)
"NoRecentDocsMenu"=0 (0x0)
"NoInstrumentation"=0 (0x0)
"NoViewOnDrive"=0 (0x0)
"NoLogoff"=0 (0x0)
"ClearRecentDocsOnExit"=0100000000000000
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [05/02/2007 16:39 294400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"obuxsvwv"= {010aa2a8-1af7-4f0c-81b4-744039bd0e5e} - C:\Documents and Settings\All Users\Application Data\obuxsvwv.dll [23/06/2008 18:45 122880]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad Muncher]
"C:\Program Files\Ad Muncher\AdMunch.exe" /bt

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
"C:\Program Files\Free Download Manager\fdm.exe" -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Uploader Oe Integration]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
C:\Windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDAutoLiveupdate]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
"C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPStart]
"C:\Program Files\Synaptics\SynTP\SynTPStart.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe"
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" /Start
"Ad Muncher"="C:\Program Files\Ad Muncher\AdMunch.exe" /bt

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp




-- End of Deckard's System Scanner: finished at 2008-07-15 21:47:33 ------------

Edited by Buckeye_Sam, 15 July 2008 - 03:55 PM.


#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:19 AM

Posted 15 July 2008 - 03:59 PM

Just to make easier for me to review, if you could copy and paste your logs instead of attaching them it would save me some time. :thumbsup:


Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\obuxsvwv
    C:\Documents and Settings\All Users\Application Data\obuxsvwv.dll
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Please post a new DSS log also ( just the main.txt this time ).
How is your computer behaving now?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 woody2

woody2
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:19 AM

Posted 15 July 2008 - 04:10 PM

Here is the move it file Sam
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\obuxsvwv >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\obuxsvwv deleted successfully.
C:\Documents and Settings\All Users\Application Data\obuxsvwv.dll unregistered successfully.
C:\Documents and Settings\All Users\Application Data\obuxsvwv.dll moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07152008_220225

and the new dss file
Deckard's System Scanner v20071014.68
Run by den and fee on 2008-07-15 22:06:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as den and fee.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:06:40, on 15/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\den and fee\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\DENAND~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0seenus/saos01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
F3 - REG:win.ini: run=
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Cpqset] "C:\Program Files\HPQ\Default Settings\cpqset.exe"
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [BOC-426] C:\PROGRA~1\Comodo\CBOClean\BOC426.exe
O4 - HKLM\..\Run: [TrojanScanner] "C:\Program Files\Trojan Remover\Trjscan.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun
O4 - HKCU\..\Run: [AdMunch] "C:\Program Files\Ad Muncher\AdMunch.exe"
O4 - HKCU\..\Run: [EPSON Stylus DX8400 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEE.EXE" /FU "C:\WINDOWS\TEMP\E_S1A7.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.karoo.co.uk/
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: a-squared Free Service (a2free) - Unknown owner - C:\Program Files\a-squared Free\a2service.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - Unknown owner - C:\WINDOWS\System32\TuneUpDefragService.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7612 bytes

-- Files created between 2008-06-15 and 2008-07-15 -----------------------------

2008-07-15 21:42:56 0 dr-h----- C:\Documents and Settings\den and fee\Recent
2008-07-14 19:45:42 162304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-07-14 19:45:42 77312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-07-14 19:45:42 69632 --a------ C:\WINDOWS\system32\ztvcabinet.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2008-07-14 19:45:42 153088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-07-14 19:45:17 0 d-------- C:\Program Files\Trojan Remover
2008-07-14 19:45:17 0 d-------- C:\Documents and Settings\den and fee\Application Data\Simply Super Software
2008-07-14 19:45:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-07-13 22:14:52 0 d-------- C:\Documents and Settings\All Users\Application Data\BOC426
2008-07-13 13:31:13 0 d-------- C:\Program Files\Comodo
2008-07-12 17:59:30 217127 --a------ C:\WINDOWS\system32\drv43260.dll <Not Verified; RealNetworks, Inc.; RealVideo 9 (32-bit)>
2008-07-12 17:59:30 208935 --a------ C:\WINDOWS\system32\drv33260.dll <Not Verified; RealNetworks, Inc.; RealVideo 8 (32-bit)>
2008-07-12 17:59:30 176165 --a------ C:\WINDOWS\system32\drv23260.dll <Not Verified; RealNetworks, Inc.; RealVideo G2 (32-bit)>
2008-07-11 18:27:35 0 d-------- C:\Documents and Settings\den and fee\Application Data\Malwarebytes
2008-07-11 18:27:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-11 18:27:28 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-11 17:40:44 68096 --a------ C:\WINDOWS\zip.exe
2008-07-11 17:40:44 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-11 17:40:44 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-11 17:40:44 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-11 17:40:44 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-11 17:40:44 98816 --a------ C:\WINDOWS\sed.exe
2008-07-11 17:40:44 80412 --a------ C:\WINDOWS\grep.exe
2008-07-11 17:40:44 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-10 18:01:47 0 d--h----- C:\$AVG8.VAULT$
2008-07-02 18:27:21 0 d-------- C:\Program Files\Microsoft Silverlight
2008-06-26 15:09:57 0 d-------- C:\Documents and Settings\den and fee\Application Data\Free Download Manager
2008-06-26 15:09:57 0 d-------- C:\Documents and Settings\All Users\Application Data\FreeDownloadManager.ORG
2008-06-25 19:57:48 0 d-------- C:\WINDOWS\Prefetch
2008-06-25 19:46:04 0 d-------- C:\WINDOWS\system32\scripting
2008-06-25 19:46:03 0 d-------- C:\WINDOWS\l2schemas
2008-06-25 19:40:46 0 d-------- C:\WINDOWS\ServicePackFiles
2008-06-24 20:53:15 0 d-------- C:\Documents and Settings\den and fee\Application Data\Free Download Manager(2)
2008-06-24 15:09:39 0 d--hs---- C:\found.000
2008-06-23 20:16:41 6553600 --a------ C:\Documents and Settings\den and fee\ntuser.dat


-- Find3M Report ---------------------------------------------------------------

2008-07-14 14:29:12 0 d-------- C:\Documents and Settings\den and fee\Application Data\uTorrent
2008-07-13 20:58:49 0 d-------- C:\Documents and Settings\den and fee\Application Data\Vso
2008-07-12 17:59:44 34 --a------ C:\Documents and Settings\den and fee\Application Data\pcouffin.log
2008-07-12 17:59:36 7887 --a------ C:\Documents and Settings\den and fee\Application Data\pcouffin.cat
2008-07-12 17:59:35 47360 --a------ C:\Documents and Settings\den and fee\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-07-12 17:59:35 1144 --a------ C:\Documents and Settings\den and fee\Application Data\pcouffin.inf
2008-07-12 17:59:31 0 d-------- C:\Program Files\VSO
2008-07-12 17:56:22 668 --a------ C:\Documents and Settings\den and fee\Application Data\vso_ts_preview.xml
2008-07-09 18:30:55 0 d-------- C:\Program Files\Java
2008-07-02 18:21:41 0 d-------- C:\Documents and Settings\den and fee\Application Data\Adobe
2008-06-27 11:40:40 0 d-------- C:\Program Files\Free Download Manager
2008-06-26 15:21:27 0 d-------- C:\Program Files\Common Files
2008-06-26 15:06:20 0 d-------- C:\Program Files\Windows NT
2008-06-26 15:06:07 0 d-------- C:\Program Files\Movie Maker
2008-06-25 19:35:13 250048 -rahs---- C:\ntldr
2008-05-26 22:53:53 0 d-------- C:\Program Files\PeerGuardian2
2008-05-23 18:58:07 646 --a------ C:\Documents and Settings\den and fee\Application Data\wklnhst.dat
2008-05-20 15:10:41 0 d-------- C:\Program Files\Ad Muncher
2008-05-17 14:40:02 0 d-------- C:\Documents and Settings\den and fee\Application Data\AdobeUM
2008-05-03 19:37:22 164 --a------ C:\install.dat
2008-04-16 17:23:24 835584 --a------ C:\WINDOWS\system32\CheckDll.dll <Not Verified; Max Secure Software; Spyware Detector>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [10/11/2005 21:05]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [01/08/2005 14:26]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [11/10/2005 10:23]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [13/12/2005 16:45]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [24/08/2007 07:00]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [20/02/2008 12:06]
"BOC-426"="C:\PROGRA~1\Comodo\CBOClean\BOC426.exe" [10/04/2008 11:08]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [03/06/2008 20:33]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [04/01/2008 20:56]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 09:00]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" [21/06/2008 06:42]
"AdMunch"="C:\Program Files\Ad Muncher\AdMunch.exe" [20/05/2008 15:10]
"EPSON Stylus DX8400 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEE.exe" [12/04/2007 07:00]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [30/03/2006 17:45]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=0 (0x0)
"NoRecentDocsMenu"=0 (0x0)
"NoInstrumentation"=0 (0x0)
"NoViewOnDrive"=0 (0x0)
"NoLogoff"=0 (0x0)
"ClearRecentDocsOnExit"=0100000000000000
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [05/02/2007 16:39 294400]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad Muncher]
"C:\Program Files\Ad Muncher\AdMunch.exe" /bt

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
"C:\Program Files\Free Download Manager\fdm.exe" -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Uploader Oe Integration]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
C:\Windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDAutoLiveupdate]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
"C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPStart]
"C:\Program Files\Synaptics\SynTP\SynTPStart.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe"
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" /Start
"Ad Muncher"="C:\Program Files\Ad Muncher\AdMunch.exe" /bt

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp




-- End of Deckard's System Scanner: finished at 2008-07-15 22:06:57 ------------

#6 woody2

woody2
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:19 AM

Posted 15 July 2008 - 04:18 PM

Hi Sam to answer your question it seems to be better,just been on google and haven't ben redirected
can i keep the thread open for a day or so may be after a reboot to see if things are still ok?
I really appreciate your help Sam,i was at my witts end,thanks woody2

#7 woody2

woody2
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:19 AM

Posted 15 July 2008 - 04:23 PM

just when i was happy again,have just been hijacked so something is still there but system still feels a bit quicker
on the plus side.

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:19 AM

Posted 15 July 2008 - 05:44 PM

Ok, let's see a fresh log from DSS and we'll figure out what's up.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 woody2

woody2
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:19 AM

Posted 16 July 2008 - 05:27 AM

Hi Sam heres the fresh dss log as requested;

Deckard's System Scanner v20071014.68
Run by den and fee on 2008-07-16 11:23:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as den and fee.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:24:00, on 16/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Documents and Settings\den and fee\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\DENAND~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0seenus/saos01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
F3 - REG:win.ini: run=
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Cpqset] "C:\Program Files\HPQ\Default Settings\cpqset.exe"
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [BOC-426] C:\PROGRA~1\Comodo\CBOClean\BOC426.exe
O4 - HKLM\..\Run: [TrojanScanner] "C:\Program Files\Trojan Remover\Trjscan.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun
O4 - HKCU\..\Run: [AdMunch] "C:\Program Files\Ad Muncher\AdMunch.exe"
O4 - HKCU\..\Run: [EPSON Stylus DX8400 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEE.EXE" /FU "C:\WINDOWS\TEMP\E_S1A7.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.karoo.co.uk/
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: a-squared Free Service (a2free) - Unknown owner - C:\Program Files\a-squared Free\a2service.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - Unknown owner - C:\WINDOWS\System32\TuneUpDefragService.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7563 bytes

-- Files created between 2008-06-16 and 2008-07-16 -----------------------------

2008-07-15 23:28:51 0 dr-h----- C:\Documents and Settings\den and fee\Recent
2008-07-14 19:45:42 162304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-07-14 19:45:42 77312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-07-14 19:45:42 69632 --a------ C:\WINDOWS\system32\ztvcabinet.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2008-07-14 19:45:42 153088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-07-14 19:45:17 0 d-------- C:\Program Files\Trojan Remover
2008-07-14 19:45:17 0 d-------- C:\Documents and Settings\den and fee\Application Data\Simply Super Software
2008-07-14 19:45:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-07-13 22:14:52 0 d-------- C:\Documents and Settings\All Users\Application Data\BOC426
2008-07-13 13:31:13 0 d-------- C:\Program Files\Comodo
2008-07-12 17:59:30 217127 --a------ C:\WINDOWS\system32\drv43260.dll <Not Verified; RealNetworks, Inc.; RealVideo 9 (32-bit)>
2008-07-12 17:59:30 208935 --a------ C:\WINDOWS\system32\drv33260.dll <Not Verified; RealNetworks, Inc.; RealVideo 8 (32-bit)>
2008-07-12 17:59:30 176165 --a------ C:\WINDOWS\system32\drv23260.dll <Not Verified; RealNetworks, Inc.; RealVideo G2 (32-bit)>
2008-07-11 18:27:35 0 d-------- C:\Documents and Settings\den and fee\Application Data\Malwarebytes
2008-07-11 18:27:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-11 18:27:28 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-11 17:40:44 68096 --a------ C:\WINDOWS\zip.exe
2008-07-11 17:40:44 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-11 17:40:44 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-11 17:40:44 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-11 17:40:44 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-11 17:40:44 98816 --a------ C:\WINDOWS\sed.exe
2008-07-11 17:40:44 80412 --a------ C:\WINDOWS\grep.exe
2008-07-11 17:40:44 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-10 18:01:47 0 d--h----- C:\$AVG8.VAULT$
2008-07-02 18:27:21 0 d-------- C:\Program Files\Microsoft Silverlight
2008-06-26 15:09:57 0 d-------- C:\Documents and Settings\den and fee\Application Data\Free Download Manager
2008-06-26 15:09:57 0 d-------- C:\Documents and Settings\All Users\Application Data\FreeDownloadManager.ORG
2008-06-25 19:57:48 0 d-------- C:\WINDOWS\Prefetch
2008-06-25 19:46:04 0 d-------- C:\WINDOWS\system32\scripting
2008-06-25 19:46:03 0 d-------- C:\WINDOWS\l2schemas
2008-06-25 19:40:46 0 d-------- C:\WINDOWS\ServicePackFiles
2008-06-24 20:53:15 0 d-------- C:\Documents and Settings\den and fee\Application Data\Free Download Manager(2)
2008-06-24 15:09:39 0 d--hs---- C:\found.000
2008-06-23 20:16:41 6815744 --a------ C:\Documents and Settings\den and fee\ntuser.dat


-- Find3M Report ---------------------------------------------------------------

2008-07-14 14:29:12 0 d-------- C:\Documents and Settings\den and fee\Application Data\uTorrent
2008-07-13 20:58:49 0 d-------- C:\Documents and Settings\den and fee\Application Data\Vso
2008-07-12 17:59:44 34 --a------ C:\Documents and Settings\den and fee\Application Data\pcouffin.log
2008-07-12 17:59:36 7887 --a------ C:\Documents and Settings\den and fee\Application Data\pcouffin.cat
2008-07-12 17:59:35 47360 --a------ C:\Documents and Settings\den and fee\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-07-12 17:59:35 1144 --a------ C:\Documents and Settings\den and fee\Application Data\pcouffin.inf
2008-07-12 17:59:31 0 d-------- C:\Program Files\VSO
2008-07-12 17:56:22 668 --a------ C:\Documents and Settings\den and fee\Application Data\vso_ts_preview.xml
2008-07-09 18:30:55 0 d-------- C:\Program Files\Java
2008-07-02 18:21:41 0 d-------- C:\Documents and Settings\den and fee\Application Data\Adobe
2008-06-27 11:40:40 0 d-------- C:\Program Files\Free Download Manager
2008-06-26 15:21:27 0 d-------- C:\Program Files\Common Files
2008-06-26 15:06:20 0 d-------- C:\Program Files\Windows NT
2008-06-26 15:06:07 0 d-------- C:\Program Files\Movie Maker
2008-06-25 19:35:13 250048 -rahs---- C:\ntldr
2008-05-26 22:53:53 0 d-------- C:\Program Files\PeerGuardian2
2008-05-23 18:58:07 646 --a------ C:\Documents and Settings\den and fee\Application Data\wklnhst.dat
2008-05-20 15:10:41 0 d-------- C:\Program Files\Ad Muncher
2008-05-17 14:40:02 0 d-------- C:\Documents and Settings\den and fee\Application Data\AdobeUM
2008-05-03 19:37:22 164 --a------ C:\install.dat
2008-04-16 17:23:24 835584 --a------ C:\WINDOWS\system32\CheckDll.dll <Not Verified; Max Secure Software; Spyware Detector>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [10/11/2005 21:05]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [01/08/2005 14:26]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [11/10/2005 10:23]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [13/12/2005 16:45]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [24/08/2007 07:00]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [20/02/2008 12:06]
"BOC-426"="C:\PROGRA~1\Comodo\CBOClean\BOC426.exe" [10/04/2008 11:08]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [03/06/2008 20:33]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [04/01/2008 20:56]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 09:00]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" [21/06/2008 06:42]
"AdMunch"="C:\Program Files\Ad Muncher\AdMunch.exe" [20/05/2008 15:10]
"EPSON Stylus DX8400 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEE.exe" [12/04/2007 07:00]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [30/03/2006 17:45]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=0 (0x0)
"NoRecentDocsMenu"=0 (0x0)
"NoInstrumentation"=0 (0x0)
"NoViewOnDrive"=0 (0x0)
"NoLogoff"=0 (0x0)
"ClearRecentDocsOnExit"=0100000000000000
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [05/02/2007 16:39 294400]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad Muncher]
"C:\Program Files\Ad Muncher\AdMunch.exe" /bt

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
"C:\Program Files\Free Download Manager\fdm.exe" -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Uploader Oe Integration]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
C:\Windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDAutoLiveupdate]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
"C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPStart]
"C:\Program Files\Synaptics\SynTP\SynTPStart.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe"
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" /Start
"Ad Muncher"="C:\Program Files\Ad Muncher\AdMunch.exe" /bt

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp




-- End of Deckard's System Scanner: finished at 2008-07-16 11:24:22 ------------

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:19 AM

Posted 16 July 2008 - 08:54 AM

Hmmm....I don't see anything there.

Can you tell me what's happening?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 woody2

woody2
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:19 AM

Posted 16 July 2008 - 09:22 AM

Hi Sam actually after browsing today it seems that the problem has gone away,i am very grateful for your help
on this matter,you are a star!

Thamks again woody2

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:19 AM

Posted 16 July 2008 - 10:44 AM

Good to hear! :thumbsup:

Now it's time to clean up.
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it.
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Renable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:) :)
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:19 AM

Posted 27 July 2008 - 07:33 AM

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users