Adware.vundo Variant/resident And Trojan.vundo-variant/small-gen


11 replies to this topic

#1 usermike

Posted 17 July 2008 - 01:28 PM

Hi, the other day I used the PC and the IE browser got infected. Now it doesn't work: there are adverts all the time and I can't search for anything without being redirected to other websites. I've tried using SUPERAntiSpyware but it won't scan completely as it restarts the PC; I tried AVG, Norton and a few others and nothing. Here are the logs as follows.

Deckard's System Scanner v20071014.68
Run by steve on 2008-07-17 19:05:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as steve.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:05: VIRUS ALERT!, on 17/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PRISMSVC.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Documents and Settings\steve\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\steve.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.DLL
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {937EA318-D71E-42CB-8271-B1D6F1BBA1BE} - C:\WINDOWS\system32\ddcCVOHb.dll
O2 - BHO: {e0e1055d-55b6-5db9-c404-61f7f90fe4cc} - {cc4ef09f-7f16-404c-9bd5-6b55d5501e0e} - C:\WINDOWS\system32\osrjad.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\2.bin\SPYBLOCK.DLL
O2 - BHO: (no name) - {F8AC36D7-F602-4B69-99B5-2A812E05779F} - C:\WINDOWS\system32\mlJYopno.dll (file missing)
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\2.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=21871
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O20 - Winlogon Notify: !SABWinLogon - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: mlJYopno - mlJYopno.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: DataSvr - Unknown owner - C:\Program Files\Wave Systems Corp\Common\DataServer.exe (file missing)
O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6294 bytes

-- Files created between 2008-06-17 and 2008-07-17 -----------------------------

2008-07-17 13:55:47 0 d-------- C:\Documents and Settings\steve\Application Data\MailFrontier
2008-07-17 13:53:37 609312 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-17 13:49:57 0 d-------- C:\Program Files\ZoneAlarmSB
2008-07-17 13:48:13 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-07-17 11:00:15 116352 --a------ C:\WINDOWS\system32\osrjad.dll
2008-07-17 11:00:15 116352 --a------ C:\WINDOWS\system32\hhcpnqev.dll
2008-07-17 10:57:54 92672 --a------ C:\WINDOWS\system32\deuuyngg.dll
2008-07-16 20:07:13 0 d-------- C:\Program Files\Trend Micro
2008-07-16 19:58:57 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-16 19:58:47 0 d-------- C:\Program Files\SpywareBlaster
2008-07-16 19:03:58 0 d-------- C:\Documents and Settings\steve\Application Data\Symantec
2008-07-16 18:18:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-16 18:16:41 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-16 15:50:39 0 d-------- C:\KAV
2008-07-16 14:54:58 92672 --a------ C:\WINDOWS\system32\eevgroqd.dll
2008-07-16 14:52:26 116352 --a------ C:\WINDOWS\system32\paxmig.dll
2008-07-16 14:52:25 116352 --a------ C:\WINDOWS\system32\gkqxthko.dll
2008-07-16 14:08:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-07-16 13:56:30 0 d-------- C:\Program Files\Yahoo!
2008-07-16 13:52:41 0 d-------- C:\WINDOWS\system32\Dell
2008-07-15 19:51:02 0 d-------- C:\Documents and Settings\steve\Application Data\SuperAdBlocker.com
2008-07-15 19:50:42 0 d-------- C:\Program Files\SuperAdBlocker.com
2008-07-15 18:46:06 0 d--h----- C:\$AVG8.VAULT$
2008-07-15 18:40:36 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-15 16:53:55 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-07-15 16:53:50 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-07-15 16:53:43 11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2008-07-15 16:52:43 0 d-------- C:\WINDOWS\Internet Logs
2008-07-15 16:22:07 0 d-------- C:\Documents and Settings\steve\Application Data\uTorrent
2008-07-15 15:24:10 0 d-------- C:\WINDOWS\system32\NtmsData
2008-07-15 14:56:08 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-15 14:55:58 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-15 14:55:58 0 d-------- C:\Documents and Settings\steve\Application Data\SUPERAntiSpyware.com
2008-07-15 14:51:53 116864 --a------ C:\WINDOWS\system32\wplwsf.dll
2008-07-15 14:51:53 116864 --a------ C:\WINDOWS\system32\nqosmeld.dll
2008-07-15 14:51:52 93184 --a------ C:\WINDOWS\system32\dnpcrwmy.dll
2008-07-14 17:03:27 0 d-------- C:\Program Files\Lavasoft
2008-07-14 17:03:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-14 16:44:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-14 16:07:54 0 d-------- C:\Program Files\Common Files\Scanner
2008-07-14 16:06:58 0 dr-h----- C:\Documents and Settings\All Users\Application Data\yahoo!
2008-07-14 16:06:38 0 d-------- C:\Documents and Settings\steve\Application Data\Yahoo!
2008-07-14 15:38:01 0 d-------- C:\Program Files\Opera
2008-07-14 15:15:19 0 d-------- C:\WINDOWS\pss
2008-07-14 14:54:41 0 d--hs---- C:\WINDOWS\CSC
2008-07-14 14:18:45 92672 --a------ C:\WINDOWS\system32\nqsuingr.dll
2008-07-14 14:16:25 116352 --a------ C:\WINDOWS\system32\mrxgeydl.dll
2008-07-14 14:16:25 116352 --a------ C:\WINDOWS\system32\fyhzjk.dll
2008-07-13 11:31:13 116864 --a------ C:\WINDOWS\system32\zygekv.dll
2008-07-13 11:31:12 116864 --a------ C:\WINDOWS\system32\qauhfjld.dll
2008-07-13 11:29:12 0 d-------- C:\Documents and Settings\steve\Application Data\shc5naj0ep7t
2008-07-12 08:46:40 116864 --a------ C:\WINDOWS\system32\xbouvl.dll
2008-07-12 08:46:39 116864 --a------ C:\WINDOWS\system32\hhpiptda.dll
2008-07-12 08:45:55 258492 --ahs---- C:\WINDOWS\system32\bHOVCcdd.ini2
2008-07-12 08:45:48 322816 -----n--- C:\WINDOWS\system32\ddcCVOHb.dll
2008-07-12 08:40:45 33152 --a------ C:\WINDOWS\system32\opnliGWo.dll
2008-07-12 08:40:28 94208 --a------ C:\WINDOWS\system32\pphc3naj0ep7t.exe
2008-07-12 08:40:28 0 d-------- C:\Documents and Settings\steve\Application Data\rhc7naj0ep7t
2008-07-12 08:40:25 0 d-------- C:\Documents and Settings\steve\Application Data\TmpRecentIcons
2008-07-12 08:40:06 172032 --a------ C:\WINDOWS\gpefaowr.exe
2008-07-12 08:40:06 356352 --a------ C:\WINDOWS\fsrpknov.dll
2008-07-12 08:40:06 401408 --a------ C:\WINDOWS\fdxbameg.dll
2008-07-12 08:40:06 163840 --a------ C:\WINDOWS\eswa.exe
2008-07-12 08:40:00 60928 --a------ C:\WINDOWS\system32\blphc3naj0ep7t.scr <Not Verified; Sysinternals; Sysinternals Blue Screen>
2008-07-12 08:39:57 110080 --a------ C:\WINDOWS\system32\lphc3naj0ep7t.exe
2008-06-29 08:40:22 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-29 08:40:16 0 d-------- C:\WINDOWS\SxsCaPendDel
2008-06-27 11:28:57 0 d-------- C:\Documents and Settings\steve\Application Data\Adobe
2008-06-27 09:11:23 0 d-------- C:\Documents and Settings\steve\Application Data\DivX
2008-06-26 21:01:42 0 d-------- C:\Documents and Settings\steve\Application Data\vlc
2008-06-26 21:01:19 0 d-------- C:\Program Files\VideoLAN
2008-06-26 20:58:51 0 d-------- C:\Program Files\DivX
2008-06-26 20:51:29 0 d-------- C:\Documents and Settings\steve\Application Data\WinRAR
2008-06-26 20:50:20 1233886 --a------ C:\Program Files\wrar38b2.exe
2008-06-26 20:40:26 0 d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-06-24 20:07:51 0 d-------- C:\Program Files\uTorrent
2008-06-24 18:51:35 0 d-------- C:\WINDOWS\Sun
2008-06-24 18:51:35 0 d-------- C:\Documents and Settings\steve\Application Data\Sun
2008-06-24 18:50:59 0 d-------- C:\Program Files\Java
2008-06-24 18:50:24 0 d-------- C:\Program Files\Common Files\Java
2008-06-24 18:46:26 0 d-------- C:\Program Files\RALINK
2008-06-24 18:46:12 0 d-------- C:\Documents and Settings\steve\Application Data\InstallShield
2008-06-22 14:51:46 94208 --a------ C:\WINDOWS\system32\GTW32N50.dll
2008-06-22 14:51:46 15872 --a------ C:\WINDOWS\system32\GTNDIS5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>


-- Find3M Report ---------------------------------------------------------------

2008-07-17 12:51:21 0 d-------- C:\Program Files\Common Files
2008-07-16 17:40:36 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-16 13:52:41 0 d-------- C:\Program Files\Dell
2008-07-15 20:09:01 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-14 16:05:05 0 d-------- C:\Program Files\Google
2008-06-25 21:58:47 31319 --a------ C:\Program Files\Petite.Infirmiere.Perverse.FRENCH.XXX.DVDRip.XviD-TESORO.torrent
2008-06-25 21:40:22 34733 --a------ C:\Program Files\Puppet.Master.XXX.DVDRiP.XviD-DivXfacTory.torrent
2008-05-31 00:22:48 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-05-31 00:22:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX>
2008-05-31 00:22:48 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX>
2008-05-31 00:22:46 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX>
2008-05-31 00:22:46 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX>
2008-05-22 23:22:18 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-22 23:19:46 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-22 23:19:46 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-22 23:18:54 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{937EA318-D71E-42CB-8271-B1D6F1BBA1BE}]
12/07/2008 08:45: VIRUS ALERT! 322816 --------- C:\WINDOWS\system32\ddcCVOHb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cc4ef09f-7f16-404c-9bd5-6b55d5501e0e}]
17/07/2008 11:00: VIRUS ALERT! 116352 --a------ C:\WINDOWS\system32\osrjad.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
17/07/2008 13:49: VIRUS ALERT! 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\2.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F8AC36D7-F602-4B69-99B5-2A812E05779F}]
C:\WINDOWS\system32\mlJYopno.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\2.bin\SPYBLOCK.DLL [17/07/2008 13:49: VIRUS ALERT! 262144]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [09/07/2008 09:05: VIRUS ALERT!]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 01:56: VIRUS ALERT!]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [30/08/2007 17:43: VIRUS ALERT!]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [21/02/2008 21:13:51]
MA111 Configuration Utility.lnk - C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe [09/03/2008 21:37:31]
Wireless USB 2.0 WLAN Card Utility.lnk - C:\Program Files\Dell Wireless\PRISMCFG.exe [21/02/2008 21:12:59]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F8AC36D7-F602-4B69-99B5-2A812E05779F}"= C:\WINDOWS\system32\mlJYopno.dll [ ]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000D7}"= C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSEHB.DLL [07/11/2006 12:58: VIRUS ALERT! 77824]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [13/05/2008 10:13: VIRUS ALERT! 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SABWinLogon]
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL 01/08/2007 09:28: VIRUS ALERT! 176128 C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 13:41: VIRUS ALERT! 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJYopno]
mlJYopno.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMAPI.DLL]
PRISMAPI.DLL 12/10/2006 10:42: VIRUS ALERT! 450649 C:\WINDOWS\system32\PRISMAPI.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau C:\WINDOWS\system32\ddcCVOHb

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f86cd5cf]
rundll32.exe "C:\WINDOWS\system32\nqsuingr.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphc3naj0ep7t]
C:\WINDOWS\system32\lphc3naj0ep7t.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMX Daemon]
ICO.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\WINDOWS\system32\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhc7naj0ep7t]
C:\Program Files\rhc7naj0ep7t\rhc7naj0ep7t.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMshc5naj0ep7t]
C:\Program Files\shc5naj0ep7t\shc5naj0ep7t.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SuperAdBlocker]
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UIUCU]
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet




-- End of Deckard's System Scanner: finished at 2008-07-17 19:06:22 ------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:12: VIRUS ALERT!, on 17/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PRISMSVC.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\2.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=21871
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: DataSvr - Unknown owner - C:\Program Files\Wave Systems Corp\Common\DataServer.exe (file missing)
O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5206 bytes


thanks for any help


#2 usermike

Posted 18 July 2008 - 10:01 AM

Hmm, wondering if I posted this in the correct forum section :thumbsup:

Also, if you're wondering why it says steve: I am posting here on my clean computer. The Dell is the infected one and belonged to my mate called Steve, lol.

Edited by usermike, 19 July 2008 - 05:22 AM.


#3 usermike

Posted 19 July 2008 - 10:41 AM

Is this site active? As I've not heard anything in a couple of days.

#4 fenzodahl512

Posted 19 July 2008 - 02:41 PM

Hello mike.. My name is fenzodahl512 and welcome to BC.. Please be patient as we are all volunteers.. We do have real lives..


Please do the following...


Please visit the webpage below for instructions on downloading and running ComboFix.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. DO NOT select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix (located in C:\combofix.txt) when you've accomplished that, along with a new HijackThis log.



Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#5 usermike

Posted 20 July 2008 - 09:09 AM

Hi Fenzodahl,
Thanks for the reply, I appreciate it. I followed the instructions; however, upon adding the Windows file into combo.exe by dragging it, it didn't appear to install anything. Also, if I click combo.exe nothing opens. I think the virus is preventing me from running programs, as certain other ones don't open either on that computer.

regards,
mike

Edited by usermike, 20 July 2008 - 09:11 AM.


#6 fenzodahl512

Posted 20 July 2008 - 11:25 AM

Rename it to Combo-Fix.exe and then run it.. Post the log here..



#7 usermike

Posted 20 July 2008 - 01:31 PM

Hi, I renamed it and it worked. The 2 logs are as follows:

ComboFix 08-07-19.1 - steve 2008-07-20 19:07:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.657 [GMT 1:00]
Running from: C:\Documents and Settings\steve\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\steve\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\How to Register Malware Protector 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\License Agreement.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\Malware Protector 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\Register Malware Protector 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\Uninstall.lnk
C:\Documents and Settings\steve\Application Data\Microsoft\Internet Explorer\Quick Launch\Malware Protector 2008.lnk
C:\Documents and Settings\steve\Application Data\rhc7naj0ep7t
C:\Documents and Settings\steve\Application Data\shc5naj0ep7t
C:\WINDOWS\cookies.ini
C:\WINDOWS\eswa.exe
C:\WINDOWS\fdxbameg.dll
C:\WINDOWS\fsrpknov.dll
C:\WINDOWS\gpefaowr.exe
C:\WINDOWS\system32\bHOVCcdd.ini
C:\WINDOWS\system32\bHOVCcdd.ini2
C:\WINDOWS\system32\blphc3naj0ep7t.scr
C:\WINDOWS\system32\bnclooyj.dll
C:\WINDOWS\system32\byisby.dll
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbdll.old
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\DDCCVOHB.dll
C:\WINDOWS\system32\deuuyngg.dll
C:\WINDOWS\system32\dnpcrwmy.dll
C:\WINDOWS\system32\dqorgvee.ini
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\eevgroqd.dll
C:\WINDOWS\system32\fyhzjk.dll
C:\WINDOWS\system32\ggnyuued.ini
C:\WINDOWS\system32\gkqxthko.dll
C:\WINDOWS\system32\hdfbxwpx.ini
C:\WINDOWS\system32\hhcpnqev.dll
C:\WINDOWS\system32\hhpiptda.dll
C:\WINDOWS\system32\jyoolcnb.ini
C:\WINDOWS\system32\lphc3naj0ep7t.exe
C:\WINDOWS\system32\mbwryfkb.ini
C:\WINDOWS\system32\mcbdoksg.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mrxgeydl.dll
C:\WINDOWS\system32\nqosmeld.dll
C:\WINDOWS\system32\nqsuingr.dll
C:\WINDOWS\system32\opnliGWo.dll
C:\WINDOWS\system32\osrjad.dll
C:\WINDOWS\system32\paxmig.dll
C:\WINDOWS\system32\phc3naj0ep7t.bmp
C:\WINDOWS\system32\pphc3naj0ep7t.exe
C:\WINDOWS\system32\qauhfjld.dll
C:\WINDOWS\system32\qdxzos.dll
C:\WINDOWS\system32\rgniusqn.ini
C:\WINDOWS\system32\swnvlywu.ini
C:\WINDOWS\system32\whtkxree.dll
C:\WINDOWS\system32\wplwsf.dll
C:\WINDOWS\system32\xbouvl.dll
C:\WINDOWS\system32\xpwxbfdh.dll
C:\WINDOWS\system32\ymwrcpnd.ini
C:\WINDOWS\system32\zygekv.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER


((((((((((((((((((((((((( Files Created from 2008-06-20 to 2008-07-20 )))))))))))))))))))))))))))))))
.

2008-07-20 19:00 . 2008-01-18 03:36 107,864 --a------ C:\WINDOWS\system32\tsccvid.dll
2008-07-20 18:55 . 2008-07-20 18:55 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2008-07-20 17:00 . 2008-07-20 17:00 <DIR> d-------- C:\Program Files\Pool Buddy Yahoo
2008-07-18 22:17 . 2008-07-18 22:17 <DIR> d-------- C:\Program Files\Common Files\eSellerate
2008-07-18 21:30 . 2008-07-18 21:30 <DIR> d-------- C:\Program Files\TechSmith
2008-07-18 21:30 . 2008-07-18 21:30 <DIR> d-------- C:\Program Files\Common Files\TechSmith Shared
2008-07-18 17:31 . 2008-07-18 17:31 <DIR> d-------- C:\Documents and Settings\steve\Application Data\Apple Computer
2008-07-18 17:30 . 2008-07-18 17:30 <DIR> d-------- C:\Program Files\Safari
2008-07-18 17:29 . 2008-07-18 17:29 <DIR> d-------- C:\Program Files\Bonjour
2008-07-18 17:29 . 2008-07-18 17:29 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-18 17:29 . 2008-07-18 17:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-07-17 18:59 . 2008-07-17 18:59 <DIR> d-------- C:\Deckard
2008-07-17 14:29 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-07-17 14:29 . 2004-08-03 23:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-07-17 13:55 . 2008-07-17 13:55 <DIR> d-------- C:\Documents and Settings\steve\Application Data\MailFrontier
2008-07-17 13:53 . 2008-07-20 19:20 1,166,624 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-17 13:53 . 2008-07-20 19:17 16,604 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-17 13:49 . 2008-07-17 13:49 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-07-17 13:48 . 2008-07-17 13:48 <DIR> d-------- C:\Program Files\Zone Labs
2008-07-16 20:07 . 2008-07-16 20:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-16 19:58 . 2008-07-20 19:02 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-16 19:03 . 2008-07-16 19:03 <DIR> d-------- C:\Documents and Settings\steve\Application Data\Symantec
2008-07-16 18:18 . 2008-07-17 12:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-16 18:16 . 2008-07-17 12:54 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-16 15:50 . 2008-07-16 15:50 <DIR> d-------- C:\KAV
2008-07-16 13:56 . 2008-07-20 15:59 <DIR> d-------- C:\Program Files\Yahoo!
2008-07-16 13:52 . 2008-07-16 13:52 <DIR> d-------- C:\WINDOWS\system32\Dell
2008-07-15 19:51 . 2008-07-15 19:51 <DIR> d-------- C:\Documents and Settings\steve\Application Data\SuperAdBlocker.com
2008-07-15 19:50 . 2008-07-15 19:51 <DIR> d-------- C:\Program Files\SuperAdBlocker.com
2008-07-15 18:46 . 2008-07-15 19:13 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-15 18:40 . 2008-07-16 15:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-15 16:53 . 2008-07-15 19:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-07-15 16:53 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-07-15 16:53 . 2008-07-20 19:18 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-07-15 16:52 . 2008-07-20 19:01 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-07-15 16:22 . 2008-07-17 13:08 <DIR> d-------- C:\Documents and Settings\steve\Application Data\uTorrent
2008-07-15 15:24 . 2008-07-15 15:24 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-07-15 14:56 . 2008-07-15 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-15 14:55 . 2008-07-15 20:09 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-15 14:55 . 2008-07-15 20:09 <DIR> d-------- C:\Documents and Settings\steve\Application Data\SUPERAntiSpyware.com
2008-07-14 17:03 . 2008-07-14 17:03 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-14 17:03 . 2008-07-14 17:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-14 16:44 . 2008-07-15 14:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-14 16:07 . 2008-07-14 16:07 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-07-14 16:06 . 2008-07-14 16:06 <DIR> d-------- C:\Documents and Settings\steve\Application Data\Yahoo!
2008-07-14 16:06 . 2008-07-15 19:37 <DIR> dr-h----- C:\Documents and Settings\All Users\Application Data\yahoo!
2008-07-14 15:38 . 2008-07-16 14:23 <DIR> d-------- C:\Program Files\Opera
2008-07-12 08:40 . 2001-08-23 13:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-06-29 08:40 . 2008-06-29 09:41 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-06-29 08:40 . 2008-06-29 08:40 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-06-27 09:11 . 2008-06-27 09:11 <DIR> d-------- C:\Documents and Settings\steve\Application Data\DivX
2008-06-26 21:01 . 2008-06-26 21:01 <DIR> d-------- C:\Program Files\VideoLAN
2008-06-26 21:01 . 2008-06-26 21:01 <DIR> d-------- C:\Documents and Settings\steve\Application Data\vlc
2008-06-26 20:58 . 2008-06-26 20:59 <DIR> d-------- C:\Program Files\DivX
2008-06-26 20:58 . 2008-06-26 20:58 20,724,776 --a------ C:\Program Files\DivXInstaller.exe
2008-06-26 20:50 . 2008-06-26 20:50 1,233,886 --a------ C:\Program Files\wrar38b2.exe
2008-06-26 20:40 . 2008-06-26 20:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-06-26 20:39 . 2008-06-26 20:39 13,669,728 --a------ C:\Program Files\winzip112.exe
2008-06-26 03:00 . 2004-08-04 01:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-06-25 22:55 . 2008-06-13 14:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-24 20:07 . 2008-06-24 20:07 <DIR> d-------- C:\Program Files\uTorrent
2008-06-24 18:51 . 2008-06-24 18:51 <DIR> d-------- C:\WINDOWS\Sun
2008-06-24 18:51 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-24 18:50 . 2008-06-24 18:51 <DIR> d-------- C:\Program Files\Java
2008-06-24 18:50 . 2008-06-24 18:50 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-24 18:46 . 2008-06-24 18:46 <DIR> d-------- C:\Program Files\RALINK
2008-06-24 18:46 . 2008-06-24 18:46 <DIR> d-------- C:\Documents and Settings\steve\Application Data\InstallShield
2008-06-24 18:46 . 2007-07-28 14:50 517,632 --a------ C:\WINDOWS\system32\drivers\rt2870.sys
2008-06-22 14:51 . 2006-01-12 19:46 252,928 --a------ C:\WINDOWS\system32\drivers\rt73.sys
2008-06-22 14:51 . 2003-10-13 15:30 94,208 --a------ C:\WINDOWS\system32\GTW32N50.dll
2008-06-22 14:51 . 2003-09-25 23:28 31,930 --a------ C:\WINDOWS\system32\GTNDIS3.VXD
2008-06-22 14:51 . 2005-02-01 18:18 17,992 --a------ C:\WINDOWS\system32\drivers\bcm42rly.sys
2008-06-22 14:51 . 2005-02-01 18:18 17,992 --a------ C:\WINDOWS\system32\bcm42rly.sys
2008-06-22 14:51 . 2003-09-25 22:15 15,872 --a------ C:\WINDOWS\system32\GTNDIS5.sys
2008-06-20 18:41 . 2008-06-20 18:41 245,248 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 11:44 . 2008-06-20 11:44 138,368 -----c--- C:\WINDOWS\system32\dllcache\afd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-16 16:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-16 12:52 --------- d-----w C:\Program Files\Dell
2008-07-15 19:09 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-15 18:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-14 15:05 --------- d-----w C:\Program Files\Google
2008-07-09 08:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-07-09 08:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-06-25 20:58 31,319 ----a-w C:\Program Files\Petite.Infirmiere.Perverse.FRENCH.XXX.DVDRip.XviD-TESORO.torrent
2008-06-25 20:40 34,733 ----a-w C:\Program Files\Puppet.Master.XXX.DVDRiP.XviD-DivXfacTory.torrent
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-05-30 23:22 815,104 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-05-30 23:22 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-05-30 23:22 683,520 ----a-w C:\WINDOWS\system32\DivX.dll
2008-05-30 23:22 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-05-30 23:22 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-05-30 23:22 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-05-30 23:22 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-05-30 23:22 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-05-30 23:22 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-05-22 22:22 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-05-22 22:22 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-05-22 22:22 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-05-22 22:22 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-05-22 22:22 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-05-22 22:22 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2008-05-22 22:22 120,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2008-05-22 22:22 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2008-05-22 22:20 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-05-22 22:20 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-05-22 22:19 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-05-22 22:19 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-05-22 22:19 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-22 22:18 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-16 10:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2008-02-21 21:13:51 24576]
MA111 Configuration Utility.lnk - C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe [2008-03-09 21:37:31 459264]
Wireless USB 2.0 WLAN Card Utility.lnk - C:\Program Files\Dell Wireless\PRISMCFG.exe [2008-02-21 21:12:59 921707]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000D7}"= "C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSEHB.DLL" [2006-11-07 12:58 77824]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SABWinLogon]
2007-08-01 09:28 176128 C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMAPI.DLL]
2006-10-12 10:42 450649 C:\WINDOWS\system32\PRISMAPI.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
--a------ 2003-01-27 18:16 376912 C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 01:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-04-05 22:19 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-04-05 22:22 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2005-04-05 22:23 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-18 21:31 28672 C:\WINDOWS\system32\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-03-17 02:06 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 15:42 1404928 C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-03-25 04:28 144784 C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SuperAdBlocker]
--a------ 2007-08-01 09:28 1564672 C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-05-28 10:33 1506544 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMX Daemon]
--a------ 2006-06-09 13:47 47104 C:\WINDOWS\system32\ico.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 SABKUTIL;SABKUTIL;C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [2007-02-20 16:02]
R2 ASFIPmon;Broadcom ASF IP Monitor;C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe [2005-03-08 20:46]
R2 PRISMSVC;PRISMSVC;C:\WINDOWS\system32\PRISMSVC.EXE [2006-10-12 10:45]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;C:\WINDOWS\system32\DRIVERS\rt2870.sys [2007-07-28 14:50]
S1 SABDIFSV;SABDIFSV;C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABDIFSV.SYS [2005-09-21 11:17]
S3 StreamSurge;StreamSurge Driver (miniport);C:\WINDOWS\system32\DRIVERS\ss.sys []
.
Contents of the 'Scheduled Tasks' folder
"2008-07-18 16:29:49 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{F8AC36D7-F602-4B69-99B5-2A812E05779F} - C:\WINDOWS\system32\mlJYopno.dll
ShellExecuteHooks-{F8AC36D7-F602-4B69-99B5-2A812E05779F} - C:\WINDOWS\system32\mlJYopno.dll
Notify-mlJYopno - mlJYopno.dll
MSConfigStartUp-f86cd5cf - C:\WINDOWS\system32\nqsuingr.dll
MSConfigStartUp-lphc3naj0ep7t - C:\WINDOWS\system32\lphc3naj0ep7t.exe
MSConfigStartUp-SMrhc7naj0ep7t - C:\Program Files\rhc7naj0ep7t\rhc7naj0ep7t.exe
MSConfigStartUp-SMshc5naj0ep7t - C:\Program Files\shc5naj0ep7t\shc5naj0ep7t.exe
MSConfigStartUp-UIUCU - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\UIUCU.EXE


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-20 19:19:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\PRISMSVR.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-07-20 19:22:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-20 18:22:37

Pre-Run: 46,919,409,664 bytes free
Post-Run: 47,048,318,976 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptOut
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

321 --- E O F --- 2008-07-10 02:00:41


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:24, on 20/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PRISMSVC.EXE
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\2.bin\SPYBLOCK.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=21871
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O20 - Winlogon Notify: !SABWinLogon - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DataSvr - Unknown owner - C:\Program Files\Wave Systems Corp\Common\DataServer.exe (file missing)
O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5431 bytes

Kind regards,
mike

#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:12:19 PM

Posted 20 July 2008 - 01:47 PM

Logs look good... Do this..


Please download Malwarebytes' Anti-Malware from HERE or HERE

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



Please also include a fresh Deckard System Scanner log (after Malwarebytes' step) and tell me about your computer condition...


Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#9 usermike

usermike
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Gender:Male
  • Location:England
  • Local time:05:19 AM

Posted 20 July 2008 - 02:50 PM

Hi again. I can use the internet again, and I am actually posting here with the comp that is/was infected. It is also running fast again. As asked, I scanned with Malwarebytes, then ran DSS again. Here are the logs, as follows:

Malwarebytes' Anti-Malware 1.21
Database version: 971
Windows 5.1.2600 Service Pack 2

20:42:40 20/07/2008
mbam-log-7-20-2008 (20-42-40).txt

Scan type: Full Scan (C:\|)
Objects scanned: 99562
Time elapsed: 35 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 51

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\shc5naj0ep7t (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhc7naj0ep7t (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\shc5naj0ep7t (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sqvgnrpx.bpfv (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\backupwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\eswa.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\bnclooyj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\DDCCVOHB.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\deuuyngg.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\dnpcrwmy.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\eevgroqd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\fyhzjk.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\gkqxthko.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\hhcpnqev.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\hhpiptda.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\mcbdoksg.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\mrxgeydl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\nqosmeld.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\nqsuingr.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\opnliGWo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\osrjad.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\paxmig.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\qauhfjld.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\qdxzos.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\wplwsf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\xbouvl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\xpwxbfdh.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\zygekv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9B04E4E5-CCD6-4536-BC03-86DFE69D21EC}\RP115\A0568505.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9B04E4E5-CCD6-4536-BC03-86DFE69D21EC}\RP115\A0568507.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9B04E4E5-CCD6-4536-BC03-86DFE69D21EC}\RP115\A0568508.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9B04E4E5-CCD6-4536-BC03-86DFE69D21EC}\RP115\A0568510.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9B04E4E5-CCD6-4536-BC03-86DFE69D21EC}\RP115\A0568511.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9B04E4E5-CCD6-4536-BC03-86DFE69D21EC}\RP115\A0568512.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9B04E4E5-CCD6-4536-BC03-86DFE69D21EC}\RP115\A0568513.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9B04E4E5-CCD6-4536-BC03-86DFE69D21EC}\RP115\A0568514.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9B04E4E5-CCD6-4536-BC03-86DFE69D21EC}\RP115\A0568515.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9B04E4E5-CCD6-4536-BC03-86DFE69D21EC}\RP115\A0568517.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9B04E4E5-CCD6-4536-BC03-86DFE69D21EC}\RP115\A0568518.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9B04E4E5-CCD6-4536-BC03-86DFE69D21EC}\RP115\A0568520.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9B04E4E5-CCD6-4536-BC03-86DFE69D21EC}\RP115\A0568521.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9B04E4E5-CCD6-4536-BC03-86DFE69D21EC}\RP115\A0568522.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9B04E4E5-CCD6-4536-BC03-86DFE69D21EC}\RP115\A0568523.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9B04E4E5-CCD6-4536-BC03-86DFE69D21EC}\RP115\A0568525.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9B04E4E5-CCD6-4536-BC03-86DFE69D21EC}\RP115\A0568526.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9B04E4E5-CCD6-4536-BC03-86DFE69D21EC}\RP115\A0568528.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9B04E4E5-CCD6-4536-BC03-86DFE69D21EC}\RP115\A0568537.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9B04E4E5-CCD6-4536-BC03-86DFE69D21EC}\RP115\A0568509.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9B04E4E5-CCD6-4536-BC03-86DFE69D21EC}\RP115\A0568527.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk (Rogue.AntivirusXP) -> Quarantined and deleted successfully.
C:\Documents and Settings\steve\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

Deckard's System Scanner v20071014.68
Run by steve on 2008-07-20 20:45:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as steve.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:45, on 20/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PRISMSVC.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\steve\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\steve.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=21871
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: DataSvr - Unknown owner - C:\Program Files\Wave Systems Corp\Common\DataServer.exe (file missing)
O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4803 bytes

-- Files created between 2008-06-20 and 2008-07-20 -----------------------------

2008-07-20 19:56:58 0 d-------- C:\Documents and Settings\steve\Application Data\Malwarebytes
2008-07-20 19:56:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-20 19:56:53 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-20 19:40:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-07-20 19:07:16 0 d-------- C:\cmdcons
2008-07-20 19:04:14 68096 --a------ C:\WINDOWS\zip.exe
2008-07-20 19:04:14 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-20 19:04:14 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-20 19:04:14 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-20 19:04:14 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-20 19:04:14 98816 --a------ C:\WINDOWS\sed.exe
2008-07-20 19:04:14 80412 --a------ C:\WINDOWS\grep.exe
2008-07-20 19:04:14 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-20 18:55:53 0 d-------- C:\WINDOWS\system32\QuickTime
2008-07-18 22:17:02 0 d-------- C:\Program Files\Common Files\eSellerate
2008-07-18 17:31:00 0 d-------- C:\Documents and Settings\steve\Application Data\Apple Computer
2008-07-17 13:55:47 0 d-------- C:\Documents and Settings\steve\Application Data\MailFrontier
2008-07-17 13:53:37 3146784 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-17 13:48:13 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-07-16 20:07:13 0 d-------- C:\Program Files\Trend Micro
2008-07-16 19:58:57 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-16 19:03:58 0 d-------- C:\Documents and Settings\steve\Application Data\Symantec
2008-07-16 18:18:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-16 18:16:41 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-16 15:50:39 0 d-------- C:\KAV
2008-07-16 13:56:30 0 d-------- C:\Program Files\Yahoo!
2008-07-16 13:52:41 0 d-------- C:\WINDOWS\system32\Dell
2008-07-15 19:51:02 0 d-------- C:\Documents and Settings\steve\Application Data\SuperAdBlocker.com
2008-07-15 19:50:42 0 d-------- C:\Program Files\SuperAdBlocker.com
2008-07-15 18:46:06 0 d--h----- C:\$AVG8.VAULT$
2008-07-15 18:40:36 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-15 16:53:55 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-07-15 16:53:50 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-07-15 16:53:43 11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2008-07-15 16:52:43 0 d-------- C:\WINDOWS\Internet Logs
2008-07-15 16:22:07 0 d-------- C:\Documents and Settings\steve\Application Data\uTorrent
2008-07-15 15:24:10 0 d-------- C:\WINDOWS\system32\NtmsData
2008-07-15 14:56:08 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-15 14:55:58 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-15 14:55:58 0 d-------- C:\Documents and Settings\steve\Application Data\SUPERAntiSpyware.com
2008-07-14 17:03:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-14 16:44:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-14 16:07:54 0 d-------- C:\Program Files\Common Files\Scanner
2008-07-14 16:06:58 0 dr-h----- C:\Documents and Settings\All Users\Application Data\yahoo!
2008-07-14 16:06:38 0 d-------- C:\Documents and Settings\steve\Application Data\Yahoo!
2008-07-14 15:38:01 0 d-------- C:\Program Files\Opera
2008-07-14 15:15:19 0 d-------- C:\WINDOWS\pss
2008-07-14 14:54:41 0 d--hs---- C:\WINDOWS\CSC
2008-06-29 08:40:22 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-29 08:40:16 0 d-------- C:\WINDOWS\SxsCaPendDel
2008-06-27 11:28:57 0 d-------- C:\Documents and Settings\steve\Application Data\Adobe
2008-06-27 09:11:23 0 d-------- C:\Documents and Settings\steve\Application Data\DivX
2008-06-26 21:01:42 0 d-------- C:\Documents and Settings\steve\Application Data\vlc
2008-06-26 21:01:19 0 d-------- C:\Program Files\VideoLAN
2008-06-26 20:58:51 0 d-------- C:\Program Files\DivX
2008-06-26 20:51:29 0 d-------- C:\Documents and Settings\steve\Application Data\WinRAR
2008-06-26 20:50:20 1233886 --a------ C:\Program Files\wrar38b2.exe
2008-06-26 20:40:26 0 d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-06-24 20:07:51 0 d-------- C:\Program Files\uTorrent
2008-06-24 18:51:35 0 d-------- C:\WINDOWS\Sun
2008-06-24 18:51:35 0 d-------- C:\Documents and Settings\steve\Application Data\Sun
2008-06-24 18:50:59 0 d-------- C:\Program Files\Java
2008-06-24 18:50:24 0 d-------- C:\Program Files\Common Files\Java
2008-06-24 18:46:26 0 d-------- C:\Program Files\RALINK
2008-06-24 18:46:12 0 d-------- C:\Documents and Settings\steve\Application Data\InstallShield
2008-06-22 14:51:46 94208 --a------ C:\WINDOWS\system32\GTW32N50.dll
2008-06-22 14:51:46 15872 --a------ C:\WINDOWS\system32\GTNDIS5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>


-- Find3M Report ---------------------------------------------------------------

2008-07-20 19:40:55 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-20 19:39:02 0 d-------- C:\Program Files\Common Files
2008-07-16 17:40:36 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-16 13:52:41 0 d-------- C:\Program Files\Dell
2008-07-14 16:05:05 0 d-------- C:\Program Files\Google
2008-06-25 21:58:47 31319 --a------ C:\Program Files\Petite.Infirmiere.Perverse.FRENCH.XXX.DVDRip.XviD-TESORO.torrent
2008-06-25 21:40:22 34733 --a------ C:\Program Files\Puppet.Master.XXX.DVDRiP.XviD-DivXfacTory.torrent
2008-05-31 00:22:48 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-05-31 00:22:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX>
2008-05-31 00:22:48 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX>
2008-05-31 00:22:46 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX>
2008-05-31 00:22:46 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX>
2008-05-22 23:22:18 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-22 23:19:46 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-22 23:19:46 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-22 23:18:54 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [09/07/2008 09:05]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 01:56]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [30/08/2007 17:43]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [21/02/2008 21:13:51]
MA111 Configuration Utility.lnk - C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe [09/03/2008 21:37:31]
Wireless USB 2.0 WLAN Card Utility.lnk - C:\Program Files\Dell Wireless\PRISMCFG.exe [21/02/2008 21:12:59]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [13/05/2008 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMAPI.DLL]
PRISMAPI.DLL 12/10/2006 10:42 450649 C:\WINDOWS\system32\PRISMAPI.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMX Daemon]
ICO.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\WINDOWS\system32\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SuperAdBlocker]
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet




-- End of Deckard's System Scanner: finished at 2008-07-20 20:46:32 ------------



kind regards
mike

#10 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:12:19 PM

Posted 20 July 2008 - 03:36 PM

Great, your log looks clean to my eyes. Please rename Combo-Fix back to ComboFix.


Then do this...


Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
    Please note that the space between x and / is needed



NEXT


I noticed you already have:

1. ZoneLabs consisting of your antivirus and firewall
2. Malwarebytes' as antispyware


Lastly, to keep your operating system up to date please visit the link below monthly.

To learn more about how to protect yourself while on the internet, read this excellent article by Grinler: How did I get infected?, With steps so it does not happen again!

Please also read an excellent article by miekiemoes: Help! My computer is slow!

And another excellent article by CastleCops Malware Prevention: Prevent Re-infection

Please reply to this thread once more and tell us about the computer's behaviour so that we can close this thread :thumbsup:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
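An added example, not code from this thread or from HijackThis itself: a small Python triage script that applies the checks a log helper runs by hand before saying a HijackThis log "looks clean". The sample lines are copied from the HijackThis section of the log posted above (labelled as constructed input in the code). The meaning of the section codes (R0/R1 IE start and search pages, O4 autostarts, O10 Winsock LSPs, O16 ActiveX downloads, O20 Winlogon Notify DLLs, O23 services) is HijackThis's own; the three severity levels, the rule set and the small allowlist of Microsoft default hosts are this example's assumptions, chosen so that nothing is labelled malicious by the script alone. In this thread's log the O10 entry is nwprovau.dll, which ships with Windows as the NetWare client provider and also shows up in the LSA "Authentication Packages" dump above; the script only asks the triager to verify it, which is the right posture for an LSP that is merely absent from a whitelist.

```python
import re
from typing import Dict, List

# Constructed sample input: nine lines copied from the HijackThis log posted
# earlier in this thread. Paths carry single backslashes, hence the raw string.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: DataSvr - Unknown owner - C:\Program Files\Wave Systems Corp\Common\DataServer.exe (file missing)
"""

# Every HijackThis finding line starts with a section code such as R0, O4, O23.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")

# Assumed allowlist: hosts that IE ships with as defaults. Anything else is not
# malicious per se, just something the triager confirms the user chose.
KNOWN_DEFAULT_HOSTS = ("go.microsoft.com", "www.microsoft.com", "windowsupdate.microsoft.com")


def parse_entries(log: str) -> List[Dict[str, str]]:
    """Split a HijackThis log into (code, body) pairs, skipping header and process list."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def _host(text: str) -> str:
    """Return the lowercased host of the first http(s) URL in text, or '' if none."""
    m = re.search(r"https?://([^/]+)", text)
    return m.group(1).lower() if m else ""


def triage(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """One finding per entry. Levels are 'ok', 'verify' or 'housekeeping' (assumed
    scheme): the rules encode what a helper checks by hand, not a malice verdict."""
    findings = []
    for e in entries:
        code, body = e["code"], e["body"]
        level, why = "ok", "nothing to do"
        if code in ("R0", "R1"):
            host = _host(body)
            if host and host not in KNOWN_DEFAULT_HOSTS:
                level, why = "verify", f"IE start/search page points at {host}; confirm the user set it"
        elif code == "O4" and body.endswith("= ?"):
            level, why = "verify", "startup shortcut target unresolved; open the .lnk and check where it points"
        elif code == "O10":
            level, why = "verify", "Winsock LSP not in the HijackThis whitelist; confirm the DLL publisher before touching the LSP chain"
        elif code == "O16":
            if _host(body) not in KNOWN_DEFAULT_HOSTS:
                level, why = "verify", f"ActiveX control downloaded from {_host(body)}; keep only if the user recognises the vendor"
        elif code == "O20":
            level, why = "verify", "Winlogon Notify DLL loads inside winlogon.exe at logon; confirm publisher (Vundo abused this hook)"
        elif code == "O23" and "(file missing)" in body:
            level, why = "housekeeping", "service registered but its binary is gone; delete the orphaned service entry"
        findings.append({"code": code, "level": level, "reason": why, "entry": body})
    return findings


def verdict(findings: List[Dict[str, str]]) -> str:
    """Summarise counts per level; never say 'clean' while anything still needs verifying."""
    counts = {lvl: sum(1 for f in findings if f["level"] == lvl) for lvl in ("ok", "verify", "housekeeping")}
    if counts["verify"] == 0 and counts["housekeeping"] == 0:
        return "no entries need attention"
    return f"{counts['verify']} to verify, {counts['housekeeping']} housekeeping, {counts['ok']} ok"


if __name__ == "__main__":
    results = triage(parse_entries(SAMPLE_LOG))
    for f in results:
        if f["level"] != "ok":
            print(f"[{f['level']:<12}] {f['code']}: {f['reason']}")
    print(verdict(results))
```

Run against the sample, the script reports five entries to verify (the Yahoo start page, the unresolved Digital Line Detect shortcut, the LSP, the SuperAdBlocker ActiveX control and the SUPERAntiSpyware Winlogon Notify DLL), one housekeeping item (the DataSvr service whose binary is missing) and three entries needing nothing. That matches the helper's reading of the log: no live infection indicators, a few items a careful triager confirms by eye before calling it clean.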


#11 usermike

usermike
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Gender:Male
  • Location:England
  • Local time:05:19 AM

Posted 21 July 2008 - 09:45 AM

Hi, I tried clicking Start, Run, then typing ComboFix /u; the path couldn't be found.

The computer is running great now, almost like when it was first bought. Thanks again for all your help; this site rocks!!

kind regards
mike

#12 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:12:19 PM

Posted 21 July 2008 - 12:09 PM

Do this instead. By the way, I'm glad your computer is okay now :thumbsup:


Please download OTCleanIt and save it to Desktop.
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes





