'warning,spyware Detected On Your Computer' Removed But Missing All Of My Programs


This topic is locked
19 replies to this topic

#1 bugger


Posted 28 July 2008 - 10:13 PM

Previously posted in Am I Infected (Mod. edit. Link here: http://www.bleepingcomputer.com/forums/t/158829/warningspyware-detected-on-your-computer-removed-but-missing-all-of-my-programs/ ~ OB), advised to post here as it is proving difficult to get rid of. I have done several scans using Malwarebytes, AVG, SDFix and now DSS.

It started with the wallpaper changing to a blue screen with "Warning, spyware detected on your computer"; that background has now gone. All of my Microsoft Office programs have gone, along with games; the startup folder is empty, and there is no System Restore. I cannot connect to the internet using my USB wireless connection: "Error 797: A connection to the remote computer could not be established because the modem was not found or busy".


When Windows opens it comes up with "One of the files containing your system registry data had to be recovered by a log or alternate copy. The recovery was successful."


This is at least the 3rd week that the laptop has been infected and it's driving me nuts, so thanks in advance for the help. :thumbsup:

Here are all the scan logs; hope this helps.


Malwarebytes' Anti-Malware 1.22
Database version: 972
Windows 5.1.2600 Service Pack 2

1:54:30 PM 21/07/2008
mbam-log-7-21-2008 (13-54-30).txt

Scan type: Quick Scan
Objects scanned: 56518
Time elapsed: 21 minute(s), 12 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 7
Registry Data Items Infected: 2
Folders Infected: 17
Files Infected: 47

Memory Processes Infected:
C:\Antivirus 2008 PRO\antivirus-2008pro.exe (Rogue.Installer) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\cwwmkodh.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\rhcjwpj0et67 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\antivirus 2008 pro (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0c5e7155 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus-2008pro.exe (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{e55e1c86-434d-46f9-a253-2de4ab3f9734} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Antivirus 2008 PRO (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus 2008 PRO\Infected (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus 2008 PRO\Suspicious (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\rhcjwpj0et67 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Start Menu\Programs\Antivirus 2008 PRO (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\rhcjwpj0et67 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\rhcjwpj0et67\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\rhcjwpj0et67\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\rhcjwpj0et67\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\rhcjwpj0et67\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\rhcjwpj0et67\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\rhcjwpj0et67\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\rhcjwpj0et67\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\rhcjwpj0et67\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\rhcjwpj0et67\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\rhcjwpj0et67\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\cwwmkodh.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\hdokmwwc.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcqgjrys.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\syrjgqcm.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Antivirus 2008 PRO\antivirus-2008pro.exe (Rogue.Installer) -> Quarantined and deleted successfully.
\Antivirus 2008 PRO\antivirus-2008pro.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ddcCSJcC.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mlJYspMG.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pphcnwpj0et67.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphcnwpj0et67.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\dssec.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\4HG71KIK\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\C5KNQR0B\Antivirus2008PRO[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\C5KNQR0B\scan[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\TKCA06ZF\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus 2008 PRO\vscan.tsi (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus 2008 PRO\zlib.dll (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\rhcjwpj0et67\database.dat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcjwpj0et67\license.txt (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcjwpj0et67\MFC71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcjwpj0et67\MFC71ENU.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcjwpj0et67\msvcp71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcjwpj0et67\msvcr71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcjwpj0et67\rhcjwpj0et67.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcjwpj0et67\rhcjwpj0et67.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcjwpj0et67\rhcjwpj0et67Skin.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcjwpj0et67\Uninstall.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Start Menu\Programs\Antivirus 2008 PRO\antivirus-2008pro.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk (Rogue.AntivirusXP) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus-2008pro.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blphcnwpj0et67.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phcnwpj0et67.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Desktop\antivirus-2008pro.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\.tt7.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\.tt9.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\atmadm2.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\media.php (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\rundll32.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.



I scanned the computer again using Malwarebytes and it picked up nothing, and then I used AVG and it picked up a few. Here are the logs.


Malwarebytes' Anti-Malware 1.22
Database version: 972
Windows 5.1.2600 Service Pack 2

10:50:12 AM 26/07/2008
mbam-log-7-26-2008 (10-50-12).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 31430
Time elapsed: 17 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:46:04 26/07/2008

+ Scan result:



C:\WINDOWS\system\14x.exe -> Downloader.Agent.nem : Cleaned with backup (quarantined).
C:\WINDOWS\system32\3x-un-14x.exe -> Downloader.Dadobra.adk : Cleaned with backup (quarantined).
C:\WINDOWS\system\lprhelp32.dll -> Dropper.Agent.qik : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Cookies\user@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\User\Cookies\user@cms.trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\WINDOWS\system32\IEDFix.exe -> Trojan.Renos.vaoz : Cleaned with backup (quarantined).


::Report end



AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:56:29 26/07/2008

+ Scan result:



C:\System Volume Information\_restore{76178016-FCC2-48D6-B9C7-F9E4E4D6995A}\RP112\A0052340.exe -> Downloader.Agent.nem : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{76178016-FCC2-48D6-B9C7-F9E4E4D6995A}\RP112\A0052342.exe -> Downloader.Dadobra.adk : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Desktop\downlaods\PRECRAcked-WinRAR.3.80\MediaTubeCodec_ver1.1348.0.exe -> Downloader.Zlob.ppp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{76178016-FCC2-48D6-B9C7-F9E4E4D6995A}\RP112\A0052341.dll -> Dropper.Agent.qik : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Local Settings\Temp\removalfile.bat -> Not-A-Virus.Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{76178016-FCC2-48D6-B9C7-F9E4E4D6995A}\RP112\A0050041.exe -> Not-A-Virus.PUP.MalwareProtector.d : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{76178016-FCC2-48D6-B9C7-F9E4E4D6995A}\RP112\A0051040.exe -> Not-A-Virus.PUP.MalwareProtector.d : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\IOSM4PBA\file[1].exe -> Rootkit.Clbd.cv : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1275210071-1580436667-1060284298-1003\Dc5\IEDFix.exe -> Trojan.Renos.vaoz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{76178016-FCC2-48D6-B9C7-F9E4E4D6995A}\RP112\A0052343.exe -> Trojan.Renos.vaoz : Cleaned with backup (quarantined).


::Report end

Also ran SDFix.

SDFix: Version 1.208
Run by User on Sun 27/07/2008 at 10:05

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Antivirus 2008 PRO\vscan.tsi - Deleted
C:\Antivirus 2008 PRO\zlib.dll - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\.ttA0.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\.ttA9.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\.ttBA.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\.ttA0.tmp.vbs - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\atmadm2.exe.bat - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\bindsrv2.exe.bat - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\dssec.exe.bat - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\vista_sp1.exe.bat - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\bindsrv2.exe.bat - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\media.php.bat - Deleted



Folder \Antivirus 2008 PRO - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-27 10:13:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Disabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Disabled:avgnsx.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Disabled:avgupd.exe"
"C:\\Program Files\\Unwired\\UwWiz.exe"="C:\\Program Files\\Unwired\\UwWiz.exe:*:Disabled:Connection Assistant"
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"="C:\\WINDOWS\\system32\\usmt\\migwiz.exe:*:Disabled:Files and Settings Transfer Wizard"
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"="C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Disabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Disabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 2 Jun 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 23 Feb 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 23 Jul 2008 15,452,536 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d7694bef8bd7032a201cda9934644640\BIT2.tmp"
Tue 10 Jun 2008 95,315,977 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f8e4c50bd1c41feac24607e18c5505bd\BIT2.tmp"
Sat 26 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT2.tmp"

Finished!



Deckard's System Scanner v20071014.68
Run by User on 2008-07-29 10:59:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 480 MiB (512 MiB recommended).


-- HijackThis (run as User.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:59:44, on 29/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Desktop\dss.exe
C:\TRENDM~1\HIJACK~1\User.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: GtFlashSwitch - OptionNV - C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 5596 bytes

-- Files created between 2008-06-29 and 2008-07-29 -----------------------------

2008-07-29 10:53:44 0 d-------- C:\Trend Micro
2008-07-29 10:53:44 0 d-------- \Trend Micro
2008-07-29 10:53:44 0 d-------- \Trend Micro
2008-07-29 10:48:50 0 d-------- \Deckard
2008-07-29 10:48:50 0 d-------- \Deckard
2008-07-27 10:02:34 0 d-------- C:\WINDOWS\ERUNT
2008-07-27 09:56:52 0 d-------- \SDFix
2008-07-27 09:56:52 0 d-------- \SDFix
2008-07-21 14:00:59 410 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-21 14:00:24 81920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-07-21 14:00:23 86528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-07-21 14:00:21 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-21 14:00:20 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-07-21 14:00:19 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-07-21 14:00:19 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-21 14:00:16 53248 --a------ C:\WINDOWS\system32\Process.exe http://www.beyondlogic.org; Command Line Process Utility>
2008-07-21 13:23:56 0 d-------- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-07-21 13:23:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-21 12:01:09 0 d--hs---- C:\WINDOWS\CSC
2008-07-21 11:31:33 0 d-------- C:\VundoFix Backups
2008-07-21 11:31:33 0 d-------- \VundoFix Backups
2008-07-21 11:31:33 0 d-------- \VundoFix Backups
2008-07-06 21:47:09 0 d-------- C:\Programs
2008-07-06 21:47:09 0 d-------- \Programs
2008-07-06 21:47:09 0 d-------- \Programs
2008-07-06 21:47:07 0 d-------- C:\WINDOWS\Program Files
2008-07-06 21:34:57 0 d-------- C:\Documents and Settings\User\Application Data\Help
2008-07-01 22:19:36 0 d-------- C:\Documents and Settings\User\Application Data\Grisoft
2008-07-01 22:19:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-06-29 23:40:17 0 d-------- C:\WINDOWS\system32\%programfiles%
2008-06-29 23:40:16 0 d-------- C:\WINDOWS\system32\%commonprogramfiles%
2008-06-29 22:14:55 0 d-------- C:\WINDOWS\system32\NtmsData
2008-06-29 19:51:24 0 d-------- C:\Documents and Settings\User\Application Data\WinRAR
2008-06-29 19:50:39 0 d-------- C:\WINDOWS\WinRAR
2008-06-29 16:11:06 29760 --a------ C:\WINDOWS\system32\4jTs6UFr.exe


-- Find3M Report ---------------------------------------------------------------

2008-07-29 10:49:13 0 d-------- \WINDOWS
2008-07-29 10:49:13 0 d-------- \WINDOWS
2008-07-29 10:46:46 754974720 --ahs---- \pagefile.sys
2008-07-29 10:46:46 754974720 --ahs---- \pagefile.sys
2008-07-27 10:51:19 0 d-------- C:\Documents and Settings\User\Application Data\uTorrent
2008-07-26 11:49:05 244 --ah----- \sqmnoopt04.sqm
2008-07-26 11:49:05 244 --ah----- \sqmnoopt04.sqm
2008-07-26 11:49:05 268 --ah----- \sqmdata04.sqm
2008-07-26 11:49:05 268 --ah----- \sqmdata04.sqm
2008-07-26 10:27:37 244 --ah----- \sqmnoopt03.sqm
2008-07-26 10:27:37 244 --ah----- \sqmnoopt03.sqm
2008-07-26 10:27:37 268 --ah----- \sqmdata03.sqm
2008-07-26 10:27:37 268 --ah----- \sqmdata03.sqm
2008-07-26 10:23:22 244 --ah----- \sqmnoopt02.sqm
2008-07-26 10:23:22 244 --ah----- \sqmnoopt02.sqm
2008-07-26 10:23:22 268 --ah----- \sqmdata02.sqm
2008-07-26 10:23:22 268 --ah----- \sqmdata02.sqm
2008-07-23 13:28:58 244 --ah----- \sqmnoopt01.sqm
2008-07-23 13:28:58 244 --ah----- \sqmnoopt01.sqm
2008-07-23 13:28:58 268 --ah----- \sqmdata01.sqm
2008-07-23 13:28:58 268 --ah----- \sqmdata01.sqm
2008-07-21 16:53:59 172 --ah----- \sqmnoopt00.sqm
2008-07-21 16:53:59 172 --ah----- \sqmnoopt00.sqm
2008-07-21 16:53:59 208 --ah----- \sqmdata00.sqm
2008-07-21 16:53:59 208 --ah----- \sqmdata00.sqm
2008-07-21 14:24:54 244 --ah----- \sqmnoopt19.sqm
2008-07-21 14:24:54 244 --ah----- \sqmnoopt19.sqm
2008-07-21 14:24:54 268 --ah----- \sqmdata19.sqm
2008-07-21 14:24:54 268 --ah----- \sqmdata19.sqm
2008-07-21 14:02:36 3178 --a------ \rapport.txt
2008-07-21 14:02:36 3178 --a------ \rapport.txt
2008-07-21 13:55:03 244 --ah----- \sqmnoopt18.sqm
2008-07-21 13:55:03 268 --ah----- \sqmdata18.sqm
2008-07-21 13:54:30 0 dr------- \Program Files
2008-07-21 12:43:07 244 --ah----- \sqmnoopt17.sqm
2008-07-21 12:43:07 268 --ah----- \sqmdata17.sqm
2008-07-21 12:00:04 232 --ah----- \sqmdata16.sqm
2008-07-21 12:00:03 244 --ah----- \sqmnoopt16.sqm
2008-07-21 11:57:54 244 --ah----- \sqmnoopt15.sqm
2008-07-21 11:57:54 268 --ah----- \sqmdata15.sqm
2008-07-21 11:54:21 610 --a------ \VundoFix.txt
2008-07-21 10:54:51 244 --ah----- \sqmnoopt14.sqm
2008-07-21 10:54:51 268 --ah----- \sqmdata14.sqm
2008-07-07 12:20:26 244 --ah----- \sqmnoopt13.sqm
2008-07-07 12:20:26 268 --ah----- \sqmdata13.sqm
2008-07-07 12:05:10 244 --ah----- \sqmnoopt12.sqm
2008-07-07 12:05:10 268 --ah----- \sqmdata12.sqm
2008-07-07 12:02:35 244 --ah----- \sqmnoopt11.sqm
2008-07-07 12:02:35 268 --ah----- \sqmdata11.sqm
2008-07-06 21:52:15 244 --ah----- \sqmnoopt10.sqm
2008-07-06 21:52:15 268 --ah----- \sqmdata10.sqm
2008-07-06 21:35:17 244 --ah----- \sqmnoopt09.sqm
2008-07-06 21:35:17 268 --ah----- \sqmdata09.sqm
2008-07-06 21:29:09 244 --ah----- \sqmnoopt08.sqm
2008-07-06 21:29:09 268 --ah----- \sqmdata08.sqm
2008-07-06 21:25:41 244 --ah----- \sqmnoopt07.sqm
2008-07-06 21:25:41 268 --ah----- \sqmdata07.sqm
2008-07-06 21:17:07 244 --ah----- \sqmnoopt06.sqm
2008-07-06 21:17:07 268 --ah----- \sqmdata06.sqm
2008-07-01 23:11:38 244 --ah----- \sqmnoopt05.sqm
2008-07-01 23:11:38 268 --ah----- \sqmdata05.sqm
2008-06-29 22:04:02 0 d--hs---- \System Volume Information
2008-06-16 22:59:27 0 d-------- C:\Documents and Settings\User\Application Data\RegSweep


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [11/06/2007 17:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [12/08/2004 21:18]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 10:34]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [11/04/2008 19:48]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau C:\WINDOWS\system32\hgGyawVP

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0ee9e650-e13c-11dc-8a1e-000802da3a11}]
AutoRun\command- E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a25cba00-e0c8-11dc-8a1d-000802da3a11}]
AutoRun\command- E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a25cba01-e0c8-11dc-8a1d-000802da3a11}]
AutoRun\command- E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a25cba04-e0c8-11dc-8a1d-000802da3a11}]
AutoRun\command- E:\AutoRun.exe




-- End of Deckard's System Scanner: finished at 2008-07-29 11:00:19 ------------

Edited by Orange Blossom, 28 July 2008 - 11:06 PM.



#2 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • Gender:Male
  • Location:Boston Mass
  • Local time:02:46 AM

Posted 08 August 2008 - 09:47 PM

Hello and welcome to BC

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. We aim to provide the valuable service known to come from BC to every member we can, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using it.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run, as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue, as the scan is not harmful.


If you already performed the steps above, we still need to see the current state of the machine; a fresh scan and logs are still necessary.

Click on Start, then click on Run.
Copy and paste the following (in bold) into the open window, then click OK:
"%userprofile%\desktop\dss.exe" /config
This will open the DSS configuration.
Click on Check All.
Click Scan.
DSS will now run again. When it is finished,
please post back both logs that open in Notepad:
main.txt and extra.txt



Next
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page, in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#3 bugger

bugger
  • Topic Starter

  • Members
  • 19 posts
  • Local time:03:46 PM

Posted 11 August 2008 - 08:12 AM

I have noticed that AVG version 8 is picked up in the scans. I have never downloaded the program, so I don't know where that has come from, if that's any help. I can't do the Kaspersky scan even after I turn off the firewall; Windows comes up with "the publisher cannot be verified", and the publisher is shown as default.


Deckard's System Scanner v20071014.68
Run by User on 2008-08-11 20:40:08
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 480 MiB (512 MiB recommended).


-- HijackThis (run as User.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:42:33, on 11/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Desktop\dss.exe
C:\TRENDM~1\HIJACK~1\User.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: GtFlashSwitch - OptionNV - C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 5284 bytes

-- Files created between 2008-07-11 and 2008-08-11 -----------------------------

2008-07-29 10:53:44 0 d-------- C:\Trend Micro
2008-07-29 10:53:44 0 d-------- \Trend Micro
2008-07-29 10:48:50 0 d-------- \Deckard
2008-07-27 10:02:34 0 d-------- C:\WINDOWS\ERUNT
2008-07-27 09:56:52 0 d-------- \SDFix
2008-07-21 14:00:59 410 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-21 14:00:24 81920 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-07-21 14:00:23 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-07-21 14:00:21 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-21 14:00:20 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-07-21 14:00:19 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-07-21 14:00:19 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-21 14:00:16 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-07-21 13:23:56 0 d-------- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-07-21 13:23:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-21 12:01:09 0 d--hs---- C:\WINDOWS\CSC
2008-07-21 11:31:33 0 d-------- C:\VundoFix Backups
2008-07-21 11:31:33 0 d-------- \VundoFix Backups


-- Find3M Report ---------------------------------------------------------------

2008-08-11 20:34:31 754974720 --ahs---- \pagefile.sys
2008-08-11 20:34:30 0 dr------- \Program Files
2008-08-11 20:33:05 244 --ah----- \sqmnoopt05.sqm
2008-08-11 20:33:05 268 --ah----- \sqmdata05.sqm
2008-07-29 10:49:13 0 d-------- \WINDOWS
2008-07-27 10:51:19 0 d-------- C:\Documents and Settings\User\Application Data\uTorrent
2008-07-26 11:49:05 244 --ah----- \sqmnoopt04.sqm
2008-07-26 11:49:05 268 --ah----- \sqmdata04.sqm
2008-07-26 10:27:37 244 --ah----- \sqmnoopt03.sqm
2008-07-26 10:27:37 268 --ah----- \sqmdata03.sqm
2008-07-26 10:23:22 244 --ah----- \sqmnoopt02.sqm
2008-07-26 10:23:22 268 --ah----- \sqmdata02.sqm
2008-07-23 13:28:58 244 --ah----- \sqmnoopt01.sqm
2008-07-23 13:28:58 268 --ah----- \sqmdata01.sqm
2008-07-21 16:53:59 172 --ah----- \sqmnoopt00.sqm
2008-07-21 16:53:59 208 --ah----- \sqmdata00.sqm
2008-07-21 14:24:54 244 --ah----- \sqmnoopt19.sqm
2008-07-21 14:24:54 268 --ah----- \sqmdata19.sqm
2008-07-21 14:02:36 3178 --a------ \rapport.txt
2008-07-21 13:55:03 244 --ah----- \sqmnoopt18.sqm
2008-07-21 13:55:03 268 --ah----- \sqmdata18.sqm
2008-07-21 12:43:07 244 --ah----- \sqmnoopt17.sqm
2008-07-21 12:43:07 268 --ah----- \sqmdata17.sqm
2008-07-21 12:00:04 232 --ah----- \sqmdata16.sqm
2008-07-21 12:00:03 244 --ah----- \sqmnoopt16.sqm
2008-07-21 11:57:54 244 --ah----- \sqmnoopt15.sqm
2008-07-21 11:57:54 268 --ah----- \sqmdata15.sqm
2008-07-21 11:54:21 610 --a------ \VundoFix.txt
2008-07-21 10:54:51 244 --ah----- \sqmnoopt14.sqm
2008-07-21 10:54:51 268 --ah----- \sqmdata14.sqm
2008-07-07 12:20:26 244 --ah----- \sqmnoopt13.sqm
2008-07-07 12:20:26 268 --ah----- \sqmdata13.sqm
2008-07-07 12:05:10 244 --ah----- \sqmnoopt12.sqm
2008-07-07 12:05:10 268 --ah----- \sqmdata12.sqm
2008-07-07 12:02:35 244 --ah----- \sqmnoopt11.sqm
2008-07-07 12:02:35 268 --ah----- \sqmdata11.sqm
2008-07-06 21:52:15 244 --ah----- \sqmnoopt10.sqm
2008-07-06 21:52:15 268 --ah----- \sqmdata10.sqm
2008-07-06 21:47:09 0 d-------- \Programs
2008-07-06 21:35:17 244 --ah----- \sqmnoopt09.sqm
2008-07-06 21:35:17 268 --ah----- \sqmdata09.sqm
2008-07-06 21:34:57 0 d-------- C:\Documents and Settings\User\Application Data\Help
2008-07-06 21:29:09 244 --ah----- \sqmnoopt08.sqm
2008-07-06 21:29:09 268 --ah----- \sqmdata08.sqm
2008-07-06 21:25:41 244 --ah----- \sqmnoopt07.sqm
2008-07-06 21:25:41 268 --ah----- \sqmdata07.sqm
2008-07-06 21:17:07 244 --ah----- \sqmnoopt06.sqm
2008-07-06 21:17:07 268 --ah----- \sqmdata06.sqm
2008-06-29 22:04:02 0 d--hs---- \System Volume Information
2008-06-29 19:51:24 0 d-------- C:\Documents and Settings\User\Application Data\WinRAR
2008-06-29 16:10:32 29760 --a------ C:\WINDOWS\system32\4jTs6UFr.exe
2008-06-16 22:59:27 0 d-------- C:\Documents and Settings\User\Application Data\RegSweep


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [12/08/2004 21:18]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 10:34]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [11/04/2008 19:48]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau C:\WINDOWS\system32\hgGyawVP

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0ee9e650-e13c-11dc-8a1e-000802da3a11}]
AutoRun\command- E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a25cba00-e0c8-11dc-8a1d-000802da3a11}]
AutoRun\command- E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a25cba01-e0c8-11dc-8a1d-000802da3a11}]
AutoRun\command- E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a25cba04-e0c8-11dc-8a1d-000802da3a11}]
AutoRun\command- E:\AutoRun.exe




-- End of Deckard's System Scanner: finished at 2008-08-11 20:42:59 ------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:48:48, on 11/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Desktop\dss.exe
C:\TRENDM~1\HIJACK~1\User.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: GtFlashSwitch - OptionNV - C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 5284 bytes



Deckard's System Scanner v20071014.68
Run by User on 2008-08-11 20:54:08
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; System Restore is disabled (service is not running).


-- Last 1 Restore Point(s) --
1: 2008-06-29 14:04:14 UTC - RP112 - System Checkpoint


Performed disk cleanup.

Total Physical Memory: 480 MiB (512 MiB recommended).


-- HijackThis (run as User.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:54:11, on 11/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\desktop\dss.exe
C:\TRENDM~1\HIJACK~1\User.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: GtFlashSwitch - OptionNV - C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 5284 bytes

-- File Associations -----------------------------------------------------------

.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 caboagp (ATI Cabo AGP Filter) - c:\windows\system32\drivers\atisgkaf.sys <Not Verified; ATI Technologies Inc.; ATI AGP GART Driver>

S3 catchme - c:\docume~1\user\locals~1\temp\catchme.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 GtFlashSwitch - "c:\program files\common files\gtflashswitch\gtflashswitch.exe" <Not Verified; OptionNV; GtFlashSwitch>

S3 PACSPTISVR - "c:\program files\common files\sony shared\avlib\pacsptisvr.exe" <Not Verified; ; PACSPTISVR Module>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

All modules okay.


-- Scheduled Tasks -------------------------------------------------------------

2008-07-29 11:00:06 350 --a------ C:\WINDOWS\Tasks\At12.job
2008-07-28 19:00:02 350 --a------ C:\WINDOWS\Tasks\At20.job
2008-07-28 18:00:03 350 --a------ C:\WINDOWS\Tasks\At19.job
2008-07-28 16:00:14 350 --a------ C:\WINDOWS\Tasks\At17.job
2008-07-26 20:00:16 350 --a------ C:\WINDOWS\Tasks\At21.job
2008-07-26 17:00:02 350 --a------ C:\WINDOWS\Tasks\At18.job
2008-07-26 15:00:02 350 --a------ C:\WINDOWS\Tasks\At16.job
2008-07-26 14:00:03 350 --a------ C:\WINDOWS\Tasks\At15.job
2008-07-26 13:00:03 350 --a------ C:\WINDOWS\Tasks\At14.job
2008-07-26 12:00:09 350 --a------ C:\WINDOWS\Tasks\At13.job
2008-07-01 23:00:04 350 --a------ C:\WINDOWS\Tasks\At24.job
2008-06-29 22:00:12 350 --a------ C:\WINDOWS\Tasks\At23.job
2008-06-29 21:00:04 350 --a------ C:\WINDOWS\Tasks\At22.job
2008-06-29 16:11:07 350 --a------ C:\WINDOWS\Tasks\At9.job
2008-06-29 16:11:07 350 --a------ C:\WINDOWS\Tasks\At8.job
2008-06-29 16:11:07 350 --a------ C:\WINDOWS\Tasks\At7.job
2008-06-29 16:11:07 350 --a------ C:\WINDOWS\Tasks\At6.job
2008-06-29 16:11:07 350 --a------ C:\WINDOWS\Tasks\At5.job
2008-06-29 16:11:07 350 --a------ C:\WINDOWS\Tasks\At4.job
2008-06-29 16:11:07 350 --a------ C:\WINDOWS\Tasks\At3.job
2008-06-29 16:11:07 350 --a------ C:\WINDOWS\Tasks\At2.job
2008-06-29 16:11:07 350 --a------ C:\WINDOWS\Tasks\At11.job
2008-06-29 16:11:07 350 --a------ C:\WINDOWS\Tasks\At10.job
2008-06-29 16:11:07 350 --a------ C:\WINDOWS\Tasks\At1.job
2008-06-17 10:42:48 384 --a------ C:\WINDOWS\Tasks\RegSweep Scheduled Scan.job


-- Files created between 2008-07-11 and 2008-08-11 -----------------------------

2008-07-29 10:53:44 0 d-------- C:\Trend Micro
2008-07-29 10:53:44 0 d-------- \Trend Micro
2008-07-29 10:53:44 0 d-------- \Trend Micro
2008-07-29 10:48:50 0 d-------- \Deckard
2008-07-29 10:48:50 0 d-------- \Deckard
2008-07-27 10:02:34 0 d-------- C:\WINDOWS\ERUNT
2008-07-27 09:56:52 0 d-------- \SDFix
2008-07-27 09:56:52 0 d-------- \SDFix
2008-07-21 14:00:59 410 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-21 14:00:24 81920 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-07-21 14:00:23 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-07-21 14:00:21 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-21 14:00:20 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-07-21 14:00:19 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-07-21 14:00:19 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-21 14:00:16 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-07-21 13:23:56 0 d-------- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-07-21 13:23:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-21 12:01:09 0 d--hs---- C:\WINDOWS\CSC
2008-07-21 11:31:33 0 d-------- C:\VundoFix Backups
2008-07-21 11:31:33 0 d-------- \VundoFix Backups
2008-07-21 11:31:33 0 d-------- \VundoFix Backups


-- Find3M Report ---------------------------------------------------------------

2008-08-11 20:34:31 754974720 --ahs---- \pagefile.sys
2008-08-11 20:34:31 754974720 --ahs---- \pagefile.sys
2008-08-11 20:34:30 0 dr------- \Program Files
2008-08-11 20:34:30 0 dr------- \Program Files
2008-08-11 20:33:05 244 --ah----- \sqmnoopt05.sqm
2008-08-11 20:33:05 244 --ah----- \sqmnoopt05.sqm
2008-08-11 20:33:05 268 --ah----- \sqmdata05.sqm
2008-08-11 20:33:05 268 --ah----- \sqmdata05.sqm
2008-07-29 10:49:13 0 d-------- \WINDOWS
2008-07-29 10:49:13 0 d-------- \WINDOWS
2008-07-27 10:51:19 0 d-------- C:\Documents and Settings\User\Application Data\uTorrent
2008-07-26 11:49:05 244 --ah----- \sqmnoopt04.sqm
2008-07-26 11:49:05 244 --ah----- \sqmnoopt04.sqm
2008-07-26 11:49:05 268 --ah----- \sqmdata04.sqm
2008-07-26 11:49:05 268 --ah----- \sqmdata04.sqm
2008-07-26 10:27:37 244 --ah----- \sqmnoopt03.sqm
2008-07-26 10:27:37 244 --ah----- \sqmnoopt03.sqm
2008-07-26 10:27:37 268 --ah----- \sqmdata03.sqm
2008-07-26 10:27:37 268 --ah----- \sqmdata03.sqm
2008-07-26 10:23:22 244 --ah----- \sqmnoopt02.sqm
2008-07-26 10:23:22 244 --ah----- \sqmnoopt02.sqm
2008-07-26 10:23:22 268 --ah----- \sqmdata02.sqm
2008-07-26 10:23:22 268 --ah----- \sqmdata02.sqm
2008-07-23 13:28:58 244 --ah----- \sqmnoopt01.sqm
2008-07-23 13:28:58 244 --ah----- \sqmnoopt01.sqm
2008-07-23 13:28:58 268 --ah----- \sqmdata01.sqm
2008-07-23 13:28:58 268 --ah----- \sqmdata01.sqm
2008-07-21 16:53:59 172 --ah----- \sqmnoopt00.sqm
2008-07-21 16:53:59 172 --ah----- \sqmnoopt00.sqm
2008-07-21 16:53:59 208 --ah----- \sqmdata00.sqm
2008-07-21 16:53:59 208 --ah----- \sqmdata00.sqm
2008-07-21 14:24:54 244 --ah----- \sqmnoopt19.sqm
2008-07-21 14:24:54 244 --ah----- \sqmnoopt19.sqm
2008-07-21 14:24:54 268 --ah----- \sqmdata19.sqm
2008-07-21 14:24:54 268 --ah----- \sqmdata19.sqm
2008-07-21 14:02:36 3178 --a------ \rapport.txt
2008-07-21 14:02:36 3178 --a------ \rapport.txt
2008-07-21 13:55:03 244 --ah----- \sqmnoopt18.sqm
2008-07-21 13:55:03 244 --ah----- \sqmnoopt18.sqm
2008-07-21 13:55:03 268 --ah----- \sqmdata18.sqm
2008-07-21 13:55:03 268 --ah----- \sqmdata18.sqm
2008-07-21 12:43:07 244 --ah----- \sqmnoopt17.sqm
2008-07-21 12:43:07 244 --ah----- \sqmnoopt17.sqm
2008-07-21 12:43:07 268 --ah----- \sqmdata17.sqm
2008-07-21 12:43:07 268 --ah----- \sqmdata17.sqm
2008-07-21 12:00:04 232 --ah----- \sqmdata16.sqm
2008-07-21 12:00:04 232 --ah----- \sqmdata16.sqm
2008-07-21 12:00:03 244 --ah----- \sqmnoopt16.sqm
2008-07-21 12:00:03 244 --ah----- \sqmnoopt16.sqm
2008-07-21 11:57:54 244 --ah----- \sqmnoopt15.sqm
2008-07-21 11:57:54 244 --ah----- \sqmnoopt15.sqm
2008-07-21 11:57:54 268 --ah----- \sqmdata15.sqm
2008-07-21 11:57:54 268 --ah----- \sqmdata15.sqm
2008-07-21 11:54:21 610 --a------ \VundoFix.txt
2008-07-21 11:54:21 610 --a------ \VundoFix.txt
2008-07-21 10:54:51 244 --ah----- \sqmnoopt14.sqm
2008-07-21 10:54:51 244 --ah----- \sqmnoopt14.sqm
2008-07-21 10:54:51 268 --ah----- \sqmdata14.sqm
2008-07-21 10:54:51 268 --ah----- \sqmdata14.sqm
2008-07-07 12:20:26 244 --ah----- \sqmnoopt13.sqm
2008-07-07 12:20:26 244 --ah----- \sqmnoopt13.sqm
2008-07-07 12:20:26 268 --ah----- \sqmdata13.sqm
2008-07-07 12:20:26 268 --ah----- \sqmdata13.sqm
2008-07-07 12:05:10 244 --ah----- \sqmnoopt12.sqm
2008-07-07 12:05:10 244 --ah----- \sqmnoopt12.sqm
2008-07-07 12:05:10 268 --ah----- \sqmdata12.sqm
2008-07-07 12:05:10 268 --ah----- \sqmdata12.sqm
2008-07-07 12:02:35 244 --ah----- \sqmnoopt11.sqm
2008-07-07 12:02:35 244 --ah----- \sqmnoopt11.sqm
2008-07-07 12:02:35 268 --ah----- \sqmdata11.sqm
2008-07-07 12:02:35 268 --ah----- \sqmdata11.sqm
2008-07-06 21:52:15 244 --ah----- \sqmnoopt10.sqm
2008-07-06 21:52:15 244 --ah----- \sqmnoopt10.sqm
2008-07-06 21:52:15 268 --ah----- \sqmdata10.sqm
2008-07-06 21:52:15 268 --ah----- \sqmdata10.sqm
2008-07-06 21:47:09 0 d-------- \Programs
2008-07-06 21:47:09 0 d-------- \Programs
2008-07-06 21:35:17 244 --ah----- \sqmnoopt09.sqm
2008-07-06 21:35:17 244 --ah----- \sqmnoopt09.sqm
2008-07-06 21:35:17 268 --ah----- \sqmdata09.sqm
2008-07-06 21:35:17 268 --ah----- \sqmdata09.sqm
2008-07-06 21:34:57 0 d-------- C:\Documents and Settings\User\Application Data\Help
2008-07-06 21:29:09 244 --ah----- \sqmnoopt08.sqm
2008-07-06 21:29:09 244 --ah----- \sqmnoopt08.sqm
2008-07-06 21:29:09 268 --ah----- \sqmdata08.sqm
2008-07-06 21:29:09 268 --ah----- \sqmdata08.sqm
2008-07-06 21:25:41 244 --ah----- \sqmnoopt07.sqm
2008-07-06 21:25:41 244 --ah----- \sqmnoopt07.sqm
2008-07-06 21:25:41 268 --ah----- \sqmdata07.sqm
2008-07-06 21:25:41 268 --ah----- \sqmdata07.sqm
2008-07-06 21:17:07 244 --ah----- \sqmnoopt06.sqm
2008-07-06 21:17:07 244 --ah----- \sqmnoopt06.sqm
2008-07-06 21:17:07 268 --ah----- \sqmdata06.sqm
2008-07-06 21:17:07 268 --ah----- \sqmdata06.sqm
2008-06-29 22:04:02 0 d--hs---- \System Volume Information
2008-06-29 22:04:02 0 d--hs---- \System Volume Information
2008-06-29 19:51:24 0 d-------- C:\Documents and Settings\User\Application Data\WinRAR
2008-06-29 16:10:32 29760 --a------ C:\WINDOWS\system32\4jTs6UFr.exe
2008-06-16 22:59:27 0 d-------- C:\Documents and Settings\User\Application Data\RegSweep


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [12/08/2004 21:18]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 10:34]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [11/04/2008 19:48]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau C:\WINDOWS\system32\hgGyawVP

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0ee9e650-e13c-11dc-8a1e-000802da3a11}]
AutoRun\command- E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a25cba00-e0c8-11dc-8a1d-000802da3a11}]
AutoRun\command- E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a25cba01-e0c8-11dc-8a1d-000802da3a11}]
AutoRun\command- E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a25cba04-e0c8-11dc-8a1d-000802da3a11}]
AutoRun\command- E:\AutoRun.exe




-- End of Deckard's System Scanner: finished at 2008-08-11 20:55:55 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 1400MHz
Percentage of Memory in Use: 56%
Physical Memory (total/avail): 479.36 MiB / 207.82 MiB
Pagefile Memory (total/avail): 1122 MiB / 898.25 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1903.71 MiB

C: is Fixed (NTFS) - 78.13 GiB total, 64.58 GiB free.
D: is Fixed (NTFS) - 33.66 GiB total, 33.59 GiB free.

\\.\PHYSICALDRIVE0 - ST9120822A - 111.79 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 78.13 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 33.66 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntivirusOverride is set.

AV: AVG Anti-Virus Professional Edition v8.0 (GRISOFT) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Disabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Disabled:avgnsx.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Disabled:avgupd.exe"
"C:\\Program Files\\Unwired\\UwWiz.exe"="C:\\Program Files\\Unwired\\UwWiz.exe:*:Disabled:Connection Assistant"
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"="C:\\WINDOWS\\system32\\usmt\\migwiz.exe:*:Disabled:Files and Settings Transfer Wizard"
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"="C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Disabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Disabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Documents and Settings\\User\\Desktop\\dss.exe"="C:\\Documents and Settings\\User\\Desktop\\dss.exe:*:Enabled:dss.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\User\Application Data
COMPUTERNAME=NONE-0FE356AE6A
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\User
LOGONSERVER=\\NONE-0FE356AE6A
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\Program Files\Support Tools\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 9 Stepping 5, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0905
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\User\LOCALS~1\Temp
TMP=C:\DOCUME~1\User\LOCALS~1\Temp
USERDOMAIN=NONE-0FE356AE6A
USERNAME=User
USERPROFILE=C:\Documents and Settings\User
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

User (admin)


-- Add/Remove Programs ---------------------------------------------------------

µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
HijackThis 2.0.2 --> "C:\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Windows Support Tools --> MsiExec.exe /I{8398B542-3CC4-44D9-83DF-696CCE70124B}


-- Application Event Log -------------------------------------------------------

Event Record #/Type1934 / Warning
Event Submitted/Written: 07/29/2008 10:51:34 AM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{90110409-6000-11D3-8CFE-0150048383C9}', feature 'ProductNonBootFiles' failed during request for component '{611A5543-AEAC-11D3-8621-005004838609}'

Event Record #/Type1932 / Warning
Event Submitted/Written: 07/29/2008 10:50:45 AM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{90110409-6000-11D3-8CFE-0150048383C9}', feature 'ProductNonBootFiles' failed during request for component '{611A5543-AEAC-11D3-8621-005004838609}'

Event Record #/Type1931 / Warning
Event Submitted/Written: 07/29/2008 10:50:45 AM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{90110409-6000-11D3-8CFE-0150048383C9}', feature 'ProductNonBootFiles' failed during request for component '{611A5543-AEAC-11D3-8621-005004838609}'

Event Record #/Type1930 / Warning
Event Submitted/Written: 07/29/2008 10:50:45 AM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{90110409-6000-11D3-8CFE-0150048383C9}', feature 'ProductNonBootFiles' failed during request for component '{611A5543-AEAC-11D3-8621-005004838609}'

Event Record #/Type1929 / Warning
Event Submitted/Written: 07/29/2008 10:48:18 AM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{50F90522-2ACE-434E-9987-F42A5F06208F}', feature 'FE_FileManager' failed during request for component '{F114BDD1-E645-4208-8F43-3543B584FC31}'



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type7297 / Error
Event Submitted/Written: 08/11/2008 08:34:58 PM
Event ID/Source: 7024 / Service Control Manager
Event Description:
The AVG8 WatchDog service terminated with service-specific error 3758161970 (0xE0010032).

Event Record #/Type7296 / Error
Event Submitted/Written: 08/11/2008 08:34:58 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The AVG8 E-mail Scanner service depends on the AVG8 WatchDog service which failed to start because of the following error:
%%1066

Event Record #/Type7295 / Error
Event Submitted/Written: 08/11/2008 08:34:58 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The System Restore Service service terminated with the following error:
%%1114

Event Record #/Type7284 / Error
Event Submitted/Written: 08/11/2008 08:25:21 PM
Event ID/Source: 16 / Windows Update Agent
Event Description:
Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Event Record #/Type7273 / Error
Event Submitted/Written: 08/11/2008 08:24:25 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The System Restore Service service terminated with the following error:
%%1114



-- End of Deckard's System Scanner: finished at 2008-08-11 20:55:55 ------------

#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:46 AM

Posted 12 August 2008 - 03:43 PM

Hello. I am PropagandaPanda (Panda or PP for short) and I will be helping you with your log.

I will need some time to look over your computer's log(s). I am still in training, so my responses to you must be checked by a coach.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Please take note of a few guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it may not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
With Regards,
The Panda

Important Note to Other Users Reading this Topic: The instructions provided in this topic are for the original topic starter only. Even if you have similar problems or log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic. Feel free to link to any relevant topics as needed.

#5 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:46 AM

Posted 14 August 2008 - 12:25 PM

Hello Bugger.

It seems that your machine suffered quite a lot of damage, some of which is likely permanent. You may have to resort to a repair install. At the very least, you will need to reinstall most of your programs.

Most of the malware is gone though.

Peer-to-Peer Programs Warning
Your log shows that you are using so called peer-to-peer or file-sharing programs (in your case uTorrent). These programs allow users to share files between them, as the name(s) suggest. In today's world cyber crime has reached an enormous dimension and every means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so they should be used with great care. Some further readings on this subject, along the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s). However, please refrain from using them until your computer has been declared clean.

Registry Cleaner(s) Warning
The following is referring to RegSweep

Please be aware that Bleeping Computer staff do not recommend the usage of registry cleaners/tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System. This could include making your computer inoperable.
  • These programs generally only delete "orphaned" or "dead" entries. This merely removes entries that point to files that no longer exist on your computer. Registry entries do not take up a significant amount of hard drive space. The program itself (and its own registry entries) likely occupy relatively more space.
  • The amount of improvement in performance you gain is minimal.
This is done on the assumption that much of the audience here at this board may be inexperienced users, and is thus a suggested safeguard from our side.
If you feel that you have sufficient knowledge to use such tools safely, then you are welcome to keep them.

Download and Run OTMoveIT
  • Please download OTMoveIt2 by OldTimer to your desktop.
  • Double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the quotebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    catchme <delete service>
    C:\WINDOWS\Tasks\At12.job
    C:\WINDOWS\Tasks\At20.job
    C:\WINDOWS\Tasks\At19.job
    C:\WINDOWS\Tasks\At17.job
    C:\WINDOWS\Tasks\At21.job
    C:\WINDOWS\Tasks\At18.job
    C:\WINDOWS\Tasks\At16.job
    C:\WINDOWS\Tasks\At15.job
    C:\WINDOWS\Tasks\At14.job
    C:\WINDOWS\Tasks\At13.job
    C:\WINDOWS\Tasks\At24.job
    C:\WINDOWS\Tasks\At23.job
    C:\WINDOWS\Tasks\At22.job
    C:\WINDOWS\Tasks\At9.job
    C:\WINDOWS\Tasks\At8.job
    C:\WINDOWS\Tasks\At7.job
    C:\WINDOWS\Tasks\At6.job
    C:\WINDOWS\Tasks\At5.job
    C:\WINDOWS\Tasks\At4.job
    C:\WINDOWS\Tasks\At3.job
    C:\WINDOWS\Tasks\At2.job
    C:\WINDOWS\Tasks\At11.job
    C:\WINDOWS\Tasks\At10.job
    C:\WINDOWS\Tasks\At1.job
    C:\WINDOWS\system32\4jTs6UFr.exe
    C:\WINDOWS\system32\hgGyawVP.dll

  • Return to OTMoveIt2, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Click the red Posted Image button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Apply Registry Fix
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "quote".


    REGEDIT4

    ; hex(7) is REG_MULTI_SZ: each element ("msv1_0", "nwprovau") ends in 00, and the list ends in an extra 00
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=hex(7):6D,73,76,31,5F,30,00,6E,77,70,72,6F,76,61,\
    75,00,00

  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input fix.reg.
  • Hit OK.
When done properly, the icon should look like Posted Image for a .reg file.

Double click fix.reg and answer Yes to the prompts. You will receive a message that the entries have been successfully merged. Delete fix.reg after use.

Create and run Batch Script
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "quote".


    @ECHO OFF
    REM Write a directory listing of Program Files to report.txt next to this script
    dir "%programfiles%">report.txt
    REM Open the listing with the default .txt handler (Notepad)
    report.txt
    REM Delete this batch file once it has run
    del %0

  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input check.bat.
  • Hit OK.
When done properly, the icon should look like Posted Image for a .bat file.

Double click check.bat. A black command prompt will open followed by a notepad. Copy the contents of the notepad back in your next reply.

Reinstall Antivirus
I see that your AVG is outdated and is missing components. I can't see the uninstall list, so try this to uninstall it:
Start>Run>Type
"C:\Program Files\AVG\AVG8\setup.exe" /UNINSTALL
This should uninstall your AVG. If it does not, do not continue with installing a new antivirus yet. If you are asked to restart, do so.

Install a free anti-virus program from below:---------------------------
Post back with:
-the OTMoveIt log
-a new DSS log
-the batch script report

Also tell me if you were able to uninstall AVG.

With Regards,
The Panda

Edited by PropagandaPanda, 14 August 2008 - 12:26 PM.
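
The two fixes in the post above (removing the bulk At*.job tasks and rewriting the LSA "Authentication Packages" value) are the kind of check a responder could automate from a DSS log rather than eyeball. The script below is an added example written for this thread; it is not part of DSS, OTMoveIt or the helper's instructions. It assumes DSS prints REG_MULTI_SZ elements separated by spaces (as the Registry Dump section above does), that the known-good baseline for this XP machine is msv1_0 plus nwprovau (an assumption, nwprovau being the NetWare client's package), and it works on a constructed excerpt built from entries shown in this thread. It also shows how the hex(7) bytes in the .reg fix are produced from, and decoded back to, the list of package names.

```python
import re
from typing import Dict, List

# Constructed excerpt in DSS log format, built from entries shown in this thread.
SAMPLE_DSS_LOG = """
-- Scheduled Tasks -------------------------------------------------------------

2008-07-29 11:00:06 350 --a------ C:\\WINDOWS\\Tasks\\At12.job
2008-06-29 16:11:07 350 --a------ C:\\WINDOWS\\Tasks\\At9.job
2008-06-29 16:11:07 350 --a------ C:\\WINDOWS\\Tasks\\At8.job
2008-06-29 16:11:07 350 --a------ C:\\WINDOWS\\Tasks\\At1.job
2008-06-17 10:42:48 384 --a------ C:\\WINDOWS\\Tasks\\RegSweep Scheduled Scan.job

-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]
"Authentication Packages"= msv1_0 nwprovau C:\\WINDOWS\\system32\\hgGyawVP
"""

# Assumed baseline: msv1_0 is the Windows default LSA package, nwprovau comes
# with Client Service for NetWare. Anything else loaded by LSA at boot is suspect.
KNOWN_AUTH_PACKAGES = {"msv1_0", "nwprovau"}

# DSS prints the REG_MULTI_SZ elements on one line, separated by spaces (assumption).
AUTH_RE = re.compile(r'^"Authentication Packages"=\s*(.*)$', re.MULTILINE)
# DSS task lines: <date> <time> <size> <attrs> <path>; we only care about AtN.job.
TASK_RE = re.compile(
    r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\d+\s+\S+\s+(.*\\Tasks\\(At\d+\.job))$',
    re.MULTILINE,
)


def auth_packages(log: str) -> List[str]:
    """Return the LSA Authentication Packages elements listed in a DSS log."""
    m = AUTH_RE.search(log)
    return m.group(1).split() if m else []


def unexpected_auth_packages(log: str, baseline=KNOWN_AUTH_PACKAGES) -> List[str]:
    """Elements not in the baseline, e.g. the hgGyawVP DLL from this thread."""
    return [p for p in auth_packages(log) if p.lower() not in baseline]


def bulk_at_jobs(log: str, threshold: int = 3) -> Dict[str, List[str]]:
    """Group AtN.job tasks by creation timestamp and keep batches of `threshold`
    or more created in the same second; an administrator does not schedule a
    dozen 'at' jobs in one second, a dropper does."""
    groups: Dict[str, List[str]] = {}
    for ts, _path, name in TASK_RE.findall(log):
        groups.setdefault(ts, []).append(name)
    return {ts: names for ts, names in groups.items() if len(names) >= threshold}


def multi_sz_to_hex7(strings: List[str]) -> str:
    """Encode a REG_MULTI_SZ for a REGEDIT4 .reg file: every element is
    NUL-terminated and the whole list ends with one more NUL."""
    data = b"".join(s.encode("ascii") + b"\x00" for s in strings) + b"\x00"
    return "hex(7):" + ",".join(f"{b:02X}" for b in data)


def hex7_to_multi_sz(value: str) -> List[str]:
    """Decode a hex(7) value (line continuations with '\\' allowed) back to strings."""
    body = value.split(":", 1)[1].replace("\\", "").replace("\n", "").replace(" ", "")
    data = bytes(int(h, 16) for h in body.split(",") if h)
    return [p.decode("ascii") for p in data.split(b"\x00") if p]


def clean_auth_packages_reg(log: str, baseline=KNOWN_AUTH_PACKAGES) -> str:
    """Build a .reg fragment that keeps only baseline packages from the log."""
    keep = [p for p in auth_packages(log) if p.lower() in baseline]
    return (
        "REGEDIT4\n\n"
        "[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]\n"
        f'"Authentication Packages"={multi_sz_to_hex7(keep)}\n'
    )


if __name__ == "__main__":
    print("unexpected LSA packages:", unexpected_auth_packages(SAMPLE_DSS_LOG))
    print("bulk At jobs:", bulk_at_jobs(SAMPLE_DSS_LOG))
    print(clean_auth_packages_reg(SAMPLE_DSS_LOG))
```

Run against the full DSS log instead of the excerpt and the same two checks reproduce the helper's findings: the 24 At jobs group by their creation second, and the LSA value shows one element outside the baseline. The .reg builder writes NUL (00) separators between elements; a space (20) inside a single element would make LSA look for a DLL literally named "msv1_0 nwprovau".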


#6 bugger

bugger
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:03:46 PM

Posted 16 August 2008 - 04:52 AM

catchme service deleted successfully.
C:\WINDOWS\Tasks\At12.job moved successfully.
C:\WINDOWS\Tasks\At20.job moved successfully.
C:\WINDOWS\Tasks\At19.job moved successfully.
C:\WINDOWS\Tasks\At17.job moved successfully.
C:\WINDOWS\Tasks\At21.job moved successfully.
C:\WINDOWS\Tasks\At18.job moved successfully.
C:\WINDOWS\Tasks\At16.job moved successfully.
C:\WINDOWS\Tasks\At15.job moved successfully.
C:\WINDOWS\Tasks\At14.job moved successfully.
C:\WINDOWS\Tasks\At13.job moved successfully.
C:\WINDOWS\Tasks\At24.job moved successfully.
C:\WINDOWS\Tasks\At23.job moved successfully.
C:\WINDOWS\Tasks\At22.job moved successfully.
C:\WINDOWS\Tasks\At9.job moved successfully.
C:\WINDOWS\Tasks\At8.job moved successfully.
C:\WINDOWS\Tasks\At7.job moved successfully.
C:\WINDOWS\Tasks\At6.job moved successfully.
C:\WINDOWS\Tasks\At5.job moved successfully.
C:\WINDOWS\Tasks\At4.job moved successfully.
C:\WINDOWS\Tasks\At3.job moved successfully.
C:\WINDOWS\Tasks\At2.job moved successfully.
C:\WINDOWS\Tasks\At11.job moved successfully.
C:\WINDOWS\Tasks\At10.job moved successfully.
C:\WINDOWS\Tasks\At1.job moved successfully.
C:\WINDOWS\system32\4jTs6UFr.exe moved successfully.
File/Folder C:\WINDOWS\system32\hgGyawVP.dll not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08162008_174104


Volume in drive C has no label.
Volume Serial Number is 0C5E-71FA

Directory of C:\Documents and Settings\User\Desktop

16/08/2008 17:47 <DIR> .
16/08/2008 17:47 <DIR> ..
16/08/2008 17:47 66 check.bat
28/06/2008 00:00 177,371 cleo on beanbag.JPG
29/06/2008 19:47 <DIR> downlaods
11/08/2008 20:39 686,630 dss.exe
11/08/2008 20:42 525 HijackThis.lnk
17/02/2008 17:10 104 Internet.lnk
25/06/2008 18:30 28,672 LOD Insurance Payment.doc
29/06/2008 21:26 <DIR> MOB SONGS
25/03/2008 17:32 701,390 MOV00001.3gp
16/02/2008 23:30 1,373,337 MOV00002.3gp
16/08/2008 17:40 291,840 OTMoveIt2.exe
22/02/2008 20:31 449,606 Put your lights on .amr
22/02/2008 20:37 1,740,144 Rehab.dcf
16/08/2008 17:47 0 report.txt
22/02/2008 20:32 671,494 Smooth.amr
27/07/2008 10:50 <DIR> songs to burn to cd
16/02/2008 23:27 1,624,624 Thunderstruck hells bells.3gp
29/06/2008 21:24 4,305,625 traci_brown
28/06/2008 00:04 61,837 you lookin at me.JPG
16 File(s) 12,113,265 bytes
5 Dir(s) 69,329,559,552 bytes free


Deckard's System Scanner v20071014.68
Run by User on 2008-08-16 17:49:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 480 MiB (512 MiB recommended).


-- HijackThis (run as User.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:49:37, on 16/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\User\Desktop\dss.exe
C:\TRENDM~1\HIJACK~1\User.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: solution Class - {99C6D1BB-7555-474C-91DA-D8FB62A9CC75} - C:\WINDOWS\system32\N14UpXjA.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: GtFlashSwitch - OptionNV - C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 5419 bytes

-- Files created between 2008-07-16 and 2008-08-16 -----------------------------

2008-08-16 17:43:01 0 d-------- C:\WINDOWS\LastGood
2008-08-16 17:41:04 0 d-------- \_OTMoveIt
2008-08-16 17:41:04 0 d-------- \_OTMoveIt
2008-08-11 21:12:17 29184 --a------ C:\WINDOWS\system32\N14UpXjA.dll <Not Verified; TODO: <Company name>; TODO: <Product name>>
2008-08-11 21:11:56 36354 --a------ C:\WINDOWS\system32\nBCu7x6a.exe
2008-07-29 10:53:44 0 d-------- C:\Trend Micro
2008-07-29 10:53:44 0 d-------- \Trend Micro
2008-07-29 10:53:44 0 d-------- \Trend Micro
2008-07-29 10:48:50 0 d-------- \Deckard
2008-07-29 10:48:50 0 d-------- \Deckard
2008-07-27 10:02:34 0 d-------- C:\WINDOWS\ERUNT
2008-07-27 09:56:52 0 d-------- \SDFix
2008-07-27 09:56:52 0 d-------- \SDFix
2008-07-21 14:00:59 410 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-21 14:00:24 81920 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-07-21 14:00:23 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-07-21 14:00:21 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-21 14:00:20 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-07-21 14:00:19 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-07-21 14:00:19 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-21 14:00:16 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-07-21 13:23:56 0 d-------- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-07-21 13:23:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-21 12:01:09 0 d--hs---- C:\WINDOWS\CSC
2008-07-21 11:31:33 0 d-------- C:\VundoFix Backups
2008-07-21 11:31:33 0 d-------- \VundoFix Backups
2008-07-21 11:31:33 0 d-------- \VundoFix Backups


-- Find3M Report ---------------------------------------------------------------

2008-08-16 17:44:40 0 d-------- \WINDOWS
2008-08-16 17:44:40 0 d-------- \WINDOWS
2008-08-16 17:37:47 754974720 --ahs---- \pagefile.sys
2008-08-16 17:37:47 754974720 --ahs---- \pagefile.sys
2008-08-11 21:15:35 244 --ah----- \sqmnoopt06.sqm
2008-08-11 21:15:35 244 --ah----- \sqmnoopt06.sqm
2008-08-11 21:15:35 268 --ah----- \sqmdata06.sqm
2008-08-11 21:15:35 268 --ah----- \sqmdata06.sqm
2008-08-11 20:34:30 0 dr------- \Program Files
2008-08-11 20:34:30 0 dr------- \Program Files
2008-08-11 20:33:05 244 --ah----- \sqmnoopt05.sqm
2008-08-11 20:33:05 244 --ah----- \sqmnoopt05.sqm
2008-08-11 20:33:05 268 --ah----- \sqmdata05.sqm
2008-08-11 20:33:05 268 --ah----- \sqmdata05.sqm
2008-07-27 10:51:19 0 d-------- C:\Documents and Settings\User\Application Data\uTorrent
2008-07-26 11:49:05 244 --ah----- \sqmnoopt04.sqm
2008-07-26 11:49:05 244 --ah----- \sqmnoopt04.sqm
2008-07-26 11:49:05 268 --ah----- \sqmdata04.sqm
2008-07-26 11:49:05 268 --ah----- \sqmdata04.sqm
2008-07-26 10:27:37 244 --ah----- \sqmnoopt03.sqm
2008-07-26 10:27:37 244 --ah----- \sqmnoopt03.sqm
2008-07-26 10:27:37 268 --ah----- \sqmdata03.sqm
2008-07-26 10:27:37 268 --ah----- \sqmdata03.sqm
2008-07-26 10:23:22 244 --ah----- \sqmnoopt02.sqm
2008-07-26 10:23:22 244 --ah----- \sqmnoopt02.sqm
2008-07-26 10:23:22 268 --ah----- \sqmdata02.sqm
2008-07-26 10:23:22 268 --ah----- \sqmdata02.sqm
2008-07-23 13:28:58 244 --ah----- \sqmnoopt01.sqm
2008-07-23 13:28:58 244 --ah----- \sqmnoopt01.sqm
2008-07-23 13:28:58 268 --ah----- \sqmdata01.sqm
2008-07-23 13:28:58 268 --ah----- \sqmdata01.sqm
2008-07-21 16:53:59 172 --ah----- \sqmnoopt00.sqm
2008-07-21 16:53:59 172 --ah----- \sqmnoopt00.sqm
2008-07-21 16:53:59 208 --ah----- \sqmdata00.sqm
2008-07-21 16:53:59 208 --ah----- \sqmdata00.sqm
2008-07-21 14:24:54 244 --ah----- \sqmnoopt19.sqm
2008-07-21 14:24:54 244 --ah----- \sqmnoopt19.sqm
2008-07-21 14:24:54 268 --ah----- \sqmdata19.sqm
2008-07-21 14:24:54 268 --ah----- \sqmdata19.sqm
2008-07-21 14:02:36 3178 --a------ \rapport.txt
2008-07-21 14:02:36 3178 --a------ \rapport.txt
2008-07-21 13:55:03 244 --ah----- \sqmnoopt18.sqm
2008-07-21 13:55:03 244 --ah----- \sqmnoopt18.sqm
2008-07-21 13:55:03 268 --ah----- \sqmdata18.sqm
2008-07-21 13:55:03 268 --ah----- \sqmdata18.sqm
2008-07-21 12:43:07 244 --ah----- \sqmnoopt17.sqm
2008-07-21 12:43:07 244 --ah----- \sqmnoopt17.sqm
2008-07-21 12:43:07 268 --ah----- \sqmdata17.sqm
2008-07-21 12:43:07 268 --ah----- \sqmdata17.sqm
2008-07-21 12:00:04 232 --ah----- \sqmdata16.sqm
2008-07-21 12:00:04 232 --ah----- \sqmdata16.sqm
2008-07-21 12:00:03 244 --ah----- \sqmnoopt16.sqm
2008-07-21 12:00:03 244 --ah----- \sqmnoopt16.sqm
2008-07-21 11:57:54 244 --ah----- \sqmnoopt15.sqm
2008-07-21 11:57:54 244 --ah----- \sqmnoopt15.sqm
2008-07-21 11:57:54 268 --ah----- \sqmdata15.sqm
2008-07-21 11:57:54 268 --ah----- \sqmdata15.sqm
2008-07-21 11:54:21 610 --a------ \VundoFix.txt
2008-07-21 11:54:21 610 --a------ \VundoFix.txt
2008-07-21 10:54:51 244 --ah----- \sqmnoopt14.sqm
2008-07-21 10:54:51 244 --ah----- \sqmnoopt14.sqm
2008-07-21 10:54:51 268 --ah----- \sqmdata14.sqm
2008-07-21 10:54:51 268 --ah----- \sqmdata14.sqm
2008-07-07 12:20:26 244 --ah----- \sqmnoopt13.sqm
2008-07-07 12:20:26 244 --ah----- \sqmnoopt13.sqm
2008-07-07 12:20:26 268 --ah----- \sqmdata13.sqm
2008-07-07 12:20:26 268 --ah----- \sqmdata13.sqm
2008-07-07 12:05:10 244 --ah----- \sqmnoopt12.sqm
2008-07-07 12:05:10 244 --ah----- \sqmnoopt12.sqm
2008-07-07 12:05:10 268 --ah----- \sqmdata12.sqm
2008-07-07 12:05:10 268 --ah----- \sqmdata12.sqm
2008-07-07 12:02:35 244 --ah----- \sqmnoopt11.sqm
2008-07-07 12:02:35 244 --ah----- \sqmnoopt11.sqm
2008-07-07 12:02:35 268 --ah----- \sqmdata11.sqm
2008-07-07 12:02:35 268 --ah----- \sqmdata11.sqm
2008-07-06 21:52:15 244 --ah----- \sqmnoopt10.sqm
2008-07-06 21:52:15 244 --ah----- \sqmnoopt10.sqm
2008-07-06 21:52:15 268 --ah----- \sqmdata10.sqm
2008-07-06 21:52:15 268 --ah----- \sqmdata10.sqm
2008-07-06 21:47:09 0 d-------- \Programs
2008-07-06 21:47:09 0 d-------- \Programs
2008-07-06 21:35:17 244 --ah----- \sqmnoopt09.sqm
2008-07-06 21:35:17 244 --ah----- \sqmnoopt09.sqm
2008-07-06 21:35:17 268 --ah----- \sqmdata09.sqm
2008-07-06 21:35:17 268 --ah----- \sqmdata09.sqm
2008-07-06 21:34:57 0 d-------- C:\Documents and Settings\User\Application Data\Help
2008-07-06 21:29:09 244 --ah----- \sqmnoopt08.sqm
2008-07-06 21:29:09 244 --ah----- \sqmnoopt08.sqm
2008-07-06 21:29:09 268 --ah----- \sqmdata08.sqm
2008-07-06 21:29:09 268 --ah----- \sqmdata08.sqm
2008-07-06 21:25:41 244 --ah----- \sqmnoopt07.sqm
2008-07-06 21:25:41 244 --ah----- \sqmnoopt07.sqm
2008-07-06 21:25:41 268 --ah----- \sqmdata07.sqm
2008-07-06 21:25:41 268 --ah----- \sqmdata07.sqm
2008-06-29 22:04:02 0 d--hs---- \System Volume Information
2008-06-29 22:04:02 0 d--hs---- \System Volume Information
2008-06-29 19:51:24 0 d-------- C:\Documents and Settings\User\Application Data\WinRAR
2008-06-16 22:59:27 0 d-------- C:\Documents and Settings\User\Application Data\RegSweep


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}]
11/08/2008 21:12 29184 --a------ C:\WINDOWS\system32\N14UpXjA.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [12/08/2004 21:18]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 10:34]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [11/04/2008 19:48]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0ee9e650-e13c-11dc-8a1e-000802da3a11}]
AutoRun\command- E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a25cba00-e0c8-11dc-8a1d-000802da3a11}]
AutoRun\command- E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a25cba01-e0c8-11dc-8a1d-000802da3a11}]
AutoRun\command- E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a25cba04-e0c8-11dc-8a1d-000802da3a11}]
AutoRun\command- E:\AutoRun.exe




-- End of Deckard's System Scanner: finished at 2008-08-16 17:50:01 ------------

#7 bugger

  • Topic Starter

Posted 16 August 2008 - 04:54 AM

I tried removing AVG and it came up with this error at the end.

Local machine: prepared for the installation
Installation:
Error: Uninstallation is not possible. Product not installed.


Is it OK to install another anti-virus program?

#8 PropagandaPanda

  • Malware Response Team

Posted 16 August 2008 - 10:08 AM

Hello Bugger.

Let's try to overwrite the current AVG installation by installing over it.

Create and run Batch Script
  • Let's try this again.
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "quote".


    @ECHO OFF
    dir "c:\program files">report.txt
    report.txt
    del %0

  • Click File, then Save As...
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input check.bat.
  • Hit OK.
Double click check.bat. A black command prompt will open followed by a notepad. Copy the contents of the notepad back in your next reply.



Install AVG Free again
----------------
Post back with a fresh DSS log and the report.txt.

With Regards,
The Panda

#9 bugger

  • Topic Starter

Posted 17 August 2008 - 06:32 AM

When I started up Windows, it asks me to log in as normal and the username is User and normally I just press enter, but it comes up with "unable to log you on cannot log on because of an account restrictions". I haven't had this happen before.

#10 bugger

  • Topic Starter

Posted 17 August 2008 - 06:38 AM

I also can't turn off the computer either by holding the power button down or by holding alt/cont/del simultaneously.

#11 bugger

  • Topic Starter

Posted 17 August 2008 - 06:43 AM

I got it to turn off, I mustn't have been holding the power button down long enough.

#12 PropagandaPanda

  • Malware Response Team

Posted 17 August 2008 - 08:15 AM

Reply:

Hello Bugger.

Is this the only account on your computer? Try to boot into Safe Mode and see if you can logon to the "Administrator" account.

With Regards,
The Panda

#13 bugger

  • Topic Starter

Posted 18 August 2008 - 04:05 AM

There is only one account, and I did it in safe mode with the "last known settings that worked" and that has worked fine.

#14 bugger

  • Topic Starter

Posted 18 August 2008 - 04:09 AM

Volume in drive C has no label.
Volume Serial Number is 0C5E-71FA

Directory of c:\program files

11/08/2008 20:34 <DIR> .
11/08/2008 20:34 <DIR> ..
05/03/2008 17:16 <DIR> Adobe
20/01/2008 09:08 <DIR> Analog Devices
07/03/2008 17:45 <DIR> ATI Technologies
25/02/2008 19:52 <DIR> AVG
20/01/2008 09:04 <DIR> Broadcom
07/04/2008 23:00 <DIR> Common Files
20/01/2008 08:51 <DIR> ComPlus Applications
25/02/2008 14:19 <DIR> Google
16/06/2008 09:54 <DIR> Internet Explorer
25/02/2008 11:11 <DIR> K-Lite Codec Pack
25/02/2008 09:53 <DIR> Messenger
20/01/2008 09:19 <DIR> Microsoft ActiveSync
20/01/2008 08:56 <DIR> microsoft frontpage
20/01/2008 09:18 <DIR> Microsoft Office
20/01/2008 09:19 <DIR> Microsoft.NET
20/01/2008 08:52 <DIR> Movie Maker
20/01/2008 08:50 <DIR> MSN
20/01/2008 08:51 <DIR> MSN Gaming Zone
18/02/2008 16:43 <DIR> MSXML 4.0
20/01/2008 08:53 <DIR> NetMeeting
20/01/2008 08:53 <DIR> Online Services
07/03/2008 17:55 <DIR> Optus Internet Security Suite
22/02/2008 06:06 <DIR> Optus Wireless Broadband
15/02/2008 12:08 <DIR> Optus Wireless Connect
18/02/2008 16:46 <DIR> Outlook Express
07/04/2008 23:03 <DIR> Sony
17/02/2008 11:25 <DIR> Sony Ericsson
17/02/2008 15:07 <DIR> uTorrent
16/03/2008 15:05 <DIR> Windows Live
23/02/2008 00:30 <DIR> Windows Media Connect 2
23/02/2008 00:30 <DIR> Windows Media Player
20/01/2008 08:51 <DIR> Windows NT
29/06/2008 22:25 <DIR> WinRAR
20/01/2008 08:56 <DIR> xerox
0 File(s) 0 bytes
36 Dir(s) 69,290,409,984 bytes free


Deckard's System Scanner v20071014.68
Run by User on 2008-08-18 17:52:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 480 MiB (512 MiB recommended).


-- HijackThis (run as User.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:52:33, on 18/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\User\Desktop\dss.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\TRENDM~1\HIJACK~1\User.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: solution Class - {99C6D1BB-7555-474C-91DA-D8FB62A9CC75} - C:\WINDOWS\system32\N14UpXjA.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: GtFlashSwitch - OptionNV - C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 5932 bytes

-- Files created between 2008-07-18 and 2008-08-18 -----------------------------

2008-08-18 17:46:15 0 d-------- C:\Documents and Settings\User\Application Data\AVGTOOLBAR
2008-08-16 17:41:04 0 d-------- \_OTMoveIt
2008-08-16 17:41:04 0 d-------- \_OTMoveIt
2008-08-11 21:12:17 29184 --a------ C:\WINDOWS\system32\N14UpXjA.dll <Not Verified; TODO: <Company name>; TODO: <Product name>>
2008-08-11 21:11:56 36354 --a------ C:\WINDOWS\system32\nBCu7x6a.exe
2008-07-29 10:53:44 0 d-------- C:\Trend Micro
2008-07-29 10:53:44 0 d-------- \Trend Micro
2008-07-29 10:53:44 0 d-------- \Trend Micro
2008-07-29 10:48:50 0 d-------- \Deckard
2008-07-29 10:48:50 0 d-------- \Deckard
2008-07-27 10:02:34 0 d-------- C:\WINDOWS\ERUNT
2008-07-27 09:56:52 0 d-------- \SDFix
2008-07-27 09:56:52 0 d-------- \SDFix
2008-07-21 14:00:59 410 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-21 14:00:24 81920 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-07-21 14:00:23 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-07-21 14:00:21 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-21 14:00:20 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-07-21 14:00:19 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-07-21 14:00:19 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-21 14:00:16 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-07-21 13:23:56 0 d-------- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-07-21 13:23:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-21 12:01:09 0 d--hs---- C:\WINDOWS\CSC
2008-07-21 11:31:33 0 d-------- C:\VundoFix Backups
2008-07-21 11:31:33 0 d-------- \VundoFix Backups
2008-07-21 11:31:33 0 d-------- \VundoFix Backups


-- Find3M Report ---------------------------------------------------------------

2008-08-18 17:51:12 0 d-------- \WINDOWS
2008-08-18 17:51:12 0 d-------- \WINDOWS
2008-08-18 17:50:32 754974720 --ahs---- \pagefile.sys
2008-08-18 17:50:32 754974720 --ahs---- \pagefile.sys
2008-08-18 17:49:20 268 --ah----- \sqmdata08.sqm
2008-08-18 17:49:20 268 --ah----- \sqmdata08.sqm
2008-08-18 17:49:19 244 --ah----- \sqmnoopt08.sqm
2008-08-18 17:49:19 244 --ah----- \sqmnoopt08.sqm
2008-08-18 17:41:41 0 dr------- \Program Files
2008-08-18 17:41:41 0 dr------- \Program Files
2008-08-16 17:55:25 244 --ah----- \sqmnoopt07.sqm
2008-08-16 17:55:25 244 --ah----- \sqmnoopt07.sqm
2008-08-16 17:55:25 268 --ah----- \sqmdata07.sqm
2008-08-16 17:55:25 268 --ah----- \sqmdata07.sqm
2008-08-11 21:15:35 244 --ah----- \sqmnoopt06.sqm
2008-08-11 21:15:35 244 --ah----- \sqmnoopt06.sqm
2008-08-11 21:15:35 268 --ah----- \sqmdata06.sqm
2008-08-11 21:15:35 268 --ah----- \sqmdata06.sqm
2008-08-11 20:33:05 244 --ah----- \sqmnoopt05.sqm
2008-08-11 20:33:05 244 --ah----- \sqmnoopt05.sqm
2008-08-11 20:33:05 268 --ah----- \sqmdata05.sqm
2008-08-11 20:33:05 268 --ah----- \sqmdata05.sqm
2008-07-27 10:51:19 0 d-------- C:\Documents and Settings\User\Application Data\uTorrent
2008-07-26 11:49:05 244 --ah----- \sqmnoopt04.sqm
2008-07-26 11:49:05 244 --ah----- \sqmnoopt04.sqm
2008-07-26 11:49:05 268 --ah----- \sqmdata04.sqm
2008-07-26 11:49:05 268 --ah----- \sqmdata04.sqm
2008-07-26 10:27:37 244 --ah----- \sqmnoopt03.sqm
2008-07-26 10:27:37 244 --ah----- \sqmnoopt03.sqm
2008-07-26 10:27:37 268 --ah----- \sqmdata03.sqm
2008-07-26 10:27:37 268 --ah----- \sqmdata03.sqm
2008-07-26 10:23:22 244 --ah----- \sqmnoopt02.sqm
2008-07-26 10:23:22 244 --ah----- \sqmnoopt02.sqm
2008-07-26 10:23:22 268 --ah----- \sqmdata02.sqm
2008-07-26 10:23:22 268 --ah----- \sqmdata02.sqm
2008-07-23 13:28:58 244 --ah----- \sqmnoopt01.sqm
2008-07-23 13:28:58 244 --ah----- \sqmnoopt01.sqm
2008-07-23 13:28:58 268 --ah----- \sqmdata01.sqm
2008-07-23 13:28:58 268 --ah----- \sqmdata01.sqm
2008-07-21 16:53:59 172 --ah----- \sqmnoopt00.sqm
2008-07-21 16:53:59 172 --ah----- \sqmnoopt00.sqm
2008-07-21 16:53:59 208 --ah----- \sqmdata00.sqm
2008-07-21 16:53:59 208 --ah----- \sqmdata00.sqm
2008-07-21 14:24:54 244 --ah----- \sqmnoopt19.sqm
2008-07-21 14:24:54 244 --ah----- \sqmnoopt19.sqm
2008-07-21 14:24:54 268 --ah----- \sqmdata19.sqm
2008-07-21 14:24:54 268 --ah----- \sqmdata19.sqm
2008-07-21 14:02:36 3178 --a------ \rapport.txt
2008-07-21 14:02:36 3178 --a------ \rapport.txt
2008-07-21 13:55:03 244 --ah----- \sqmnoopt18.sqm
2008-07-21 13:55:03 244 --ah----- \sqmnoopt18.sqm
2008-07-21 13:55:03 268 --ah----- \sqmdata18.sqm
2008-07-21 13:55:03 268 --ah----- \sqmdata18.sqm
2008-07-21 12:43:07 244 --ah----- \sqmnoopt17.sqm
2008-07-21 12:43:07 244 --ah----- \sqmnoopt17.sqm
2008-07-21 12:43:07 268 --ah----- \sqmdata17.sqm
2008-07-21 12:43:07 268 --ah----- \sqmdata17.sqm
2008-07-21 12:00:04 232 --ah----- \sqmdata16.sqm
2008-07-21 12:00:04 232 --ah----- \sqmdata16.sqm
2008-07-21 12:00:03 244 --ah----- \sqmnoopt16.sqm
2008-07-21 12:00:03 244 --ah----- \sqmnoopt16.sqm
2008-07-21 11:57:54 244 --ah----- \sqmnoopt15.sqm
2008-07-21 11:57:54 244 --ah----- \sqmnoopt15.sqm
2008-07-21 11:57:54 268 --ah----- \sqmdata15.sqm
2008-07-21 11:57:54 268 --ah----- \sqmdata15.sqm
2008-07-21 11:54:21 610 --a------ \VundoFix.txt
2008-07-21 11:54:21 610 --a------ \VundoFix.txt
2008-07-21 10:54:51 244 --ah----- \sqmnoopt14.sqm
2008-07-21 10:54:51 244 --ah----- \sqmnoopt14.sqm
2008-07-21 10:54:51 268 --ah----- \sqmdata14.sqm
2008-07-21 10:54:51 268 --ah----- \sqmdata14.sqm
2008-07-07 12:20:26 244 --ah----- \sqmnoopt13.sqm
2008-07-07 12:20:26 244 --ah----- \sqmnoopt13.sqm
2008-07-07 12:20:26 268 --ah----- \sqmdata13.sqm
2008-07-07 12:20:26 268 --ah----- \sqmdata13.sqm
2008-07-07 12:05:10 244 --ah----- \sqmnoopt12.sqm
2008-07-07 12:05:10 244 --ah----- \sqmnoopt12.sqm
2008-07-07 12:05:10 268 --ah----- \sqmdata12.sqm
2008-07-07 12:05:10 268 --ah----- \sqmdata12.sqm
2008-07-07 12:02:35 244 --ah----- \sqmnoopt11.sqm
2008-07-07 12:02:35 244 --ah----- \sqmnoopt11.sqm
2008-07-07 12:02:35 268 --ah----- \sqmdata11.sqm
2008-07-07 12:02:35 268 --ah----- \sqmdata11.sqm
2008-07-06 21:52:15 244 --ah----- \sqmnoopt10.sqm
2008-07-06 21:52:15 244 --ah----- \sqmnoopt10.sqm
2008-07-06 21:52:15 268 --ah----- \sqmdata10.sqm
2008-07-06 21:52:15 268 --ah----- \sqmdata10.sqm
2008-07-06 21:47:09 0 d-------- \Programs
2008-07-06 21:47:09 0 d-------- \Programs
2008-07-06 21:35:17 244 --ah----- \sqmnoopt09.sqm
2008-07-06 21:35:17 244 --ah----- \sqmnoopt09.sqm
2008-07-06 21:35:17 268 --ah----- \sqmdata09.sqm
2008-07-06 21:35:17 268 --ah----- \sqmdata09.sqm
2008-07-06 21:34:57 0 d-------- C:\Documents and Settings\User\Application Data\Help
2008-06-29 22:04:02 0 d--hs---- \System Volume Information
2008-06-29 22:04:02 0 d--hs---- \System Volume Information
2008-06-29 19:51:24 0 d-------- C:\Documents and Settings\User\Application Data\WinRAR


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}]
11/08/2008 21:12 29184 --a------ C:\WINDOWS\system32\N14UpXjA.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
18/08/2008 17:46 2055960 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [18/08/2008 17:46 2055960]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [18/08/2008 17:46]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [12/08/2004 21:18]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 10:34]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [11/04/2008 19:48]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau C:\WINDOWS\system32\hgGyawVP

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0ee9e650-e13c-11dc-8a1e-000802da3a11}]
AutoRun\command- E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a25cba00-e0c8-11dc-8a1d-000802da3a11}]
AutoRun\command- E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a25cba01-e0c8-11dc-8a1d-000802da3a11}]
AutoRun\command- E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a25cba04-e0c8-11dc-8a1d-000802da3a11}]
AutoRun\command- E:\AutoRun.exe




-- End of Deckard's System Scanner: finished at 2008-08-18 17:53:17 ------------

Edited by bugger, 18 August 2008 - 04:55 AM.


#15 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:46 AM

Posted 18 August 2008 - 09:28 AM

Hello Bugger.

Seems you got hit with an infection just recently identified :thumbsup: . It has characteristics of a backdoor.

Please delete DSS.exe that is on your desktop as the tool is out of order.

Backdoor Threat
I'm sorry to say that your computer is infected with one or more backdoor trojans.

This means that sensitive information could have been stolen. I would advise to change any passwords for any accounts that you have accessed with the infected computer using a clean computer ASAP. If you have used this computer for banking, I would strongly suggest that you report the possible stolen information. Please do not use the computer for any further transactions, or to enter any other information, if at all possible, until it is declared clean.

You may want to read this article on how to handle identity theft.
You may also want to read this article regarding preventing of identity theft.

This computer can still be cleaned, however, I cannot guarantee that it will be 100% safe even after disinfection.

Please read When Should I Format, How Should I Reinstall.

I will proceed assuming you wish to disinfect. If you want to do a reinstall, reply back saying so.

Submit File to Jotti Scanner
There is an unidentified file that I would like you to check out for me using Jotti.
  • Open Jotti Online Scanner.
  • At the top of the page you'll see a box. Paste in the following line(s) (do one line at a time).
    • C:\WINDOWS\system32\nBCu7x6a.exe
  • Click Submit. If more than one file was listed, repeat for each of them.
  • Wait for the scan to finish.
  • Copy Scanner Results into your next reply.
Run OTMoveIt
  • Double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the quote below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\solution.DLL
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{E81CF86B-F683-422A-B742-3F2427EA9D6A}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{892B2785-B0D0-4AA2-AE6A-0ED60B00A979}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00476C87-A276-49BF-86BC-FF005732430B}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\solution.solution
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\solution.solution.1
    C:\WINDOWS\system32\N14UpXjA.dll
    C:\WINDOWS\system32\hgGyawVP.dll
    C:\WINDOWS\system32\nBCu7x6a.exe

  • Return to OTMoveIt2, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Click the red button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Apply Registry Fix
  • Are you sure you did this step last round?
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "quote".


    REGEDIT4

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=hex(7):6D,73,76,31,5F,30,20,6E,77,70,72,6F,76,61,\
    75,00,00

  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input fix.reg.
  • Hit OK.
When done properly, the icon should look like the icon for a .reg file.

Double click fix.reg and answer Yes to the prompts. You will receive a message that the entries have been successfully merged (if you don't, please take note of the message that you do get). Delete fix.reg after use.

F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.
--------------------------
Post back with:
-the OTMoveIt log
-the F-Secure log
-a new HijackThis log (not DSS)

With Regards,
The Panda
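The registry fix above resets the LSA "Authentication Packages" value, which matters because every DLL listed there is loaded into lsass.exe at boot (the hgGyawVP entry in the DSS dump is exactly such a foreign package). The following Python is an added example, not part of this thread or of any BleepingComputer tool: it decodes the hex(7) REG_MULTI_SZ line of the posted fix and audits both the DSS dump line and the fixed value against an assumed allowlist of expected packages; DUMPED_LINE, REG_FIX and EXPECTED_PACKAGES are constructed from the text above.

```python
import re

# Constructed copy of the DSS registry-dump line quoted in this thread (pre-fix).
DUMPED_LINE = '"Authentication Packages"= msv1_0 nwprovau C:\\WINDOWS\\system32\\hgGyawVP'

# Constructed copy of the REGEDIT4 fix posted above (hex(7) = REG_MULTI_SZ, ANSI bytes).
REG_FIX = (
    "REGEDIT4\n\n"
    "[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]\n"
    '"Authentication Packages"=hex(7):6D,73,76,31,5F,30,20,6E,77,70,72,6F,76,61,\\\n'
    "75,00,00\n"
)

# Assumption: the packages a default Windows XP box is expected to list here.
# msv1_0 is the stock NTLM package; nwprovau is the NetWare client provider.
EXPECTED_PACKAGES = {"msv1_0", "nwprovau"}


def decode_hex7(reg_text, value_name):
    """Return the strings of a REGEDIT4 hex(7) value, joining '\\'-continued lines."""
    joined = re.sub(r",\\\r?\n[ \t]*", ",", reg_text)
    pattern = r'"%s"=hex\(7\):([0-9A-Fa-f,]+)' % re.escape(value_name)
    m = re.search(pattern, joined)
    if not m:
        raise ValueError("value %r not found" % value_name)
    raw = bytes(int(h, 16) for h in m.group(1).strip(",").split(","))
    # REG_MULTI_SZ: NUL-separated strings, terminated by an empty string.
    return [s for s in raw.decode("latin-1").split("\x00") if s]


def tokens_from_dump(line):
    """Split a DSS '"Name"= a b c' line into its entries (DSS separates them by spaces)."""
    _, _, rhs = line.partition("=")
    return rhs.split()


def audit_packages(entries):
    """Return the entries that are not known LSA packages; anything listed is unexpected.

    Each entry is also split on whitespace, because one REG_MULTI_SZ string may
    carry several space-separated names (as in the posted fix)."""
    flat = [t for e in entries for t in e.split()]
    return [t for t in flat if t.lower() not in EXPECTED_PACKAGES]


if __name__ == "__main__":
    before = audit_packages(tokens_from_dump(DUMPED_LINE))
    after = audit_packages(decode_hex7(REG_FIX, "Authentication Packages"))
    print("unexpected before fix:", before)  # ['C:\\WINDOWS\\system32\\hgGyawVP']
    print("unexpected after fix: ", after)   # []
```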



