Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Slow Computer Anti Virus Finds Things But Cannot Remove


  • This topic is locked This topic is locked
29 replies to this topic

#1 EscapeV

EscapeV

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:10:50 AM

Posted 31 July 2008 - 06:48 PM

computer has been running super slow and trojans have been popping up that my antivirus cant remove heres the DSS reports

the main.txt is:

Deckard's System Scanner v20071014.68
Run by HP_Administrator on 2008-07-31 19:13:25
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
97: 2008-07-31 23:14:03 UTC - RP278 - Deckard's System Scanner Restore Point
96: 2008-07-31 16:33:27 UTC - RP277 - Spyware Terminator - restore point
95: 2008-07-31 16:24:31 UTC - RP276 - Spyware Terminator - restore point
94: 2008-07-31 04:18:31 UTC - RP275 - System Checkpoint
93: 2008-07-29 19:00:49 UTC - RP274 - System Checkpoint


-- First Restore Point --
1: 2008-05-03 02:18:11 UTC - RP182 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-31 19:16:47
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgam.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgnsx.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Administrator\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8080;gopher=localhost:8080;http=localhost:8080;https=localhost:8080;socks=localhost:1080
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {14698742-2059-3025-9058-954023874141} - (no file)
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {47627A37-1E3D-4C04-BA95-04BFBF5DEF42} - (no file)
O2 - BHO: (no name) - {50940F85-F015-14F1-A05F-F69858AC6D05} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5F118A63-742C-4032-8735-B42A4692A1BE} - (no file)
O2 - BHO: (no name) - {66CC07E5-204F-4567-9EF8-796BEABB0E53} - (no file)
O2 - BHO: (no name) - {6B7957E2-EBFF-4F6C-8078-6168E3913AEB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {8B60577B-48D0-4AFC-A842-6C78A20DB811} - (no file)
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {B75E6147-DCA3-4225-81AB-07CCC6D485D5} - (no file)
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ProxyCap] C:\PROGRA~1\PROXYL~1\ProxyCap\proxycap.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\nwprovau.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} (SupportSoft External Control) - https://actsvr.comcastonline.com/techtools/...%20Controls.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} () - http://www.popcap.com/games/popcaploader_v6.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: caotxb.dll,yzztnmsn.dll,joliom.dll,jsnoer.dll,nhmxejkl.dll,tisqdtyu.dll,avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\Sp_clamsrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


--
End of file - 9844 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 sp_rsdrv2 (Spyware Terminator Driver 2) - c:\windows\system32\drivers\sp_rsdrv2.sys
R3 pgfilter - c:\program files\peerguardian2\pgfilter.sys

S3 catchme - c:\docume~1\hp_adm~1\locals~1\temp\catchme.sys (file missing)
S3 dump_wmimmc - c:\program files\games-masters.com\cabal online (europe)\gameguard\dump_wmimmc.sys (file missing)
S3 NPPTNT2 - c:\windows\system32\npptnt2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
S3 XDva037 - c:\windows\system32\xdva037.sys (file missing)
S3 XDva119 - c:\windows\system32\xdva119.sys (file missing)
S3 XDva121 - c:\windows\system32\xdva121.sys (file missing)
S3 XDva134 - c:\windows\system32\xdva134.sys (file missing)
S3 XDva158 - c:\windows\system32\xdva158.sys (file missing)
S3 XDva167 - c:\windows\system32\xdva167.sys (file missing)
S3 XDva177 - c:\windows\system32\xdva177.sys (file missing)
S3 XDva186 - c:\windows\system32\xdva186.sys (file missing)
S3 XDva189 - c:\windows\system32\xdva189.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 sp_rssrv (Spyware Terminator Realtime Shield Service) - "c:\program files\spyware terminator\sp_rsser.exe" <Not Verified; Crawler.com; Crawler Spyware Terminator>

S3 sp_clamsrv (Spyware Terminator Clam Service) - "c:\program files\winclamavshield\sp_clamsrv.exe" <Not Verified; Crawler.com; Spyware Terminator>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-07-24 11:00:22 292 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
2007-10-21 15:01:33 360 --a------ C:\WINDOWS\Tasks\Uniblue SpyEraser.job
2007-08-09 09:29:38 414 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job


-- Files created between 2008-06-30 and 2008-07-31 -----------------------------

2008-07-31 13:47:10 0 dr-h----- C:\Documents and Settings\HP_Administrator\Recent
2008-07-31 12:50:04 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-07-31 12:50:03 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-07-31 12:50:03 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-07-31 12:50:03 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-24 11:41:15 0 d-------- C:\Program Files\Common Files\INCA Shared
2008-07-18 17:44:40 0 d-------- C:\Program Files\ZoneAlarmSB
2008-07-16 22:36:55 0 d--h----- C:\$AVG8.VAULT$
2008-07-16 22:29:01 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-16 22:29:01 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\AVGTOOLBAR
2008-07-16 22:28:46 0 d-------- C:\Program Files\AVG
2008-07-16 22:28:46 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-16 21:24:17 0 d-------- C:\WINDOWS\ERUNT
2008-07-16 21:01:33 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-07-16 21:01:30 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-07-16 19:28:17 0 d--hs---- C:\sfn
2008-07-16 19:28:14 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-07-16 19:27:21 24 --a------ C:\WINDOWS\system32\pzwlaime.sys
2008-07-16 19:27:15 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-07-16 19:22:35 0 d--hs---- C:\zhb
2008-07-16 17:30:13 0 d--hs---- C:\knz
2008-07-16 17:29:53 24 --a------ C:\WINDOWS\system32\ngjxakin.sys
2008-07-16 17:29:42 24 --a------ C:\WINDOWS\system32\qbhxaklo.sys
2008-07-16 17:29:08 24 --a------ C:\WINDOWS\system32\pzwmaime.sys
2008-07-16 17:28:52 24 --a------ C:\WINDOWS\system32\wymxajkl.sys
2008-07-16 17:28:40 24 --a------ C:\WINDOWS\system32\sqjsakaq.sys
2008-07-16 17:27:56 36 --a------ C:\WINDOWS\system32\ijzhatde.sys
2008-07-16 17:26:11 0 d--hs---- C:\ckb
2008-07-16 17:26:10 0 d--hs---- C:\mre
2008-07-16 17:22:05 0 d--hs---- C:\flh
2008-07-16 17:18:13 20 --a------ C:\WINDOWS\system32\ladyapaw.sys
2008-07-16 17:18:09 0 d--hs---- C:\onl
2008-07-16 17:18:08 0 d--hs---- C:\gtl
2008-07-16 17:17:44 36 --a------ C:\WINDOWS\system32\ijsgajba.sys
2008-07-16 17:17:17 0 d--hs---- C:\djp
2008-07-16 17:16:45 0 d--hs---- C:\wba
2008-07-16 17:16:42 0 d--hs---- C:\ohf
2008-07-06 21:06:42 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-06 21:05:59 0 d-------- C:\Program Files\Windows Live
2008-07-06 21:05:15 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-07-06 16:09:21 0 d-------- C:\Documents and Settings\HP_Administrator\CabalRider


-- Find3M Report ---------------------------------------------------------------

2008-07-31 19:17:53 0 d-------- C:\Program Files\PeerGuardian2
2008-07-31 12:56:07 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Spyware Terminator
2008-07-31 12:56:05 0 d-------- C:\Program Files\Spyware Terminator
2008-07-31 12:50:23 1598 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-31 12:49:07 0 d-------- C:\Program Files\WinClamAVShield
2008-07-24 11:41:15 0 d-------- C:\Program Files\Common Files
2008-07-18 22:12:22 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Skype
2008-07-18 17:44:57 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-07-04 18:43:17 0 d-------- C:\Program Files\Games-Masters.com
2008-07-04 17:26:11 0 d-------- C:\Program Files\OGPlanet
2008-06-11 03:36:27 0 d-------- C:\Program Files\Diner Dash 3-in-1
2008-06-11 03:35:20 0 d-------- C:\Program Files\Google
2008-05-31 17:27:11 0 d-------- C:\Program Files\Steam


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14698742-2059-3025-9058-954023874141}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47627A37-1E3D-4C04-BA95-04BFBF5DEF42}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{50940F85-F015-14F1-A05F-F69858AC6D05}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F118A63-742C-4032-8735-B42A4692A1BE}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66CC07E5-204F-4567-9EF8-796BEABB0E53}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6B7957E2-EBFF-4F6C-8078-6168E3913AEB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B60577B-48D0-4AFC-A842-6C78A20DB811}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
07/17/2008 06:45 PM 2055960 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B75E6147-DCA3-4225-81AB-07CCC6D485D5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
07/18/2008 05:44 PM 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [07/17/2008 06:45 PM 2055960]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [07/18/2008 05:44 PM 262144]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/06/2005 12:56 AM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [08/24/2007 08:00 AM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/26/2008 09:24 AM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [07/09/2008 09:05 AM]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [05/06/2008 11:43 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 08:00 AM]
"Uniblue SpeedUpMyPC"="C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [07/05/2007 12:20 PM]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [09/18/2005 07:40 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07/07/2008 09:42 AM]
"ProxyCap"="C:\PROGRA~1\PROXYL~1\ProxyCap\proxycap.exe" [05/29/2006 08:59 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [4/23/2008 3:38:16 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E490415F-65F8-B5C5-D8BA-9405FB12054E}"= C:\WINDOWS\system32\yzztnmsn.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=caotxb.dll,yzztnmsn.dll,joliom.dll,jsnoer.dll,nhmxejkl.dll,tisqdtyu.dll,avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geedc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProxyCap]
C:\PROGRA~1\PROXYL~1\ProxyCap\proxycap.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareTerminator]
"C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue Registry Booster2]
C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpeedUpMyPC]
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpyEraser]
"C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

*Newly Created Service* - PGFILTER



-- End of Deckard's System Scanner: finished at 2008-07-31 19:18:37 ------------



THE EXTRA TXT IS :

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 Processor 3700+
Percentage of Memory in Use: 53%
Physical Memory (total/avail): 958.48 MiB / 441.65 MiB
Pagefile Memory (total/avail): 2312.73 MiB / 1701 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1917.87 MiB

C: is Fixed (NTFS) - 177.8 GiB total, 64.34 GiB free.
D: is Fixed (FAT32) - 8.5 GiB total, 1.11 GiB free.
E: is CDROM (Unformatted)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)

\\.\PHYSICALDRIVE0 - ST3200826AS - 186.31 GiB - 2 partitions
\PARTITION0 - Unknown - 8.51 GiB - D:
\PARTITION1 (bootable) - Installable File System - 177.8 GiB - C:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device

BC AdBot (Login to Remove)

 


m

#2 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:03:50 PM

Posted 10 August 2008 - 10:30 PM

Hello and welcome to BC

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. We aim to provide the valuable service known to come from BC to every member we can, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not
    malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet especially if your asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.


If you already preformed the steps above We still need to see the current state of the machine fresh scan and logs are still necessary

click on Start, click on Run
copy and paste the following in bold in the open window and then click OK
"%userprofile%\desktop\dss.exe" /config
This will open up DSS configuration
click on Check All
click Scan
DSS will now run again when finished
Please post back both logs that open in notepad
Main txt and extra txt



Next
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post back with dss reports main.txt, extra.txt and Kaspersky report.

Regards
SNOWHITE
Posted Image

#3 EscapeV

EscapeV
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:10:50 AM

Posted 11 August 2008 - 02:07 PM

thanks for getting back with me......... heres the fresh DSS scan results:

Deckard's System Scanner v20071014.68
Run by HP_Administrator on 2008-08-11 15:03:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as HP_Administrator.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:03:44 PM, on 8/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Documents and Settings\HP_Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\HP_ADM~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8080;gopher=localhost:8080;http=localhost:8080;https=localhost:8080;socks=localhost:1080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {47627A37-1E3D-4C04-BA95-04BFBF5DEF42} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5F118A63-742C-4032-8735-B42A4692A1BE} - (no file)
O2 - BHO: (no name) - {66CC07E5-204F-4567-9EF8-796BEABB0E53} - (no file)
O2 - BHO: (no name) - {6B7957E2-EBFF-4F6C-8078-6168E3913AEB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {8B60577B-48D0-4AFC-A842-6C78A20DB811} - (no file)
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {B75E6147-DCA3-4225-81AB-07CCC6D485D5} - (no file)
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ProxyCap] C:\PROGRA~1\PROXYL~1\ProxyCap\proxycap.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} (SupportSoft External Control) - https://actsvr.comcastonline.com/techtools/...%20Controls.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: caotxb.dll,yzztnmsn.dll,joliom.dll,jsnoer.dll,nhmxejkl.dll,tisqdtyu.dll,avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\sp_clamsrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8310 bytes

-- Files created between 2008-07-11 and 2008-08-11 -----------------------------

2008-08-11 14:46:31 0 dr-h----- C:\Documents and Settings\HP_Administrator\Recent
2008-07-31 12:50:04 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-07-31 12:50:03 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-07-31 12:50:03 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-07-31 12:50:03 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-24 11:41:15 0 d-------- C:\Program Files\Common Files\INCA Shared
2008-07-18 17:44:40 0 d-------- C:\Program Files\ZoneAlarmSB
2008-07-16 22:36:55 0 d--h----- C:\$AVG8.VAULT$
2008-07-16 22:29:01 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-16 22:29:01 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\AVGTOOLBAR
2008-07-16 22:28:46 0 d-------- C:\Program Files\AVG
2008-07-16 22:28:46 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-16 21:24:17 0 d-------- C:\WINDOWS\ERUNT
2008-07-16 21:01:33 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-07-16 21:01:30 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-07-16 19:28:17 0 d--hs---- C:\sfn
2008-07-16 19:28:14 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-07-16 19:27:21 24 --a------ C:\WINDOWS\system32\pzwlaime.sys
2008-07-16 19:27:15 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-07-16 19:22:35 0 d--hs---- C:\zhb
2008-07-16 17:30:13 0 d--hs---- C:\knz
2008-07-16 17:29:53 24 --a------ C:\WINDOWS\system32\ngjxakin.sys
2008-07-16 17:29:42 24 --a------ C:\WINDOWS\system32\qbhxaklo.sys
2008-07-16 17:29:08 24 --a------ C:\WINDOWS\system32\pzwmaime.sys
2008-07-16 17:28:52 24 --a------ C:\WINDOWS\system32\wymxajkl.sys
2008-07-16 17:28:40 24 --a------ C:\WINDOWS\system32\sqjsakaq.sys
2008-07-16 17:27:56 36 --a------ C:\WINDOWS\system32\ijzhatde.sys
2008-07-16 17:26:11 0 d--hs---- C:\ckb
2008-07-16 17:26:10 0 d--hs---- C:\mre
2008-07-16 17:22:05 0 d--hs---- C:\flh
2008-07-16 17:18:13 20 --a------ C:\WINDOWS\system32\ladyapaw.sys
2008-07-16 17:18:09 0 d--hs---- C:\onl
2008-07-16 17:18:08 0 d--hs---- C:\gtl
2008-07-16 17:17:44 36 --a------ C:\WINDOWS\system32\ijsgajba.sys
2008-07-16 17:17:17 0 d--hs---- C:\djp
2008-07-16 17:16:45 0 d--hs---- C:\wba
2008-07-16 17:16:42 0 d--hs---- C:\ohf


-- Find3M Report ---------------------------------------------------------------

2008-08-11 15:03:41 0 d-------- C:\Program Files\PeerGuardian2
2008-08-11 14:54:52 0 d-------- C:\Program Files\Spyware Terminator
2008-08-11 14:54:51 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Spyware Terminator
2008-08-11 14:39:36 0 d-------- C:\Program Files\WinClamAVShield
2008-08-08 03:41:56 0 d-------- C:\Program Files\Java
2008-07-31 12:50:23 1598 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-24 11:41:15 0 d-------- C:\Program Files\Common Files
2008-07-18 22:12:22 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Skype
2008-07-18 17:44:57 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-07-06 21:45:07 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-06 21:05:59 0 d-------- C:\Program Files\Windows Live
2008-07-04 18:43:17 0 d-------- C:\Program Files\Games-Masters.com
2008-07-04 17:26:11 0 d-------- C:\Program Files\OGPlanet
2008-06-11 03:36:27 0 d-------- C:\Program Files\Diner Dash 3-in-1
2008-06-11 03:35:20 0 d-------- C:\Program Files\Google


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47627A37-1E3D-4C04-BA95-04BFBF5DEF42}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F118A63-742C-4032-8735-B42A4692A1BE}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66CC07E5-204F-4567-9EF8-796BEABB0E53}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6B7957E2-EBFF-4F6C-8078-6168E3913AEB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B60577B-48D0-4AFC-A842-6C78A20DB811}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
07/17/2008 06:45 PM 2055960 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B75E6147-DCA3-4225-81AB-07CCC6D485D5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
07/18/2008 05:44 PM 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [07/17/2008 06:45 PM 2055960]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [07/18/2008 05:44 PM 262144]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/06/2005 12:56 AM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [08/24/2007 08:00 AM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/26/2008 09:24 AM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [07/09/2008 09:05 AM]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [08/11/2008 02:40 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 08:00 AM]
"Uniblue SpeedUpMyPC"="C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [07/05/2007 12:20 PM]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [09/18/2005 07:40 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07/07/2008 09:42 AM]
"ProxyCap"="C:\PROGRA~1\PROXYL~1\ProxyCap\proxycap.exe" [05/29/2006 08:59 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [4/23/2008 3:38:16 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E490415F-65F8-B5C5-D8BA-9405FB12054E}"= C:\WINDOWS\system32\yzztnmsn.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=caotxb.dll,yzztnmsn.dll,joliom.dll,jsnoer.dll,nhmxejkl.dll,tisqdtyu.dll,avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geedc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProxyCap]
C:\PROGRA~1\PROXYL~1\ProxyCap\proxycap.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareTerminator]
"C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue Registry Booster2]
C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpeedUpMyPC]
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpyEraser]
"C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

*Newly Created Service* - PGFILTER



-- End of Deckard's System Scanner: finished at 2008-08-11 15:04:16 ------------

doing the kasp scan now............. thanks again

#4 EscapeV

EscapeV
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:10:50 AM

Posted 11 August 2008 - 07:04 PM

This is the kaspersky report: it only took me 4 and a half hours to complete it................ thanks
----------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, August 11, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, August 11, 2008 20:10:51
Records in database: 1083295
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 130195
Threat name: 12
Infected objects: 21
Suspicious objects: 0
Duration of the scan: 04:39:31


File name / Threat name / Threats count
C:\Documents and Settings\HP_Administrator\.housecall6.6\Quarantine\bokcgjgu.dll.vir.bac_a03956 Infected: not-a-virus:AdWare.Win32.Virtumonde.aps 1
C:\Documents and Settings\HP_Administrator\.housecall6.6\Quarantine\bpmlwrxx.dll.vir.bac_a03956 Infected: not-a-virus:AdWare.Win32.Virtumonde.bif 1
C:\Documents and Settings\HP_Administrator\.housecall6.6\Quarantine\fexkvtcm.dll.bac_a03956 Infected: not-a-virus:AdWare.Win32.SecToolBar.k 1
C:\Documents and Settings\HP_Administrator\.housecall6.6\Quarantine\fubhtbiw.dll.bac_a03956 Infected: not-a-virus:AdWare.Win32.SecToolBar.k 1
C:\Documents and Settings\HP_Administrator\.housecall6.6\Quarantine\hote4444.dll.ren.bac_a01924 Infected: not-a-virus:AdWare.Win32.TTC.a 1
C:\Documents and Settings\HP_Administrator\.housecall6.6\Quarantine\hote83122.dll.ren.bac_a01924 Infected: not-a-virus:AdWare.Win32.TTC.a 1
C:\Documents and Settings\HP_Administrator\.housecall6.6\Quarantine\insmrcfh.dll.vir.bac_a03956 Infected: not-a-virus:AdWare.Win32.Virtumonde.aps 1
C:\Documents and Settings\HP_Administrator\.housecall6.6\Quarantine\lrexiiog.dll.bac_a03956 Infected: not-a-virus:AdWare.Win32.SecToolBar.k 1
C:\Documents and Settings\HP_Administrator\.housecall6.6\Quarantine\shtrpxeu.dll.bac_a03956 Infected: not-a-virus:AdWare.Win32.SecToolBar.k 1
C:\Documents and Settings\HP_Administrator\.housecall6.6\Quarantine\ufrpgfgm.dll.bac_a03956 Infected: not-a-virus:AdWare.Win32.SecToolBar.k 1
C:\Documents and Settings\HP_Administrator\.housecall6.6\Quarantine\yadjbfcj.dll.vir.bac_a03956 Infected: not-a-virus:AdWare.Win32.Virtumonde.aps 1
C:\Documents and Settings\HP_Administrator\.housecall6.6\Quarantine\yqebcses.exe.vir.bac_a03956 Infected: Trojan.Win32.Obfuscated.kp 1
C:\Documents and Settings\HP_Administrator\.housecall6.6\Quarantine\yvdkokqj.dll.bac_a03956 Infected: not-a-virus:AdWare.Win32.SecToolBar.k 1
C:\Documents and Settings\HP_Administrator\Desktop\virus scan\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S48KT2Y3\sina[1].htm Infected: Trojan-Downloader.HTML.Agent.bx 1
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S48KT2Y3\sina[2].htm Infected: Trojan-Downloader.HTML.Agent.bx 1
C:\Program Files\BitLord\Downloads\AVG Internet Security v8.0.93+Crack+Serial-HeartBug\Crack\crack.exe Infected: Trojan.Win32.Delf.czb 1
C:\Program Files\HTTP-Tunnel\uninstall.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.qe 1
C:\Program Files\Internet Explorer\propryhde.html Infected: Trojan-Clicker.HTML.IFrame.dn 1
C:\Program Files\Proxy Labs\ProxyCap\spinstWI.dll Infected: Trojan.Win32.Zapchast.kt 1
C:\qoobox\Quarantine\C\z.exe.vir Infected: not-a-virus:PSWTool.Win32.ProtectStorage.b 1

The selected area was scanned.

#5 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:03:50 PM

Posted 14 August 2008 - 12:56 AM

Hello EscapeV :thumbsup:


Lets proceed with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


Regards
SNOWHITE
Posted Image

#6 EscapeV

EscapeV
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:10:50 AM

Posted 14 August 2008 - 05:31 PM

Thanks for the help...... heres the combofix log:


ComboFix 08-08-13.05 - HP_Administrator 2008-08-14 16:37:51.2 - NTFSx86
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\#SharedObjects\VUV6RUJ8\interclick.com
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\#SharedObjects\VUV6RUJ8\interclick.com\ud.sol
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\HP_Administrator\Cookies.\hp_administrator@a.amd[2].txt
C:\Documents and Settings\HP_Administrator\Cookies.\hp_administrator@ad.yieldmanager[2].txt
C:\Documents and Settings\HP_Administrator\Cookies.\hp_administrator@neopets[1].txt
C:\Documents and Settings\HP_Administrator\Cookies.\hp_administrator@revsci[2].txt
C:\WINDOWS\system32\axsxrnhc.ini
C:\WINDOWS\system32\cclnwxvy.ini
C:\WINDOWS\system32\cgsqatyu.sys
C:\WINDOWS\system32\erjxakin.sys
C:\WINDOWS\system32\fstlbsys.sys
C:\WINDOWS\system32\fxcbbime.sys
C:\WINDOWS\system32\fxwlbime.sys
C:\WINDOWS\system32\fxwmbime.sys
C:\WINDOWS\system32\fzmsbwin.sys
C:\WINDOWS\system32\gpsgajba.sys
C:\WINDOWS\system32\gpzhatde.sys
C:\WINDOWS\system32\gsdhadwd.sys
C:\WINDOWS\system32\ijsgajba.sys
C:\WINDOWS\system32\ijzhatde.sys
C:\WINDOWS\system32\ladyapaw.sys
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\ngjxakin.sys
C:\WINDOWS\system32\noudaxrv.ini
C:\WINDOWS\system32\pzdyapaw.sys
C:\WINDOWS\system32\pzwlaime.sys
C:\WINDOWS\system32\pzwmaime.sys
C:\WINDOWS\system32\ravrgtex.ini
C:\WINDOWS\system32\rnmxajkl.sys
C:\WINDOWS\system32\sdjsakaq.sys
C:\WINDOWS\system32\smmhbsrv.sys
C:\WINDOWS\system32\spmybapi.sys
C:\WINDOWS\system32\sqjsakaq.sys
C:\WINDOWS\system32\wymxajkl.sys
C:\WINDOWS\system32\xfztbmsn.sys
C:\WINDOWS\system32\xsdjbbmp.sys
C:\WINDOWS\system32\xzcsbhlp.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RPCS


((((((((((((((((((((((((( Files Created from 2008-07-14 to 2008-08-14 )))))))))))))))))))))))))))))))
.

2008-07-31 19:13 . 2008-07-31 19:13 <DIR> d-------- C:\Deckard
2008-07-31 12:50 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-07-31 12:50 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-07-31 12:50 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-07-31 12:50 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-24 11:41 . 2008-07-24 11:41 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-07-18 17:44 . 2008-07-18 17:44 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-07-16 22:36 . 2008-07-31 10:19 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-16 22:29 . 2008-08-14 16:34 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-16 22:29 . 2008-08-13 08:55 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\AVGTOOLBAR
2008-07-16 22:29 . 2008-07-26 09:23 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-16 22:29 . 2008-07-17 18:45 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-16 22:29 . 2008-07-17 18:45 12,936 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-07-16 22:29 . 2008-07-17 18:45 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-16 22:28 . 2008-07-16 22:28 <DIR> d-------- C:\Program Files\AVG
2008-07-16 22:28 . 2008-07-16 22:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-16 21:24 . 2008-07-16 21:24 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-16 21:11 . 2008-07-18 17:30 <DIR> d-------- C:\SDFix
2008-07-16 19:28 . 2008-07-17 04:37 <DIR> d--hs---- C:\sfn
2008-07-16 19:22 . 2008-07-16 19:28 <DIR> d--hs---- C:\zhb
2008-07-16 17:30 . 2008-07-16 17:31 <DIR> d--hs---- C:\knz
2008-07-16 17:29 . 2008-07-16 21:52 24 --a------ C:\WINDOWS\system32\qbhxaklo.sys
2008-07-16 17:26 . 2008-07-17 00:23 <DIR> d--hs---- C:\mre
2008-07-16 17:26 . 2008-07-16 22:37 <DIR> d--hs---- C:\ckb
2008-07-16 17:22 . 2008-07-16 23:51 <DIR> d--hs---- C:\flh
2008-07-16 17:18 . 2008-07-16 17:20 <DIR> d--hs---- C:\onl
2008-07-16 17:18 . 2008-07-16 17:18 <DIR> d--hs---- C:\gtl
2008-07-16 17:17 . 2008-07-16 17:18 <DIR> d--hs---- C:\djp
2008-07-16 17:16 . 2008-07-16 17:18 <DIR> d--hs---- C:\wba
2008-07-16 17:16 . 2008-07-16 17:18 <DIR> d--hs---- C:\ohf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-14 22:22 --------- d-----w C:\Program Files\Spyware Terminator
2008-08-14 20:42 153,788 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-14 20:42 13,226,016 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-14 20:34 --------- d-----w C:\Program Files\PeerGuardian2
2008-08-14 14:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-08-13 14:34 --------- d-----w C:\Program Files\WinClamAVShield
2008-08-11 18:54 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Spyware Terminator
2008-08-08 07:41 --------- d-----w C:\Program Files\Java
2008-07-23 17:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-19 02:12 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Skype
2008-07-18 17:01 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-17 11:41 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-17 11:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-09 13:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-07-07 01:45 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-07 01:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-07-07 01:05 --------- d-----w C:\Program Files\Windows Live
2008-07-04 22:43 --------- d-----w C:\Program Files\Games-Masters.com
2008-07-04 21:26 --------- d-----w C:\Program Files\OGPlanet
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2007-11-15 02:52 49,744 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-11-11 15:15 451,373 --sha-w C:\WINDOWS\system32\cdeeg.ini.ren
2004-08-08 23:29 3,640 --sh--w C:\WINDOWS\system32\ictxaiua.sys
2004-08-08 23:31 520 --sh--w C:\WINDOWS\system32\nttzapaq.sys
2004-08-08 23:29 520 --sh--w C:\WINDOWS\system32\smdsbsrv.sys
2004-08-08 23:31 2,080 --sh--w C:\WINDOWS\system32\vlhxaklo.sys
2004-08-08 23:31 520 --sh--w C:\WINDOWS\system32\xscqbhlp.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 08:00 15360]
"Uniblue SpeedUpMyPC"="C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2007-07-05 12:20 9495832]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 19:40 1421824]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]
"ProxyCap"="C:\PROGRA~1\PROXYL~1\ProxyCap\proxycap.exe" [2006-05-29 08:59 225280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 00:56 64512]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 08:00 33648]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-26 09:24 1235736]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-08-11 14:40 1783808]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"vidc.wmv3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 19:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProxyCap]
--a------ 2006-05-29 08:59 225280 C:\PROGRA~1\PROXYL~1\ProxyCap\proxycap.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareTerminator]
--a------ 2008-08-11 14:40 1783808 C:\Program Files\Spyware Terminator\SpywareTerminatorShield.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-09 09:26 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue Registry Booster2]
--a------ 2007-04-23 15:40 1645088 C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpeedUpMyPC]
--a------ 2007-07-05 12:20 9495832 C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpyEraser]
--a------ 2007-10-16 09:26 1258248 C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2005-12-08 14:55 3096576 C:\Program Files\Yahoo!\Messenger\YPager.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-07-17 18:45]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-26 09:23]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-05-06 11:43]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-26 09:23]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-17 18:45]
S3 dump_wmimmc;dump_wmimmc;C:\Program Files\Games-Masters.com\CABAL Online (Europe)\GameGuard\dump_wmimmc.sys []
S3 XDva037;XDva037;C:\WINDOWS\system32\XDva037.sys []
S3 XDva119;XDva119;C:\WINDOWS\system32\XDva119.sys []
S3 XDva121;XDva121;C:\WINDOWS\system32\XDva121.sys []
S3 XDva134;XDva134;C:\WINDOWS\system32\XDva134.sys []
S3 XDva158;XDva158;C:\WINDOWS\system32\XDva158.sys []
S3 XDva167;XDva167;C:\WINDOWS\system32\XDva167.sys []
S3 XDva177;XDva177;C:\WINDOWS\system32\XDva177.sys []
S3 XDva186;XDva186;C:\WINDOWS\system32\XDva186.sys []
S3 XDva189;XDva189;C:\WINDOWS\system32\XDva189.sys []
S3 XDva190;XDva190;C:\WINDOWS\system32\XDva190.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-08-13 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2007-07-05 12:20]

2007-08-09 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2007-07-05 12:20]

2007-10-21 C:\WINDOWS\Tasks\Uniblue SpyEraser.job
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe [2007-10-16 09:26]
.
- - - - ORPHANS REMOVED - - - -

BHO-{47627A37-1E3D-4C04-BA95-04BFBF5DEF42} - (no file)
BHO-{5F118A63-742C-4032-8735-B42A4692A1BE} - (no file)
BHO-{66CC07E5-204F-4567-9EF8-796BEABB0E53} - (no file)
BHO-{6B7957E2-EBFF-4F6C-8078-6168E3913AEB} - (no file)
BHO-{8B60577B-48D0-4AFC-A842-6C78A20DB811} - (no file)
BHO-{B75E6147-DCA3-4225-81AB-07CCC6D485D5} - (no file)
ShellExecuteHooks-{C629FF4F-ACDB-5C90-A098-FACB3456A26C} - (no file)
ShellExecuteHooks-{8FD45A54-9875-698F-E56E-65102358FDF8} - (no file)
ShellExecuteHooks-{9319A1F1-9410-9654-3201-345FFA349139} - (no file)
ShellExecuteHooks-{90AF1289-F140-A140-D012-C1458759FC09} - (no file)
ShellExecuteHooks-{48093456-9012-4568-9076-908765467184} - (no file)
ShellExecuteHooks-{47A924AF-1A5F-CF21-AB1D-1D5CF82A8A74} - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\wkxcu1a5.default\


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-14 18:22:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-08-14 18:29:06 - machine was rebooted [HP_Administrator]
ComboFix-quarantined-files.txt 2008-08-14 22:28:59
ComboFix2.txt 2007-11-28 15:34:53

Pre-Run: 70,036,373,504 bytes free
Post-Run: 70,130,413,568 bytes free

251 --- E O F --- 2008-07-23 17:03:24

#7 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:03:50 PM

Posted 18 August 2008 - 06:48 AM

Hello EscapeV,

Open notepad and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/t/160802/slow-computer-anti-virus-finds-things-but-cannot-remove/

Folder::
C:\sfn
C:\zhb
C:\knz
C:\mre
C:\ckb
C:\flh
C:\onl
C:\gtl
C:\djp
C:\wba
C:\ohf

Collect::[29]
C:\WINDOWS\system32\cdeeg.ini.ren
C:\WINDOWS\system32\qbhxaklo.sys
C:\WINDOWS\system32\ictxaiua.sys
C:\WINDOWS\system32\nttzapaq.sys
C:\WINDOWS\system32\smdsbsrv.sys
C:\WINDOWS\system32\vlhxaklo.sys
C:\WINDOWS\system32\xscqbhlp.sys

Save this as CFScript.txt


Posted Image

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.
More information with a screenshot, can be found here.

Please post back with ComboFix log, new HijackThis log, Uninstall list and let me know how is the computer running.


Regards
SNOWHITE
Posted Image

#8 EscapeV

EscapeV
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:10:50 AM

Posted 18 August 2008 - 09:04 PM

this is the log, i submitted the malware zip file per instructions:

ComboFix 08-08-18.01 - HP_Administrator 2008-08-18 21:54:03.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.500 [GMT -4:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ckb
C:\djp
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\#SharedObjects\VUV6RUJ8\interclick.com
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\#SharedObjects\VUV6RUJ8\interclick.com\ud.sol
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@ad.yieldmanager[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@neopets[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@realmedia[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@specificclick[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@trafficmp[2].txt
C:\Documents and Settings\HP_Administrator\UserData
C:\Documents and Settings\HP_Administrator\UserData\6T3W9G3A\ATLPreloadCheck[1].xml
C:\Documents and Settings\HP_Administrator\UserData\6T3W9G3A\ATLPreloadCheck[2].xml
C:\Documents and Settings\HP_Administrator\UserData\6T3W9G3A\ATLWINDOWS[1].xml
C:\Documents and Settings\HP_Administrator\UserData\6T3W9G3A\ATLWINDOWS[2].xml
C:\Documents and Settings\HP_Administrator\UserData\87F7YC91\ATLTRANSACTIONS[1].xml
C:\Documents and Settings\HP_Administrator\UserData\87F7YC91\ATLTRANSACTIONS[2].xml
C:\Documents and Settings\HP_Administrator\UserData\index.dat
C:\Documents and Settings\HP_Administrator\UserData\PC0NP901\ATLWINDOWS[1].xml
C:\Documents and Settings\HP_Administrator\UserData\PC0NP901\ATLWINDOWS[2].xml
C:\Documents and Settings\HP_Administrator\UserData\PC0NP901\ATLWINDOWS[3].xml
C:\Documents and Settings\HP_Administrator\UserData\PC0NP901\IsOnIE6tbPromo[1].xml
C:\Documents and Settings\HP_Administrator\UserData\VFXZFPSG\ATLSpecialValues[1].xml
C:\Documents and Settings\HP_Administrator\UserData\VFXZFPSG\ATLSpecialValues[2].xml
C:\Documents and Settings\HP_Administrator\UserData\VFXZFPSG\ATLTRANSACTIONS[2].xml
C:\Documents and Settings\HP_Administrator\UserData\VFXZFPSG\ATLWINDOWS[1].xml

#9 EscapeV

EscapeV
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:10:50 AM

Posted 18 August 2008 - 09:08 PM

this is the uninstall list:

2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:08:12 PM, on 8/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8080;gopher=localhost:8080;http=localhost:8080;https=localhost:8080;socks=localhost:1080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ProxyCap] C:\PROGRA~1\PROXYL~1\ProxyCap\proxycap.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} (SupportSoft External Control) - https://actsvr.comcastonline.com/techtools/...%20Controls.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\sp_clamsrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7741 bytes

#10 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:03:50 PM

Posted 20 August 2008 - 05:04 AM

Hello again EscapeV,

It seems you have posted the reports incomplete.

Please disable TeaTimer since it may interfere with the fixes:
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
Next please re-run combofix:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Double click ComboFix to scan for malware.


When the tool is finished, it will produce a report for you, include that report in your next reply. It will be located here:

C:\ComboFix.txt

Next, your uninstall report also seems to be incomplete, please make new report and post it back here:
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.
Please include Combofix report, uninstall list and fresh HijackThis report in your next reply.

Regards
SNOWHITE
Posted Image

#11 EscapeV

EscapeV
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:10:50 AM

Posted 20 August 2008 - 08:37 AM

ComboFix 08-08-19.02 - HP_Administrator 2008-08-20 8:49:08.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.543 [GMT -4:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\#SharedObjects\VUV6RUJ8\static.youku.com
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\#SharedObjects\VUV6RUJ8\static.youku.com\v\swf\qplayer.swf\youku.sol
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com\settings.sol
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@trafficmp[1].txt
C:\WINDOWS\system32\dao350.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-20 to 2008-08-20 )))))))))))))))))))))))))))))))
.

2008-08-18 21:42 . 2008-08-18 21:42 <DIR> d--hs---- C:\found.000
2008-08-18 14:37 . 2008-08-18 14:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kodak
2008-08-16 01:20 . 2008-08-16 01:20 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-16 01:20 . 2008-08-16 01:20 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-31 19:13 . 2008-07-31 19:13 <DIR> d-------- C:\Deckard
2008-07-31 12:50 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-07-31 12:50 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-07-31 12:50 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-07-31 12:50 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-24 11:41 . 2008-07-24 11:41 <DIR> d-------- C:\Program Files\Common Files\INCA Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-20 12:47 --------- d-----w C:\Program Files\PeerGuardian2
2008-08-20 12:41 1,489,920 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-08-19 23:34 --------- d-----w C:\Program Files\Spyware Terminator
2008-08-19 23:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-08-19 23:13 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Spyware Terminator
2008-08-19 11:56 7,376,205 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-08-14 20:42 153,788 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-14 20:42 13,226,016 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-13 14:34 --------- d-----w C:\Program Files\WinClamAVShield
2008-08-13 12:55 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\AVGTOOLBAR
2008-08-08 07:41 --------- d-----w C:\Program Files\Java
2008-07-31 16:50 1,598 ----a-w C:\WINDOWS\system32\tmp.reg
2008-07-26 13:23 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-23 17:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-19 02:12 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Skype
2008-07-18 21:44 --------- d-----w C:\Program Files\ZoneAlarmSB
2008-07-18 17:01 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-17 22:45 76,040 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-17 22:45 12,936 ----a-w C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-07-17 22:45 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2008-07-17 11:41 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-17 11:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-17 02:28 --------- d-----w C:\Program Files\AVG
2008-07-17 02:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-07-09 13:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-07-09 13:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-07-07 01:45 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-07 01:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-07-07 01:05 --------- d-----w C:\Program Files\Windows Live
2008-07-04 22:43 --------- d-----w C:\Program Files\Games-Masters.com
2008-07-04 21:26 --------- d-----w C:\Program Files\OGPlanet
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2007-11-15 02:52 49,744 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-08-14_18.28.34.12 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 08:00 15360]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 19:40 1421824]
"ProxyCap"="C:\PROGRA~1\PROXYL~1\ProxyCap\proxycap.exe" [2006-05-29 08:59 225280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 00:56 64512]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 08:00 33648]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-26 09:24 1235736]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-08-11 14:40 1783808]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"vidc.wmv3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 19:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProxyCap]
--a------ 2006-05-29 08:59 225280 C:\PROGRA~1\PROXYL~1\ProxyCap\proxycap.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareTerminator]
--a------ 2008-08-11 14:40 1783808 C:\Program Files\Spyware Terminator\SpywareTerminatorShield.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-09 09:26 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue Registry Booster2]
--a------ 2007-04-23 15:40 1645088 C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpeedUpMyPC]
--a------ 2007-07-05 12:20 9495832 C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpyEraser]
--a------ 2007-10-16 09:26 1258248 C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2005-12-08 14:55 3096576 C:\Program Files\Yahoo!\Messenger\YPager.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-07-17 18:45]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-26 09:23]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-05-06 11:43]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-26 09:23]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-17 18:45]
S3 dump_wmimmc;dump_wmimmc;C:\Program Files\Games-Masters.com\CABAL Online (Europe)\GameGuard\dump_wmimmc.sys []
S3 XDva037;XDva037;C:\WINDOWS\system32\XDva037.sys []
S3 XDva119;XDva119;C:\WINDOWS\system32\XDva119.sys []
S3 XDva121;XDva121;C:\WINDOWS\system32\XDva121.sys []
S3 XDva134;XDva134;C:\WINDOWS\system32\XDva134.sys []
S3 XDva158;XDva158;C:\WINDOWS\system32\XDva158.sys []
S3 XDva167;XDva167;C:\WINDOWS\system32\XDva167.sys []
S3 XDva177;XDva177;C:\WINDOWS\system32\XDva177.sys []
S3 XDva186;XDva186;C:\WINDOWS\system32\XDva186.sys []
S3 XDva189;XDva189;C:\WINDOWS\system32\XDva189.sys []
S3 XDva190;XDva190;C:\WINDOWS\system32\XDva190.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-08-13 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2007-07-05 12:20]

2007-08-09 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2007-07-05 12:20]

2007-10-21 C:\WINDOWS\Tasks\Uniblue SpyEraser.job
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe [2007-10-16 09:26]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\wkxcu1a5.default\
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-20 08:52:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-20 8:54:13
ComboFix-quarantined-files.txt 2008-08-20 12:53:55
ComboFix2.txt 2008-08-19 01:59:57
ComboFix3.txt 2008-08-14 22:29:07
ComboFix4.txt 2007-11-28 15:34:53

Pre-Run: 69,703,827,456 bytes free
Post-Run: 69,714,173,952 bytes free

180 --- E O F --- 2008-07-23 17:03:24

#12 EscapeV

EscapeV
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:10:50 AM

Posted 20 August 2008 - 08:39 AM

2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
360Share Pro(remove only)
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 7.1.0
Adobe Shockwave Player
ATI Control Panel
ATI Display Driver
AVG 8.0
BitLord 1.1
BlogTorrent beta-0.91
CABAL Online
CABAL Online v3.3
Combined Community Codec Pack 2007-02-22
Counter-Strike: Source
Data Fax SoftModem with SmartCP
DivX
DivX Content Uploader
DivX Player
DivX Web Player
Download Manager 2.3.6
DVD Flick
Final Draft 7
GdiplusUpgrade
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP Deskjet Printer Preload
HP DigitalMedia Archive
HP Document Viewer 5.3
HP Driver Diagnostics
HP Image Zone 5.3
HP Image Zone for Media Center PC
HP Imaging Device Functions 5.3
HP Photosmart 330,380,420,470,7800,8000,8200 Series
HP Photosmart Cameras 5.0
HP PSC & OfficeJet 5.3.A
HP PSC & OfficeJet 5.3.B
HP Solution Center & Imaging Support Tools 5.3
HP Update
InterVideo WinDVD Player
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Runtime Environment 6 Update 1
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2005
Microsoft National Language Support Downlevel APIs
Microsoft Office Access 2007
Microsoft Office Access 2007
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel 2007
Microsoft Office Excel 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove 2007
Microsoft Office Groove 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint 2007
Microsoft Office PowerPoint 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher 2007
Microsoft Office Publisher 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word 2007
Microsoft Office Word 2007
Microsoft Office Word MUI (English) 2007
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (2.0.0.16)
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
muvee autoProducer 4.5
muvee autoProducer unPlugged 1.2
PeerGuardian 2.0
ProxyCap
PS2
Quicken 2006
QuickTime
RealPlayer
Remove IntelliMover Demo
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Excel 2007 (KB946974)
Security Update for Excel 2007 (KB946974)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB951808)
Security Update for Microsoft Office system 2007 (KB951808)
Security Update for Microsoft Office system 2007 (KB951808)
Security Update for Microsoft Office Word 2007 (KB950113)
Security Update for Microsoft Office Word 2007 (KB950113)
Security Update for Office 2007 (KB947801)
Security Update for Office 2007 (KB947801)
Security Update for Office 2007 (KB947801)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Visio 2007 (KB947590)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Shop for HP Supplies
Skype™ 3.5
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Spybot - Search & Destroy
Spyware Terminator
Steam
Uniblue RegistryBooster2
Uniblue SpeedUpMyPC 3
Uniblue SpyEraser
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Office 2007 (KB946691)
Update for Office 2007 (KB946691)
Update for Office 2007 (KB946691)
Update for Office 2007 (KB946691)
Update for Office 2007 (KB946691)
Update for Office 2007 (KB946691)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb953463)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB953356)
VideoLAN VLC media player 0.8.6d
Wheel of Fortune Deluxe (remove only)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live installer
Windows Live Safety scanner
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892050
Windows XP Hotfix - KB893066
Windows XP Media Center Edition 2005 KB925766
WinRAR archiver
Xiah
Yahoo! Messenger
Your Freedom
Your Uninstaller! 2008 Version 6.0
ZoneAlarm
ZoneAlarm Spy Blocker

#13 EscapeV

EscapeV
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:10:50 AM

Posted 20 August 2008 - 08:41 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:43 AM, on 8/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8080;gopher=localhost:8080;http=localhost:8080;https=localhost:8080;socks=localhost:1080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [ProxyCap] C:\PROGRA~1\PROXYL~1\ProxyCap\proxycap.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} (SupportSoft External Control) - https://actsvr.comcastonline.com/techtools/...%20Controls.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\sp_clamsrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7489 bytes

#14 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:03:50 PM

Posted 23 August 2008 - 07:15 AM

How is the computer running ?

Go to Start > Control Panel > Add or Remove Programs.

Remove the following programs, if they are present.Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.Please remove them:

J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ SE Runtime Environment 6 Update 1

I highly suggest that you remove the P2P programs from your computer, even when a program like this is not infected itself, it will still bring malware into your system because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware. I recommend that you remove this program from your system:

BitLord 1.1
If you are unsure of how to use Add or Remove Programs, the please see this tutorial:
How To Remove An Installed Program From Your Computer

Please run the F-Secure Online Scanner
Note: This Scanner is for Internet Explorer Only!
Follow the Instruction here for installation.
Accept the License Agreement.
Once the ActiveX installs,Click Full System Scan
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and Copy&Paste the entire report in your next reply, include new HijackThis report as well.

Regards
SNOWHITE
Posted Image

#15 EscapeV

EscapeV
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:10:50 AM

Posted 23 August 2008 - 02:42 PM

Scanning Report
Saturday, August 23, 2008 12:00:53 - 15:22:53

Computer name: MAYFAIR
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\
Result: 8 malware found
AdWare.Win32.BetterInternet (spyware)

* System

RiskTool.Win32.Reboot (spyware)

* System

TrackingCookie.2o7 (spyware)

* System

TrackingCookie.Questionmarket (spyware)

* System

Trojan-Clicker.HTML.IFrame (virus)

* System

Trojan-Clicker.HTML.IFrame.dn (virus)

* C:\PROGRAM FILES\INTERNET EXPLORER\PROPRYHDE.HTML

Trojan.Win32.Delf.czb (virus)

* C:\PROGRAM FILES\BITLORD\DOWNLOADS\AVG INTERNET SECURITY V8.0.93+CRACK+SERIAL-HEARTBUG\CRACK\CRACK.EXE (Renamed)

Trojan.Win32.Zapchast.kt (virus)

* C:\PROGRAM FILES\PROXY LABS\PROXYCAP\SPINSTWI.DLL (Renamed & Submitted)

Statistics
Scanned:

* Files: 53510
* System: 5219
* Not scanned: 8

Actions:

* Disinfected: 0
* Renamed: 2
* Deleted: 0
* None: 6
* Submitted: 1

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{62B8A399-99C9-46C7-B688-7B763CDFEBB9}.BIN

Options
Scanning engines:

* F-Secure USS: 2.30.0
* F-Secure Hydra: 2.8.8110, 2008-08-23
* F-Secure AVP: 7.0.171, 2008-08-22
* F-Secure Pegasus: 1.20.0, 2008-04-14
* F-Secure Blacklight: 1.0.68

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users