
Vaspus Virus - No Welcome/homepage Screen


  • This topic is locked
17 replies to this topic

#1 endemic15

endemic15

  • Members
  • 42 posts

Posted 02 August 2008 - 03:00 PM

The vaspus name came up in my NOD32 scan. I am not sure if this virus comes w/ other trojans and malware. It looks like it does.
My home page / welcome screen is blank. I was able to get on IE through task manager.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:57:11 PM, on 8/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BM5f8097c2] Rundll32.exe "C:\WINDOWS\system32\waoisakw.dll",s
O4 - HKLM\..\Run: [5cb3a45e] rundll32.exe "C:\WINDOWS\system32\cstnplgt.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [s9201] "C:\Documents and Settings\All Users\Application Data\SecuriSoft SARL\WinSpywareProtect\wspwprtct.exe" /autorun
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://nyc-pxy02.insidemedia.net/whalecom0...m0/iNotes6W.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5BDBA960-6534-11D3-97C7-00500422B550} (LotusDRSControl Class) - https://nyc-pxy02.insidemedia.net/whalecom0.../dolcontrol.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188731753609
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15029/CTPID.cab
O20 - AppInit_DLLs: xknsnt.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7160 bytes

Edited by endemic15, 02 August 2008 - 03:33 PM.



#2 endemic15

endemic15
  • Topic Starter

  • Members
  • 42 posts

Posted 02 August 2008 - 06:17 PM

Ok. I got my desktop back. I ran combofix in recovery mode.

Here's the latest hijack file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:16:56 PM, on 8/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://nyc-pxy02.insidemedia.net/whalecom0...m0/iNotes6W.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5BDBA960-6534-11D3-97C7-00500422B550} (LotusDRSControl Class) - https://nyc-pxy02.insidemedia.net/whalecom0.../dolcontrol.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188731753609
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15029/CTPID.cab
O20 - AppInit_DLLs: xknsnt.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7081 bytes
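The two logs in posts #1 and #2 differ in exactly the entries ComboFix removed, while the O20 AppInit_DLLs line is still present afterwards. As an added example (mine, not code from the thread or from HijackThis), the Python script below parses both logs, diffs them section by section and flags persisted entries an analyst would want to verify on disk before calling the machine clean. The log excerpts are copied from the two posts above; the hex-name and rundll32 heuristics are my own assumptions and mark entries for review, not verdicts.

```python
import re

# Excerpts copied from the HijackThis logs in posts #1 and #2 above: the first
# scan, then the scan taken after ComboFix. Only the lines needed to show the
# diff are kept; complete logs parse the same way.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [BM5f8097c2] Rundll32.exe "C:\WINDOWS\system32\waoisakw.dll",s
O4 - HKLM\..\Run: [5cb3a45e] rundll32.exe "C:\WINDOWS\system32\cstnplgt.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [s9201] "C:\Documents and Settings\All Users\Application Data\SecuriSoft SARL\WinSpywareProtect\wspwprtct.exe" /autorun
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O20 - AppInit_DLLs: xknsnt.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

LOG_AFTER = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O20 - AppInit_DLLs: xknsnt.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# "O4 - body", "R1 - body", ...: HijackThis prefixes every entry with a section code.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O4 body layout: HKLM\..\Run: [value name] command line
RUN_RE = re.compile(r"^HK(?P<hive>LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Heuristic of my own (not a HijackThis rule): a Run value name that is eight hex
# digits, optionally behind a two-letter prefix, rather than a product name.
HEXNAME_RE = re.compile(r"^[A-Za-z]{0,2}[0-9a-f]{8}$")


def parse(log_text):
    """Map each section code to the set of entry bodies found under it."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.setdefault(m["section"], set()).add(m["body"])
    return entries


def flags_for(section, body):
    """Reasons an analyst would want to verify this entry; empty list means none."""
    reasons = []
    if section == "O20":
        # AppInit_DLLs is loaded into every process that links user32.dll, so any
        # value here should be checked against the file on disk and its signer.
        reasons.append("AppInit_DLLs entry")
    if section == "O4":
        m = RUN_RE.match(body)
        if m:
            if HEXNAME_RE.match(m["name"]):
                reasons.append("hex-like Run value name")
            if re.match(r'^"?rundll32\.exe', m["cmd"], re.IGNORECASE) and "system32" in m["cmd"].lower():
                reasons.append("rundll32 loading a system32 DLL")
    if body.endswith("(file missing)"):
        reasons.append("referenced file missing")
    return reasons


def triage(before_text, after_text):
    """Diff two logs: what disappeared, what appeared, and what stayed but is flagged."""
    before, after = parse(before_text), parse(after_text)
    report = {"removed": [], "added": [], "persisted_flagged": []}
    for sec in sorted(set(before) | set(after)):
        b, a = before.get(sec, set()), after.get(sec, set())
        report["removed"] += [f"{sec} - {x}" for x in sorted(b - a)]
        report["added"] += [f"{sec} - {x}" for x in sorted(a - b)]
        for body in sorted(a & b):
            reasons = flags_for(sec, body)
            if reasons:
                report["persisted_flagged"].append((f"{sec} - {body}", reasons))
    return report


if __name__ == "__main__":
    rep = triage(LOG_BEFORE, LOG_AFTER)
    for key in ("removed", "added"):
        print(f"== {key} between scans ==")
        for entry in rep[key]:
            print("  ", entry)
    print("== still present and flagged for review ==")
    for entry, why in rep["persisted_flagged"]:
        print("  ", entry, "->", ", ".join(why))
```

Running `triage(log, log)` on a single log lists every flagged entry in it, which is the quickest way to read a fresh HijackThis paste.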

#3 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 10 August 2008 - 11:20 PM

Hello and welcome to BC

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. We aim to provide the valuable service known to come from BC to every member we can, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using it.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run, as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue, as the scan is not harmful.


If you already performed the steps above, we still need to see the current state of the machine; a fresh scan and logs are still necessary.

  • Click on Start, then click on Run.
  • Copy and paste the following (in bold) into the open window and then click OK:
    "%userprofile%\desktop\dss.exe" /config
  • This will open up the DSS configuration.
  • Click on Check All.
  • Click Scan.
  • DSS will now run again. When it has finished, please post back both logs that open in Notepad (main.txt and extra.txt).



Next
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post back with the DSS reports (main.txt and extra.txt) and the Kaspersky report.

Regards
SNOWHITE

#4 endemic15

endemic15
  • Topic Starter

  • Members
  • 42 posts

Posted 11 August 2008 - 11:24 AM

Excellent. Thanks for the help.

I ran DSS and it only gave me the main.txt file. The extra.txt was not minimized or in the System Scanner folder. Also, Kaspersky kept crashing and/or hanging during the update phase.

Deckard's System Scanner v20071014.68
Run by qw on 2008-07-11 12:21:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 7.29 GiB (less than 15%) free.


-- HijackThis (run as qw.exe) --------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:21:37 PM, on 7/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\qw\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\qw.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://nyc-pxy02.insidemedia.net/whalecom0...m0/iNotes6W.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5BDBA960-6534-11D3-97C7-00500422B550} (LotusDRSControl Class) - https://nyc-pxy02.insidemedia.net/whalecom0.../dolcontrol.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188731753609
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15029/CTPID.cab
O20 - AppInit_DLLs: xknsnt.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7086 bytes

-- Files created between 2008-06-11 and 2008-07-11 -----------------------------

2008-08-06 10:56:31 110592 --a------ C:\WINDOWS\system32\JkDefragScreenSaver.scr <Not Verified; J.C. Kessels; JkDefrag>
2008-08-06 10:56:31 245760 --a------ C:\WINDOWS\system32\JkDefragScreenSaver.exe <Not Verified; J.C. Kessels; JkDefrag>
2008-08-06 10:56:30 0 d-------- C:\Program Files\JkDefrag
2008-08-05 23:07:09 0 d-------- C:\Documents and Settings\qw\Application Data\Auslogics
2008-08-05 23:07:04 0 d-------- C:\Program Files\Auslogics
2008-08-02 20:50:36 0 d-------- C:\Documents and Settings\qw\Application Data\Malwarebytes
2008-08-02 20:50:33 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-02 20:50:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-02 18:52:19 68096 --a------ C:\WINDOWS\zip.exe
2008-08-02 18:52:19 49152 --a------ C:\WINDOWS\VFind.exe
2008-08-02 18:52:19 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-02 18:52:19 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-02 18:52:19 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-02 18:52:19 98816 --a------ C:\WINDOWS\sed.exe
2008-08-02 18:52:19 80412 --a------ C:\WINDOWS\grep.exe
2008-08-02 18:52:19 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-08-02 18:45:11 0 dr-hs---- C:\cmdcons
2008-08-02 18:44:59 0 d-------- C:\WINDOWS\setupupd
2008-08-02 18:41:27 0 d-------- C:\WINDOWS\setup.pss
2008-08-02 14:13:33 0 d-------- C:\Program Files\Panda Security
2008-08-01 12:43:33 0 d-------- C:\Program Files\iPod
2008-07-25 21:05:15 0 d-------- C:\Documents and Settings\qw\Application Data\DivX
2008-07-25 21:04:46 0 d-------- C:\Program Files\DivX
2008-07-13 12:00:39 0 d-------- C:\Program Files\Absolute Video to Audio Converter
2008-07-11 22:32:20 0 d-------- C:\Program Files\iTunes
2008-07-09 23:03:52 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-07-07 23:11:51 0 d-------- C:\Program Files\t@b
2008-07-07 14:45:05 0 d-------- C:\WINDOWS\system32\windows media
2008-07-07 14:44:58 0 d--h----- C:\WINDOWS\msdownld.tmp
2008-07-07 14:11:40 0 d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-07-07 14:11:37 0 d-------- C:\Program Files\NCH Swift Sound
2008-07-07 14:11:37 0 d-------- C:\Documents and Settings\qw\Application Data\NCH Swift Sound
2008-07-07 14:11:32 0 d-------- C:\Documents and Settings\All Users\Application Data\NCH Software
2008-07-07 14:10:43 0 d-------- C:\Program Files\NCH Software
2008-07-07 13:41:27 0 d-------- C:\Documents and Settings\qw\Application Data\AVSMedia
2008-07-07 13:39:18 413760 --a------ C:\WINDOWS\system32\mpg4c32.dll <Not Verified; Microsoft Corporation; Microsoft MPEG-4 Video Codec>
2008-07-07 13:39:18 261632 --a------ C:\WINDOWS\system32\mcdvd_32.dll <Not Verified; MainConcept; MainConcept DV Codec "2.0.4>
2008-07-07 13:39:17 0 d-------- C:\Program Files\Common Files\AVSMedia
2008-07-07 13:39:16 0 d-------- C:\Program Files\AVSMedia
2008-07-07 13:22:23 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-07 10:39:13 0 d-------- C:\Program Files\QuickTime
2008-07-07 10:34:55 0 d-------- C:\WINDOWS\system32\Adobe
2008-06-29 22:46:45 0 d-------- C:\Program Files\MusicBrainz Tagger
2008-06-17 08:50:03 0 d--hs---- C:\WINDOWS\ftpcache
2008-06-17 08:47:37 0 d-------- C:\temp
2008-06-17 08:44:03 0 d-------- C:\Program Files\Samsung
2008-06-17 08:43:17 528384 --a------ C:\WINDOWS\system32\VZWDownManager.exe <Not Verified; Verizon; VZWDownManager Application>
2008-06-17 08:43:17 49152 --a------ C:\WINDOWS\system32\VZWDLManager.dll <Not Verified; ; VZWDLManager Module>
2008-06-17 08:42:49 0 d-------- C:\Program Files\Verizon Wireless


-- Find3M Report ---------------------------------------------------------------

2008-08-08 02:08:04 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-08-08 00:38:19 0 d-------- C:\Program Files\Soulseek
2008-08-03 12:31:12 0 d-------- C:\Program Files\Java
2008-08-02 18:55:31 0 d-------- C:\Program Files\Common Files
2008-08-02 14:19:48 0 d-------- C:\Documents and Settings\qw\Application Data\Digidesign
2008-07-13 17:09:16 0 d-------- C:\Program Files\Magic Video Converter
2008-07-13 12:03:33 0 d-------- C:\Program Files\Absolute Video Converter
2008-07-07 10:35:31 0 d-------- C:\Documents and Settings\qw\Application Data\Adobe
2008-06-04 21:46:25 0 d-------- C:\Program Files\Replay AV 8
2008-05-27 22:41:25 287 --a------ C:\Documents and Settings\qw\Application Data\iPod Access v4 Prefs
2008-05-16 19:17:13 0 d-------- C:\Program Files\Replay Media Catcher
2008-05-09 23:22:55 2560 --a------ C:\WINDOWS\system32\bitcometres.dll <Not Verified; BitComet; BitComet BCTP Helper>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ptipbmf"="ptipbmf.dll" [06/20/2003 12:06 AM C:\WINDOWS\system32\ptipbmf.dll]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [09/01/2007 10:58 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [04/25/2008 12:51 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [05/27/2008 10:50 AM]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [07/10/2008 09:47 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/30/2008 10:47 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]
"RegistryMechanic"="C:\Program Files\Registry Mechanic\RegMech.exe" [07/08/2008 04:41 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=xknsnt.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Getting Started with MacDrive 5.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Getting Started with MacDrive 5.lnk
backup=C:\WINDOWS\pss\Getting Started with MacDrive 5.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VIA RAID TOOL.lnk
backup=C:\WINDOWS\pss\VIA RAID TOOL.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^qw^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\qw\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^qw^Start Menu^Programs^Startup^MEMonitor.lnk]
path=C:\Documents and Settings\qw\Start Menu\Programs\Startup\MEMonitor.lnk
backup=C:\WINDOWS\pss\MEMonitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
"C:\Program Files\BitComet\BitComet.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mediafour Mac Volume Notifications]
"C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SoundMAX Agent Service (default)"=2 (0x2)
"rpcapd"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"Diskeeper"=2 (0x2)
"DigiRefresh"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"Capture Device Service"=2 (0x2)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Adobe LM Service"=3 (0x3)




-- End of Deckard's System Scanner: finished at 2008-07-11 12:21:54 ------------

#5 endemic15

endemic15
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  • Local time:01:44 AM

Posted 12 August 2008 - 02:49 PM

I was able to get Kaspersky to work. Here's both now.

Deckard's System Scanner v20071014.68
Run by qw on 2008-07-11 12:21:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 7.29 GiB (less than 15%) free.


-- HijackThis (run as qw.exe) --------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:21:37 PM, on 7/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\qw\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\qw.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://nyc-pxy02.insidemedia.net/whalecom0...m0/iNotes6W.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5BDBA960-6534-11D3-97C7-00500422B550} (LotusDRSControl Class) - https://nyc-pxy02.insidemedia.net/whalecom0.../dolcontrol.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188731753609
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15029/CTPID.cab
O20 - AppInit_DLLs: xknsnt.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7086 bytes

-- Files created between 2008-06-11 and 2008-07-11 -----------------------------

2008-08-06 10:56:31 110592 --a------ C:\WINDOWS\system32\JkDefragScreenSaver.scr <Not Verified; J.C. Kessels; JkDefrag>
2008-08-06 10:56:31 245760 --a------ C:\WINDOWS\system32\JkDefragScreenSaver.exe <Not Verified; J.C. Kessels; JkDefrag>
2008-08-06 10:56:30 0 d-------- C:\Program Files\JkDefrag
2008-08-05 23:07:09 0 d-------- C:\Documents and Settings\qw\Application Data\Auslogics
2008-08-05 23:07:04 0 d-------- C:\Program Files\Auslogics
2008-08-02 20:50:36 0 d-------- C:\Documents and Settings\qw\Application Data\Malwarebytes
2008-08-02 20:50:33 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-02 20:50:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-02 18:52:19 68096 --a------ C:\WINDOWS\zip.exe
2008-08-02 18:52:19 49152 --a------ C:\WINDOWS\VFind.exe
2008-08-02 18:52:19 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-02 18:52:19 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-02 18:52:19 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-02 18:52:19 98816 --a------ C:\WINDOWS\sed.exe
2008-08-02 18:52:19 80412 --a------ C:\WINDOWS\grep.exe
2008-08-02 18:52:19 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-08-02 18:45:11 0 dr-hs---- C:\cmdcons
2008-08-02 18:44:59 0 d-------- C:\WINDOWS\setupupd
2008-08-02 18:41:27 0 d-------- C:\WINDOWS\setup.pss
2008-08-02 14:13:33 0 d-------- C:\Program Files\Panda Security
2008-08-01 12:43:33 0 d-------- C:\Program Files\iPod
2008-07-25 21:05:15 0 d-------- C:\Documents and Settings\qw\Application Data\DivX
2008-07-25 21:04:46 0 d-------- C:\Program Files\DivX
2008-07-13 12:00:39 0 d-------- C:\Program Files\Absolute Video to Audio Converter
2008-07-11 22:32:20 0 d-------- C:\Program Files\iTunes
2008-07-09 23:03:52 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-07-07 23:11:51 0 d-------- C:\Program Files\t@b
2008-07-07 14:45:05 0 d-------- C:\WINDOWS\system32\windows media
2008-07-07 14:44:58 0 d--h----- C:\WINDOWS\msdownld.tmp
2008-07-07 14:11:40 0 d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-07-07 14:11:37 0 d-------- C:\Program Files\NCH Swift Sound
2008-07-07 14:11:37 0 d-------- C:\Documents and Settings\qw\Application Data\NCH Swift Sound
2008-07-07 14:11:32 0 d-------- C:\Documents and Settings\All Users\Application Data\NCH Software
2008-07-07 14:10:43 0 d-------- C:\Program Files\NCH Software
2008-07-07 13:41:27 0 d-------- C:\Documents and Settings\qw\Application Data\AVSMedia
2008-07-07 13:39:18 413760 --a------ C:\WINDOWS\system32\mpg4c32.dll <Not Verified; Microsoft Corporation; Microsoft MPEG-4 Video Codec>
2008-07-07 13:39:18 261632 --a------ C:\WINDOWS\system32\mcdvd_32.dll <Not Verified; MainConcept; MainConcept DV Codec "2.0.4>
2008-07-07 13:39:17 0 d-------- C:\Program Files\Common Files\AVSMedia
2008-07-07 13:39:16 0 d-------- C:\Program Files\AVSMedia
2008-07-07 13:22:23 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-07 10:39:13 0 d-------- C:\Program Files\QuickTime
2008-07-07 10:34:55 0 d-------- C:\WINDOWS\system32\Adobe
2008-06-29 22:46:45 0 d-------- C:\Program Files\MusicBrainz Tagger
2008-06-17 08:50:03 0 d--hs---- C:\WINDOWS\ftpcache
2008-06-17 08:47:37 0 d-------- C:\temp
2008-06-17 08:44:03 0 d-------- C:\Program Files\Samsung
2008-06-17 08:43:17 528384 --a------ C:\WINDOWS\system32\VZWDownManager.exe <Not Verified; Verizon; VZWDownManager Application>
2008-06-17 08:43:17 49152 --a------ C:\WINDOWS\system32\VZWDLManager.dll <Not Verified; ; VZWDLManager Module>
2008-06-17 08:42:49 0 d-------- C:\Program Files\Verizon Wireless


-- Find3M Report ---------------------------------------------------------------

2008-08-08 02:08:04 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-08-08 00:38:19 0 d-------- C:\Program Files\Soulseek
2008-08-03 12:31:12 0 d-------- C:\Program Files\Java
2008-08-02 18:55:31 0 d-------- C:\Program Files\Common Files
2008-08-02 14:19:48 0 d-------- C:\Documents and Settings\qw\Application Data\Digidesign
2008-07-13 17:09:16 0 d-------- C:\Program Files\Magic Video Converter
2008-07-13 12:03:33 0 d-------- C:\Program Files\Absolute Video Converter
2008-07-07 10:35:31 0 d-------- C:\Documents and Settings\qw\Application Data\Adobe
2008-06-04 21:46:25 0 d-------- C:\Program Files\Replay AV 8
2008-05-27 22:41:25 287 --a------ C:\Documents and Settings\qw\Application Data\iPod Access v4 Prefs
2008-05-16 19:17:13 0 d-------- C:\Program Files\Replay Media Catcher
2008-05-09 23:22:55 2560 --a------ C:\WINDOWS\system32\bitcometres.dll <Not Verified; BitComet; BitComet BCTP Helper>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ptipbmf"="ptipbmf.dll" [06/20/2003 12:06 AM C:\WINDOWS\system32\ptipbmf.dll]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [09/01/2007 10:58 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [04/25/2008 12:51 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [05/27/2008 10:50 AM]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [07/10/2008 09:47 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/30/2008 10:47 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]
"RegistryMechanic"="C:\Program Files\Registry Mechanic\RegMech.exe" [07/08/2008 04:41 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=xknsnt.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Getting Started with MacDrive 5.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Getting Started with MacDrive 5.lnk
backup=C:\WINDOWS\pss\Getting Started with MacDrive 5.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VIA RAID TOOL.lnk
backup=C:\WINDOWS\pss\VIA RAID TOOL.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^qw^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\qw\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^qw^Start Menu^Programs^Startup^MEMonitor.lnk]
path=C:\Documents and Settings\qw\Start Menu\Programs\Startup\MEMonitor.lnk
backup=C:\WINDOWS\pss\MEMonitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
"C:\Program Files\BitComet\BitComet.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mediafour Mac Volume Notifications]
"C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SoundMAX Agent Service (default)"=2 (0x2)
"rpcapd"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"Diskeeper"=2 (0x2)
"DigiRefresh"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"Capture Device Service"=2 (0x2)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Adobe LM Service"=3 (0x3)




-- End of Deckard's System Scanner: finished at 2008-07-11 12:21:54 ------------



KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, August 12, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, August 12, 2008 18:10:29
Records in database: 1086451


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\
G:\

Scan statistics
Files scanned 132814
Threat name 6
Infected objects 12
Suspicious objects 0
Duration of the scan 02:00:13

File name Threat name Threats count
C:\Program Files\ESET\infected\HRTHJ4BA.NQF Infected: not-a-virus:AdWare.Win32.Virtumonde.qwo 1
C:\Program Files\ESET\infected\N1KXJECA.NQF Infected: Trojan.Win32.Monder.gen 1
C:\Program Files\ESET\infected\PUDJ2CBA.NQF Infected: Trojan.Win32.Monder.ai 1
C:\Program Files\ESET\infected\SOMOKFDA.NQF Infected: Trojan.Win32.Monder.ai 1
C:\Program Files\ESET\infected\ZKBDSRBA.NQF Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\udkyrbod.dll.vir Infected: Trojan.Win32.Monder.ck 1
C:\QooBox\Quarantine\catchme2008-03-04_ 91350.43.zip Infected: Trojan.Win32.Monder.gen 1
C:\VundoFix Backups\bmtifplu.dll.bad Infected: Trojan.Win32.Monder.ck 1
C:\VundoFix Backups\ddccd.dll.bad Infected: Trojan.Win32.Monder.gen 1
C:\VundoFix Backups\jjrewkbj.dll.bad Infected: Trojan.Win32.Monder.ao 1
C:\VundoFix Backups\ompggjnu.dll.bad Infected: Trojan.Win32.Monder.bh 1
C:\VundoFix Backups\vlpbbtvv.dll.bad Infected: Trojan.Win32.Monder.gen 1

The selected area was scanned.

#6 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:06:44 AM

Posted 14 August 2008 - 01:11 AM

Hello endemic15,

Let's proceed with ComboFix.exe. Please visit this webpage for download links and instructions for running the tool:
If you already have ComboFix.exe, please remove it before proceeding with the next steps; this is a newer version of the file that I need you to download.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

SNOWHITE

#7 endemic15

endemic15
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  • Local time:01:44 AM

Posted 14 August 2008 - 10:28 AM

Here ya go.

ComboFix 08-08-13.05 - qw 2008-08-14 11:21:11.10 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.704 [GMT -7:00]
Running from: C:\Documents and Settings\qw\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\qw\Application Data\macromedia\Flash Player\#SharedObjects\CD9ZANMG\interclick.com
C:\Documents and Settings\qw\Application Data\macromedia\Flash Player\#SharedObjects\CD9ZANMG\interclick.com\ud.sol
C:\Documents and Settings\qw\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\qw\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\qw\Cookies.\qw@myspace[1].txt

.
((((((((((((((((((((((((( Files Created from 2008-07-14 to 2008-08-14 )))))))))))))))))))))))))))))))
.

2008-08-12 15:05 . 2007-09-27 01:21 536,576 --a------ C:\WINDOWS\ndolres.dll
2008-08-12 15:05 . 2007-09-27 01:21 258,048 --a------ C:\WINDOWS\doluninst.exe
2008-08-06 10:56 . 2008-08-06 14:36 <DIR> d-------- C:\Program Files\JkDefrag
2008-08-06 10:56 . 2008-02-01 09:50 245,760 --a------ C:\WINDOWS\system32\JkDefragScreenSaver.exe
2008-08-06 10:56 . 2006-11-01 13:06 166,712 --a------ C:\WINDOWS\system32\sdelete.exe
2008-08-06 10:56 . 2007-03-19 15:20 124,288 --a------ C:\WINDOWS\system32\Contig.exe
2008-08-06 10:56 . 2008-02-01 09:50 110,592 --a------ C:\WINDOWS\system32\JkDefragScreenSaver.scr
2008-08-05 23:07 . 2008-08-05 23:07 <DIR> d-------- C:\Program Files\Auslogics
2008-08-05 23:07 . 2008-08-05 23:07 <DIR> d-------- C:\Documents and Settings\qw\Application Data\Auslogics
2008-08-02 20:50 . 2008-08-02 20:50 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-02 20:50 . 2008-08-02 20:50 <DIR> d-------- C:\Documents and Settings\qw\Application Data\Malwarebytes
2008-08-02 20:50 . 2008-08-02 20:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-02 20:50 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-02 20:50 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-02 14:26 . 2008-08-02 14:26 26,390,696 --a------ C:\WINDOWS\system32\Diskeeper2008-ProPremier.exe
2008-08-02 14:14 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-02 14:13 . 2008-08-02 14:13 <DIR> d-------- C:\Program Files\Panda Security
2008-08-01 12:43 . 2008-08-01 12:43 <DIR> d-------- C:\Program Files\iPod
2008-07-25 21:05 . 2008-07-25 21:05 <DIR> d-------- C:\Documents and Settings\qw\Application Data\DivX
2008-07-25 21:04 . 2008-07-27 02:45 <DIR> d-------- C:\Program Files\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-13 21:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-12 04:19 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-08 07:38 --------- d-----w C:\Program Files\Soulseek
2008-08-03 19:31 --------- d-----w C:\Program Files\Java
2008-08-02 21:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-08-02 21:19 --------- d-----w C:\Documents and Settings\qw\Application Data\Digidesign
2008-08-01 19:43 --------- d-----w C:\Program Files\iTunes
2008-07-14 00:09 --------- d-----w C:\Program Files\Magic Video Converter
2008-07-13 19:03 --------- d-----w C:\Program Files\Absolute Video Converter
2008-07-13 19:00 --------- d-----w C:\Program Files\Absolute Video to Audio Converter
2008-07-10 16:35 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-07-08 06:54 --------- d-----w C:\Program Files\CleanUp!
2008-07-08 06:11 --------- d-----w C:\Program Files\t@b
2008-07-07 23:25 --------- d-----w C:\Program Files\NCH Software
2008-07-07 23:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Software
2008-07-07 21:13 --------- d-----w C:\Program Files\NCH Swift Sound
2008-07-07 21:13 --------- d-----w C:\Documents and Settings\qw\Application Data\NCH Swift Sound
2008-07-07 21:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-07-07 20:41 --------- d-----w C:\Documents and Settings\qw\Application Data\AVSMedia
2008-07-07 20:40 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-07-07 20:39 --------- d-----w C:\Program Files\AVSMedia
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 17:39 --------- d-----w C:\Program Files\QuickTime
2008-06-30 05:47 --------- d-----w C:\Program Files\MusicBrainz Tagger
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 15:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-18 17:52 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-06-17 15:44 --------- d-----w C:\Program Files\Samsung
2008-06-17 15:42 --------- d-----w C:\Program Files\Verizon Wireless
2005-12-20 08:56 13,164 -c--a-w C:\Program Files\INSTALL.LOG
2003-08-25 04:05 339,944 -c--a-w C:\Program Files\UNWISE.EXE
2007-03-09 07:12 27,648 -csha-w C:\WINDOWS\system32\AVSredirect.dll
2007-06-27 02:08 286,752 -csha-w C:\WINDOWS\system32\drivers\fidbox.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-09-01 22:58 949376]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-25 00:51 185896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"Ptipbmf"="ptipbmf.dll" [2003-06-20 00:06 118784 C:\WINDOWS\system32\ptipbmf.dll]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=xknsnt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.iac2"= C:\PROGRA~1\REPLAY~1\iac25_32.ax
"MIDI2"= diomidi.dll
"wave1"= Digi32.dll
"vidc.mpng"= C:\Program Files\t@b\0.958\686\tabdec.dll
"vidc.mvjp"= C:\Program Files\t@b\0.958\686\tabdec.dll
"vidc.444p"= C:\Program Files\t@b\0.958\686\tabdec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Getting Started with MacDrive 5.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Getting Started with MacDrive 5.lnk
backup=C:\WINDOWS\pss\Getting Started with MacDrive 5.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VIA RAID TOOL.lnk
backup=C:\WINDOWS\pss\VIA RAID TOOL.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^qw^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\qw\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^qw^Start Menu^Programs^Startup^MEMonitor.lnk]
path=C:\Documents and Settings\qw\Start Menu\Programs\Startup\MEMonitor.lnk
backup=C:\WINDOWS\pss\MEMonitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a--c--- 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
--a------ 2008-05-05 02:02 2334520 C:\Program Files\BitComet\BitComet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2006-02-19 02:41 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 10:47 289064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mediafour Mac Volume Notifications]
-ra--c--- 2002-12-17 15:43 61440 C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a--c--- 2004-08-29 13:23 53248 C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a--c--- 2004-08-29 13:23 131072 C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a--c--- 2001-07-09 03:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-25 00:51 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SoundMAX Agent Service (default)"=2 (0x2)
"rpcapd"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"Diskeeper"=2 (0x2)
"DigiRefresh"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"Capture Device Service"=2 (0x2)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Adobe LM Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26524:TCP"= 26524:TCP:BitComet 26524 TCP
"26524:UDP"= 26524:UDP:BitComet 26524 UDP
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification
"1647:TCP"= 1647:TCP:MioNet Storage Device Configuration
"5432:UDP"= 5432:UDP:MioNet Storage Device Discovery
"86:TCP"= 86:TCP:BroadCam Web Server

R0 DigiFilter;DigiFilter;C:\WINDOWS\system32\drivers\DigiFi~1.sys [2004-03-31 04:00]
R0 MDPMGRNT;MDPMGRNT;C:\WINDOWS\system32\drivers\MDPMGRNT.sys [2003-11-05 17:06]
R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys [2003-10-30 20:22]
R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys [2002-04-17 20:27]
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2006-11-28 22:46]
S3 dalwdmservice;dal service;C:\WINDOWS\system32\drivers\dalwdm.sys [2004-09-27 13:51]
S3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\system32\DRIVERS\KMW_KBD.sys []
S3 KMW_USB;Kensington MouseWorks USB filter driver;C:\WINDOWS\system32\DRIVERS\KMW_USB.sys [2004-01-19 16:07]
S3 MDFSYSNT;MDFSYSNT;C:\WINDOWS\system32\drivers\MDFSYSNT.sys [2003-10-07 14:38]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys []
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys []

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-08-01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Lotus iNotes Sync Manager - C:\DOCUME~1\qw\Desktop\LOTUSI~1\nDOLMgr.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R0 -: HKLM-Main,Start Page = about:blank
R1 -: HKCU-Internet Settings,ProxyOverride = 127.0.0.1; *.local
O8 -: &D&ownload &with BitComet - C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 -: &D&ownload all video with BitComet - C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 -: &D&ownload all with BitComet - C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 -: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206
O18 -: Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - C:\Program Files\CoreFTP\pftpns.dll

O16 -: {5BDBA960-6534-11D3-97C7-00500422B550} - hxxps://nyc-pxy02.insidemedia.net/whalecom0471e1d572ac8ea54bd73d924d20c21d97b00e05c45fd74bf1/whalecom0/download/dolcontrol.cab
C:\WINDOWS\Downloaded Program Files\lotusdownloader.inf
C:\WINDOWS\Downloaded Program Files\npdolctl.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-14 11:24:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Lotus iNotes Sync Manager = C:\DOCUME~1\qw\Desktop\LOTUSI~1\nDOLMgr.exe -minimize??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-14 11:25:17
ComboFix-quarantined-files.txt 2008-08-14 18:25:13
ComboFix2.txt 2008-08-03 02:05:19
ComboFix3.txt 2008-03-06 03:23:14
ComboFix4.txt 2008-03-04 17:15:55

Pre-Run: 7,167,328,256 bytes free
Post-Run: 7,613,771,776 bytes free

234 --- E O F --- 2008-08-13 21:39:55

#8 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 18 August 2008 - 04:45 AM

Hello endemic15 and sorry for the delay,

1. Go to this website: www.virustotal.com
2. Upload this file by copy/pasting (Ctrl+C/Ctrl+V) it into the file box: C:\WINDOWS\ndolres.dll
3. Submit the file and copy/paste the results back into this thread.
4. Repeat the same instructions for the next file too: C:\WINDOWS\doluninst.exe

Run HijackThis.
Click on Do a system scan only.
Place a checkmark next to these lines (if still present).

O20 - AppInit_DLLs: xknsnt.dll

Then close all windows except HijackThis and click Fix Checked.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Do you still have the "No Welcome/homepage Screen" problem?

Post back with VirusTotal reports, SUPERAntiSpyware report and fresh HijackThis report.


Regards
SNOWHITE
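The O20 line SNOWHITE asks to fix targets the AppInit_DLLs value, which Windows loads into every process that maps user32.dll, so one entry there reaches the whole session; the same ComboFix log also shows a Security Center AntiVirusOverride of 1, which silences the missing/outdated antivirus warning. As an added example (not part of SNOWHITE's instructions or any tool from the thread), the following Python parses the two log formats that appear above, ComboFix's "Reg Loading Points" dump and HijackThis O-lines, and flags the load points a responder checks first: a non-empty AppInit_DLLs, an AntiVirusOverride, and Run entries that name a module without a full path. The sample lines are copied from the logs above; the rule names and the parsing regexes are my own. A flag is a prompt to look, not a verdict: ptipbmf.dll is flagged only because its Run entry does not qualify the path, and the ComboFix line shows it resolved to system32.

```python
"""Triage autostart entries from ComboFix 'Reg Loading Points' and HijackThis logs.

Added example for the thread above. Flags the load points a responder looks at
first: AppInit_DLLs (injected into every user32-linked process), a Security
Center AntiVirusOverride, and Run entries that reference a module without a
full path (resolved through the DLL search order instead of a fixed location).
"""
import re

# Constructed sample: lines copied from the ComboFix and HijackThis logs above.
COMBOFIX_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-09-01 22:58 949376]
"Ptipbmf"="ptipbmf.dll" [2003-06-20 00:06 118784 C:\WINDOWS\system32\ptipbmf.dll]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=xknsnt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"""

HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O20 - AppInit_DLLs: xknsnt.dll
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')
HJT_RE = re.compile(r"^(?P<code>O\d+|R\d) - (?P<body>.+)$")


def parse_combofix_reg(text):
    """Yield (key, value_name, data) tuples from a REGEDIT4-style dump."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            data = m.group("value").strip()
            # ComboFix appends " [timestamp size path]"; keep only the data.
            data = re.sub(r"\s*\[.*\]$", "", data).strip('"')
            yield key, m.group("name"), data


def parse_hjt(text):
    """Yield (code, body) tuples from HijackThis 'O4 - ...' style lines."""
    for line in text.splitlines():
        m = HJT_RE.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")


def has_full_path(module):
    """True if the module is referenced by an absolute drive-letter path."""
    return re.match(r"^[A-Za-z]:\\", module) is not None


def triage_combofix(text):
    """Return (rule, detail) findings for the ComboFix registry dump."""
    findings = []
    for key, name, data in parse_combofix_reg(text):
        lk = key.lower()
        if name.lower() == "appinit_dlls" and data:
            findings.append(("appinit_dlls", data))
        elif lk.endswith("security center") and name == "AntiVirusOverride" and data.endswith("1"):
            findings.append(("av_override", name))
        elif lk.endswith("\\run") and data.lower().endswith(".dll") and not has_full_path(data):
            findings.append(("unqualified_run_module", f"{name}={data}"))
    return findings


def triage_hjt(text):
    """Return (rule, detail) findings for HijackThis O4/O20 lines."""
    findings = []
    for code, body in parse_hjt(text):
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].strip()
            if dlls:
                findings.append(("appinit_dlls", dlls))
        elif code == "O4" and "rundll32" in body.lower():
            # rundll32 takes "module,EntryPoint"; an unqualified module is
            # located via the search path, so record it for review.
            m = re.search(r"rundll32(?:\.exe)?\s+(\S+?)(?:,|\s|$)", body, re.I)
            if m and not has_full_path(m.group(1)):
                findings.append(("unqualified_run_module", m.group(1)))
    return findings


if __name__ == "__main__":
    for finding in triage_combofix(COMBOFIX_SAMPLE) + triage_hjt(HJT_SAMPLE):
        print(finding)
```

Run it as-is to see the three ComboFix findings and the two HijackThis findings; point the two triage functions at a saved log to apply the same rules to a fresh report.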

#9 endemic15

endemic15
  • Topic Starter

  • Members
  • 42 posts

Posted 18 August 2008 - 03:35 PM

Excellent. Thanks so much for this.

I have my home page screen back. It's weird VirusTotal did not pick up those 2 files.


Virustotal

File ndolres.dll received on 08.18.2008 20:51:50 (CET)

Result: 0/36 (0%)


Antivirus Version Last Update Result
AhnLab-V3 2008.8.19.0 2008.08.18 -
AntiVir 7.8.1.19 2008.08.18 -
Authentium 5.1.0.4 2008.08.18 -
Avast 4.8.1195.0 2008.08.18 -
AVG 8.0.0.161 2008.08.18 -
BitDefender 7.2 2008.08.18 -
CAT-QuickHeal 9.50 2008.08.18 -
ClamAV 0.93.1 2008.08.18 -
DrWeb 4.44.0.09170 2008.08.18 -
eSafe 7.0.17.0 2008.08.18 -
eTrust-Vet 31.6.6035 2008.08.15 -
Ewido 4.0 2008.08.18 -
F-Prot 4.4.4.56 2008.08.18 -
F-Secure 7.60.13501.0 2008.08.18 -
Fortinet 3.14.0.0 2008.08.18 -
GData 2.0.7306.1023 2008.08.18 -
Ikarus T3.1.1.34.0 2008.08.18 -
K7AntiVirus 7.10.420 2008.08.18 -
Kaspersky 7.0.0.125 2008.08.18 -
McAfee 5363 2008.08.18 -
Microsoft 1.3807 2008.08.18 -
NOD32v2 3365 2008.08.18 -
Norman 5.80.02 2008.08.18 -
Panda 9.0.0.4 2008.08.18 -
PCTools 4.4.2.0 2008.08.18 -
Prevx1 V2 2008.08.18 -
Rising 20.58.02.00 2008.08.18 -
Sophos 4.32.0 2008.08.18 -
Sunbelt 3.1.1546.1 2008.08.15 -
Symantec 10 2008.08.18 -
TheHacker 6.3.0.5.053 2008.08.18 -
TrendMicro 8.700.0.1004 2008.08.18 -
VBA32 3.12.8.3 2008.08.18 -
ViRobot 2008.8.18.1339 2008.08.18 -
VirusBuster 4.5.11.0 2008.08.18 -
Webwasher-Gateway 6.6.2 2008.08.18 -
Additional information
File size: 536576 bytes
MD5...: dc374896d57b1b9f4c135057264571d8
SHA1..: 6090b1200a2c850cc967e22d32f3c86baafa34fc
SHA256: f19caa7ea3064477a7597a9544a73ac1fc125e93a81f01fd1fbcef4c451a2ea1
SHA512: 9ac8142614890a03a91e02bd94d4ec82f6e222cf339d14b90e2f46819c43b420
b642ced422f30a747abe33676fb1de7d147bdb7b5683bb2fc99760d130d956c8
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10001000
timedatestamp.....: 0x46fb681d (Thu Sep 27 08:21:49 2007)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x29c 0x1000 1.38 2b5ea82058738870c37a9e012f2f7690
.rdata 0x2000 0x284 0x1000 0.94 967138d05c4be1578c3da1ec9c337a73
.data 0x3000 0x2c 0x1000 0.01 586326841f6d4db7c7987fcbc4ac4891
.rsrc 0x4000 0x7da58 0x7e000 4.49 ddd07f6db5a18f643803c26e5a451e0d
.reloc 0x82000 0x330 0x1000 0.29 23037ef7d9ce9a935a1117b4dfea4b0f

( 2 imports )
> MSVCR71.dll: _onexit, _adjust_fdiv, malloc, _initterm, __dllonexit, _except_handler3, free
> KERNEL32.dll: GetProcAddress, DisableThreadLibraryCalls, GetModuleHandleA

( 0 exports )

File doluninst.exe received on 08.18.2008 20:54:24 (CET)

Result: 0/36 (0%)


Antivirus Version Last Update Result
AhnLab-V3 2008.8.19.0 2008.08.18 -
AntiVir 7.8.1.19 2008.08.18 -
Authentium 5.1.0.4 2008.08.18 -
Avast 4.8.1195.0 2008.08.18 -
AVG 8.0.0.161 2008.08.18 -
BitDefender 7.2 2008.08.18 -
CAT-QuickHeal 9.50 2008.08.18 -
ClamAV 0.93.1 2008.08.18 -
DrWeb 4.44.0.09170 2008.08.18 -
eSafe 7.0.17.0 2008.08.18 -
eTrust-Vet 31.6.6035 2008.08.15 -
Ewido 4.0 2008.08.18 -
F-Prot 4.4.4.56 2008.08.18 -
F-Secure 7.60.13501.0 2008.08.18 -
Fortinet 3.14.0.0 2008.08.18 -
GData 2.0.7306.1023 2008.08.18 -
Ikarus T3.1.1.34.0 2008.08.18 -
K7AntiVirus 7.10.420 2008.08.18 -
Kaspersky 7.0.0.125 2008.08.18 -
McAfee 5363 2008.08.18 -
Microsoft 1.3807 2008.08.18 -
NOD32v2 3365 2008.08.18 -
Norman 5.80.02 2008.08.18 -
Panda 9.0.0.4 2008.08.18 -
PCTools 4.4.2.0 2008.08.18 -
Prevx1 V2 2008.08.18 -
Rising 20.58.02.00 2008.08.18 -
Sophos 4.32.0 2008.08.18 -
Sunbelt 3.1.1546.1 2008.08.15 -
Symantec 10 2008.08.18 -
TheHacker 6.3.0.5.053 2008.08.18 -
TrendMicro 8.700.0.1004 2008.08.18 -
VBA32 3.12.8.3 2008.08.18 -
ViRobot 2008.8.18.1339 2008.08.18 -
VirusBuster 4.5.11.0 2008.08.18 -
Webwasher-Gateway 6.6.2 2008.08.18 -
Additional information
File size: 258048 bytes
MD5...: ea606a57f9d36d43c39de9831a574638
SHA1..: 8303bf8ca349ee6d2d7c8a2cc5a07a9db1d56536
SHA256: 188a281c7ae827574ee5bcaa0867b4da6ecce291ff9b84869fc402fc0c61fdd0
SHA512: af82cdb65f15304877497d69f9348127dd98f915aa1857ec42c0da8170049b8d
4672e3ebea73d8ee4ad853829cea1225ea4b31d31989dc390f12d65126d2158c
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x407ac8
timedatestamp.....: 0x46fb681e (Thu Sep 27 08:21:50 2007)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x7824 0x8000 6.01 47eac983d8e49642dd708863e1833a63
.rdata 0x9000 0x1d66 0x2000 4.58 e4fba20f819dcc5df46b68531e953ccc
.data 0xb000 0x464 0x1000 0.37 c123e28b3cc64c4e00226b4e660037f5
.rsrc 0xc000 0x327f0 0x33000 3.87 8e76ba0b69dfe2a0f0740284b999ece3

( 5 imports )
> MSVCR71.dll: malloc, _callnewh, _what@exception@@UBEPBDXZ, __0exception@@QAE@ABQBD@Z, _c_exit, _exit, _XcptFilter, _ismbblead, _cexit, _acmdln, _amsg_exit, fprintf, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _except_handler3, __1type_info@@UAE@XZ, __dllonexit, _onexit, _terminate@@YAXXZ, _controlfp, _unlink, _errno, _strdup, free, _mbschr, exit, _beginthread, _endthread, fopen, fgets, strncpy, fclose, strrchr, strcat, _chdir, strcpy, memset, _strlwr, strstr, __0exception@@QAE@ABV0@@Z, __0exception@@QAE@XZ, __1exception@@UAE@XZ, _CxxThrowException, __3@YAXPAX@Z, __CxxFrameHandler, sprintf, _findfirst, _findnext, _chmod, _findclose, _rmdir, _mbslen, _mbsicmp, _mbscmp, _mbsstr, _mbsnbcpy, memmove, memchr, memcpy, strlen, __getmainargs, memcmp
> KERNEL32.dll: GetACP, GetModuleHandleA, CreateFileA, WriteFile, CreateMailslotA, GetPrivateProfileStringA, FormatMessageA, GetCommandLineA, RemoveDirectoryA, GetCurrentDirectoryA, LoadLibraryA, GetProcAddress, FreeLibrary, CreateProcessA, GetExitCodeProcess, Sleep, CloseHandle, GetStartupInfoA
> USER32.dll: UpdateWindow, CreateDialogParamA, ShowWindow, CreateWindowExA, DispatchMessageA, TranslateMessage, IsDialogMessageA, GetMessageA, RegisterClassExA, LoadCursorA, LoadIconA, SetFocus, DestroyWindow, SendMessageA, GetDlgItem, EnableWindow, SetDlgItemTextA, LoadStringA, MessageBoxA, FindWindowA, DefWindowProcA, PostQuitMessage, SetForegroundWindow
> GDI32.dll: GetStockObject
> ADVAPI32.dll: RegCloseKey, RegQueryValueExA, RegOpenKeyExA, RegDeleteValueA, RegDeleteKeyA, RegEnumKeyExA

( 0 exports )



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/18/2008 at 03:51 AM

Application Version : 4.15.1000

Core Rules Database Version : 3269
Trace Rules Database Version: 1280

Scan type : Custom Scan
Total Scan Time : 00:34:51

Memory items scanned : 358
Memory threats detected : 0
Registry items scanned : 6051
Registry threats detected : 0
File items scanned : 18280
File threats detected : 1

Adware.ClickSpring/Yazzle
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1281OINUNINSTALLER.EXE.VIR


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:34:37 PM, on 8/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1; *.local
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://nyc-pxy02.insidemedia.net/whalecom0...m0/iNotes6W.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5BDBA960-6534-11D3-97C7-00500422B550} - https://nyc-pxy02.insidemedia.net/whalecom0.../dolcontrol.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188731753609
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15029/CTPID.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7018 bytes
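A 0/36 result only says that none of those 36 engines had a signature for the file on 18 August 2008; the "Additional information" block VirusTotal printed is what a responder reads next. As an added example (not from the thread and not VirusTotal's code), the following Python parses the section table, import list and export count exactly as printed above for ndolres.dll (embedded as constructed input) and records the observations a practitioner would note. The entropy and size thresholds are my assumptions; the output describes the file's shape (a 668-byte code section, no exports, resources making up nearly all of the image) and is not a verdict on the file.

```python
"""Summarize the PE metadata VirusTotal printed for ndolres.dll above.

Added example for the thread above. A 0/36 result means no engine in that set
had a signature at scan time; the section table, imports and exports describe
what the file is shaped like, which is the next thing to read.
"""
import re

# Constructed input: the 'Additional information' block for ndolres.dll,
# copied from the VirusTotal report above.
NDOLRES_PEINFO = """
( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x29c 0x1000 1.38 2b5ea82058738870c37a9e012f2f7690
.rdata 0x2000 0x284 0x1000 0.94 967138d05c4be1578c3da1ec9c337a73
.data 0x3000 0x2c 0x1000 0.01 586326841f6d4db7c7987fcbc4ac4891
.rsrc 0x4000 0x7da58 0x7e000 4.49 ddd07f6db5a18f643803c26e5a451e0d
.reloc 0x82000 0x330 0x1000 0.29 23037ef7d9ce9a935a1117b4dfea4b0f

( 2 imports )
> MSVCR71.dll: _onexit, _adjust_fdiv, malloc, _initterm, __dllonexit, _except_handler3, free
> KERNEL32.dll: GetProcAddress, DisableThreadLibraryCalls, GetModuleHandleA

( 0 exports )
"""

SECTION_RE = re.compile(
    r"^(?P<name>\S+)\s+0x(?P<viradd>[0-9a-f]+)\s+0x(?P<virsiz>[0-9a-f]+)"
    r"\s+0x(?P<rawdsiz>[0-9a-f]+)\s+(?P<ntrpy>\d+\.\d+)\s+(?P<md5>[0-9a-f]{32})$"
)
IMPORT_RE = re.compile(r"^> (?P<dll>\S+): (?P<funcs>.+)$")
EXPORTS_RE = re.compile(r"^\( (?P<n>\d+) exports \)$", re.M)

# Assumed thresholds (mine, not VirusTotal's). Entropy is on a 0-8 bits/byte
# scale; values near 8 are the usual sign of packed or encrypted content.
PACKED_ENTROPY = 7.0
TINY_CODE_BYTES = 1024
RESOURCE_SHARE = 0.9


def parse_sections(text):
    """Return one dict per section row, sizes converted from hex."""
    rows = []
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            rows.append({
                "name": m.group("name"),
                "viradd": int(m.group("viradd"), 16),
                "virsiz": int(m.group("virsiz"), 16),
                "rawdsiz": int(m.group("rawdsiz"), 16),
                "ntrpy": float(m.group("ntrpy")),
                "md5": m.group("md5"),
            })
    return rows


def parse_imports(text):
    """Return {dll: [function, ...]} from the '> DLL: a, b' lines."""
    imports = {}
    for line in text.splitlines():
        m = IMPORT_RE.match(line.strip())
        if m:
            imports[m.group("dll")] = [f.strip() for f in m.group("funcs").split(",")]
    return imports


def parse_export_count(text):
    """Return the number from the '( N exports )' line, 0 if absent."""
    m = EXPORTS_RE.search(text)
    return int(m.group("n")) if m else 0


def summarize(text):
    """Describe the file's shape; observations are prompts, not a verdict."""
    sections = parse_sections(text)
    imports = parse_imports(text)
    exports = parse_export_count(text)
    by_name = {s["name"]: s for s in sections}
    total_raw = sum(s["rawdsiz"] for s in sections) or 1
    code_virt = by_name.get(".text", {}).get("virsiz", 0)
    rsrc_share = by_name.get(".rsrc", {}).get("rawdsiz", 0) / total_raw
    max_entropy = max((s["ntrpy"] for s in sections), default=0.0)

    observations = []
    if max_entropy >= PACKED_ENTROPY:
        observations.append("high-entropy section: possibly packed or encrypted")
    for s in sections:
        # More virtual than raw bytes means the section is filled at run time.
        if s["virsiz"] > s["rawdsiz"]:
            observations.append(f"{s['name']}: virtual size exceeds raw size")
    if exports == 0 and code_virt < TINY_CODE_BYTES and rsrc_share > RESOURCE_SHARE:
        observations.append(
            f"{code_virt} bytes of code, no exports, .rsrc is {rsrc_share:.0%} "
            "of the image: the shape of a resource-only DLL"
        )
    return {
        "sections": sections,
        "total_raw": total_raw,
        "max_entropy": max_entropy,
        "imports": imports,
        "import_count": sum(len(v) for v in imports.values()),
        "exports": exports,
        "observations": observations,
    }


if __name__ == "__main__":
    report = summarize(NDOLRES_PEINFO)
    print(f"sections={len(report['sections'])} raw={report['total_raw']} "
          f"imports={report['import_count']} exports={report['exports']}")
    for o in report["observations"]:
        print("-", o)
```

The same parser takes the doluninst.exe block above unchanged; there the larger .text and the ADVAPI32 registry-deletion imports give a different shape, and neither summary on its own says whether a file is malicious.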

#10 endemic15

endemic15
  • Topic Starter

  • Members
  • 42 posts

Posted 19 August 2008 - 01:04 PM

Just wanted to add one thing. Pages are barely loading, almost hanging now. This may be because we're still in the cleaning process. Just a heads up.

#11 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 20 August 2008 - 05:18 AM

Hello,

Please upload those two files at my channel, I would like to take a closer look at them:

Click on this link:
http://www.bleepingcomputer.com/submit-malware.php?channel=29

Copy&Paste this filepath: C:\WINDOWS\ndolres.dll
into the Browse box for uploading files, or click into it and paste the filepath at the File Name empty box, click on the Open button, then click on the Send File button.

Wait for a message like "File was successfully submitted" to show up.

Repeat the same for the following file:

C:\WINDOWS\doluninst.exe

Open HijackThis, click Config, click Misc Tools.
Click "Open Uninstall Manager".
Click "Save List" (generates uninstall_list.txt).
Click Save, copy and paste the results in your next post.
Post also a fresh HijackThis log.

Regards
SNOWHITE

#12 endemic15

endemic15
  • Topic Starter

  • Members
  • 42 posts

Posted 20 August 2008 - 12:32 PM

Just did it and sent the files.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:31:44 PM, on 8/20/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1; *.local
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://nyc-pxy02.insidemedia.net/whalecom0...m0/iNotes6W.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5BDBA960-6534-11D3-97C7-00500422B550} - https://nyc-pxy02.insidemedia.net/whalecom0.../dolcontrol.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188731753609
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15029/CTPID.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6846 bytes

Absolute MP3 Splitter version 2.5.7
Absolute Sound Recorder version 3.4.7
Absolute Video Converter 2.8.7
Absolute Video Splitter Joiner 1.7.3
Absolute Video to Audio Converter 2.8.2
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 8.1.2
Adobe Shockwave Player 11
Adobe Stock Photos 1.0
AIM 6
Aimersoft DVD Ripper(Build 1.0.16)
AmpliTube
Antares Auto-Tune 3.00 RTAS PC
Antares Autotune DX v4.12
Antares AVOX Vocal Kit Bundle RTAS v1.02
Antares Kantos v1.02 VST & RTAS
Antares Microphone Modeler DX v1.32
Antares Tube v1.02 RTAS
Apple Mobile Device Support
Apple Software Update
ASAPI Update
ASIO4ALL v2
AusLogics Disk Defrag
AVS DVDMenu Editor 1.2.1.19
AVS Video Editor 3.5
BitComet 1.01
Bomb Factory (48k Edition) v3.15
Bomb Factory PlugIns
Bonjour
Celemony Melodyne v2.5.0.6 Studio Edition
CleanUp!
Core FTP LE 2.0
Digidesign ASIO Driver
DigiDesign DINR AudioSuite v3.41.330
DigiDesign Focusrite D2 1.71.345
DigiDesign Focusrite D3 AudioSuite 1.51.345
Digidesign Maxim
Digidesign Pro Tools® LE 6.4
Digidesign Pro Tools® LE 6.7
Digidesign Shared Plug-Ins
Digidesign Soundreplacer
DVD Decrypter (Remove Only)
Elemental Audio Max Bundle
FMJSoft Chromatia Tuner v2.0
Focusrite d3
Freez FLV to MP3 Converter
FXpansion DR-008
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
GRM Tools RTAS v1.04
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Customer Participation Program 7.0
HP Imaging Device Functions 7.0
HP Photosmart Essential
HP Photosmart, Officejet and Deskjet 7.0.A
HP Software Update
HP Solution Center 7.0
InterVideo DeviceService
iTunes
iZotope Ozone v3.05
iZotope Spectron v1.02
iZotope Spectron v1.04
iZotope Trash v1.04
Java™ 6 Update 5
Java™ 6 Update 7
JkDefrag 3.34
Kaspersky Online Scanner
LADSPA_plugins-win-0.4.15
Lexicon PSP 42 VST DX v1.0
Lounge Lizard EP-2 v2.0
MacDrive 5
Magic Video Converter Trial Version (English) 8.0.2.18
Malwarebytes' Anti-Malware
Marvell Miniport Driver
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MSXML 4.0 SP2 (KB936181)
MusicBrainz Tagger 0.10.5
Musicmatch® Jukebox
Native Instruments Guitar Rig v1.2
NCH Toolbox
Nero - Burning Rom
NOD32 antivirus system
Nomad Factory Blue Tubes Bundle v2.0
Nomad Factory Liquid Bundle VST v1.6
Nomad Factory Rock Amp Legends VST v1.0
Nuendo Dolby Digital Encoder 1.01
OCR Software by I.R.I.S 7.0
OrangeVocoder v2.0-OxYGeN
PACE System Files
Panda ActiveScan
Panda ActiveScan 2.0
Pitch 'n Time AudioSuite
PowerDVD
Prism Video Converter
PSP 84 v1.0
PSP Nitro VST and DX 1.0
PSP VintageWarmer v1.5d
PSP_Audioware_Mastercomp_DX_RTAS_VST_v1.0-PLZ
quantum-fx 1.06
QuickTime
RealPlayer
Replay AV 8
Replay Converter 2.75C
Replay Media Catcher
Replay Media Catcher
ReValver
rgcAudio Pentagon I v1.21
rgcAudio Pentagon I VSTi v1.0
rgcAudio Triangle I VSTi v1.1
rpsoft 2000 Convert
SAMSUNG Mobile USB DRIVER(4.40.7.0) v1.6
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Serato Scratch Studio Edition RTAS v1.0
Serato.Pitch.n.Time.RTAS.v2.2.1
Sonalksis SV-315 Compressor Plug-in (evaluation)
Sony Inflator RTAS v1.0
SoulSeek Client 156c
SoundMAX
SPEED 1.04
SpinAudio 3DDelays 1.0
SpinAudio 3DPanner Studio 1.0
SpinAudio RoomVerb M2 2.0 Demo
SpinAudio RoomVerb M2 2.1
SpinAudio RoomVerb M2 v2.1.142
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Steinberg GRM Tools Vol.2
Steinberg GRM-Tools Volume One v1.2
Steinberg WaveLab 5.00a
SUPERAntiSpyware Free Edition
Switch
Synchro Arts VocAlign Project AudioSuite PlugIn v2.8
t@b ZS4 Video Editor v0.958-686
TC Native Bundle DX VST v2.02
TC.Works.Mercury.v1.01.VSTi.Factory.Presets.for.LAP
TC.Works.Native.Bundle.v3.0.VST.WinAll-cRime
TimeWorks Mastering EQ
Timeworks Millenium Pack
Timeworks ReverbX
Tweak UI
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
V CAST Music Manager
VIA Integrated Setup Wizard
Voxengo GlissEQ VST 2.0
Voxengo PHA-979 VST 1.1
VST to RTAS Adapter
WaveMachine Labs Drumagog VST RTAS v4.02
WavePad Uninstall
Waves 4.0
Waves Diamond Bundle v5.0
Waves IR1 v5.1
Waves L3 Multimaximizer v1.0
Waves Renaissance Collection 2
WD Diagnostics
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
WriteExpress 3,001 Business & Sales Letters

#13 SNOWHITE

    missy malware magnet

  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 23 August 2008 - 08:05 AM

Hello, how is the computer running?

Both of the files you uploaded are legit.

Go to Start > Control Panel > Add or Remove Programs.

Remove the following programs, if they are present. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

Java™ 6 Update 5

I advise against using P2P programs. Even when a program like this is not infected itself, it will still bring malware into your system, because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware. I recommend that you remove these programs from your system.

BitComet 1.01
If you are unsure of how to use Add or Remove Programs, then please see this tutorial:
How To Remove An Installed Program From Your Computer

Please run the F-Secure Online Scanner
Note: This Scanner is for Internet Explorer Only!
Follow the Instruction here for installation.
Accept the License Agreement.
Once the ActiveX installs, click Full System Scan.
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button, then copy and paste the entire report in your next reply, together with a fresh HijackThis log.

Regards
SNOWHITE

#14 endemic15

  • Topic Starter
  • Members
  • 42 posts

Posted 23 August 2008 - 04:36 PM

I did everything you wrote. Also, my NOD32 is coming up on expiration. Is there a best in class anti-spyware / anti-virus like NOD32 you recommend I subscribe to as a monitoring program?

Scanning Report
Saturday, August 23, 2008 16:00:32 - 17:34:13
Computer name: 93E9EFB3BC2845D
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\ G:\


--------------------------------------------------------------------------------

Result: 2 malware found
TrackingCookie.Atwola (spyware)
System
TrackingCookie.Revsci (spyware)
System

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 68819
System: 6840
Not scanned: 7
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 2
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.30.0
F-Secure Hydra: 2.8.8110, 2008-08-23
F-Secure AVP: 7.0.171, 2008-08-22
F-Secure Pegasus: 1.20.0, 2008-04-14
F-Secure Blacklight: 1.0.68
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

--------------------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:36:15 PM, on 8/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1; *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://nyc-pxy02.insidemedia.net/whalecom0...m0/iNotes6W.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5BDBA960-6534-11D3-97C7-00500422B550} - https://nyc-pxy02.insidemedia.net/whalecom0.../dolcontrol.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188731753609
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15029/CTPID.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6258 bytes

#15 SNOWHITE

    missy malware magnet

  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 25 August 2008 - 05:41 PM

Hello endemic15 :thumbsup:

System Drive C: has 7.29 GiB (less than 15%) free.


Try to free up some space on your C drive; less than 15% free might be the reason for your having a slow computer.

Your reports seem clean, are you still experiencing problems with the computer?

my NOD32 is coming up on expiration. Is there a best in class anti-spyware / anti-virus like NOD32 you recommend I subscribe to as a monitoring program?


I use avast! 4 home edition; it is free, and you can see the list of features here. Another antivirus that I also recommend is Antivir, which is also free and has very good detection of malware.

Let me know how the computer is running and of any remaining problems.

Regards
SNOWHITE