Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With Spysheriff Or Something Similar


  • This topic is locked This topic is locked
19 replies to this topic

#1 yampybird

yampybird

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Location:It's cold, it's wet - Oh must be Telford then!
  • Local time:07:16 AM

Posted 01 October 2006 - 10:42 AM

Hello folks

I have tried all things recommended on this site and others. It just keeps on coming back.

Each time I run a killer program it says it has deleted the files (I delete them from quarrantine too!) then next time I reboot ..... here we go again.

I have run Spybot, Ad-aware, XoftSpySE, VCOM system suite, Panda (plus the other two recommended), I have a firewall VCOM it is fully up to date. I am up to date with Windows security patches. I have tried to get into the registry but not allowed unless in safemode. I have run all the above programmes in safe mode, I have also tried the smitfraud fix, regcure, VCOM registry fixer. I have used the task manager to end processes that shouldn't be running but I'm not 100% sure what should be and what shouldn't so unless it said spysheriff, smitfraud.c, dailytoolbar etc(which nothing did) I didn't end it. I have tried editing the start menu to stop unwanted things from loading at the start, but same problem. Appart from the really obvious stuff that should be running I am unsure what is good and what is bad.

Windows installer keeps flashing up but doesn't seem to be loading anything, and doesn't hang around long enough for me to stop it. It also doesn't show up in the task manager, so dead end there. Silly as it sounds I have had one success. The desktop "wallpaper" now does not show my IP address - it used to! Each time I try to delete the wall paper "c:\yod.html" (which in hebrew means finger of god - amazing what you find out when you are trying to get rid of an irritating virus for days on end) it comes back. :thumbsup:

My desktop is flickering continually - nothing wrong with monitor. And according to the pop-up (advisory balloons) I have 23 virus infections.

I would really, REALLY appreciate some help with this, it is driving me nuts :flowers:

Here is the spybot s&d log file (where it says nothing done, that is because I saved the logfile without fixing the errors, when I do fix the errors, exactly the same one's come back next time I reboot) the hijack this log file is below that, below those are the rapport text file and the smitfiles report.

Thanks for taking the time to read this.

Kind regards
Kate

BlazeFind.Bridge: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Bridge.brdg

BlazeFind.Bridge: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{4FDBDBAD-FEFE-4C4C-9CC1-1181052AFB12}

BlazeFind.Bridge: Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9C691A33-7DDA-4C2F-BE4C-C176083F35CF}

DailyToolbar: User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1060284298-1677128483-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-59D4-4008-9058-080011001200}

DailyToolbar: User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1060284298-1677128483-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-C1EC-0345-6EC2-4D0300000000}

DailyToolbar: User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1060284298-1677128483-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-F09C-02B4-6EC2-AD0300000000}

DailyToolbar: User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1060284298-1677128483-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CEFF6CD-6F08-4E4D-BCCD-FF7415288C3B}

DailyToolbar: User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1060284298-1677128483-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7B55BB05-0B4D-44FD-81A6-B136188F5DEB}

DailyToolbar: User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1060284298-1677128483-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8333C319-0669-4893-A418-F56D9249FCA6}

DailyToolbar: User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1060284298-1677128483-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9C691A33-7DDA-4C2F-BE4C-C176083F35CF}

DailyToolbar: User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1060284298-1677128483-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E52DEDBB-D168-4BDB-B229-C48160800E81}

DailyToolbar: User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1060284298-1677128483-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FFD2825E-0785-40C5-9A41-518F53A8261F}

DailyToolbar: Application ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\AppID\{951B3138-AE8E-4676-A05A-250A5F111631}

DailyToolbar: Autorun settings (Transponder) (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Transponder

DailyToolbar: Application ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\AppID\DailyToolbar.DLL

DailyToolbar: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\DailyToolbar.IEBand

DailyToolbar: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\DailyToolbar.SysMgr

DailyToolbar: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\IEToolbar.AffiliateCtl

DailyToolbar: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{58F9B276-E1CC-458E-8159-21CBC021874B}

DailyToolbar: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{8333C319-0669-4893-A418-F56D9249FCA6}

DailyToolbar: Global settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\NIX Solutions\DailyToolbar

ABetterInternet: Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-C1EC-0345-6EC2-4D0300000000}

CashDeluxe: Web page (File, nothing done)
C:\WINDOWS\yod.htm

Smitfraud-C.: Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1060284298-1677128483-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\RunOnce\Srv32 spool service\Adware.Srv32

Smitfraud-C.: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Srv32 spool service\Adware.Srv32

Smitfraud-C.: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Software\TPS108\Adware.Srv32

Smitfraud-C.: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1060284298-1677128483-1343024091-1003\Software\Microsoft\IPCheck

Smitfraud-C.: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1060284298-1677128483-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\RunOnce\Srv32 spool service

Smitfraud-C.: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{60e2e76b-60e2e76b-60e2e76b-60e2e76b-60e2e76b}

Smitfraud-C.: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{E52DEDBB-D168-4BDB-B229-C48160800E81}

Smitfraud-C.: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{10195311-E434-47A9-ADBA-48839E3F7E4E}

Smitfraud-C.: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{A6A68CBD-6673-41B1-B997-3F83A25B45B0}

Smitfraud-C.: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{ABAFA0B4-F78D-42E5-8C31-1A441D01C1DF}

Smitfraud-C.: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{B71C7D9A-DA43-4E8B-BB98-1684AC2AF324}

Smitfraud-C.: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\DailyToolbar

Smitfraud-C.: Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3ceff6cd-6f08-4e4d-bccd-ff7415288c3b}

Smitfraud-C.: Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7b55bb05-0b4d-44fd-81a6-b136188f5deb}

Smitfraud-C.: Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e52dedbb-d168-4bdb-b229-c48160800e81}

Smitfraud-C.: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Srv32 spool service

Smitfraud-C.: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Popup.HTMLEvent.

Smitfraud-C.: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\url_relpacer.URLResolver

Admess: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\WStart.WHttpHelper

Admess: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\WStart.WHttpHelper.1

Alexa: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{F1FABE79-25FC-46de-8C5A-2C6DB9D64333}

Alexa: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{3E60160F-0ED6-4DCC-B6B6-850CDE4FD217}

Alexa: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{0BBB0424-E98E-4405-9A94-481854765C80}

Alexa: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{0F3332B5-BC98-48AF-9FAC-05FEC94EBE73}

Alexa: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{A69107CC-BEC8-4A34-B474-211B0F46A764}

Alexa: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{FA77AD79-09CF-41FB-B171-CC856F9E737F}

Alexa: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{B7B84995-8B92-46BF-94AA-FA2F3DD23B84}

Alexa: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Alexa Toolbar

Alexa: Type library (Registry key, nothing done)
HKEY_CLASSES_ROOT\TypeLib\{547AB549-4DD8-4ea0-B070-F6EA062148FF}

Alexa: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Popup.PopupKiller

Alexa: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\AlxTB.BHO

Alexa: Uninstall settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Alexa Toolbar

Alexa: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\PopMenu.Menu

Alexa: Global settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Alexa Internet

Statblaster.All files7: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{80BB7465-A638-43B5-9827-8E8FE38DFCC1}

Statblaster.All files7: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Jao.jao

Statblaster.All files7: Type library (Registry key, nothing done)
HKEY_CLASSES_ROOT\TypeLib\{C094876D-1B0E-46FA-B6A6-7FFC0F970C27}

Statblaster.All files7: Uninstall settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\bridge

VX2.b.BDS: Global settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Transponder

VX2.c: Global settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\RespondMiter

VX2.g.SiteHlpr: Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FFD2825E-0785-40C5-9A41-518F53A8261F}

SpywareSheriff.FakeAlert: Autorun settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adware.Srv32

SpywareSheriff.FakeAlert: Program file (File, nothing done)
C:\WINDOWS\system32\runsrv32.exe

SpywareSheriff.FakeAlert: Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-59D4-4008-9058-080011001200}

SpywareSheriff.FakeAlert: Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-F09C-02B4-6EC2-AD0300000000}

SpywareSheriff.FakeAlert: Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8333c319-0669-4893-a418-f56d9249fca6}

SpywareSheriff.FakeAlert: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\RespondMiter\Adware.Srv32

SpywareSheriff.FakeAlert: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Software\TPS108

SpywareSheriff.FakeAlert: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Transponder\Adware.Srv32

Common Dialogs: History (2 files) (Registry key, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Log: Activity: SchedLgU.Txt (Backup file, nothing done)
C:\WINDOWS\SchedLgU.Txt

Log: Activity: ntbtlog.txt (Backup file, nothing done)
C:\WINDOWS\ntbtlog.txt

Log: Install: setupact.log (Backup file, nothing done)
C:\WINDOWS\setupact.log

Log: Install: setupapi.log (Backup file, nothing done)
C:\WINDOWS\setupapi.log

Log: Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.log

Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiprov.log

Cookie: Cookie (31) (Cookie, nothing done)


Cache: Cache (830) (Cache, nothing done)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-10-01 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-09-29 Includes\Cookies.sbi (*)
2006-09-29 Includes\Dialer.sbi (*)
2006-09-29 Includes\Hijackers.sbi (*)
2006-09-29 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-09-29 Includes\Malware.sbi (*)
2006-09-29 Includes\PUPS.sbi (*)
2006-09-29 Includes\Revision.sbi (*)
2006-09-29 Includes\Security.sbi (*)
2006-09-29 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-09-29 Includes\Trojans.sbi (*)




Logfile of HijackThis v1.99.1
Scan saved at 15:54:01, on 01/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sumsw32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Icons\Seticon.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\TalkTalk\bin\sprtcmd.exe
C:\Program Files\XoftSpySE\xoftspy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.4156\GoogleToolbarNotifier.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Kate\Local Settings\Temporary Internet Files\Content.IE5\E1XMZIHW\stng260[1].exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [GhostSurf Reminder] "C:\Program Files\GhostSurf 2005\Privacy Control Center.exe" reminder
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\Icons\Seticon.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [XoftSpySE] C:\Program Files\XoftSpySE\xoftspy.exe -s
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.4156\GoogleToolbarNotifier.exe
O4 - Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://beckynm8s.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1132858105056
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4399CD1-C1BE-4FF9-BC48-15754910E206}: NameServer = 62.24.128.18 62.24.128.17
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe

SmitFraudFix v2.103

Scan done at 11:19:58.38, 01/10/2006
Run from C:\Documents and Settings\Kate\Desktop
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End


smitRem log file
version 3.2

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
"IE"="6.0000"
The current date is: 01/10/2006
The current time is: 11:08:22.41

Running from
C:\Documents and Settings\Kate\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Appinitdll check ........ Thank you Grinler!

dumphive.exe ©2000-2004 Markus Stephany
REGEDIT4

[Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!


checking for drsmartload2 key


drsmartload2 key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
AlfaCleaner uninstaller NOT present
SpyFalcon uninstaller NOT present
SpywareQuake uninstaller NOT present
SpywareSheriff uninstaller NOT present
Trust Cleaner uninstaller NOT present
SpyHeal uninstaller NOT present
VirusBurst uninstaller NOT present
BraveSentry uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 780 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :huh:

Edited by yampybird, 01 October 2006 - 11:00 AM.

Yampybird

You know you're getting on a bit when you have to scroll down to find your birth year on forms or when you have
to put your nose on the screen to
read things clearly

BC AdBot (Login to Remove)

 


m

#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:16 AM

Posted 02 October 2006 - 09:00 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 yampybird

yampybird
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Location:It's cold, it's wet - Oh must be Telford then!
  • Local time:07:16 AM

Posted 03 October 2006 - 02:46 AM

Hi Sam
Thanks for replying this has really been doing my head in.

Ran Combofix, log below:
Kate - 06-10-03 8:34:11.94 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Kate\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-03 to 2006-10-03 ))))))))))))))))))))))))))))))))))


2006-10-01 17:51 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-10-01 16:40 32,768 --a------ C:\WINDOWS\system32\runsrv32.exe
2006-10-01 14:49 32,768 --a------ C:\WINDOWS\ZServ.dll
2006-10-01 14:49 32,768 --a------ C:\WINDOWS\system32\wstart.dll
2006-10-01 14:49 32,768 --a------ C:\WINDOWS\system32\udpmod.dll
2006-10-01 14:49 32,768 --a------ C:\WINDOWS\system32\txfdb32.dll
2006-10-01 14:49 32,768 --a------ C:\WINDOWS\system32\runsrv32.dll
2006-10-01 14:49 32,768 --a------ C:\WINDOWS\system32\questmod.dll
2006-10-01 14:49 32,768 --a------ C:\WINDOWS\system32\jao.dll
2006-10-01 14:49 32,768 --a------ C:\WINDOWS\system32\bridge.dll
2006-10-01 14:49 32,768 --a------ C:\WINDOWS\system32\a.exe
2006-10-01 14:49 32,768 --a------ C:\WINDOWS\susp.exe
2006-10-01 14:49 32,768 --a------ C:\WINDOWS\Pynix.dll
2006-10-01 14:49 32,768 --a------ C:\WINDOWS\dlmax.dll
2006-10-01 14:49 32,768 --a------ C:\WINDOWS\BTGrab.dll
2006-10-01 14:48 32,768 --a------ C:\WINDOWS\system32\tcpservice2.exe
2006-10-01 14:48 32,768 --a------ C:\WINDOWS\system32\dailytoolbar.dll
2006-10-01 14:48 32,768 --a------ C:\WINDOWS\system32\alxres.dll
2006-10-01 14:48 32,768 --a------ C:\WINDOWS\alxtb1.dll
2006-10-01 14:48 32,768 --a------ C:\WINDOWS\alxie328.dll
2006-10-01 14:48 32,768 --a------ C:\WINDOWS\alexaie.dll
2006-09-20 10:53 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2006-09-20 10:48 5,332 --a------ C:\WINDOWS\system32\vkueptvv.exe
2006-09-13 08:05 5,332 --a------ C:\WINDOWS\system32\ymdopbkb.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-02 14:37 -------- d-------- C:\Program Files\SpywareGuard
2006-10-02 13:45 -------- d-------- C:\Program Files\SpywareBlaster
2006-10-02 13:38 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-10-01 19:48 -------- dr------- C:\Program Files\Common Files\Microsoft Shared
2006-10-01 19:48 -------- dr------- C:\Program Files\Common Files
2006-10-01 19:48 -------- d-------- C:\Program Files\Microsoft Visual Studio
2006-10-01 17:51 -------- d-------- C:\Program Files\Internet Explorer
2006-10-01 15:54 -------- d-------- C:\Program Files\HijackThis
2006-10-01 15:19 -------- d-------- C:\Program Files\XoftSpySE
2006-10-01 15:19 -------- d-------- C:\Program Files\Multimedia Card Reader
2006-10-01 15:19 -------- d-------- C:\Program Files\Icons
2006-10-01 15:18 -------- d-------- C:\Program Files\Google
2006-10-01 15:18 -------- d-------- C:\Program Files\GhostSurf 2005
2006-10-01 13:14 -------- d-------- C:\Program Files\Lavasoft
2006-10-01 13:14 -------- d-------- C:\Documents and Settings\Kate\Application Data\Lavasoft
2006-10-01 10:39 -------- d-------- C:\Program Files\RegCure
2006-09-20 10:34 -------- d-------- C:\Program Files\Ubisoft
2006-09-18 15:56 -------- d-------- C:\Program Files\MSN Messenger
2006-09-15 14:57 -------- d-------- C:\Program Files\Yahoo!
2006-09-01 10:32 -------- d-------- C:\Documents and Settings\Kate\Application Data\Help
2006-08-30 14:54 -------- d-------- C:\Program Files\AdwareAlert
2006-08-30 12:04 89352 --a--c--- C:\Documents and Settings\Kate\Application Data\GDIPFONTCACHEV1.DAT
2006-08-29 21:20 8704 --a------ C:\WINDOWS\system32\bxingqps.exe
2006-08-29 21:20 40448 --a------ C:\WINDOWS\system32\sumsw32.exe
2006-08-29 18:54 7462 --a------ C:\WINDOWS\system32\fiqqfons.exe
2006-08-27 22:15 -------- d-------- C:\Program Files\iTunes
2006-08-27 22:10 -------- d-------- C:\Documents and Settings\Kate\Application Data\Apple Computer
2006-08-27 22:09 -------- d-------- C:\Program Files\QuickTime
2006-08-27 22:07 -------- d-------- C:\Program Files\Apple Software Update
2006-08-27 19:28 5332 --a------ C:\WINDOWS\system32\jxpoxufh.exe
2006-08-26 10:06 -------- d-------- C:\Documents and Settings\Kate\Application Data\Canon
2006-08-21 13:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 10:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 10:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2006-07-29 23:02 21840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
2006-07-29 23:02 17212 --a----t- C:\WINDOWS\system32\SIntf32.dll
2006-07-29 23:02 12067 --a----t- C:\WINDOWS\system32\SIntf16.dll
2006-07-29 19:32 48936 --a------ C:\WINDOWS\system32\sirenacm.dll
2006-07-28 10:03 7440 --a------ C:\WINDOWS\system32\hweewnka.exe
2006-07-27 14:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 09:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"PcSync"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.4156\\GoogleToolbarNotifier.exe"
"adware.srv32"=""
"transponder"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce\Srv32 spool service]
"Adware.Srv32"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb03.exe"
"Fix-It AV"="C:\\PROGRA~1\\VCOM\\SYSTEM~1\\MemCheck.exe"
"GhostSurf Reminder"="\"C:\\Program Files\\GhostSurf 2005\\Privacy Control Center.exe\" reminder"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"PCSuiteTrayApplication"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe -onlytray"
"DataLayer"="C:\\Program Files\\Common Files\\PCSuite\\DataLayer\\DataLayer.exe"
"Adobe Version Cue CS2"="\"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\ControlPanel\\VersionCueCS2Tray.exe\""
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Adobe Acrobat 7.0\\Distillr\\Acrotray.exe\""
"SetIcon"="C:\\Program Files\\Icons\\Seticon.exe"
"Sunkist2k"="C:\\Program Files\\Multimedia Card Reader\\shwicon2k.exe"
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"TalkTalk"="\"C:\\Program Files\\TalkTalk\\bin\\sprtcmd.exe\" /P TalkTalk"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"XoftSpySE"="C:\\Program Files\\XoftSpySE\\xoftspy.exe -s"
"Adware.Srv32"="C:\\WINDOWS\\system32\\runsrv32.exe"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"Transponder"="C:\\WINDOWS\\system32\\susp.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce\Srv32 spool service]
"Adware.Srv32"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"Mcafee Antivirus Monitoring System8"="VSStatmn8.exe"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"Mcafee Antivirus Monitoring System8"="VSStatmn8.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\adware.srv32]
"item"="adware.srv32"
"command"="C:\\WINDOWS\\system32\\XPAgent.exe"
"hkey"="HKEY"
"key"="Run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\transponder]
"item"="transponder"
"command"="C:\\WINDOWS\\system32\\XPAgent.exe"
"hkey"="HKEY"
"key"="Run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\XPAgent]
"item"="XPAgent"
"command"="C:\\WINDOWS\\system32\\XPAgent.exe"
"hkey"="HKEY"
"key"="Run"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\RegCure.job
C:\WINDOWS\tasks\XoftSpySE.job

Completion time: 03/10/2006 8:35:17.39
ComboFix.txt
Yampybird

You know you're getting on a bit when you have to scroll down to find your birth year on forms or when you have
to put your nose on the screen to
read things clearly

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:16 AM

Posted 03 October 2006 - 08:38 AM

Ok, let's see what we can do for you. :thumbsup:


Open Notepad, and copy everything in the code box below and paste it into a new notepad file. Change the "Save As Type" to "All Files". Save it as fixme.reg on your Desktop. Make sure there is NO blank line above "REGEDIT4"!

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\XPAgent]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\transponder]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\adware.srv32]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mcafee Antivirus Monitoring System8"=-

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mcafee Antivirus Monitoring System8"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce\Srv32 spool service]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adware.Srv32"=-
"Transponder"=-

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce\Srv32 spool service]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"adware.srv32"=-
"transponder"=-
Locate fixme.reg on your Desktop and double-click on it. When it asks if you want to merge with the registry, click YES.



================



Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    C:\WINDOWS\system32\runsrv32.exe
    C:\WINDOWS\ZServ.dll
    C:\WINDOWS\system32\wstart.dll
    C:\WINDOWS\system32\udpmod.dll
    C:\WINDOWS\system32\txfdb32.dll
    C:\WINDOWS\system32\runsrv32.dll
    C:\WINDOWS\system32\questmod.dll
    C:\WINDOWS\system32\jao.dll
    C:\WINDOWS\system32\bridge.dll
    C:\WINDOWS\system32\a.exe
    C:\WINDOWS\susp.exe
    C:\WINDOWS\Pynix.dll
    C:\WINDOWS\dlmax.dll
    C:\WINDOWS\BTGrab.dll
    C:\WINDOWS\system32\tcpservice2.exe
    C:\WINDOWS\system32\dailytoolbar.dll
    C:\WINDOWS\system32\alxres.dll
    C:\WINDOWS\alxtb1.dll
    C:\WINDOWS\alxie328.dll
    C:\WINDOWS\alexaie.dll
    C:\WINDOWS\system32\vkueptvv.exe
    C:\WINDOWS\system32\ymdopbkb.exe
    C:\WINDOWS\system32\hweewnka.exe
    C:\WINDOWS\system32\jxpoxufh.exe
    C:\WINDOWS\system32\bxingqps.exe
    C:\WINDOWS\system32\sumsw32.exe
    C:\WINDOWS\system32\fiqqfons.exe



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

  • After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
  • Post this log in your next reply.
==============




Download SmitfraudFix (by S!Ri) to your Desktop.
Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.


Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log.




==============


Also post a new hijackthis log.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 yampybird

yampybird
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Location:It's cold, it's wet - Oh must be Telford then!
  • Local time:07:16 AM

Posted 03 October 2006 - 09:52 AM

OK Sam
All done, here are the log files

Kill Box Log

Pocket Killbox version 2.0.0.881
Running on Windows XP as Kate(Administrator)
was started @ Tuesday, October 03, 2006, 3:32 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\runsrv32.exe


# 2 [Delete on Reboot]
Path = C:\WINDOWS\ZServ.dll


# 3 [Delete on Reboot]
Path = C:\WINDOWS\system32\wstart.dll


# 4 [Delete on Reboot]
Path = C:\WINDOWS\system32\udpmod.dll


# 5 [Delete on Reboot]
Path = C:\WINDOWS\system32\txfdb32.dll


# 6 [Delete on Reboot]
Path = C:\WINDOWS\system32\runsrv32.dll


# 7 [Delete on Reboot]
Path = C:\WINDOWS\system32\questmod.dll


# 8 [Delete on Reboot]
Path = C:\WINDOWS\system32\jao.dll


# 9 [Delete on Reboot]
Path = C:\WINDOWS\system32\bridge.dll


# 10 [Delete on Reboot]
Path = C:\WINDOWS\system32\a.exe


# 11 [Delete on Reboot]
Path = C:\WINDOWS\susp.exe


# 12 [Delete on Reboot]
Path = C:\WINDOWS\Pynix.dll


# 13 [Delete on Reboot]
Path = C:\WINDOWS\dlmax.dll


# 14 [Delete on Reboot]
Path = C:\WINDOWS\BTGrab.dll


# 15 [Delete on Reboot]
Path = C:\WINDOWS\system32\tcpservice2.exe


# 16 [Delete on Reboot]
Path = C:\WINDOWS\system32\dailytoolbar.dll


# 17 [Delete on Reboot]
Path = C:\WINDOWS\system32\alxres.dll


# 18 [Delete on Reboot]
Path = C:\WINDOWS\alxtb1.dll


# 19 [Delete on Reboot]
Path = C:\WINDOWS\alxie328.dll


# 20 [Delete on Reboot]
Path = C:\WINDOWS\alexaie.dll


# 21 [Delete on Reboot]
Path = C:\WINDOWS\system32\vkueptvv.exe


# 22 [Delete on Reboot]
Path = C:\WINDOWS\system32\ymdopbkb.exe


# 23 [Delete on Reboot]
Path = C:\WINDOWS\system32\hweewnka.exe


# 24 [Delete on Reboot]
Path = C:\WINDOWS\system32\jxpoxufh.exe


# 25 [Delete on Reboot]
Path = C:\WINDOWS\system32\bxingqps.exe


# 26 [Delete on Reboot]
Path = C:\WINDOWS\system32\sumsw32.exe


# 27 [Delete on Reboot]
Path = C:\WINDOWS\system32\fiqqfons.exe


I Rebooted @ 3:34:37 PM
Killbox Closed(Exit) @ 3:34:55 PM
__________________________________________________

Pocket Killbox version 2.0.0.881
Running on Windows XP as Kate(Administrator)
was started @ Tuesday, October 03, 2006, 3:38 PM

Rapport report
SmitFraudFix v2.103

Scan done at 15:43:09.64, 03/10/2006
Run from C:\Documents and Settings\Kate\Desktop
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\Documents and Settings\Kate


C:\Documents and Settings\Kate\Application Data


Start Menu


C:\DOCUME~1\Kate\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


pe386-msguard-lzx32


Scanning wininet.dll infection


End

Hijack this log
Logfile of HijackThis v1.99.1
Scan saved at 15:45:21, on 03/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Icons\Seticon.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\TalkTalk\bin\sprtcmd.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\Kate\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [GhostSurf Reminder] "C:\Program Files\GhostSurf 2005\Privacy Control Center.exe" reminder
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\Icons\Seticon.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [XoftSpySE] C:\Program Files\XoftSpySE\xoftspy.exe -s
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://beckynm8s.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1132858105056
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4399CD1-C1BE-4FF9-BC48-15754910E206}: NameServer = 62.24.128.17 62.24.128.18
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
Yampybird

You know you're getting on a bit when you have to scroll down to find your birth year on forms or when you have
to put your nose on the screen to
read things clearly

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:16 AM

Posted 03 October 2006 - 10:12 AM

Run Hijackthis again, click scan, and Put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe



Reboot and post a new hijackthis log.
Let me know how your computer is working now.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 yampybird

yampybird
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Location:It's cold, it's wet - Oh must be Telford then!
  • Local time:07:16 AM

Posted 03 October 2006 - 10:28 AM

Hi Sam

PC still has blue screen but haven't had any popups yet, which is very, very good. Still a lot of flickering going on

apart from that OK

Logfile of HijackThis v1.99.1
Scan saved at 16:23:27, on 03/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Icons\Seticon.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\TalkTalk\bin\sprtcmd.exe
C:\Documents and Settings\Kate\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [GhostSurf Reminder] "C:\Program Files\GhostSurf 2005\Privacy Control Center.exe" reminder
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\Icons\Seticon.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [XoftSpySE] C:\Program Files\XoftSpySE\xoftspy.exe -s
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://beckynm8s.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1132858105056
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
Yampybird

You know you're getting on a bit when you have to scroll down to find your birth year on forms or when you have
to put your nose on the screen to
read things clearly

#8 yampybird

yampybird
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Location:It's cold, it's wet - Oh must be Telford then!
  • Local time:07:16 AM

Posted 03 October 2006 - 03:14 PM

Hi Sam

I have sorted out the desktop prblem, but I am still getting problems. I keep getting Data layer problems (?) whatever they are - it keeps shutting down and I am still getting Windows installer flashing about in the background.

I have run virus checks and spyware removers on the remainder, so here is an updated hijackthis log


Logfile of HijackThis v1.99.1
Scan saved at 21:12:03, on 03/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Icons\Seticon.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\TalkTalk\bin\sprtcmd.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Kate\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [GhostSurf Reminder] "C:\Program Files\GhostSurf 2005\Privacy Control Center.exe" reminder
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\Icons\Seticon.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [XoftSpySE] C:\Program Files\XoftSpySE\xoftspy.exe -s
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\RunOnce: [MxRunner] C:\PROGRA~1\VCOM\SYSTEM~1\MxRunner.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://beckynm8s.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1132858105056
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4399CD1-C1BE-4FF9-BC48-15754910E206}: NameServer = 62.24.128.17 62.24.128.18
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
Yampybird

You know you're getting on a bit when you have to scroll down to find your birth year on forms or when you have
to put your nose on the screen to
read things clearly

#9 yampybird

yampybird
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Location:It's cold, it's wet - Oh must be Telford then!
  • Local time:07:16 AM

Posted 04 October 2006 - 01:59 AM

Hi Sam (again) :thumbsup:

I have also noticed that the task manager is missing all of its toolbars at the top, so I cannot change between the tabs or close it down without right clicking on it, it is just a window pane with no buttons at all.

Windows installer is having a party but not actually installing anything? :flowers:

IE is very slow but sped up a bit after I shut down ewido.

Thanks for reading and all your efforts

Yampybird
Yampybird

You know you're getting on a bit when you have to scroll down to find your birth year on forms or when you have
to put your nose on the screen to
read things clearly

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:16 AM

Posted 04 October 2006 - 06:21 AM

For your task manager, double click anywhere on the border and you should get the tabs back.

As far as your other issue, it sounds like you have a program that runs on startup that is improperly installed. I've got a hunch it's related to the other error that you are getting.

Run Hijackthis again, click scan, and Put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\Icons\Seticon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [MxRunner] C:\PROGRA~1\VCOM\SYSTEM~1\MxRunner.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE



Reboot your computer and let me know if you notice any difference.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 yampybird

yampybird
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Location:It's cold, it's wet - Oh must be Telford then!
  • Local time:07:16 AM

Posted 04 October 2006 - 07:42 AM

Hello Sam

Sorry for delay in reply, housework gripped me firmly by the throat and shook me until I did it! :thumbsup:

Right I have done all that, silly me not clicking the border (basic stuff) - just in panic mode I guess.

I have rebooted and windows installer is still trying to install but now the screen stays on longer, but still doesn't tell me what it's trying to install.

Yesterday I had to reinstall office coz it wouldn't recognise or open from the desktop, program list or anywhere else! It didn't give me the option to repair so I just stuck it over the top. Now I keep getting alerts from my firewall saying that ie.exe and outlook.exe have changed and do I want to allow them to access the internet I keep saying yes but I haven't changed them, I also ask it to remember my answer but (like me) it keeps forgetting (in the pc's case it isn't due to age?) The desktop is still flickering and now all the icons change to the generic .exe icon and then flash back to their correct icons a nano second later.

Any thoughts :flowers:

Kate
Yampybird

You know you're getting on a bit when you have to scroll down to find your birth year on forms or when you have
to put your nose on the screen to
read things clearly

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:16 AM

Posted 04 October 2006 - 08:12 PM

Please post a new log from Combofix.


Download and scan with the free 15 day trial of Counterspy
Save the report when it's finished:
  • Once Counterspy has done scanning,the 'Scan Results' box will appear.
  • Click on 'View Results'.
  • Under (Recommended Action),using the drop down menus at the side of each entry found,set EVERYTHING to Remove.
  • Then click on Take Action.
  • Once everything has been removed,click on View Details.
  • Copy and Paste those details into your next reply here.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 yampybird

yampybird
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Location:It's cold, it's wet - Oh must be Telford then!
  • Local time:07:16 AM

Posted 05 October 2006 - 06:14 AM

Hello Sam

I had to reinstall Publisher yesterday, but that has not made any change to windows installer. It seems to be at it's most active when I'm using Outlook and Opera - I changed browser thinking that might help, from IE to Opera, but it has made no difference.

Thanks again

Kate - 06-10-05 8:43:08.04 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Kate\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-05 to 2006-10-05 ))))))))))))))))))))))))))))))))))


2006-10-03 15:42 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-10-03 15:42 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-10-03 15:42 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-10-03 15:42 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-10-01 17:51 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-09-20 10:53 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-04 17:10 38455 --a------ C:\Documents and Settings\Kate\Application Data\Comma Separated Values (Windows).ADR
2006-10-04 16:13 -------- dr------- C:\Program Files\Common Files\Microsoft Shared
2006-10-04 15:11 -------- d-------- C:\Program Files\Opera
2006-10-04 15:07 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-04 14:59 -------- d-------- C:\Documents and Settings\Kate\Application Data\Mozilla
2006-10-04 14:12 -------- d-------- C:\Documents and Settings\Kate\Application Data\wsInspector
2006-10-04 13:29 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-10-04 10:27 -------- d-------- C:\Program Files\Startup Inspector for Windows
2006-10-03 16:59 -------- d-------- C:\Program Files\SpywareGuard
2006-10-03 13:43 -------- d-------- C:\Program Files\Google
2006-10-02 13:45 -------- d-------- C:\Program Files\SpywareBlaster
2006-10-01 19:48 -------- dr------- C:\Program Files\Common Files
2006-10-01 19:48 -------- d-------- C:\Program Files\Microsoft Visual Studio
2006-10-01 17:51 -------- d-------- C:\Program Files\Internet Explorer
2006-10-01 15:54 -------- d-------- C:\Program Files\HijackThis
2006-10-01 15:19 -------- d-------- C:\Program Files\XoftSpySE
2006-10-01 15:19 -------- d-------- C:\Program Files\Multimedia Card Reader
2006-10-01 15:19 -------- d-------- C:\Program Files\Icons
2006-10-01 15:18 -------- d-------- C:\Program Files\GhostSurf 2005
2006-10-01 13:14 -------- d-------- C:\Program Files\Lavasoft
2006-10-01 13:14 -------- d-------- C:\Documents and Settings\Kate\Application Data\Lavasoft
2006-10-01 10:39 -------- d-------- C:\Program Files\RegCure
2006-09-20 10:34 -------- d-------- C:\Program Files\Ubisoft
2006-09-18 15:56 -------- d-------- C:\Program Files\MSN Messenger
2006-09-15 14:57 -------- d-------- C:\Program Files\Yahoo!
2006-09-01 10:32 -------- d-------- C:\Documents and Settings\Kate\Application Data\Help
2006-08-30 14:54 -------- d-------- C:\Program Files\AdwareAlert
2006-08-30 12:04 89352 --a--c--- C:\Documents and Settings\Kate\Application Data\GDIPFONTCACHEV1.DAT
2006-08-27 22:15 -------- d-------- C:\Program Files\iTunes
2006-08-27 22:10 -------- d-------- C:\Documents and Settings\Kate\Application Data\Apple Computer
2006-08-27 22:09 -------- d-------- C:\Program Files\QuickTime
2006-08-27 22:07 -------- d-------- C:\Program Files\Apple Software Update
2006-08-26 10:06 -------- d-------- C:\Documents and Settings\Kate\Application Data\Canon
2006-08-21 13:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 10:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 10:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2006-07-29 23:02 21840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
2006-07-29 23:02 17212 --a----t- C:\WINDOWS\system32\SIntf32.dll
2006-07-29 23:02 12067 --a----t- C:\WINDOWS\system32\SIntf16.dll
2006-07-29 19:32 48936 --a------ C:\WINDOWS\system32\sirenacm.dll
2006-07-27 14:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 09:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb03.exe"
"Fix-It AV"="C:\\PROGRA~1\\VCOM\\SYSTEM~1\\MemCheck.exe"
"GhostSurf Reminder"="\"C:\\Program Files\\GhostSurf 2005\\Privacy Control Center.exe\" reminder"
"Adobe Version Cue CS2"="\"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\ControlPanel\\VersionCueCS2Tray.exe\""
"Sunkist2k"="C:\\Program Files\\Multimedia Card Reader\\shwicon2k.exe"
"TalkTalk"="\"C:\\Program Files\\TalkTalk\\bin\\sprtcmd.exe\" /P TalkTalk"
"XoftSpySE"="C:\\Program Files\\XoftSpySE\\xoftspy.exe -s"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"CurrentState"=hex:04,00,00,40
"Flags"=dword:00000002
"FriendlyName"="My Current Home Page"
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00
"Source"="About:Home"
"SubscribedURL"="About:Home"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Ad-Aware SE Personal.job
C:\WINDOWS\tasks\RegCure.job
C:\WINDOWS\tasks\Spybot - Search & Destroy.job
C:\WINDOWS\tasks\XoftSpySE.job

Completion time: 05/10/2006 8:44:10.91
ComboFix.txt
ComboFix2.txt


Spyware Scan Details
Start Date: 05/10/2006 08:51:53
End Date: 05/10/2006 09:51:07
Total Time: 59 mins 14 secs

Detected spyware

InternetOffers Adware more information...
Details: InternetOffers displays popup advertisements with no attribution and installs without consent.
Status: Deleted

Infected files detected
C:\Program Files\Common Files\iwqk\iwqkd\vocabulary


Weatherbug Low Risk Adware more information...
Details: Minibug is an adware that displays ads on to your computer.
Status: Deleted

Infected registry entries detected
HKEY_CLASSES_ROOT\interface\{04a38f6b-006f-4247-ba4c-02a139d5531c}
HKEY_CLASSES_ROOT\interface\{04a38f6b-006f-4247-ba4c-02a139d5531c}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\interface\{04a38f6b-006f-4247-ba4c-02a139d5531c}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\interface\{04a38f6b-006f-4247-ba4c-02a139d5531c}\TypeLib {3C2D2A1E-031F-4397-9614-87C932A848E0}
HKEY_CLASSES_ROOT\interface\{04a38f6b-006f-4247-ba4c-02a139d5531c}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} IMiniBugTransporterX
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1\CLSID {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 MiniBugTransporterX Class
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx\CLSID {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx\CurVer MiniBugTransporter.MiniBugTransporterX.1
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx MiniBugTransporterX Class
HKEY_CLASSES_ROOT\typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0}
HKEY_CLASSES_ROOT\typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0}\1.0\FLAGS 0
HKEY_CLASSES_ROOT\typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0}\1.0\HELPDIR C:\Program Files\Common Files\Real\WeatherBug\
HKEY_CLASSES_ROOT\typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0}\1.0 MiniBugTransporter 1.0 Type Library
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\InprocServer32 ThreadingModel Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\MiscStatus\1 132497
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\MiscStatus 0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\ProgID MiniBugTransporter.MiniBugTransporterX.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\TypeLib {3C2D2A1E-031F-4397-9614-87C932A848E0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\Version 1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\VersionIndependentProgID MiniBugTransporter.MiniBugTransporterX
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} MiniBugTransporterX Class
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX.1\CLSID {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX.1 MiniBugTransporterX Class
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX\CLSID {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX\CurVer MiniBugTransporter.MiniBugTransporterX.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX MiniBugTransporterX Class
HKEY_CLASSES_ROOT\clsid\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c}
HKEY_CLASSES_ROOT\clsid\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
HKEY_CLASSES_ROOT\clsid\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
HKEY_CLASSES_ROOT\clsid\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c}\InprocServer32 ThreadingModel Apartment
HKEY_CLASSES_ROOT\clsid\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c}\MiscStatus\1 132497
HKEY_CLASSES_ROOT\clsid\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c}\MiscStatus 0
HKEY_CLASSES_ROOT\clsid\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c}\ProgID MiniBugTransporter.MiniBugTransporterX.1
HKEY_CLASSES_ROOT\clsid\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c}\TypeLib {3C2D2A1E-031F-4397-9614-87C932A848E0}
HKEY_CLASSES_ROOT\clsid\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c}\Version 1.0
HKEY_CLASSES_ROOT\clsid\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c}\VersionIndependentProgID MiniBugTransporter.MiniBugTransporterX
HKEY_CLASSES_ROOT\clsid\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} MiniBugTransporterX Class


My Way Speedbar Browser Plug-in more information...
Details: MyWay Speedbar is a search toolbar that installs into Internet Explorer and Netscape Navigator, adding search functions and popup blocking.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}\TreatAs {A9571378-68A1-443d-B082-284F960C6D17}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}


iSearch.DesktopSearch Spyware more information...
Details: Removes the users access to use Windows Search and replaces it with C:\WINDOWS\isrvs\desktop.exe.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID {17492023-C23A-453E-A040-C7C580BBF700} 1


Spw.BlockChecker Spyware more information...
Details: Spw.BlockChecker is a free utility designed for popular instant messaging programs to see if a buddy has you blocked.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List %windir%\system32\ccapp.exe %windir%\system32\ccapp.exe:*:Enabled:System Process


MyWebSearch Toolbar Potentially Unwanted Software more information...
Details: WebSearch Toolbar is a customizable Internet Explorer search toolbar with various other tools.
Status: Deleted

Infected registry entries detected
HKEY_CLASSES_ROOT\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}
HKEY_CLASSES_ROOT\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}\TreatAs {A9571378-68A1-443d-B082-284F960C6D17}
HKEY_CLASSES_ROOT\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}
HKEY_CLASSES_ROOT\MyWebSearch.PseudoTransparentPlugin
HKEY_CLASSES_ROOT\MyWebSearch.PseudoTransparentPlugin\CurVer MyWebSearch.PseudoTransparentPlugin.1
HKEY_CLASSES_ROOT\MyWebSearch.PseudoTransparentPlugin MyWebSearch Pseudo Transparent Plugin
HKEY_CLASSES_ROOT\MyWebSearch.PseudoTransparentPlugin.1
HKEY_CLASSES_ROOT\MyWebSearch.PseudoTransparentPlugin.1 MyWebSearch Pseudo Transparent Plugin


Com.com Cookie more information...
Details: Redirects to cnet.com
Status: Deleted

Infected cookies detected
c:\documents and settings\kate\cookies\kate@com[1].txt


PriceGrabber Cookie more information...
Status: Deleted

Infected cookies detected
c:\documents and settings\kate\cookies\kate@pricegrabber[1].txt
Yampybird

You know you're getting on a bit when you have to scroll down to find your birth year on forms or when you have
to put your nose on the screen to
read things clearly

#14 yampybird

yampybird
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Location:It's cold, it's wet - Oh must be Telford then!
  • Local time:07:16 AM

Posted 05 October 2006 - 01:15 PM

Just another problem that I keep getting ..... could be related :thumbsup:

I have swopped ie for opera 9, I am now not having the windows installer pop up when I'm surfing but my homepage keeps turning to blank page and the settings keep changing. Also I can't link from hypertext in my emails to the internet anymore (I could when I first installed opera)

My firewall keeps telling me that my settings have changed for Outlook, and opera and a couple of other things, and I haven't changed them?

Windows installer is mainly popping up when I am doing anything XP Office based - which, as I said in an earlier post, I had to reinstall a couple of days ago.

I hope this gives more fuel for the fire coz this is driving me bonkers :flowers: It's like having your house burgled, I don't feel like the PC is mine anymore. Ho hum!!!

Thanks Sam

Edited by yampybird, 05 October 2006 - 01:17 PM.

Yampybird

You know you're getting on a bit when you have to scroll down to find your birth year on forms or when you have
to put your nose on the screen to
read things clearly

#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:16 AM

Posted 05 October 2006 - 05:47 PM

First, after reviewing your most recent combofix log and the log from Counterspy I don't feel as if we are dealing with a malware problem any longer.

The links from your email don't work with Opera probably because it's not set up as your default browser.

Do you have your Office XP disc? If so, put it in your disc drive and see if the next time windows installer comes up it installs something from the disc.

What firewall are you using?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users