107up.exe Virus?


  • This topic is locked
13 replies to this topic

#1 sammy27

  • Members
  • 7 posts

Posted 03 December 2006 - 09:19 PM

This is saying it's a virus: detected 107up.exe. It started when I installed TVAnts on my computer. It's slowing everything down. What do I do? Here is my log.

Logfile of HijackThis v1.99.1
Scan saved at 6:06:53 PM, on 12/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\EARTHL~1\PROTEC~1\ADSSER~1.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\{5C45B4F1-03A2-1033-1128-000004260001}\Update.exe
C:\Program Files\EarthLink MailBox\MailClnt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\107up.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\RarSFX3\csrss.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for HijackThis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://client.jogo.cn/cdn/browser/sidesear...esearch-en.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://client.jogo.cn/cdn/browser/customse...msearch-en.html
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink\Toolbar\EScamBlk.dll
O2 - BHO: CNNIC 网络工具 (Network Tools) Drag - {352E3B3A-CAB5-4DBC-B940-C7F84D0447D8} - (no file)
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink\Toolbar\Toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Earthlink Protection Control Center] C:\Program Files\EarthLink\Protection Control Center\elnk_pcc.exe /minimize
O4 - HKLM\..\Run: [rundll32] C:\Program Files\Common Files\rundll32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [rwmm] C:\Program Files\Common Files\rwmm\rwmmm.exe
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink\Toolbar\SearchUI.dll/search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {0645D7F3-C20E-4E0B-A545-557527497C0B} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1d/www.n...GAPANEL_USA.cab
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex...wareControl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/25bc409d6c6baa...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1156530831353
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1452/ftp...02/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/pla...0/Installer.exe
O23 - Service: ADSService - Copyright© Aluria Software, LLC - C:\PROGRA~1\EARTHL~1\PROTEC~1\ADSSER~1.EXE
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EarthLink Firewall Process Path Service (ElnkFWPPService) - Aluria Software, LLC. - C:\PROGRA~1\EARTHL~1\PROTEC~1\EFWPPS~1.EXE
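The log above is read by eye in this thread, but the checks a helper applies are mechanical. As an added example (not part of the original post, and not HijackThis code), the Python script below runs those checks over the process list and the O4 (Run key) entries: a core Windows XP binary running from anywhere but its real home directory, an executable launched from a Temp folder, a bare executable sitting directly in Program Files or Common Files, and a Run entry with no executable at all. The directory each XP system binary lives in is a well-known fact; the rule names, the drop-zone path fragments and the "bare install dir" list are my own choices, and the sample lines are copied from the log in this post.

```python
"""Triage a HijackThis v1.99 log for common masquerade patterns.

Added example for this thread; it is not HijackThis code. The sample
lines are copied from the log posted above. Rule names, DROP_ZONE_MARKERS
and BARE_INSTALL_DIRS are the author's own choices (assumptions).
"""
import re
from pathlib import PureWindowsPath

# Core Windows XP binaries and the only directory each legitimately runs from.
SYSTEM32 = "c:\\windows\\system32"
SYSTEM_BINARIES = {name: SYSTEM32 for name in (
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "rundll32.exe")}
SYSTEM_BINARIES["explorer.exe"] = "c:\\windows"

# Path fragments meaning "unpacked or downloaded, not installed" (assumption).
DROP_ZONE_MARKERS = ("\\temp\\", "\\temporary internet files\\")

# A bare .exe directly in one of these is unusual; installers make a vendor folder.
BARE_INSTALL_DIRS = {"c:\\program files", "c:\\program files\\common files"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def split_path(path):
    """Lower-case a Windows path and return (parent directory, basename)."""
    p = PureWindowsPath(path.strip().strip('"').lower())
    return str(p.parent), p.name


def check_executable(path):
    """Return (rule, detail) findings for one executable path."""
    parent, name = split_path(path)
    findings = []
    expected = SYSTEM_BINARIES.get(name)
    if expected and parent != expected:
        findings.append(("system-binary-masquerade",
                         f"{name} expected in {expected}, running from {parent}"))
    if any(marker in parent + "\\" for marker in DROP_ZONE_MARKERS):
        findings.append(("runs-from-temp", path.strip()))
    if parent in BARE_INSTALL_DIRS:
        findings.append(("bare-exe-in-program-files", path.strip()))
    return findings


def command_executable(cmd):
    """Pull the executable out of a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:].strip()
    m = re.match(r"(.*?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def triage(log_text):
    """Apply the rules to the process list and O4 entries; return (section, rule, detail)."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if re.match(r"^[a-z]:\\", line, re.IGNORECASE):  # "Running processes" entry
            findings.extend(("process", rule, detail) for rule, detail in check_executable(line))
            continue
        m = O4_RE.match(line)
        if m:
            exe = command_executable(m.group("cmd"))
            if not exe.lower().endswith(".exe"):
                findings.append(("O4", "run-entry-without-executable", line))
                continue
            findings.extend(("O4", rule, f"[{m.group('name')}] {detail}")
                            for rule, detail in check_executable(exe))
    return findings


# Lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\{5C45B4F1-03A2-1033-1128-000004260001}\Update.exe
C:\Program Files\107up.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\RarSFX3\csrss.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for HijackThis[1].zip\HijackThis.exe

O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [rundll32] C:\Program Files\Common Files\rundll32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [rwmm] C:\Program Files\Common Files\rwmm\rwmmm.exe
"""

if __name__ == "__main__":
    for section, rule, detail in triage(SAMPLE_LOG):
        print(f"{section:8} {rule:30} {detail}")
```

Against this log it flags csrss.exe in the RarSFX3 Temp folder and rundll32.exe under Common Files as masquerades, 107up.exe as a bare executable in Program Files, and the empty "EarthLink Installer" Run entry. It also flags HijackThis.exe itself, because the poster ran it straight out of the zip's temporary extraction folder, so the Temp rule is a prompt to look, not a verdict.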

#2 Rawe

  • Members
  • 2,363 posts
  • Gender: Male
  • Location: Finland

Posted 05 December 2006 - 11:28 AM

Hello and welcome :thumbsup:

Let's get started.

Please run BitDefender Online Scanner:
  • Read the terms and then click I Agree
  • You may receive a Security Warning about the BitDefender ActiveX control, If you do, please allow it to install.
  • On the Scanning Options screen, hit Click Here To Scan and then follow the on screen prompts.
  • Once BitDefender is finished scanning your computer it will automatically remove the infections.
  • Once the removal process is finished click the Close button and a dialog box will appear asking if you want to send your scan log back to the makers of BitDefender.
  • You do not have to do this, but what you do want to do is press the button that says View Log and copy & paste that log's contents here.
-----

After that is done, please download Combofix to your desktop:
  • Double-click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Hi there, stranger!

#3 sammy27 (Topic Starter)

  • Members
  • 7 posts

Posted 05 December 2006 - 07:31 PM

Hi! Here is BitDefender's log:

BitDefender Online Scanner - Real Time Virus Report

Generated at: Tue, Dec 05, 2006 - 16:25:36

--------------------------------------------------------------------------------

Scan Info

Scanned Files: 78337
Infected Files: 13

Virus Detected

Backdoor.PcClient.GV: 1
GenPack:Trojan.Downloader.Agent.AWI: 8
Adware.Softomate.D: 4

--------------------------------------------------------------------------------

This summary of the scan process will be used by the BitDefender Antivirus Lab to create aggregate statistics about virus activity around the world.

#4 sammy27 (Topic Starter)

  • Members
  • 7 posts

Posted 05 December 2006 - 07:34 PM

And here is the ComboFix log:

Owner - 06-12-05 16:28:39.08 Service Pack 1
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Owner\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Owner\My Documents\CROSOF~1
C:\QooBox\Purity\Program Files\Common Files\ICROSO~1


((((((((((((((((((((((((((((((( Files Created from 2006-11-05 to 2006-12-05 ))))))))))))))))))))))))))))))))))


2006-12-05 15:28 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2006-12-05 15:17 240,265 --a------ C:\Program Files\107up.exe
2006-12-03 18:00 <DIR> d-------- C:\Program Files\HijackThis
2006-12-03 17:29 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-12-03 16:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-03 16:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-12-03 13:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2006-12-03 13:25 <DIR> d-------- C:\Program Files\Lavasoft
2006-12-02 15:23 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Help
2006-12-01 19:50 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2006-12-01 19:48 4,928 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-12-01 19:48 348,704 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-12-01 19:48 17,664 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-12-01 19:48 <DIR> d-------- C:\Program Files\Grisoft
2006-12-01 19:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2006-12-01 19:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AVG7
2006-12-01 19:14 153,088 --a------ C:\WINDOWS\system32\UNWISE.EXE
2006-12-01 13:07 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-12-01 12:59 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2006-11-26 15:38 <DIR> d-------- C:\WINDOWS\rwmm
2006-11-25 19:10 177,664 --a------ C:\WINDOWS\~tmp4164.exe
2006-11-25 19:09 177,664 --a------ C:\WINDOWS\~tmp9069.exe
2006-11-25 19:09 177,664 --a------ C:\WINDOWS\~tmp7167.exe
2006-11-25 19:08 177,664 --a------ C:\WINDOWS\~tmp2290.exe
2006-11-25 19:05 177,664 --a------ C:\WINDOWS\~tmp2226.exe
2006-11-25 19:03 177,664 --a------ C:\WINDOWS\~tmp1388.exe
2006-11-25 19:01 177,664 --a------ C:\WINDOWS\~tmp3885.exe
2006-11-25 19:00 177,664 --a------ C:\WINDOWS\~tmp8400.exe
2006-11-25 18:32 177,664 --a------ C:\WINDOWS\~tmp3515.exe
2006-11-25 18:28 177,664 --a------ C:\WINDOWS\~tmp7689.exe
2006-11-24 22:08 177,664 --a------ C:\WINDOWS\~tmp8374.exe
2006-11-24 22:07 177,664 --a------ C:\WINDOWS\~tmp2534.exe
2006-11-24 22:06 177,664 --a------ C:\WINDOWS\~tmp6812.exe
2006-11-24 22:03 177,664 --a------ C:\WINDOWS\~tmp188.exe
2006-11-24 22:02 177,664 --a------ C:\WINDOWS\~tmp9859.exe
2006-11-24 22:00 177,664 --a------ C:\WINDOWS\~tmp3724.exe
2006-11-24 21:58 177,664 --a------ C:\WINDOWS\~tmp8365.exe
2006-11-24 21:54 177,664 --a------ C:\WINDOWS\~tmp4975.exe
2006-11-24 21:51 177,664 --a------ C:\WINDOWS\~tmp3747.exe
2006-11-24 21:51 177,664 --a------ C:\WINDOWS\~tmp162.exe
2006-11-24 21:48 177,664 --a------ C:\WINDOWS\~tmp9490.exe
2006-11-24 21:41 177,664 --a------ C:\WINDOWS\~tmp7325.exe
2006-11-24 21:38 177,664 --a------ C:\WINDOWS\~tmp9351.exe
2006-11-24 21:37 177,664 --a------ C:\WINDOWS\~tmp6772.exe
2006-11-24 21:36 177,664 --a------ C:\WINDOWS\~tmp4757.exe
2006-11-24 21:34 177,664 --a------ C:\WINDOWS\~tmp5213.exe
2006-11-24 21:33 177,664 --a------ C:\WINDOWS\~tmp3253.exe
2006-11-24 21:32 177,664 --a------ C:\WINDOWS\~tmp5917.exe
2006-11-24 20:22 177,664 --a------ C:\WINDOWS\~tmp627.exe
2006-11-24 20:11 177,664 --a------ C:\WINDOWS\~tmp8011.exe
2006-11-24 20:08 177,664 --a------ C:\WINDOWS\~tmp6800.exe
2006-11-24 20:07 177,664 --a------ C:\WINDOWS\~tmp2528.exe
2006-11-24 20:05 177,664 --a------ C:\WINDOWS\~tmp7728.exe
2006-11-24 19:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\vlc
2006-11-24 19:23 253,952 --a------ C:\WINDOWS\system32\wmpcd.dll
2006-11-24 19:23 1,404,928 --a------ C:\WINDOWS\system32\wmpui.dll
2006-11-24 19:23 1,298,432 --a------ C:\WINDOWS\system32\wmpcore.dll
2006-11-24 19:22 77,824 --a------ C:\WINDOWS\system32\wmpshell.dll
2006-11-24 19:22 6,656 --a------ C:\WINDOWS\system32\laprxy.dll
2006-11-24 19:22 5,120 --a------ C:\WINDOWS\system32\asferror.dll
2006-11-24 19:22 442,398 --a------ C:\WINDOWS\system32\wmadmoe.dll
2006-11-24 19:22 274,432 --a------ C:\WINDOWS\system32\wmasf.dll
2006-11-24 19:22 253,952 --a------ C:\WINDOWS\system32\wmnetmgr.dll
2006-11-24 19:22 245,760 --a------ C:\WINDOWS\system32\MSSCP.dll
2006-11-24 19:22 24,576 --a------ C:\WINDOWS\system32\logagent.exe
2006-11-24 19:22 22,528 --a------ C:\WINDOWS\system32\WMDMLOG.dll
2006-11-24 19:22 20,480 --a------ C:\WINDOWS\system32\WMDMPS.dll
2006-11-24 19:22 179,712 --a------ C:\WINDOWS\system32\cewmdm.dll
2006-11-24 19:22 175,104 --a------ C:\WINDOWS\system32\MsPMSP.dll
2006-11-24 19:22 155,648 --a------ C:\WINDOWS\system32\MSWMDM.dll
2006-11-24 19:22 152,576 --a------ C:\WINDOWS\system32\qasf.dll
2006-11-24 19:22 1,998,848 --a------ C:\WINDOWS\system32\wmploc.dll
2006-11-24 19:22 1,220,608 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-11-24 19:21 828,152 --a------ C:\WINDOWS\system32\wmv9dmod.dll
2006-11-24 19:21 76,830 --a------ C:\WINDOWS\system32\drmstor.dll
2006-11-24 19:21 602,112 --a------ C:\WINDOWS\system32\drmv2clt.dll
2006-11-24 19:21 294,912 --a------ C:\WINDOWS\system32\wmvdmod.dll
2006-11-24 19:21 266,240 --a------ C:\WINDOWS\system32\drmclien.dll
2006-11-24 19:21 204,800 --a------ C:\WINDOWS\system32\blackbox.dll
2006-11-24 19:21 184,320 --a------ C:\WINDOWS\system32\wmadmod.dll
2006-11-24 19:21 174,592 --a------ C:\WINDOWS\system32\msnetobj.dll
2006-11-24 19:21 110,592 --a------ C:\WINDOWS\system32\wmsdmod.dll
2006-11-24 19:21 <DIR> d-------- C:\WINDOWS\RegisteredPackages
2006-11-24 19:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2006-11-24 19:12 <DIR> d-------- C:\Program Files\TVUPlayer
2006-11-24 19:11 <DIR> d-------- C:\Program Files\TVAnts
2006-11-24 19:10 <DIR> d-------- C:\WINDOWS\uninstall
2006-11-24 19:10 <DIR> d-------- C:\Program Files\SatelliteTVforPC
2006-11-23 20:15 56,432 --a------ C:\WINDOWS\system32\drivers\ADSFilter.sys
2006-11-23 20:15 <DIR> d-------- C:\Program Files\Common Files\Command Software
2006-11-23 07:42 2 --a------ C:\WINDOWS\system32\wcpcc.exe
2006-11-23 07:41 131 --a-s---- C:\WINDOWS\test.bat
2006-11-23 07:39 97,455 --a------ C:\WINDOWS\5-a0c18a429b8010fee34ee31d9073371d.exe
2006-11-23 07:39 66,267 --a------ C:\WINDOWS\10-47488c40c3cddfee98fc3b173f6d7beb.exe
2006-11-23 07:39 622,613 --a------ C:\WINDOWS\4-efb7bab6499fc415ee93f4097033deae.exe
2006-11-23 07:39 356,663 --a------ C:\WINDOWS\12-b101c483c2fe3ac4a2bd5fae3377ef4f.exe
2006-11-23 07:39 139,264 --a------ C:\WINDOWS\mirar_distro_876088.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-05 15:58 -------- d-------- C:\Program Files\Common Files
2006-12-03 17:38 -------- d-------- C:\Program Files\QuickTime
2006-12-03 17:37 -------- d-------- C:\Program Files\Internet Explorer
2006-12-03 17:37 -------- d-------- C:\Program Files\EarthLink MailBox
2006-12-01 19:14 -------- d-------- C:\Program Files\EarthLink
2006-11-28 20:28 -------- d-------- C:\Documents and Settings\Owner\Application Data\Macromedia
2006-11-26 15:38 -------- d-------- C:\Program Files\Common Files\rwmm
2006-11-26 15:03 -------- d-------- C:\Program Files\Stamps.com Internet Postage
2006-11-25 19:10 177664 --a------ C:\WINDOWS\~tmp4164.exe
2006-11-25 19:09 177664 --a------ C:\WINDOWS\~tmp9069.exe
2006-11-25 19:09 177664 --a------ C:\WINDOWS\~tmp7167.exe
2006-11-25 19:08 177664 --a------ C:\WINDOWS\~tmp2290.exe
2006-11-25 19:05 177664 --a------ C:\WINDOWS\~tmp2226.exe
2006-11-25 19:03 177664 --a------ C:\WINDOWS\~tmp1388.exe
2006-11-25 19:01 177664 --a------ C:\WINDOWS\~tmp3885.exe
2006-11-25 19:00 177664 --a------ C:\WINDOWS\~tmp8400.exe
2006-11-25 18:32 177664 --a------ C:\WINDOWS\~tmp3515.exe
2006-11-25 18:28 177664 --a------ C:\WINDOWS\~tmp7689.exe
2006-11-24 22:08 177664 --a------ C:\WINDOWS\~tmp8374.exe
2006-11-24 22:07 177664 --a------ C:\WINDOWS\~tmp2534.exe
2006-11-24 22:06 177664 --a------ C:\WINDOWS\~tmp6812.exe
2006-11-24 22:03 177664 --a------ C:\WINDOWS\~tmp188.exe
2006-11-24 22:02 177664 --a------ C:\WINDOWS\~tmp9859.exe
2006-11-24 22:00 177664 --a------ C:\WINDOWS\~tmp3724.exe
2006-11-24 21:58 177664 --a------ C:\WINDOWS\~tmp8365.exe
2006-11-24 21:54 177664 --a------ C:\WINDOWS\~tmp4975.exe
2006-11-24 21:51 177664 --a------ C:\WINDOWS\~tmp3747.exe
2006-11-24 21:51 177664 --a------ C:\WINDOWS\~tmp162.exe
2006-11-24 21:48 177664 --a------ C:\WINDOWS\~tmp9490.exe
2006-11-24 21:41 177664 --a------ C:\WINDOWS\~tmp7325.exe
2006-11-24 21:38 177664 --a------ C:\WINDOWS\~tmp9351.exe
2006-11-24 21:37 177664 --a------ C:\WINDOWS\~tmp6772.exe
2006-11-24 21:36 177664 --a------ C:\WINDOWS\~tmp4757.exe
2006-11-24 21:34 177664 --a------ C:\WINDOWS\~tmp5213.exe
2006-11-24 21:33 177664 --a------ C:\WINDOWS\~tmp3253.exe
2006-11-24 21:32 177664 --a------ C:\WINDOWS\~tmp5917.exe
2006-11-24 20:22 177664 --a------ C:\WINDOWS\~tmp627.exe
2006-11-24 20:11 177664 --a------ C:\WINDOWS\~tmp8011.exe
2006-11-24 20:08 177664 --a------ C:\WINDOWS\~tmp6800.exe
2006-11-24 20:07 177664 --a------ C:\WINDOWS\~tmp2528.exe
2006-11-24 20:05 177664 --a------ C:\WINDOWS\~tmp7728.exe
2006-11-24 19:23 -------- d-------- C:\Program Files\Windows Media Player
2006-11-24 19:22 -------- d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft
2006-11-23 20:15 -------- d-------- C:\Program Files\Common Files\EarthLink
2006-11-23 20:09 49 --a------ C:\Documents and Settings\Owner\Application Data\internaldb41.dat
2006-11-23 20:09 337 --a------ C:\Documents and Settings\Owner\Application Data\internaldb1942.dat
2006-11-23 07:40 9216 --a------ C:\Documents and Settings\Owner\Application Data\internaldb8467.dat
2006-11-23 07:40 20480 --a------ C:\Documents and Settings\Owner\Application Data\internaldb4827.dat
2006-11-23 07:40 0 --a------ C:\Documents and Settings\Owner\Application Data\internaldb6334.dat
2006-11-23 07:39 23 --a------ C:\Documents and Settings\Owner\Application Data\inifile41.ini
2006-11-23 07:39 0 --a------ C:\Documents and Settings\Owner\Application Data\internaldb5436.dat
2006-11-22 18:26 -------- d-------- C:\Program Files\Common Files\Adobe
2006-11-04 15:39 -------- d-------- C:\Program Files\Yahoo!
2006-11-04 15:38 -------- d-------- C:\Program Files\Adobe
2006-11-04 15:37 -------- d-------- C:\Documents and Settings\Owner\Application Data\Leadertech
2006-11-04 15:36 -------- d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2006-11-04 15:33 -------- d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2006-11-04 15:33 -------- d-------- C:\Documents and Settings\Owner\Application Data\AdobeAUM
2006-10-29 17:47 -------- d-------- C:\Program Files\ArcadeRockstar
2006-10-14 10:30 -------- d-------- C:\Program Files\Virtools Web Player 3.0
2006-10-07 20:16 -------- d-------- C:\Program Files\iWin.com Games
2006-10-07 19:36 -------- d-------- C:\Program Files\Yahoo! Games
2006-09-21 18:17 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2006-09-21 15:33 443952 --a------ C:\WINDOWS\system32\nminstall.dll
2006-09-13 13:59 4 --ah----- C:\WINDOWS\uccspecb.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"rwmm"="C:\\Program Files\\Common Files\\rwmm\\rwmmm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"EarthLink Installer"="\" /C"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Earthlink Protection Control Center"="C:\\Program Files\\EarthLink\\Protection Control Center\\elnk_pcc.exe /minimize"
"rundll32"="C:\\Program Files\\Common Files\\rundll32.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,42,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-12-05 16:28:59.00
C:\ComboFix.txt ... 06-12-05 16:28
C:\ComboFix2.txt ... 06-12-05 15:58
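The "Files Created" and "Find3M" sections above are where the infection is visible: one 177,664-byte binary re-dropped into C:\WINDOWS 33 times under random ~tmpNNNN.exe names over two evenings, four executables named after what look like 32-character hex digests, a 2-byte wcpcc.exe and a 4-byte hidden uccspecb.sys that are too small to be real programs, and a system-attributed test.bat in the Windows directory. As an added example (not part of the thread and not ComboFix's own code), the Python script below parses those sections and applies exactly those checks. The attribute-column layout is inferred from the log's own entries, and the thresholds (burst size, minimum PE size) and rule names are my assumptions; the sample lines are copied from the log in this post.

```python
"""Triage the "Files Created" and "Find3M" sections of a ComboFix log.

Added example for this thread; it is not ComboFix code. The sample lines
are copied from the log posted above. Thresholds, rule names and the
attribute-column layout (inferred from the log) are the author's assumptions.
"""
import re
from collections import defaultdict

# timestamp, size (number, <DIR>, or dashes in Find3M), 9-char attribute column, path
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d)\s+"
    r"(?P<size><DIR>|[\d,]+|-+)\s+"
    r"(?P<attrs>[-a-z]{9})\s+"
    r"(?P<path>.+)$",
    re.IGNORECASE,
)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".bat", ".cmd")
MIN_PE_SIZE = 64   # assumption: smaller than the 64-byte DOS header cannot be a PE
BURST_MIN = 4      # assumption: this many same-size binaries in one folder is a burst
HASH_NAME_RE = re.compile(r"(^|[^0-9a-f])[0-9a-f]{32}($|[^0-9a-f])", re.IGNORECASE)
RANDOM_SUFFIX_RE = re.compile(r"^~?[a-z]{1,6}\d{3,}\.exe$", re.IGNORECASE)


def parse(log_text):
    """Turn ComboFix file lines into dicts; section headers and blanks are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        attrs, size_field = m.group("attrs").lower(), m.group("size")
        size = int(size_field.replace(",", "")) if size_field[0].isdigit() else None
        path = m.group("path").strip()
        folder, _, name = path.rpartition("\\")
        entries.append({
            "ts": m.group("ts"), "size": size, "attrs": attrs, "path": path,
            "is_dir": attrs[0] == "d" or size_field.upper() == "<DIR>",
            # column layout inferred from the log: d - a h s ... (assumption)
            "hidden": attrs[3] == "h", "system": attrs[4] == "s",
            "folder": folder.lower(), "name": name,
        })
    return entries


def is_binary(name):
    return name.lower().endswith(EXEC_EXT)


def triage(entries):
    """Return (rule, path_or_folder, detail) findings over parsed entries."""
    findings, same_size = [], defaultdict(list)
    for e in entries:
        if e["is_dir"] or not is_binary(e["name"]):
            continue
        name, path, size = e["name"], e["path"], e["size"]
        if size is not None and size < MIN_PE_SIZE and not name.lower().endswith((".bat", ".cmd")):
            findings.append(("too-small-to-be-a-pe", path, f"{size} bytes"))
        if HASH_NAME_RE.search(name):
            findings.append(("hash-like-name", path, ""))
        if RANDOM_SUFFIX_RE.match(name):
            findings.append(("random-suffix-name", path, ""))
        if e["hidden"] or e["system"]:
            findings.append(("hidden-or-system-file", path, e["attrs"]))
        if size is not None:
            same_size[(e["folder"], size)].append(e)
    # Same folder + identical size + distinct names = one payload dropped repeatedly.
    for (folder, size), items in same_size.items():
        names = {i["name"].lower() for i in items}
        if len(names) >= BURST_MIN:
            times = sorted(i["ts"] for i in items)
            findings.append(("same-size-burst", folder,
                             f"{len(names)} binaries of {size:,} bytes between {times[0]} and {times[-1]}"))
    return findings


# Lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
2006-12-05 15:28 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2006-12-05 15:17 240,265 --a------ C:\Program Files\107up.exe
2006-12-01 19:48 348,704 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-11-25 19:10 177,664 --a------ C:\WINDOWS\~tmp4164.exe
2006-11-25 19:09 177,664 --a------ C:\WINDOWS\~tmp9069.exe
2006-11-25 18:28 177,664 --a------ C:\WINDOWS\~tmp7689.exe
2006-11-24 22:08 177,664 --a------ C:\WINDOWS\~tmp8374.exe
2006-11-24 21:51 177,664 --a------ C:\WINDOWS\~tmp162.exe
2006-11-24 20:05 177,664 --a------ C:\WINDOWS\~tmp7728.exe
2006-11-24 19:23 253,952 --a------ C:\WINDOWS\system32\wmpcd.dll
2006-11-24 19:22 253,952 --a------ C:\WINDOWS\system32\wmnetmgr.dll
2006-11-24 19:22 24,576 --a------ C:\WINDOWS\system32\logagent.exe
2006-11-23 07:42 2 --a------ C:\WINDOWS\system32\wcpcc.exe
2006-11-23 07:41 131 --a-s---- C:\WINDOWS\test.bat
2006-11-23 07:39 97,455 --a------ C:\WINDOWS\5-a0c18a429b8010fee34ee31d9073371d.exe
2006-11-23 07:39 66,267 --a------ C:\WINDOWS\10-47488c40c3cddfee98fc3b173f6d7beb.exe
2006-11-23 07:39 139,264 --a------ C:\WINDOWS\mirar_distro_876088.exe
2006-12-05 15:58 -------- d-------- C:\Program Files\Common Files
2006-11-24 19:22 -------- d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft
2006-11-23 20:09 49 --a------ C:\Documents and Settings\Owner\Application Data\internaldb41.dat
2006-09-13 13:59 4 --ah----- C:\WINDOWS\uccspecb.sys
"""

if __name__ == "__main__":
    for rule, where, detail in triage(parse(SAMPLE_LOG)):
        print(f"{rule:24} {where}  {detail}")
```

Grouping by folder and identical size is what makes the burst rule precise: the Windows Media Player DLLs written into system32 within the same two minutes on 24 November differ in size and name, so they produce nothing, while the ~tmp series collapses into one finding. The "Other Deletions" list in the Safe Mode log later in this thread shows those ~tmp files were exactly what the newer ComboFix removed.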

#5 Rawe

  • Members
  • 2,363 posts
  • Gender: Male
  • Location: Finland

Posted 06 December 2006 - 09:03 AM

Looks like we'll need to run another version of ComboFix :thumbsup:

Please download Combofix.exe to your desktop:
  • Reboot your computer into Safe Mode.
  • Double-click combofix.exe to run the tool. When it's ready, it shall produce a log. Save it, and post it to your next reply.
  • Reboot into Normal Windows and post back with the log.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Hi there, stranger!

#6 sammy27 (Topic Starter)

  • Members
  • 7 posts

Posted 06 December 2006 - 02:27 PM

Hi. Here is my ComboFix log while in Safe Mode:

Owner - 06-12-06 11:13:57.64 Service Pack 1
ComboFix 06.12.01W - Running from: "C:\Documents and Settings\Owner\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\aamd532.dll
C:\WINDOWS\~tmp1388.exe
C:\WINDOWS\~tmp162.exe
C:\WINDOWS\~tmp188.exe
C:\WINDOWS\~tmp2226.exe
C:\WINDOWS\~tmp2290.exe
C:\WINDOWS\~tmp2528.exe
C:\WINDOWS\~tmp2534.exe
C:\WINDOWS\~tmp3253.exe
C:\WINDOWS\~tmp3515.exe
C:\WINDOWS\~tmp3724.exe
C:\WINDOWS\~tmp3747.exe
C:\WINDOWS\~tmp3885.exe
C:\WINDOWS\~tmp4164.exe
C:\WINDOWS\~tmp4757.exe
C:\WINDOWS\~tmp4975.exe
C:\WINDOWS\~tmp5213.exe
C:\WINDOWS\~tmp5917.exe
C:\WINDOWS\~tmp627.exe
C:\WINDOWS\~tmp6772.exe
C:\WINDOWS\~tmp6800.exe
C:\WINDOWS\~tmp6812.exe
C:\WINDOWS\~tmp7167.exe
C:\WINDOWS\~tmp7325.exe
C:\WINDOWS\~tmp7689.exe
C:\WINDOWS\~tmp7728.exe
C:\WINDOWS\~tmp8011.exe
C:\WINDOWS\~tmp8365.exe
C:\WINDOWS\~tmp8374.exe
C:\WINDOWS\~tmp8400.exe
C:\WINDOWS\~tmp9069.exe
C:\WINDOWS\~tmp9351.exe
C:\WINDOWS\~tmp9490.exe
C:\WINDOWS\~tmp9859.exe

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\qoobox\purity\Documents and Settings\Owner\My Documents\CROSOF~1
C:\qoobox\purity\Program Files\Common Files\ICROSO~1


((((((((((((((((((((((((((((((( Files Created from 2006-11-06 to 2006-12-06 ))))))))))))))))))))))))))))))))))


2006-12-06 11:08 <DIR> d-------- C:\WINDOWS\pss
2006-12-05 15:28 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2006-12-05 15:17 240,265 --a------ C:\Program Files\107up.exe
2006-12-03 18:00 <DIR> d-------- C:\Program Files\HijackThis
2006-12-03 17:29 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-12-03 16:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-03 16:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-12-03 13:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2006-12-03 13:25 <DIR> d-------- C:\Program Files\Lavasoft
2006-12-02 15:23 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Help
2006-12-01 19:50 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2006-12-01 19:48 4,928 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-12-01 19:48 348,704 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-12-01 19:48 17,664 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-12-01 19:48 <DIR> d-------- C:\Program Files\Grisoft
2006-12-01 19:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2006-12-01 19:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AVG7
2006-12-01 19:14 153,088 --a------ C:\WINDOWS\system32\UNWISE.EXE
2006-12-01 13:07 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-12-01 12:59 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2006-11-26 15:38 <DIR> d-------- C:\WINDOWS\rwmm
2006-11-24 19:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\vlc
2006-11-24 19:23 253,952 --a------ C:\WINDOWS\system32\wmpcd.dll
2006-11-24 19:23 1,404,928 --a------ C:\WINDOWS\system32\wmpui.dll
2006-11-24 19:23 1,298,432 --a------ C:\WINDOWS\system32\wmpcore.dll
2006-11-24 19:22 77,824 --a------ C:\WINDOWS\system32\wmpshell.dll
2006-11-24 19:22 6,656 --a------ C:\WINDOWS\system32\laprxy.dll
2006-11-24 19:22 5,120 --a------ C:\WINDOWS\system32\asferror.dll
2006-11-24 19:22 442,398 --a------ C:\WINDOWS\system32\wmadmoe.dll
2006-11-24 19:22 274,432 --a------ C:\WINDOWS\system32\wmasf.dll
2006-11-24 19:22 253,952 --a------ C:\WINDOWS\system32\wmnetmgr.dll
2006-11-24 19:22 245,760 --a------ C:\WINDOWS\system32\MSSCP.dll
2006-11-24 19:22 24,576 --a------ C:\WINDOWS\system32\logagent.exe
2006-11-24 19:22 22,528 --a------ C:\WINDOWS\system32\WMDMLOG.dll
2006-11-24 19:22 20,480 --a------ C:\WINDOWS\system32\WMDMPS.dll
2006-11-24 19:22 179,712 --a------ C:\WINDOWS\system32\cewmdm.dll
2006-11-24 19:22 175,104 --a------ C:\WINDOWS\system32\MsPMSP.dll
2006-11-24 19:22 155,648 --a------ C:\WINDOWS\system32\MSWMDM.dll
2006-11-24 19:22 152,576 --a------ C:\WINDOWS\system32\qasf.dll
2006-11-24 19:22 1,998,848 --a------ C:\WINDOWS\system32\wmploc.dll
2006-11-24 19:22 1,220,608 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-11-24 19:21 828,152 --a------ C:\WINDOWS\system32\wmv9dmod.dll
2006-11-24 19:21 76,830 --a------ C:\WINDOWS\system32\drmstor.dll
2006-11-24 19:21 602,112 --a------ C:\WINDOWS\system32\drmv2clt.dll
2006-11-24 19:21 294,912 --a------ C:\WINDOWS\system32\wmvdmod.dll
2006-11-24 19:21 266,240 --a------ C:\WINDOWS\system32\drmclien.dll
2006-11-24 19:21 204,800 --a------ C:\WINDOWS\system32\blackbox.dll
2006-11-24 19:21 184,320 --a------ C:\WINDOWS\system32\wmadmod.dll
2006-11-24 19:21 174,592 --a------ C:\WINDOWS\system32\msnetobj.dll
2006-11-24 19:21 110,592 --a------ C:\WINDOWS\system32\wmsdmod.dll
2006-11-24 19:21 <DIR> d-------- C:\WINDOWS\RegisteredPackages
2006-11-24 19:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2006-11-24 19:12 <DIR> d-------- C:\Program Files\TVUPlayer
2006-11-24 19:11 <DIR> d-------- C:\Program Files\TVAnts
2006-11-24 19:10 <DIR> d-------- C:\WINDOWS\uninstall
2006-11-24 19:10 <DIR> d-------- C:\Program Files\SatelliteTVforPC
2006-11-23 20:15 56,432 --a------ C:\WINDOWS\system32\drivers\ADSFilter.sys
2006-11-23 20:15 <DIR> d-------- C:\Program Files\Common Files\Command Software
2006-11-23 07:42 2 --a------ C:\WINDOWS\system32\wcpcc.exe
2006-11-23 07:41 131 --a-s---- C:\WINDOWS\test.bat
2006-11-23 07:39 97,455 --a------ C:\WINDOWS\5-a0c18a429b8010fee34ee31d9073371d.exe
2006-11-23 07:39 66,267 --a------ C:\WINDOWS\10-47488c40c3cddfee98fc3b173f6d7beb.exe
2006-11-23 07:39 622,613 --a------ C:\WINDOWS\4-efb7bab6499fc415ee93f4097033deae.exe
2006-11-23 07:39 356,663 --a------ C:\WINDOWS\12-b101c483c2fe3ac4a2bd5fae3377ef4f.exe
2006-11-23 07:39 139,264 --a------ C:\WINDOWS\mirar_distro_876088.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-05 15:58 -------- d-------- C:\Program Files\Common Files
2006-12-03 17:38 -------- d-------- C:\Program Files\QuickTime
2006-12-03 17:37 -------- d-------- C:\Program Files\Internet Explorer
2006-12-03 17:37 -------- d-------- C:\Program Files\EarthLink MailBox
2006-12-01 19:14 -------- d-------- C:\Program Files\EarthLink
2006-11-28 20:28 -------- d-------- C:\Documents and Settings\Owner\Application Data\Macromedia
2006-11-26 15:38 -------- d-------- C:\Program Files\Common Files\rwmm
2006-11-26 15:03 -------- d-------- C:\Program Files\Stamps.com Internet Postage
2006-11-24 19:23 -------- d-------- C:\Program Files\Windows Media Player
2006-11-24 19:22 -------- d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft
2006-11-23 20:15 -------- d-------- C:\Program Files\Common Files\EarthLink
2006-11-23 20:09 49 --a------ C:\Documents and Settings\Owner\Application Data\internaldb41.dat
2006-11-23 20:09 337 --a------ C:\Documents and Settings\Owner\Application Data\internaldb1942.dat
2006-11-23 07:40 9216 --a------ C:\Documents and Settings\Owner\Application Data\internaldb8467.dat
2006-11-23 07:40 20480 --a------ C:\Documents and Settings\Owner\Application Data\internaldb4827.dat
2006-11-23 07:40 0 --a------ C:\Documents and Settings\Owner\Application Data\internaldb6334.dat
2006-11-23 07:39 23 --a------ C:\Documents and Settings\Owner\Application Data\inifile41.ini
2006-11-23 07:39 0 --a------ C:\Documents and Settings\Owner\Application Data\internaldb5436.dat
2006-11-22 18:26 -------- d-------- C:\Program Files\Common Files\Adobe
2006-11-04 15:39 -------- d-------- C:\Program Files\Yahoo!
2006-11-04 15:38 -------- d-------- C:\Program Files\Adobe
2006-11-04 15:37 -------- d-------- C:\Documents and Settings\Owner\Application Data\Leadertech
2006-11-04 15:36 -------- d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2006-11-04 15:33 -------- d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2006-11-04 15:33 -------- d-------- C:\Documents and Settings\Owner\Application Data\AdobeAUM
2006-10-29 17:47 -------- d-------- C:\Program Files\ArcadeRockstar
2006-10-14 10:30 -------- d-------- C:\Program Files\Virtools Web Player 3.0
2006-10-07 20:16 -------- d-------- C:\Program Files\iWin.com Games
2006-10-07 19:36 -------- d-------- C:\Program Files\Yahoo! Games
2006-09-21 18:17 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2006-09-21 15:33 443952 --a------ C:\WINDOWS\system32\nminstall.dll
2006-09-13 13:59 4 --ah----- C:\WINDOWS\uccspecb.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"rwmm"="C:\\Program Files\\Common Files\\rwmm\\rwmmm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"EarthLink Installer"="\" /C"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Earthlink Protection Control Center"="C:\\Program Files\\EarthLink\\Protection Control Center\\elnk_pcc.exe /minimize"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,c2,01,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

Completion time: 06-12-06 11:16:07.46
C:\ComboFix.txt ... 06-12-06 11:16
C:\ComboFix2.txt ... 06-12-05 16:28
C:\ComboFix3.txt ... 06-12-05 15:58

#7 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:12:34 PM

Posted 07 December 2006 - 09:31 AM

Looking much better already :thumbsup:

You can go ahead and delete the first ComboFix version I had you download. We'll still need the Safe Mode one.

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\107up.exe
    C:\WINDOWS\rwmm
    C:\WINDOWS\system32\wcpcc.exe
    C:\WINDOWS\5-a0c18a429b8010fee34ee31d9073371d.exe
    C:\WINDOWS\10-47488c40c3cddfee98fc3b173f6d7beb.exe
    C:\WINDOWS\4-efb7bab6499fc415ee93f4097033deae.exe
    C:\WINDOWS\12-b101c483c2fe3ac4a2bd5fae3377ef4f.exe
    C:\WINDOWS\mirar_distro_876088.exe
    C:\Program Files\Common Files\rwmm
    C:\WINDOWS\uccspecb.sys


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

-------

Once that is done...

Updating Java and Clearing Cache
  • Go to Start > Control Panel double-click on the Software icon > Add/Remove Programs.
  • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
    It should have the following icon next to it: [image]
    Select it and click Remove.
  • After the reboot, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - leave ALL 3 checked:
    • Downloaded Applets
    • Downloaded Applications
    • Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.
------

Post back with a fresh ComboFix log (the later version in Safe Mode again) + a fresh HijackThis log. Also let me know of any issues you currently have... Ads? PC slow? Anything? :flowers:
Hi there, stranger!

#8 sammy27

sammy27
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:04:34 AM

Posted 07 December 2006 - 11:37 AM

Hi again. Here is my fresh HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 8:30:27 AM, on 12/7/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\EARTHL~1\PROTEC~1\ADSSER~1.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink\Toolbar\ProtctIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink\Toolbar\Toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Earthlink Protection Control Center] C:\Program Files\EarthLink\Protection Control Center\elnk_pcc.exe /minimize
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [rwmm] C:\Program Files\Common Files\rwmm\rwmmm.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink\Toolbar\SearchUI.dll/search.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {0645D7F3-C20E-4E0B-A545-557527497C0B} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1d/www.n...GAPANEL_USA.cab
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex...wareControl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/25bc409d6c6baa...ip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1156530831353
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1452/ftp...02/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/pla...0/Installer.exe
O23 - Service: ADSService - Copyright© Aluria Software, LLC - C:\PROGRA~1\EARTHL~1\PROTEC~1\ADSSER~1.EXE
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EarthLink Firewall Process Path Service (ElnkFWPPService) - Aluria Software, LLC. - C:\PROGRA~1\EARTHL~1\PROTEC~1\EFWPPS~1.EXE

And here is my fresh combofix log in safe mode
Owner - 06-12-07 8:15:47.15 Service Pack 1
ComboFix 06.12.01W - Running from: "C:\Documents and Settings\Owner\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\qoobox\purity\Documents and Settings\Owner\My Documents\CROSOF~1
C:\qoobox\purity\Program Files\Common Files\ICROSO~1


((((((((((((((((((((((((((((((( Files Created from 2006-11-07 to 2006-12-07 ))))))))))))))))))))))))))))))))))


2006-12-07 07:55 <DIR> d-------- C:\Program Files\Java
2006-12-07 07:55 <DIR> d-------- C:\Program Files\Common Files\Java
2006-12-07 07:46 <DIR> d--hs---- C:\Config.Msi
2006-12-07 07:31 <DIR> d-------- C:\!KillBox
2006-12-06 11:16 <DIR> d-------- C:\WINDOWS\temp
2006-12-06 11:08 <DIR> d-------- C:\WINDOWS\pss
2006-12-05 15:28 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2006-12-03 18:00 <DIR> d-------- C:\Program Files\HijackThis
2006-12-03 17:29 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-12-03 16:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-03 16:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-12-03 13:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2006-12-03 13:25 <DIR> d-------- C:\Program Files\Lavasoft
2006-12-02 15:23 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Help
2006-12-01 19:50 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2006-12-01 19:48 4,928 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-12-01 19:48 348,704 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-12-01 19:48 17,664 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-12-01 19:48 <DIR> d-------- C:\Program Files\Grisoft
2006-12-01 19:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2006-12-01 19:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AVG7
2006-12-01 19:14 153,088 --a------ C:\WINDOWS\system32\UNWISE.EXE
2006-12-01 13:07 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-12-01 12:59 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2006-11-26 15:38 <DIR> d-------- C:\WINDOWS\rwmm
2006-11-24 19:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\vlc
2006-11-24 19:23 253,952 --a------ C:\WINDOWS\system32\wmpcd.dll
2006-11-24 19:23 1,404,928 --a------ C:\WINDOWS\system32\wmpui.dll
2006-11-24 19:23 1,298,432 --a------ C:\WINDOWS\system32\wmpcore.dll
2006-11-24 19:22 77,824 --a------ C:\WINDOWS\system32\wmpshell.dll
2006-11-24 19:22 6,656 --a------ C:\WINDOWS\system32\laprxy.dll
2006-11-24 19:22 5,120 --a------ C:\WINDOWS\system32\asferror.dll
2006-11-24 19:22 442,398 --a------ C:\WINDOWS\system32\wmadmoe.dll
2006-11-24 19:22 274,432 --a------ C:\WINDOWS\system32\wmasf.dll
2006-11-24 19:22 253,952 --a------ C:\WINDOWS\system32\wmnetmgr.dll
2006-11-24 19:22 245,760 --a------ C:\WINDOWS\system32\MSSCP.dll
2006-11-24 19:22 24,576 --a------ C:\WINDOWS\system32\logagent.exe
2006-11-24 19:22 22,528 --a------ C:\WINDOWS\system32\WMDMLOG.dll
2006-11-24 19:22 20,480 --a------ C:\WINDOWS\system32\WMDMPS.dll
2006-11-24 19:22 179,712 --a------ C:\WINDOWS\system32\cewmdm.dll
2006-11-24 19:22 175,104 --a------ C:\WINDOWS\system32\MsPMSP.dll
2006-11-24 19:22 155,648 --a------ C:\WINDOWS\system32\MSWMDM.dll
2006-11-24 19:22 152,576 --a------ C:\WINDOWS\system32\qasf.dll
2006-11-24 19:22 1,998,848 --a------ C:\WINDOWS\system32\wmploc.dll
2006-11-24 19:22 1,220,608 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-11-24 19:21 828,152 --a------ C:\WINDOWS\system32\wmv9dmod.dll
2006-11-24 19:21 76,830 --a------ C:\WINDOWS\system32\drmstor.dll
2006-11-24 19:21 602,112 --a------ C:\WINDOWS\system32\drmv2clt.dll
2006-11-24 19:21 294,912 --a------ C:\WINDOWS\system32\wmvdmod.dll
2006-11-24 19:21 266,240 --a------ C:\WINDOWS\system32\drmclien.dll
2006-11-24 19:21 204,800 --a------ C:\WINDOWS\system32\blackbox.dll
2006-11-24 19:21 184,320 --a------ C:\WINDOWS\system32\wmadmod.dll
2006-11-24 19:21 174,592 --a------ C:\WINDOWS\system32\msnetobj.dll
2006-11-24 19:21 110,592 --a------ C:\WINDOWS\system32\wmsdmod.dll
2006-11-24 19:21 <DIR> d-------- C:\WINDOWS\RegisteredPackages
2006-11-24 19:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2006-11-24 19:12 <DIR> d-------- C:\Program Files\TVUPlayer
2006-11-24 19:11 <DIR> d-------- C:\Program Files\TVAnts
2006-11-24 19:10 <DIR> d-------- C:\WINDOWS\uninstall
2006-11-24 19:10 <DIR> d-------- C:\Program Files\SatelliteTVforPC
2006-11-23 20:15 56,432 --a------ C:\WINDOWS\system32\drivers\ADSFilter.sys
2006-11-23 20:15 <DIR> d-------- C:\Program Files\Common Files\Command Software
2006-11-23 07:41 131 --a-s---- C:\WINDOWS\test.bat


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-07 07:57 -------- d-------- C:\Program Files\Google
2006-12-07 07:55 -------- d-------- C:\Program Files\Common Files
2006-12-03 17:38 -------- d-------- C:\Program Files\QuickTime
2006-12-03 17:37 -------- d-------- C:\Program Files\Internet Explorer
2006-12-03 17:37 -------- d-------- C:\Program Files\EarthLink MailBox
2006-12-01 19:14 -------- d-------- C:\Program Files\EarthLink
2006-11-28 20:28 -------- d-------- C:\Documents and Settings\Owner\Application Data\Macromedia
2006-11-26 15:38 -------- d-------- C:\Program Files\Common Files\rwmm
2006-11-26 15:03 -------- d-------- C:\Program Files\Stamps.com Internet Postage
2006-11-24 19:23 -------- d-------- C:\Program Files\Windows Media Player
2006-11-24 19:22 -------- d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft
2006-11-23 20:15 -------- d-------- C:\Program Files\Common Files\EarthLink
2006-11-23 20:09 49 --a------ C:\Documents and Settings\Owner\Application Data\internaldb41.dat
2006-11-23 20:09 337 --a------ C:\Documents and Settings\Owner\Application Data\internaldb1942.dat
2006-11-23 07:40 9216 --a------ C:\Documents and Settings\Owner\Application Data\internaldb8467.dat
2006-11-23 07:40 20480 --a------ C:\Documents and Settings\Owner\Application Data\internaldb4827.dat
2006-11-23 07:40 0 --a------ C:\Documents and Settings\Owner\Application Data\internaldb6334.dat
2006-11-23 07:39 23 --a------ C:\Documents and Settings\Owner\Application Data\inifile41.ini
2006-11-23 07:39 0 --a------ C:\Documents and Settings\Owner\Application Data\internaldb5436.dat
2006-11-22 18:26 -------- d-------- C:\Program Files\Common Files\Adobe
2006-11-04 15:39 -------- d-------- C:\Program Files\Yahoo!
2006-11-04 15:38 -------- d-------- C:\Program Files\Adobe
2006-11-04 15:37 -------- d-------- C:\Documents and Settings\Owner\Application Data\Leadertech
2006-11-04 15:36 -------- d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2006-11-04 15:33 -------- d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2006-11-04 15:33 -------- d-------- C:\Documents and Settings\Owner\Application Data\AdobeAUM
2006-10-29 17:47 -------- d-------- C:\Program Files\ArcadeRockstar
2006-10-14 10:30 -------- d-------- C:\Program Files\Virtools Web Player 3.0
2006-10-07 20:16 -------- d-------- C:\Program Files\iWin.com Games
2006-10-07 19:36 -------- d-------- C:\Program Files\Yahoo! Games
2006-09-21 18:17 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2006-09-21 15:33 443952 --a------ C:\WINDOWS\system32\nminstall.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"rwmm"="C:\\Program Files\\Common Files\\rwmm\\rwmmm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"EarthLink Installer"="\" /C"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Earthlink Protection Control Center"="C:\\Program Files\\EarthLink\\Protection Control Center\\elnk_pcc.exe /minimize"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,c2,01,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

Completion time: 06-12-07 8:17:45.56
C:\ComboFix.txt ... 06-12-07 08:17
C:\ComboFix2.txt ... 06-12-06 11:16
C:\ComboFix3.txt ... 06-12-05 16:28

#9 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:12:34 PM

Posted 07 December 2006 - 01:20 PM

Please run a scan with HijackThis and check the following objects for removal:

O4 - HKCU\..\Run: [rwmm] C:\Program Files\Common Files\rwmm\rwmmm.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/25bc409d6c6baa...ip/RdxIE601.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1452/ftp...02/cpbrkpie.cab


Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis and reboot.

Now, navigate to and delete the following folders if found (let me know if you don't find them):

C:\WINDOWS\rwmm
C:\Program Files\Common Files\rwmm


Empty recycle bin.

---

Finally, let's run another scan just in case...

Download GMER:
  • Unzip it and double-click GMER.exe
  • Click the rootkit-tab and click scan.
  • Once done, click Copy.
  • This will copy the results to clipboard.
  • Paste the results in your next reply and please let me know if you have any issues right now... :thumbsup:
Note: don't check the 'Show All' box.
Hi there, stranger!
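The triage Rawe does by eye in the post above (picking HijackThis entries whose target file is missing, or whose path matches a directory already identified in the ComboFix log) can be scripted. The following Python is an added example, not code from this thread or from HijackThis; the log excerpt is a constructed sample built from lines in the posted log, and the three flagging rules (missing target, watchlist path fragment, unnamed O16 control) are assumed heuristics for illustration only.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample: a handful of HijackThis v1.99.1 lines in the same
# format as the log posted in this thread (not the whole log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [rwmm] C:\Program Files\Common Files\rwmm\rwmmm.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/25bc409d6c6baa...ip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
"""

# A HijackThis entry line starts with a section code (R0, O2, O4, ...).
ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    section: str            # e.g. "O4"
    body: str               # everything after "O4 - "
    clsid: Optional[str]    # GUID if the line carries one
    target: str             # file path, command line or URL the entry points at
    raw: str


def _target_of(section: str, body: str) -> str:
    """Pull out the thing the entry actually loads or runs."""
    if section == "O4" and "] " in body:
        # O4 - HKCU\..\Run: [name] <command line>
        return body.split("] ", 1)[1]
    if " - " in body:
        # O2/O3/O9/O16/O23: the last " - " separated field is the path/URL
        return body.rsplit(" - ", 1)[1]
    return body


def parse_hjt(text: str) -> List[Entry]:
    """Parse HijackThis log text into structured entries; header and
    process-list lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        cm = CLSID_RE.search(body)
        entries.append(Entry(sec, body, cm.group(0) if cm else None,
                             _target_of(sec, body), line))
    return entries


def triage(entries: Iterable[Entry],
           watchlist: Iterable[str] = ()) -> List[Tuple[Entry, str]]:
    """Flag entries worth a closer look. Rules (assumed heuristics, chosen to
    mirror what the helper picked by hand in this thread):
      1. the target file is reported missing (orphaned entry)
      2. the target contains a path fragment from a watchlist, e.g. a
         directory already identified as malicious in a ComboFix log
      3. an O16 DPF (downloaded ActiveX control) with no control name
    """
    findings: List[Tuple[Entry, str]] = []
    frags = [w.lower() for w in watchlist]
    for e in entries:
        reasons = []
        if "(file missing)" in e.body:
            reasons.append("target file missing (orphaned entry)")
        low = e.target.lower()
        for frag in frags:
            if frag in low:
                reasons.append(f"target matches watchlist item '{frag}'")
        # A named control reads "{CLSID} (Name) - URL"; unnamed ones go
        # straight from the CLSID to " - URL".
        if e.section == "O16" and not re.search(r"\}\s+\(", e.body):
            reasons.append("DPF control without a name")
        if reasons:
            findings.append((e, "; ".join(reasons)))
    return findings


def flagged_lines(text: str, watchlist: Iterable[str] = ()) -> List[str]:
    """Convenience wrapper: raw log lines that triage() flags, in order."""
    return [e.raw for e, _ in triage(parse_hjt(text), watchlist)]


if __name__ == "__main__":
    # "rwmm" is the directory name identified in the ComboFix log earlier.
    for entry, why in triage(parse_hjt(SAMPLE_LOG), watchlist=["rwmm"]):
        print(f"{entry.section:4} {why}\n     {entry.raw}")
```

Run against the sample it flags exactly the three lines Rawe asked to fix; the watchlist is where findings from the ComboFix file listing feed into the HijackThis review.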

#10 sammy27

sammy27
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:04:34 AM

Posted 07 December 2006 - 07:10 PM

Hello. I did find the two folders, but when I deleted the first one to my recycle bin it wouldn't let me empty it. Then when I searched for the second one a box pops up that says the file might be a part of my hard drive. Here is the copy of the newest scan
GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2006-12-07 16:02:26
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.12 ----

Code 8190FEE8 ZwClose
Code 8190FC88 ZwCreateSection
Code 8190FB58 ZwSetInformationFile
Code 819DCA70 ZwSetSystemInformation
Code 8190FDB8 ZwWriteFile
Code 819DC93F IoCreateFile
Code 8190FEE7 NtClose
Code 8190FC87 NtCreateSection
Code 8190FB57 NtSetInformationFile
Code 8190FDB7 NtWriteFile

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte [ 06 ]
PAGE ntoskrnl.exe!ZwSetSystemInformation 805779DC 5 Bytes JMP 819DCA74
PAGE ntoskrnl.exe!NtCreateSection 8057FB92 7 Bytes JMP 8190FC8C
PAGE ntoskrnl.exe!NtClose 80581355 6 Bytes JMP 8190FEEC
PAGE ntoskrnl.exe!IoCreateFile 80583218 5 Bytes JMP 819DC944
PAGE ntoskrnl.exe!NtWriteFile 8058DC04 7 Bytes JMP 8190FDBC
PAGE ntoskrnl.exe!NtSetInformationFile 80592589 5 Bytes JMP 8190FB5C
PAGE Fastfat.SYS F56AD90C 7 Bytes JMP 8190FA2C
.text ntdll.dll!NtClose 77F758AA 5 Bytes JMP 72033FAA
.text ntdll.dll!NtCreateProcess 77F759F4 5 Bytes JMP 72034135
.text ntdll.dll!NtCreateProcessEx 77F75A03 5 Bytes JMP 72034019
.text ntdll.dll!NtCreateSection 77F75A21 5 Bytes JMP 72033FC8

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FILE_SYSTEM_CONTROL Code 8190FA28
Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL Code 8190FA28

---- Files - GMER 1.0.12 ----

ADS C:\Program Files\iWin.com Games\Family Feud\FamilyFeud.exe:{AAB37A21-9C90-8FE2-3841-0CC7D04D7A79}
ADS C:\Program Files\Yahoo! Games\Family Feud\FamilyFeud.exe:{03134AAF-A1B3-690E-9D31-CDE1663EC12E}

---- EOF - GMER 1.0.12 ----

#11 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:12:34 PM

Posted 08 December 2006 - 11:13 AM

Remove the folder in Safe Mode, also empty the recycle bin in Safe Mode :thumbsup:

Let me know if you still can't. Anyway, how is the computer acting?
Hi there, stranger!

#12 sammy27

sammy27
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:04:34 AM

Posted 09 December 2006 - 09:41 AM

Great, that worked. The computer's running great, thank you so much!

#13 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:12:34 PM

Posted 09 December 2006 - 03:31 PM

You're very much welcome :thumbsup:

Let's not forget some additional steps.

First priority: Install Service Pack 2 by visiting Microsoft Update. After you have installed it, reboot, download & install ALL the available critical updates. Then some more preventive maintenance:

Please read here how to clear old restore points and create a new one.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Here are some tips for the future to prevent spyware:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed. (My favourite)
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have. (Note to only use 1 at-the-time)
  • Firewall <= A firewall is definitely a must have. Two good free versions are Kerio Personal Firewall and ZoneLabs. (Note to only use 1 at-the-time)
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
And also see TonyKlein's good advice:
So how did I get infected in the first place?
Hi there, stranger!

#14 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:12:34 PM

Posted 11 December 2006 - 10:09 AM

Since this issue appears to be resolved, this Topic has been closed. Should you need this Topic reopened, please PM a Staff member with the address of this thread. :thumbsup:
Hi there, stranger!