Command- Help Me Remove It From The Pc Please


  • This topic is locked
22 replies to this topic

#1 byonic

byonic

  • Members
  • 43 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:09:35 AM

Posted 16 February 2007 - 07:49 AM

Hi,

I have a problem with a program calling itself 'Command'.

Spybot detects it, but cannot remove it from my system whilst windows is running normally, or in safe mode, or if Spybot runs on startup.

It appears on my 'Add / Remove programs' list, but when I try to remove it IE is started and navigated to a Command website stating "keep programs free" or something similar.

I didn't pursue whatever the website wanted me to do, as I thought it would be malicious rather than delicious!

Also, whilst writing this post, I checked my 'Add / Remove programs' list again, and I couldn't see Command, but did see 'Outerinfo' and 'VSAdd-in for Internet Explorer', both of which I do not recognise.

Can you help me by detecting the malware on my system and advise me on disposing of it?

Many thanks in advance!

:thumbsup:


My HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:45:56, on 16/02/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mail.bigyellowfeet.com:8383/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{14139C83-0AE9-1033-0917-04040713002c}] "C:\Program Files\Common Files\{14139C83-0AE9-1033-0917-04040713002c}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\System32\v6.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: OKI LPR Utility.lnk = C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
Big Yellow Feet
The production company


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:10:35 AM

Posted 16 February 2007 - 09:44 AM

Hello,

Your system is terribly infected. Actually this doesn't surprise me at all, because I notice that your Windows is not up to date and vulnerable, and you do not seem to be running antivirus software and a firewall. This is somewhat suicidal in today's digital world.
That's why I want you to install them first!!

Avira, AVG OR Avast OR Active Virus Shield (uncheck the Security Toolbar during install) are good FREE antivirus programs.
Never install more than one antivirus scanner or firewall on your system! Running several together can cause problems and seriously decrease reliability!
Agnitum Outpost Free, ZoneAlarm Free OR Kerio are FREE firewalls.

Understanding and using firewalls

After you have installed them, reboot your computer.

Uninstall Outerinfo and VSAdd-in for Internet Explorer and reboot once again.

After the reboot, can you rename HijackThis.exe to Analyse.exe?
Then scan with Analyse.exe and post the log in your next reply (which will be a HijackThis log, of course).

Also, I need a HijackThis log made in Windows normal mode, not from Windows safe mode like the log above.

Edited by miekiemoes, 16 February 2007 - 09:45 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 byonic

byonic
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:09:35 AM

Posted 16 February 2007 - 12:17 PM

Hi miekiemoes,

and thanks for your swift response to my post.

I have done as you suggested by removing all antivirus software (I was running a version of Ad-Aware and AVG), and I have now installed Avast! and ZoneAlarm.

Note: I did have ZoneAlarm installed previously, but I had trouble using it; I seemed to lose access to the internet altogether! So I (rather stupidly) uninstalled it instead of taking the time to learn how to use it properly. :thumbsup:

Anyway, aside from that admission, both an antivirus program and a firewall are on here now.
I am running Spybot TeaTimer too. Is this an issue?

My HijackThis log follows:

:flowers:


Logfile of HijackThis v1.99.1
Scan saved at 16:56:57, on 16/02/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\basfipm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\NILaunch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\analyse.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mail.bigyellowfeet.com:8383/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {010FF400-8DFB-439D-987B-DCDE5195F4D8} - C:\WINDOWS\System32\xxyyvwu.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {71342D12-876F-4A77-881F-213FB5B8368E} - C:\WINDOWS\System32\mljge.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7DCAA553-F574-4A55-B924-FBBA9F988BD3} - C:\WINDOWS\System32\gebcc.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{14139C83-0AE9-1033-0917-04040713002c}] "C:\Program Files\Common Files\{14139C83-0AE9-1033-0917-04040713002c}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\System32\v6.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: OKI LPR Utility.lnk = C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: mljge - C:\WINDOWS\System32\mljge.dll
O20 - Winlogon Notify: winbjt32 - winbjt32.dll (file missing)
O20 - Winlogon Notify: xxyyvwu - xxyyvwu.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\windows\system32\ZoneLabs\vsmon.exe

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:10:35 AM

Posted 16 February 2007 - 12:43 PM

Hello,

TeaTimer is no issue, but it may interfere with the fixes.
So I suggest you disable it, because it can interfere with the changes you'll make to your system.
When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup
Then, Download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

It is important you don't miss a step and perform everything in the right order!!

* Please download VundoFix.exe to your C:\.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • In case it says that nothing was found, right-click the list box (white box) in the main VundoFix window.
  • Select “Add More Files?” from the menu that comes up. This will open a new VundoFix window.
  • In the window, copy and paste the following into the first field: C:\WINDOWS\System32\mljge.dll
  • Click the “Add Files” button.
  • Click the "Close Window" button.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

--------------------

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present (some entries won't be present anymore):

O2 - BHO: (no name) - {010FF400-8DFB-439D-987B-DCDE5195F4D8} - C:\WINDOWS\System32\xxyyvwu.dll (file missing)
O2 - BHO: (no name) - {71342D12-876F-4A77-881F-213FB5B8368E} - C:\WINDOWS\System32\mljge.dll
O2 - BHO: (no name) - {7DCAA553-F574-4A55-B924-FBBA9F988BD3} - C:\WINDOWS\System32\gebcc.dll (file missing)
O4 - HKLM\..\Run: [{14139C83-0AE9-1033-0917-04040713002c}] "C:\Program Files\Common Files\{14139C83-0AE9-1033-0917-04040713002c}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\System32\v6.exe
O20 - Winlogon Notify: mljge - C:\WINDOWS\System32\mljge.dll
O20 - Winlogon Notify: winbjt32 - winbjt32.dll (file missing)
O20 - Winlogon Notify: xxyyvwu - xxyyvwu.dll (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!
Don't worry if some entries won't go away, we'll deal with that later...

---------------------

* Please download, install, and update AVG Anti-Spyware
  • Load AVG Anti-Spyware and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Then click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
  • AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Close AVG Anti-Spyware and reboot!!
    I need the log later.
-------------------------

* Download ComboScan to your Desktop.
  • Close all applications and windows.
  • Double-click on comboscan.exe to run it, and follow the prompts.
  • The scan may take a minute. When the scan is complete, a text file will open - ComboScan.txt
Extra Note: When running ComboScan, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your antivirus flags ComboScan as suspicious. Please allow ComboScan to run and don't let your antivirus delete it. (In this case, it may be better to temporarily disable your antivirus.)

Post the following logs in your next reply:
  • Log from Comboscan (Comboscan.txt)
  • Log from Vundofix (vundofix.txt)
  • Log from AVG Antispyware
You may need several replies to post the logs in case they won't fit in one reply.
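Added example, not part of this thread and not code from HijackThis, VundoFix or any of the tools named above: a small Python triage script that applies the same rules the helper used when picking entries to fix to lines in HijackThis 1.99 log format. It flags BHOs registered with no name, Winlogon Notify DLLs, Run values named with a GUID, anything marked "(file missing)", and core system binaries (such as svchost.exe) running from somewhere other than System32, which is exactly what the AVG report in the next post shows. The sample log is constructed from entries in this thread, the function names and the assumption that the system root is C:\WINDOWS are the example's own, and the heuristics are a reviewer's starting point rather than a verdict.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample in HijackThis v1.99 log format. The lines are modelled
# on entries posted in this thread (Vundo BHO, GUID-named Run value, orphaned
# Winlogon Notify DLL, svchost.exe outside System32); it is not a full log.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\svchost.exe
C:\WINDOWS\Explorer.EXE

O2 - BHO: (no name) - {71342D12-876F-4A77-881F-213FB5B8368E} - C:\WINDOWS\System32\mljge.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [{14139C83-0AE9-1033-0917-04040713002c}] "C:\Program Files\Common Files\{14139C83-0AE9-1033-0917-04040713002c}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: winbjt32 - winbjt32.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\windows\system32\ZoneLabs\vsmon.exe
"""

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
RUN_VALUE_RE = re.compile(r"^O4 - .*?Run: \[(.+?)\]")

# Assumption: the system root is C:\WINDOWS, as in the logs in this thread.
SYSTEM32 = "c:\\windows\\system32\\"
# Core Windows binaries that only ever live in System32; a copy anywhere else
# (Application Data, Common Files, ...) is a masquerading executable.
CORE_SYSTEM_NAMES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
}


def flag_process(path: str) -> Optional[str]:
    """Return a reason if a 'Running processes' path looks like a masquerade."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    if name in CORE_SYSTEM_NAMES and not p.startswith(SYSTEM32):
        return f"{name} running outside System32"
    return None


def flag_entry(line: str) -> Optional[str]:
    """Return a reason if a HijackThis O-line matches a Vundo-style pattern."""
    if "(file missing)" in line:
        return "registration points at a file that no longer exists"
    if line.startswith("O2 - BHO: (no name)"):
        return "Browser Helper Object with no name"
    if line.startswith("O20 - Winlogon Notify:"):
        return "Winlogon Notify DLL (loaded into winlogon.exe; classic Vundo persistence)"
    m = RUN_VALUE_RE.match(line)
    if m and GUID_RE.match(m.group(1)):
        return "Run value named with a GUID instead of a product name"
    return None


def analyze(log_text: str) -> List[Tuple[str, str]]:
    """Walk a HijackThis log and collect (line, reason) pairs worth reviewing."""
    findings: List[Tuple[str, str]] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        reason = flag_process(line) if in_processes else flag_entry(line)
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in analyze(SAMPLE_LOG):
        print(f"[review] {reason}\n         {line}")
```

On the sample above the script reports four lines: the svchost.exe copy under Common Files, the unnamed mljge.dll BHO, the GUID-named Run value and the orphaned winbjt32 Winlogon Notify entry. The "(file missing)" rule needs a human look before fixing: the logs in this thread show HijackThis 1.99.1 appending "(file missing)" to the legitimate avast! Mail Scanner and Web Scanner services because of how their quoted command lines are parsed, so that rule finds candidates, not confirmed malware.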

#5 byonic

byonic
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:09:35 AM

Posted 16 February 2007 - 03:25 PM

I have followed the instructions set out in the last post. The logs follow.

However, whilst Comboscan was running Avast gave me warnings that viruses were found. I followed the suggested route of moving them to chest. I assume this wouldn't be a problem.

Also, it would seem that VundoFix did not create a log file. It did report three 'vundos' that it then told me it had successfully removed. I cannot tell you what they were, however; I did not make a note of them as I was expecting VundoFix to create a log.

I had previously downloaded and run VundoFix because I was following directions in another forum about tackling my problems, and I have posted the log that that scan generated. I appreciate that this will probably not be helpful, but I didn't want to run VundoFix a third time due to your warning about doing things in the correct order.

Logs follow:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 19:46:23 16/02/2007

+ Scan result:



C:\windows\system32\hggdcba.dll -> Adware.Virtumonde : No action taken.
C:\Documents and Settings\All Users\Application Data\svchost.exe -> Logger.Agent.or : No action taken.
C:\Documents and Settings\Gregory\Local Settings\Application Data\svchost.exe -> Logger.Agent.or : No action taken.
C:\Program Files\Common Files\svchost.exe -> Logger.Agent.or : No action taken.
C:\Documents and Settings\Sys Admin\Cookies\sys admin@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Gregory\Cookies\gregory@atdmt[1].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Sys Admin\Cookies\sys admin@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Gregory\Cookies\gregory@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : No action taken.
C:\Documents and Settings\Sys Admin\Cookies\sys admin@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : No action taken.
C:\Documents and Settings\Gregory\Cookies\gregory@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Sys Admin\Cookies\sys admin@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Gregory\Cookies\gregory@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : No action taken.
C:\Documents and Settings\Sys Admin\Cookies\sys admin@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : No action taken.
C:\Documents and Settings\Gregory\Cookies\gregory@ehg-hollywoodmedia.hitbox[1].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Gregory\Cookies\gregory@hitbox[2].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Sys Admin\Cookies\sys admin@ehg-hollywoodmedia.hitbox[1].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Sys Admin\Cookies\sys admin@hitbox[2].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Sys Admin\Cookies\sys admin@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : No action taken.
C:\Documents and Settings\Sys Admin\Cookies\sys admin@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\Sys Admin\Cookies\sys admin@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\Sys Admin\Cookies\sys admin@serving-sys[1].txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\Sys Admin\Cookies\sys admin@nsads.valuead[2].txt -> TrackingCookie.Valuead : No action taken.
C:\Documents and Settings\Gregory\Cookies\gregory@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken.


::Report end



ComboScan v20070212.14 run by Sys Admin on 2007-02-16 at 19:50:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Restore was disabled; re-enabling.
Failed to create restore point: System Restore is disabled (service is not running).
Performed disk cleanup.


-- HijackThis log (run as Sys Admin.com) ----------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 19:50:32, on 16/02/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\basfipm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\NILaunch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Sys Admin\Desktop\comboscan.exe
C:\DOCUME~1\SYSADM~1\LOCALS~1\Temp\~ztitpye.tmp\Sys Admin.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mail.bigyellowfeet.com:8383/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: OKI LPR Utility.lnk = C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\windows\system32\ZoneLabs\vsmon.exe


-- HijackThis Fixed Entries (C:\Program Files\HijackThis\backups\) --------------

backup-20070216-192457-173 O2 - BHO: (no name) - {F51B3CD6-1757-4C1C-AD33-9F9A1FE65374} - C:\WINDOWS\System32\mljge.dll (file missing)
backup-20070216-192457-315 O20 - Winlogon Notify: xxyyvwu - xxyyvwu.dll (file missing)
backup-20070216-192457-383 O4 - HKLM\..\Run: [syswin] C:\WINDOWS\System32\v6.exe
backup-20070216-192457-393 O2 - BHO: (no name) - {7DCAA553-F574-4A55-B924-FBBA9F988BD3} - C:\WINDOWS\System32\gebcc.dll (file missing)
backup-20070216-192457-476 O2 - BHO: (no name) - {010FF400-8DFB-439D-987B-DCDE5195F4D8} - C:\WINDOWS\System32\xxyyvwu.dll (file missing)
backup-20070216-192457-568 O4 - HKLM\..\Run: [{14139C83-0AE9-1033-0917-04040713002c}] "C:\Program Files\Common Files\{14139C83-0AE9-1033-0917-04040713002c}\Update.exe" mc-110-12-0000272
backup-20070216-192457-736 O20 - Winlogon Notify: winbjt32 - winbjt32.dll (file missing)


-- File Associations ------------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ----------------------

4 abp480n5 - \SystemRoot\System32\DRIVERS\ABP480N5.SYS
4 adpu160m - \SystemRoot\System32\DRIVERS\adpu160m.sys
3 aeaudio - system32\drivers\aeaudio.sys
4 agpCPQ (Compaq AGP Bus Filter) - \SystemRoot\System32\DRIVERS\agpCPQ.sys
4 Aha154x - \SystemRoot\System32\DRIVERS\aha154x.sys
4 aic78u2 - \SystemRoot\System32\DRIVERS\aic78u2.sys
4 aic78xx - \SystemRoot\System32\DRIVERS\aic78xx.sys
4 AliIde - \SystemRoot\System32\DRIVERS\aliide.sys
4 alim1541 (ALI AGP Bus Filter) - \SystemRoot\System32\DRIVERS\alim1541.sys
4 amdagp (AMD AGP Bus Filter Driver) - \SystemRoot\System32\DRIVERS\amdagp.sys
4 amsint - \SystemRoot\System32\DRIVERS\amsint.sys
4 asc - \SystemRoot\System32\DRIVERS\asc.sys
4 asc3350p - \SystemRoot\System32\DRIVERS\asc3350p.sys
4 asc3550 - \SystemRoot\System32\DRIVERS\asc3550.sys
3 ati2mtag - System32\DRIVERS\ati2mtag.sys
1 AVG Anti-Spyware Driver - \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
1 AvgAsCln (AVG Anti-Spyware Clean Driver) - System32\DRIVERS\AvgAsCln.sys
3 b57w2k (Broadcom NetXtreme 57xx Gigabit Controller) - System32\DRIVERS\b57xp32.sys
2 BASFND - \??\C:\WINDOWS\System32\Drivers\BASFND.sys
4 cbidf - \SystemRoot\System32\DRIVERS\cbidf2k.sys
4 cd20xrnt - \SystemRoot\System32\DRIVERS\cd20xrnt.sys
4 CmdIde - \SystemRoot\System32\DRIVERS\cmdide.sys
4 Cpqarray - \SystemRoot\System32\DRIVERS\cpqarray.sys
4 dac2w2k - \SystemRoot\System32\DRIVERS\dac2w2k.sys
4 dac960nt - \SystemRoot\System32\DRIVERS\dac960nt.sys
4 dpti2o - \SystemRoot\System32\DRIVERS\dpti2o.sys
0 drvmcdb - system32\drivers\drvmcdb.sys
2 drvnddm - system32\drivers\drvnddm.sys
3 EL90XBC (3Com EtherLink XL 90XB/C Adapter Driver) - System32\DRIVERS\el90xbc5.sys
3 HidUsb (Microsoft HID Class Driver) - System32\DRIVERS\hidusb.sys
4 hpn - \SystemRoot\System32\DRIVERS\hpn.sys
4 i2omp - \SystemRoot\System32\DRIVERS\i2omp.sys
3 i81x - System32\DRIVERS\i81xnt5.sys
3 iAimFP0 - System32\DRIVERS\wADV01nt.sys
3 iAimFP1 - System32\DRIVERS\wADV02NT.sys
3 iAimFP2 - System32\DRIVERS\wADV05NT.sys
3 iAimFP3 - System32\DRIVERS\wSiINTxx.sys
3 iAimFP4 - System32\DRIVERS\wVchNTxx.sys
3 iAimTV0 - System32\DRIVERS\wATV01nt.sys
3 iAimTV1 - System32\DRIVERS\wATV02NT.sys
3 iAimTV2 - System32\DRIVERS\wATV03nt.sys
3 iAimTV3 - System32\DRIVERS\wATV04nt.sys
3 iAimTV4 - System32\DRIVERS\wCh7xxNT.sys
4 ini910u - \SystemRoot\System32\DRIVERS\ini910u.sys
1 kbdhid (Keyboard HID Driver) - System32\DRIVERS\kbdhid.sys
3 mouhid (Mouse HID Driver) - System32\DRIVERS\mouhid.sys
4 mraid35x - \SystemRoot\System32\DRIVERS\mraid35x.sys
1 omci (OMCI WDM Device Driver) - System32\DRIVERS\omci.sys
0 PCIIde - System32\DRIVERS\pciide.sys
4 perc2 - \SystemRoot\System32\DRIVERS\perc2.sys
4 perc2hib - \SystemRoot\System32\DRIVERS\perc2hib.sys
0 PxHelp20 - System32\Drivers\PxHelp20.sys
4 ql1080 - \SystemRoot\System32\DRIVERS\ql1080.sys
4 Ql10wnt - \SystemRoot\System32\DRIVERS\ql10wnt.sys
4 ql12160 - \SystemRoot\System32\DRIVERS\ql12160.sys
4 ql1240 - \SystemRoot\System32\DRIVERS\ql1240.sys
4 ql1280 - \SystemRoot\System32\DRIVERS\ql1280.sys
3 Sfloppy (High-Capacity Floppy Disk Drive) - System32\DRIVERS\sfloppy.sys
4 sisagp (SIS AGP Bus Filter) - \SystemRoot\System32\DRIVERS\sisagp.sys
3 smwdm - system32\drivers\smwdm.sys
4 Sparrow - \SystemRoot\System32\DRIVERS\sparrow.sys
0 srescan - System32\ZoneLabs\srescan.sys
1 sscdbhk5 - system32\drivers\sscdbhk5.sys
1 ssrtln - system32\drivers\ssrtln.sys
4 symc810 - \SystemRoot\System32\DRIVERS\symc810.sys
4 symc8xx - \SystemRoot\System32\DRIVERS\symc8xx.sys
4 sym_hi - \SystemRoot\System32\DRIVERS\sym_hi.sys
4 sym_u3 - \SystemRoot\System32\DRIVERS\sym_u3.sys
2 tfsnboio - system32\dla\tfsnboio.sys
2 tfsncofs - system32\dla\tfsncofs.sys
2 tfsndrct - system32\dla\tfsndrct.sys
2 tfsndres - system32\dla\tfsndres.sys
2 tfsnifs - system32\dla\tfsnifs.sys
2 tfsnopio - system32\dla\tfsnopio.sys
2 tfsnpool - system32\dla\tfsnpool.sys
2 tfsnudf - system32\dla\tfsnudf.sys
2 tfsnudfa - system32\dla\tfsnudfa.sys
2 tmcomm - \??\C:\WINDOWS\System32\drivers\tmcomm.sys
4 TosIde - \SystemRoot\System32\DRIVERS\toside.sys
4 ultra - \SystemRoot\System32\DRIVERS\ultra.sys
3 usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - System32\DRIVERS\usbehci.sys
3 usbprint (Microsoft USB PRINTER Class) - System32\DRIVERS\usbprint.sys
3 usbscan (USB Scanner Driver) - System32\DRIVERS\usbscan.sys
3 USBSTOR (USB Mass Storage Driver) - System32\DRIVERS\USBSTOR.SYS
4 viaagp (VIA AGP Bus Filter) - \SystemRoot\System32\DRIVERS\viaagp.sys
4 ViaIde - \SystemRoot\System32\DRIVERS\viaide.sys
1 vsdatant - System32\vsdatant.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

3 Adobe LM Service - "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"
2 aswUpdSv (avast! iAVS4 Control Service) - "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"
2 Ati HotKey Poller - %SystemRoot%\System32\Ati2evxx.exe
2 avast! Antivirus - "C:\Program Files\Alwil Software\Avast4\ashServ.exe"
3 avast! Mail Scanner - "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service
3 avast! Web Scanner - "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service
2 AVG Anti-Spyware Guard - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
2 BAsfIpM (Broadcom ASF IP monitoring service v6.0.4) - C:\WINDOWS\System32\basfipm.exe
2 Fax - %systemroot%\system32\fxssvc.exe
3 gusvc (Google Updater Service) - "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
3 SCardDrv (Smart Card Helper) - %SystemRoot%\System32\SCardSvr.exe
2 uploadmgr (Upload Manager) - %SystemRoot%\System32\svchost.exe -k netsvcs
2 vsmon (TrueVector Internet Monitor) - C:\windows\system32\ZoneLabs\vsmon.exe -service
2 WmdmPmSp (Portable Media Serial Number) - %SystemRoot%\System32\svchost.exe -k netsvcs


-- Scheduled Tasks --------------------------------------------------------------

2007-02-08 14:54:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job<APPLES~1.JOB>


-- Files created between 2007-01-16 and 2007-02-16 ------------------------------

2007-02-16 19:31:16 3968 --a------ C:\WINDOWS\System32\drivers\AvgAsCln.sys<Unsigned: GRISOFT, s.r.o.>
2007-02-16 16:50:45 1087216 --a------ C:\WINDOWS\System32\zpeng24.dll<Signed: Python Software Foundation>
2007-02-16 16:50:43 0 d-------- C:\WINDOWS\System32\ZoneLabs
2007-02-16 15:58:53 4212 ---h----- C:\WINDOWS\System32\zllictbl.dat
2007-02-16 15:58:38 11264 --a------ C:\WINDOWS\System32\SpOrder.dll<Unsigned: Microsoft Corporation>
2007-02-16 15:57:18 0 d-------- C:\WINDOWS\Internet Logs<INTERN~1>
2007-02-16 15:50:55 85952 --a------ C:\WINDOWS\System32\drivers\aswmon.sys<Unsigned: ALWIL Software>
2007-02-16 15:50:52 90112 --a------ C:\WINDOWS\System32\AVASTSS.scr
2007-02-16 15:50:52 689280 --a------ C:\WINDOWS\System32\aswBoot.exe<Signed: n/a>
2007-02-16 15:50:49 0 d-------- C:\Program Files\Alwil Software<ALWILS~1>
2007-02-16 11:44:53 0 d-------- C:\Program Files\HijackThis<HIJACK~1>
2007-02-15 20:55:35 0 d-------- C:\bintheredunthat<BINTHE~1>
2007-02-15 19:29:09 44177 --a------ C:\WINDOWS\System32\eledwwuu.dll<Unsigned: n/a>
2007-02-15 19:29:02 0 d-------- C:\Program Files\VSAdd-in
2007-02-15 19:29:01 0 --a------ C:\WINDOWS\System32\dokcnmjb.exe<Unsigned: n/a>
2007-02-15 19:28:58 0 --a------ C:\WINDOWS\System32\npaxfiko.dll<Unsigned: n/a>
2007-02-15 19:19:04 0 d-------- C:\BFU
2007-02-15 19:13:04 0 d-------- C:\Program Files\Grisoft
2007-02-15 12:27:38 0 d-------- C:\VundoFix Backups<VUNDOF~1>
2007-02-14 15:24:44 2824 --a------ C:\WINDOWS\System32\tmp.reg
2007-02-14 15:24:28 79360 --a------ C:\WINDOWS\System32\swxcacls.exe<Unsigned: SteelWerX>
2007-02-14 15:24:28 40960 --a------ C:\WINDOWS\System32\swsc.exe<Unsigned: n/a>
2007-02-14 15:24:28 135168 --a------ C:\WINDOWS\System32\swreg.exe<Unsigned: SteelWerX>
2007-02-14 15:24:28 288417 --a------ C:\WINDOWS\System32\SrchSTS.exe<Unsigned: S!Ri>
2007-02-14 15:24:28 53248 --a------ C:\WINDOWS\System32\Process.exe<Unsigned: http://www.beyondlogic.org>
2007-02-14 15:24:28 51200 --a------ C:\WINDOWS\System32\dumphive.exe<Unsigned: n/a>
2007-02-14 15:23:41 0 d--hs---- C:\WINDOWS\CSC
2007-02-14 14:43:27 0 d-------- C:\WINDOWS\System32\ActiveScan<ACTIVE~1>
2007-02-14 14:09:15 44165 --a------ C:\WINDOWS\System32\wbkdlyry.dll<Unsigned: n/a>
2007-02-14 14:05:52 22743 ---hs---- C:\WINDOWS\System32\hggdcba.dll<Unsigned: n/a>
2007-02-14 13:37:39 0 --a------ C:\WINDOWS\System32\lggvoigr.dll<Unsigned: n/a>
2007-02-14 13:37:30 44165 --a------ C:\WINDOWS\System32\knvjvfmt.dll<Unsigned: n/a>
2007-02-14 13:21:41 0 d-------- C:\Program Files\Outerinfo<OUTERI~1>
2007-02-14 13:21:22 70656 --a------ C:\WINDOWS\System32\ssifmui.dll<Unsigned: n/a>
2007-02-14 13:21:21 93696 --a------ C:\WINDOWS\System32\untdfsn.dll<Unsigned: n/a>
2007-02-14 12:37:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy<SPYBOT~1>
2007-02-13 18:14:14 0 ---h----- C:\Program Files\Common Files\svchost.exe<Unsigned: n/a>
2007-02-13 18:01:39 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2007-02-13 17:57:09 0 ---h----- C:\Documents and Settings\All Users\Application Data\svchost.exe<Unsigned: n/a>
2007-02-13 15:07:05 0 d--h----- C:\Program Files\Common Files\Uninstall Information<UNINST~1>
2007-02-13 14:05:24 0 d--hs---- C:\WINDOWS\R3JlZ29yeQ<R3JLZ2~1>
2007-02-13 13:37:11 0 --a------ C:\WINDOWS\System32\silailop.dll<Unsigned: n/a>
2007-02-13 13:37:08 76412 --a------ C:\WINDOWS\System32\hsguspwm.dll<Unsigned: n/a>
2007-02-13 13:15:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe


-- Find3M Report ----------------------------------------------------------------

2007-02-16 15:30:56 0 d-------- C:\Documents and Settings\Sys Admin\Application Data\Lavasoft
2007-02-16 13:06:37 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
2007-02-16 13:04:48 0 d-------- C:\Program Files\Google
2007-02-13 20:54:39 0 d-------- C:\Program Files\Dell
2007-02-13 20:47:38 76560 --a------ C:\WINDOWS\System32\drivers\tmcomm.sys<Signed: Trend Micro Inc.>
2007-02-13 13:17:16 0 d-------- C:\Documents and Settings\Sys Admin\Application Data\Adobe
2007-02-13 13:15:38 0 d-------- C:\Program Files\Common Files\Adobe
2007-01-11 15:32:33 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~1>
2007-01-11 15:31:48 1168 --a------ C:\WINDOWS\mozver.dat
2007-01-11 15:24:47 0 --a------ C:\WINDOWS\nsreg.dat
2007-01-11 15:24:46 0 d-------- C:\Documents and Settings\Sys Admin\Application Data\Mozilla


-- Registry Dump ----------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"Net-It Launcher"="C:\\WINDOWS\\System32\\NILaunch.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Omnipage"="C:\\Program Files\\ScanSoft\\OmniPageSE\\opware32.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{010FF400-8DFB-439D-987B-DCDE5195F4D8}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"svchost.exe"=""

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_AVG_ANTI-SPYWARE_GUARD


-- End of ComboScan: finished at 2007-02-16 at 19:54:48 -------------------------




VundoFix V6.2.5

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.6

Scan started at 12:27:38 15/02/2007

Listing files found while scanning....

C:\WINDOWS\System32\gebcc.dll
C:\WINDOWS\System32\ccbeg.ini
C:\WINDOWS\System32\ccbeg.bak1
C:\WINDOWS\System32\ccbeg.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\System32\gebcc.dll
C:\WINDOWS\System32\gebcc.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\ccbeg.ini
C:\WINDOWS\System32\ccbeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\ccbeg.bak1
C:\WINDOWS\System32\ccbeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\ccbeg.bak2
C:\WINDOWS\System32\ccbeg.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.5

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.6

Scan started at 14:53:12 15/02/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.2.5

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.6

Scan started at 15:47:08 15/02/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.2.5

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.6

Scan started at 19:11:37 16/02/2007

Listing files found while scanning....

C:\WINDOWS\System32\mljge.dll
C:\WINDOWS\System32\egjlm.ini
C:\WINDOWS\System32\egjlm.bak1

Beginning removal...

Attempting to delete C:\WINDOWS\System32\mljge.dll
C:\WINDOWS\System32\mljge.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\egjlm.ini
C:\WINDOWS\System32\egjlm.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\egjlm.bak1
C:\WINDOWS\System32\egjlm.bak1 Has been deleted!

Performing Repairs to the registry.
Done!
Big Yellow Feet
The production company

#6 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 16 February 2007 - 04:01 PM

Hello,

I see you didn't perform the AVG Antispyware scan as described... Because it didn't delete anything... It says: No action taken

Most probably you forgot next step:

# Then click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine.......

and

# AVG Antispyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Antispyware will display "All actions have been applied" on the right hand side.

So, run AVG Antispyware again afterwards.

Your Hijackthislog looks clean again, but we are not finished yet...

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please hide your hidden files and folders afterwards again, when we are done with this thread and your problems are solved, because above instructions to set your system to show all files, unhide legit files and folders as well.
And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.


Browse to and delete next folders and files:

C:\bintheredunthat <== folder
C:\WINDOWS\System32\eledwwuu.dll
C:\Program Files\VSAdd-in <== folder
C:\WINDOWS\System32\dokcnmjb.exe
C:\WINDOWS\System32\npaxfiko.dll
C:\VundoFix Backups <== folder
C:\WINDOWS\System32\wbkdlyry.dll
C:\WINDOWS\System32\hggdcba.dll
C:\WINDOWS\System32\lggvoigr.dll
C:\WINDOWS\System32\knvjvfmt.dll
C:\Program Files\Outerinfo <== folder
C:\WINDOWS\System32\ssifmui.dll
C:\WINDOWS\System32\untdfsn.dll
C:\Program Files\Common Files\svchost.exe
C:\Documents and Settings\All Users\Application Data\svchost.exe
C:\Documents and Settings\Gregory\Local Settings\Application Data\svchost.exe
C:\WINDOWS\R3JlZ29yeQ <== folder
C:\WINDOWS\System32\silailop.dll
C:\WINDOWS\System32\hsguspwm.dll

If you're having problems with removing some, try it in Windows Safe mode.
To get into the Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.
Choose Safe Mode from the menu that will appear and press Enter.

Open notepad and copy and paste next present in the quotebox below in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{010FF400-8DFB-439D-987B-DCDE5195F4D8}"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"svchost.exe"=-

[-HKEY_CLASSES_ROOT\CLSID\{010FF400-8DFB-439D-987B-DCDE5195F4D8}]

Save this as fix.reg Choose to save as *all files and place it on your desktop.
It should look like this: [screenshot not included]
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

Let me know in your next reply how things are running now.

Edit..

I don't know in what order you will perform this, but in case you run AVG Antispyware before, you won't be able to find the next files anymore to delete afterwards:

C:\WINDOWS\System32\hggdcba.dll
C:\Program Files\Common Files\svchost.exe
C:\Documents and Settings\All Users\Application Data\svchost.exe
C:\Documents and Settings\Gregory\Local Settings\Application Data\svchost.exe

This since AVG Antispyware is actually supposed to delete them as I saw in your AVG log:

C:\windows\system32\hggdcba.dll -> Adware.Virtumonde : No action taken.
C:\Documents and Settings\All Users\Application Data\svchost.exe -> Logger.Agent.or : No action taken.
C:\Documents and Settings\Gregory\Local Settings\Application Data\svchost.exe -> Logger.Agent.or : No action taken.
C:\Program Files\Common Files\svchost.exe -> Logger.Agent.or : No action taken.


Edited by miekiemoes, 16 February 2007 - 04:15 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
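The ComboScan output posted above and the fix.reg in this post go together well as a small triage exercise. The following Python script is an added example, not code from the thread or from ComboScan, HijackThis or VundoFix. It parses the "Files created" and "Registry Dump" sections (the embedded sample is constructed from lines in the log above), flags the patterns the helper acted on (hidden executables, a svchost.exe outside System32, unsigned gibberish-named DLLs in System32, an unnamed ShellExecuteHook, anything under the policies\Explorer\Run key) and renders the same REGEDIT4 removal file. It also decodes directory names that are valid base64: the folder C:\WINDOWS\R3JlZ29yeQ is base64 for "Gregory", the user name that appears in the paths above. The name-length thresholds and the KNOWN_HOOKS allowlist (the CLSID of Windows' own URL Exec Hook, which also has an empty value) are my assumptions, not anything these tools publish.

```python
"""Triage a ComboScan-style log for the kind of leftovers this thread deals with. Added example,
not code from the thread or from ComboScan/HijackThis/VundoFix; the heuristics are assumptions."""
import base64, re

SAMPLE_LOG = r"""
-- Files created between 2007-01-16 and 2007-02-16 ------------------------------
2007-02-15 19:29:09 44177 --a------ C:\WINDOWS\System32\eledwwuu.dll<Unsigned: n/a>
2007-02-14 14:05:52 22743 ---hs---- C:\WINDOWS\System32\hggdcba.dll<Unsigned: n/a>
2007-02-13 18:14:14 0 ---h----- C:\Program Files\Common Files\svchost.exe<Unsigned: n/a>
2007-02-13 14:05:24 0 d--hs---- C:\WINDOWS\R3JlZ29yeQ<R3JLZ2~1>
2007-02-13 20:47:38 76560 --a------ C:\WINDOWS\System32\drivers\tmcomm.sys<Signed: Trend Micro Inc.>
-- Registry Dump ----------------------------------------------------------------
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{010FF400-8DFB-439D-987B-DCDE5195F4D8}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"svchost.exe"=""
"""  # constructed from lines in the ComboScan log posted above

FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \d+ (\S{9}) (.+?)(?:<([^>]*)>)?$")
RANDOM_NAME = re.compile(r"^[a-z]{5,8}\.(dll|exe)$")  # Vundo-style gibberish basenames (assumption)
SYSTEM32 = "c:\\windows\\system32\\"
KNOWN_HOOKS = {"{AEB6717E-7E19-11D0-97EE-00C04FD91972}"}  # Windows' own URL Exec Hook is unnamed too

def parse(text):
    """Split the log into {section title: [non-blank lines]} on its '-- Title ---' headers."""
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^-- (.+?) -+$", line)
        if m:
            current = m.group(1).strip()
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line)
    return sections

def section(sections, prefix):
    return next((v for k, v in sections.items() if k.startswith(prefix)), [])

def base64_name(name):
    """Decoded text if `name` is base64 for printable ASCII (e.g. an encoded user name), else None."""
    if len(name) < 6:
        return None
    try:
        text = base64.b64decode(name + "=" * (-len(name) % 4), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def triage_files(lines):
    """Heuristics over the 'Files created' section; returns [(path, reason)]."""
    out = []
    for m in filter(None, map(FILE_RE.match, lines)):
        attrs, path, tag = m.group(1), m.group(2), m.group(3) or ""
        base = path.rsplit("\\", 1)[-1]
        name, low = base.lower(), path.lower()
        decoded = base64_name(base) if attrs[0] == "d" else None
        if decoded:
            out.append((path, f"directory name is base64 for {decoded!r}"))
        if name == "svchost.exe" and not low.startswith(SYSTEM32):
            out.append((path, "svchost.exe outside System32"))
        if "h" in attrs and name.endswith((".exe", ".dll")):
            out.append((path, "hidden executable"))
        if tag == "Unsigned: n/a" and low.startswith(SYSTEM32) and RANDOM_NAME.match(name):
            out.append((path, "unsigned, random-looking name in System32"))
    return out

def triage_registry(lines):
    """Flag unnamed ShellExecuteHooks and anything under policies\\Explorer\\Run (normally empty)."""
    out, key = [], ""
    for line in lines:
        if line.startswith("["):
            key = line.strip("[]")
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m:
            continue
        name, value, lowkey = m.group(1), m.group(2), key.lower()
        if lowkey.endswith("\\shellexecutehooks") and value == '""' and name.upper() not in KNOWN_HOOKS:
            out.append((key, name, "unnamed ShellExecuteHook"))
        elif lowkey.endswith("\\policies\\explorer\\run"):
            out.append((key, name, "policy Run entry"))
    return out

def fix_reg(reg_findings):
    """Render a REGEDIT4 file deleting the flagged values, plus the CLSID key of each rogue hook."""
    by_key = {}
    for key, name, _ in reg_findings:
        by_key.setdefault(key, []).append(name)
    out = ["REGEDIT4", ""]
    for key, names in by_key.items():
        out += [f"[{key}]", *(f'"{n}"=-' for n in names), ""]
    out += [f"[-HKEY_CLASSES_ROOT\\CLSID\\{n}]" for _, n, why in reg_findings if why == "unnamed ShellExecuteHook"]
    return "\n".join(out) + "\n"

def triage(text):
    s = parse(text)
    reg = triage_registry(section(s, "Registry Dump"))
    return {"files": triage_files(section(s, "Files created")), "registry": reg, "fix_reg": fix_reg(reg)}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Treat the hits as a worklist to verify by hand, not as a verdict: the name heuristic will also catch legitimate short lowercase names, and the generated .reg only deletes values, so the DLL or EXE each entry pointed at still has to be removed (or quarantined by the scanner) as described in the post.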

#7 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 16 February 2007 - 04:44 PM

In case Spybot still flags the Command entry (it must be the legacy_cmdservice it's flagging all the time), do next:

Please download delcmdservice (by Marckie), and save it to your Desktop.
  • Unzip the content to your Desktop (a folder named delcmdservice)
  • Double-click on the delcmdservice folder
  • Double-click on delreg.bat to launch the tool
  • When the tool has finished, please reboot your computer


#8 byonic
  • Topic Starter
  • Members
  • 43 posts
  • Gender:Male
  • Location:UK

Posted 19 February 2007 - 09:37 AM

Hello,

I have worked my way through the instructions in the last two posts.

Apologies for the AVG mixup; my only excuse for missing that part of the instruction is the multiple system restarts, which meant reading your post little by little. Whilst the post was closed I did the AVG scan but forgot to perform the settings change. Oops!

Anyway, I did the AVG scan again, with the changes made. I then searched through the files listed to delete.

The following files were missing:

C:\WINDOWS\System32\dokcnmjb.exe
C:\WINDOWS\System32\npaxfiko.dll
C:\WINDOWS\System32\hggdcba.dll
C:\WINDOWS\System32\lggvoigr.dll
C:\Program Files\Common Files\svchost.exe
C:\Documents and Settings\All Users\Application Data\svchost.exe
C:\Documents and Settings\Gregory\Local Settings\Application Data\svchost.exe
C:\WINDOWS\System32\silailop.dll
C:\WINDOWS\System32\hsguspwm.dll

I know you said that AVG would remove some of them, but is the disappearance of the rest a problem?


After deleting the files that I could find, I carried out the next step of creating the fix.reg file.
That merged successfully with the registry, and I restarted the machine.

I ran Spybot S&D, and it found the Command program again. So I then downloaded the delcmdservice program and ran it.

I restarted my machine and ran Spybot again, this time it reported no problems!

Hurray! :flowers:


What is reassuring is that I can no longer hear my hard disk whirring away when the machine isn't actually supposed to be doing anything. It runs quietly again. Which is nice.

Is it now safe to put things back to normal? Can I hide my folders and allow Teatimer to function again?

Also, do you recommend I install microsoft updates now?

And would you like to see another log file to ensure my machine is clean?

Many thanks miekiemoes for your help with this problem. You truly are worthy of the moniker malware slayer! :thumbsup:

#9 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 19 February 2007 - 09:53 AM

Hi,

Yes, it's possible that you couldn't find some files anymore to delete... as I already said, your AVG Antispyware should actually remove them, but since you performed instructions in another order previously or scanned with scanners afterwards, after the Comboscan output, that may explain why you couldn't find some anymore since they were already removed. :thumbsup:

But yes, it wouldn't hurt to rescan again with Comboscan and post the log, so we can doublecheck. (No need to post a new Hijackthislog, since Comboscan already makes a Hijackthislog as well)

Wait for hiding your folders/files again and enabling teatimer - this in case your Comboscan still shows some leftovers and we have to delete some again. :flowers:

#10 byonic
  • Topic Starter
  • Members
  • 43 posts
  • Gender:Male
  • Location:UK

Posted 19 February 2007 - 11:23 AM

It appears that my celebration smiley was a little premature. There is still something here doing strange things. I decided to run Spybot again, but this time it told me that the user had stopped the scan, but I hadn't stopped it!

I didn't like that. :thumbsup:

Anyway, my Comboscan log:


ComboScan v20070212.14 run by Sys Admin on 2007-02-19 at 16:13:50
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Successfully created restore point.
Performed disk cleanup.


-- HijackThis log (run as Sys Admin.com) ----------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 16:13:58, on 19/02/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\basfipm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\NILaunch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Sys Admin\Desktop\comboscan.exe
C:\DOCUME~1\SYSADM~1\LOCALS~1\Temp\~exfnmwu.tmp\Sys Admin.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mail.bigyellowfeet.com:8383/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: OKI LPR Utility.lnk = C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\windows\system32\ZoneLabs\vsmon.exe


-- HijackThis Fixed Entries (C:\Program Files\HijackThis\backups\) --------------

backup-20070216-192457-173 O2 - BHO: (no name) - {F51B3CD6-1757-4C1C-AD33-9F9A1FE65374} - C:\WINDOWS\System32\mljge.dll (file missing)
backup-20070216-192457-315 O20 - Winlogon Notify: xxyyvwu - xxyyvwu.dll (file missing)
backup-20070216-192457-383 O4 - HKLM\..\Run: [syswin] C:\WINDOWS\System32\v6.exe
backup-20070216-192457-393 O2 - BHO: (no name) - {7DCAA553-F574-4A55-B924-FBBA9F988BD3} - C:\WINDOWS\System32\gebcc.dll (file missing)
backup-20070216-192457-476 O2 - BHO: (no name) - {010FF400-8DFB-439D-987B-DCDE5195F4D8} - C:\WINDOWS\System32\xxyyvwu.dll (file missing)
backup-20070216-192457-568 O4 - HKLM\..\Run: [{14139C83-0AE9-1033-0917-04040713002c}] "C:\Program Files\Common Files\{14139C83-0AE9-1033-0917-04040713002c}\Update.exe" mc-110-12-0000272
backup-20070216-192457-736 O20 - Winlogon Notify: winbjt32 - winbjt32.dll (file missing)


-- File Associations ------------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ----------------------

4 abp480n5 - \SystemRoot\System32\DRIVERS\ABP480N5.SYS
4 adpu160m - \SystemRoot\System32\DRIVERS\adpu160m.sys
3 aeaudio - system32\drivers\aeaudio.sys
4 agpCPQ (Compaq AGP Bus Filter) - \SystemRoot\System32\DRIVERS\agpCPQ.sys
4 Aha154x - \SystemRoot\System32\DRIVERS\aha154x.sys
4 aic78u2 - \SystemRoot\System32\DRIVERS\aic78u2.sys
4 aic78xx - \SystemRoot\System32\DRIVERS\aic78xx.sys
4 AliIde - \SystemRoot\System32\DRIVERS\aliide.sys
4 alim1541 (ALI AGP Bus Filter) - \SystemRoot\System32\DRIVERS\alim1541.sys
4 amdagp (AMD AGP Bus Filter Driver) - \SystemRoot\System32\DRIVERS\amdagp.sys
4 amsint - \SystemRoot\System32\DRIVERS\amsint.sys
4 asc - \SystemRoot\System32\DRIVERS\asc.sys
4 asc3350p - \SystemRoot\System32\DRIVERS\asc3350p.sys
4 asc3550 - \SystemRoot\System32\DRIVERS\asc3550.sys
3 ati2mtag - System32\DRIVERS\ati2mtag.sys
1 AVG Anti-Spyware Driver - \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
1 AvgAsCln (AVG Anti-Spyware Clean Driver) - System32\DRIVERS\AvgAsCln.sys
3 b57w2k (Broadcom NetXtreme 57xx Gigabit Controller) - System32\DRIVERS\b57xp32.sys
2 BASFND - \??\C:\WINDOWS\System32\Drivers\BASFND.sys
4 cbidf - \SystemRoot\System32\DRIVERS\cbidf2k.sys
4 cd20xrnt - \SystemRoot\System32\DRIVERS\cd20xrnt.sys
4 CmdIde - \SystemRoot\System32\DRIVERS\cmdide.sys
4 Cpqarray - \SystemRoot\System32\DRIVERS\cpqarray.sys
4 dac2w2k - \SystemRoot\System32\DRIVERS\dac2w2k.sys
4 dac960nt - \SystemRoot\System32\DRIVERS\dac960nt.sys
4 dpti2o - \SystemRoot\System32\DRIVERS\dpti2o.sys
0 drvmcdb - system32\drivers\drvmcdb.sys
2 drvnddm - system32\drivers\drvnddm.sys
3 EL90XBC (3Com EtherLink XL 90XB/C Adapter Driver) - System32\DRIVERS\el90xbc5.sys
3 HidUsb (Microsoft HID Class Driver) - System32\DRIVERS\hidusb.sys
4 hpn - \SystemRoot\System32\DRIVERS\hpn.sys
4 i2omp - \SystemRoot\System32\DRIVERS\i2omp.sys
3 i81x - System32\DRIVERS\i81xnt5.sys
3 iAimFP0 - System32\DRIVERS\wADV01nt.sys
3 iAimFP1 - System32\DRIVERS\wADV02NT.sys
3 iAimFP2 - System32\DRIVERS\wADV05NT.sys
3 iAimFP3 - System32\DRIVERS\wSiINTxx.sys
3 iAimFP4 - System32\DRIVERS\wVchNTxx.sys
3 iAimTV0 - System32\DRIVERS\wATV01nt.sys
3 iAimTV1 - System32\DRIVERS\wATV02NT.sys
3 iAimTV2 - System32\DRIVERS\wATV03nt.sys
3 iAimTV3 - System32\DRIVERS\wATV04nt.sys
3 iAimTV4 - System32\DRIVERS\wCh7xxNT.sys
4 ini910u - \SystemRoot\System32\DRIVERS\ini910u.sys
1 kbdhid (Keyboard HID Driver) - System32\DRIVERS\kbdhid.sys
3 mouhid (Mouse HID Driver) - System32\DRIVERS\mouhid.sys
4 mraid35x - \SystemRoot\System32\DRIVERS\mraid35x.sys
1 omci (OMCI WDM Device Driver) - System32\DRIVERS\omci.sys
0 PCIIde - System32\DRIVERS\pciide.sys
4 perc2 - \SystemRoot\System32\DRIVERS\perc2.sys
4 perc2hib - \SystemRoot\System32\DRIVERS\perc2hib.sys
0 PxHelp20 - System32\Drivers\PxHelp20.sys
4 ql1080 - \SystemRoot\System32\DRIVERS\ql1080.sys
4 Ql10wnt - \SystemRoot\System32\DRIVERS\ql10wnt.sys
4 ql12160 - \SystemRoot\System32\DRIVERS\ql12160.sys
4 ql1240 - \SystemRoot\System32\DRIVERS\ql1240.sys
4 ql1280 - \SystemRoot\System32\DRIVERS\ql1280.sys
3 Sfloppy (High-Capacity Floppy Disk Drive) - System32\DRIVERS\sfloppy.sys
4 sisagp (SIS AGP Bus Filter) - \SystemRoot\System32\DRIVERS\sisagp.sys
3 smwdm - system32\drivers\smwdm.sys
4 Sparrow - \SystemRoot\System32\DRIVERS\sparrow.sys
0 srescan - System32\ZoneLabs\srescan.sys
1 sscdbhk5 - system32\drivers\sscdbhk5.sys
1 ssrtln - system32\drivers\ssrtln.sys
4 symc810 - \SystemRoot\System32\DRIVERS\symc810.sys
4 symc8xx - \SystemRoot\System32\DRIVERS\symc8xx.sys
4 sym_hi - \SystemRoot\System32\DRIVERS\sym_hi.sys
4 sym_u3 - \SystemRoot\System32\DRIVERS\sym_u3.sys
2 tfsnboio - system32\dla\tfsnboio.sys
2 tfsncofs - system32\dla\tfsncofs.sys
2 tfsndrct - system32\dla\tfsndrct.sys
2 tfsndres - system32\dla\tfsndres.sys
2 tfsnifs - system32\dla\tfsnifs.sys
2 tfsnopio - system32\dla\tfsnopio.sys
2 tfsnpool - system32\dla\tfsnpool.sys
2 tfsnudf - system32\dla\tfsnudf.sys
2 tfsnudfa - system32\dla\tfsnudfa.sys
2 tmcomm - \??\C:\WINDOWS\System32\drivers\tmcomm.sys
4 TosIde - \SystemRoot\System32\DRIVERS\toside.sys
4 ultra - \SystemRoot\System32\DRIVERS\ultra.sys
3 usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - System32\DRIVERS\usbehci.sys
3 usbprint (Microsoft USB PRINTER Class) - System32\DRIVERS\usbprint.sys
3 usbscan (USB Scanner Driver) - System32\DRIVERS\usbscan.sys
3 USBSTOR (USB Mass Storage Driver) - System32\DRIVERS\USBSTOR.SYS
4 viaagp (VIA AGP Bus Filter) - \SystemRoot\System32\DRIVERS\viaagp.sys
4 ViaIde - \SystemRoot\System32\DRIVERS\viaide.sys
1 vsdatant - System32\vsdatant.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

3 Adobe LM Service - "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"
2 aswUpdSv (avast! iAVS4 Control Service) - "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"
2 Ati HotKey Poller - %SystemRoot%\System32\Ati2evxx.exe
2 avast! Antivirus - "C:\Program Files\Alwil Software\Avast4\ashServ.exe"
3 avast! Mail Scanner - "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service
3 avast! Web Scanner - "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service
2 AVG Anti-Spyware Guard - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
2 BAsfIpM (Broadcom ASF IP monitoring service v6.0.4) - C:\WINDOWS\System32\basfipm.exe
2 Fax - %systemroot%\system32\fxssvc.exe
3 gusvc (Google Updater Service) - "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
3 SCardDrv (Smart Card Helper) - %SystemRoot%\System32\SCardSvr.exe
2 uploadmgr (Upload Manager) - %SystemRoot%\System32\svchost.exe -k netsvcs
2 vsmon (TrueVector Internet Monitor) - C:\windows\system32\ZoneLabs\vsmon.exe -service
2 WmdmPmSp (Portable Media Serial Number) - %SystemRoot%\System32\svchost.exe -k netsvcs


-- Scheduled Tasks --------------------------------------------------------------

2007-02-08 14:54:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job<APPLES~1.JOB>


-- Files created between 2007-01-19 and 2007-02-19 ------------------------------

2007-02-16 19:31:16 3968 --a------ C:\WINDOWS\System32\drivers\AvgAsCln.sys<Unsigned: GRISOFT, s.r.o.>
2007-02-16 16:50:45 1087216 --a------ C:\WINDOWS\System32\zpeng24.dll<Signed: Python Software Foundation>
2007-02-16 16:50:43 0 d-------- C:\WINDOWS\System32\ZoneLabs
2007-02-16 15:58:53 4212 ---h----- C:\WINDOWS\System32\zllictbl.dat
2007-02-16 15:58:38 11264 --a------ C:\WINDOWS\System32\SpOrder.dll<Unsigned: Microsoft Corporation>
2007-02-16 15:57:18 0 d-------- C:\WINDOWS\Internet Logs<INTERN~1>
2007-02-16 15:50:55 85952 --a------ C:\WINDOWS\System32\drivers\aswmon.sys<Unsigned: ALWIL Software>
2007-02-16 15:50:52 90112 --a------ C:\WINDOWS\System32\AVASTSS.scr
2007-02-16 15:50:52 689280 --a------ C:\WINDOWS\System32\aswBoot.exe<Signed: n/a>
2007-02-16 15:50:49 0 d-------- C:\Program Files\Alwil Software<ALWILS~1>
2007-02-16 11:44:53 0 d-------- C:\Program Files\HijackThis<HIJACK~1>
2007-02-15 19:19:04 0 d-------- C:\BFU
2007-02-15 19:13:04 0 d-------- C:\Program Files\Grisoft
2007-02-14 15:24:44 2824 --a------ C:\WINDOWS\System32\tmp.reg
2007-02-14 15:24:28 79360 --a------ C:\WINDOWS\System32\swxcacls.exe<Unsigned: SteelWerX>
2007-02-14 15:24:28 40960 --a------ C:\WINDOWS\System32\swsc.exe<Unsigned: n/a>
2007-02-14 15:24:28 135168 --a------ C:\WINDOWS\System32\swreg.exe<Unsigned: SteelWerX>
2007-02-14 15:24:28 288417 --a------ C:\WINDOWS\System32\SrchSTS.exe<Unsigned: S!Ri>
2007-02-14 15:24:28 53248 --a------ C:\WINDOWS\System32\Process.exe<Unsigned: http://www.beyondlogic.org>
2007-02-14 15:24:28 51200 --a------ C:\WINDOWS\System32\dumphive.exe<Unsigned: n/a>
2007-02-14 15:23:41 0 d--hs---- C:\WINDOWS\CSC
2007-02-14 14:43:27 0 d-------- C:\WINDOWS\System32\ActiveScan<ACTIVE~1>
2007-02-14 12:37:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy<SPYBOT~1>
2007-02-13 18:01:39 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2007-02-13 15:07:05 0 d--h----- C:\Program Files\Common Files\Uninstall Information<UNINST~1>
2007-02-13 13:15:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe


-- Find3M Report ----------------------------------------------------------------

2007-02-16 15:30:56 0 d-------- C:\Documents and Settings\Sys Admin\Application Data\Lavasoft
2007-02-16 13:06:37 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
2007-02-16 13:04:48 0 d-------- C:\Program Files\Google
2007-02-13 20:54:39 0 d-------- C:\Program Files\Dell
2007-02-13 20:47:38 76560 --a------ C:\WINDOWS\System32\drivers\tmcomm.sys<Signed: Trend Micro Inc.>
2007-02-13 13:17:16 0 d-------- C:\Documents and Settings\Sys Admin\Application Data\Adobe
2007-02-13 13:15:38 0 d-------- C:\Program Files\Common Files\Adobe
2007-01-11 15:32:33 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~1>
2007-01-11 15:31:48 1168 --a------ C:\WINDOWS\mozver.dat
2007-01-11 15:24:47 0 --a------ C:\WINDOWS\nsreg.dat
2007-01-11 15:24:46 0 d-------- C:\Documents and Settings\Sys Admin\Application Data\Mozilla


-- Registry Dump ----------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"Net-It Launcher"="C:\\WINDOWS\\System32\\NILaunch.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Omnipage"="C:\\Program Files\\ScanSoft\\OmniPageSE\\opware32.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



-- End of ComboScan: finished at 2007-02-19 at 16:14:23 -------------------------
Big Yellow Feet
The production company

#11 miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 19 February 2007 - 11:44 AM

Hi,

The logs look clean, though. I can't see anything suspicious anymore.
Yes, it may happen that Spybot displays that message although you didn't stop the scan. I had this as well previously.
Anyway, it wouldn't hurt to reinstall Spybot S&D, because I see that this entry is missing from your log:

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

It was present in your first log though, and I don't see that you fixed that one by accident in HijackThis, because ComboScan should show it in the "-- HijackThis Fixed Entries (C:\Program Files\HijackThis\backups\) --------------" part of the log.

That's why I recommend you uninstall and reinstall Spybot S&D again (make sure it's the latest version you install).

Also, your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.0.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
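As an added example (not part of the thread, and not code from HijackThis or ComboScan), the check miekiemoes made by eye can be scripted: diff the HijackThis entries of an earlier and a later log, and for every entry that disappeared, look it up in ComboScan's "-- HijackThis Fixed Entries" section to see whether it was deliberately removed with HijackThis or vanished some other way. The two log excerpts are constructed from lines quoted in this thread, and the choice to ignore the "(file missing)" annotation when comparing entries is this example's own.

```python
import re

# A live HijackThis entry line, e.g. "O2 - BHO: (no name) - {CLSID} - C:\path\file.dll"
ENTRY_RE = re.compile(r"^(?:O\d+|R\d|F\d) - .+$")
# ComboScan's "HijackThis Fixed Entries" section prefixes each removed entry
# with the backup name HijackThis wrote, e.g. "backup-20070216-192457-173 O2 - BHO: ..."
BACKUP_RE = re.compile(r"^backup-\d{8}-\d{6}-\d+ ((?:O\d+|R\d|F\d) - .+)$")
FILE_MISSING = "(file missing)"

# Constructed excerpts assembled from lines quoted in this thread (not full logs).
OLD_LOG = r"""Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {F51B3CD6-1757-4C1C-AD33-9F9A1FE65374} - C:\WINDOWS\System32\mljge.dll
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\System32\v6.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
"""

NEW_LOG = r"""-- HijackThis log (run as Sys Admin.com) ----------------------------------------
Logfile of HijackThis v1.99.1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

-- HijackThis Fixed Entries (C:\Program Files\HijackThis\backups\) --------------
backup-20070216-192457-173 O2 - BHO: (no name) - {F51B3CD6-1757-4C1C-AD33-9F9A1FE65374} - C:\WINDOWS\System32\mljge.dll (file missing)
backup-20070216-192457-383 O4 - HKLM\..\Run: [syswin] C:\WINDOWS\System32\v6.exe
"""


def normalise(entry: str) -> str:
    """Comparison key for an entry: drop the '(file missing)' annotation
    (HijackThis adds it once the target is gone, so the same registration
    would otherwise look like a new entry) and fold case, since paths are
    reported with inconsistent casing between runs."""
    return entry.replace(FILE_MISSING, "").strip().lower()


def parse_entries(log_text: str) -> dict:
    """Map normalised key -> raw line for every live HijackThis entry.
    Fixed-entry backup lines start with 'backup-' and are not matched here."""
    entries = {}
    for line in log_text.splitlines():
        line = line.strip()
        if ENTRY_RE.match(line):
            entries[normalise(line)] = line
    return entries


def parse_fixed_entries(log_text: str) -> set:
    """Normalised keys of the entries ComboScan reports HijackThis as having fixed."""
    fixed = set()
    for line in log_text.splitlines():
        m = BACKUP_RE.match(line.strip())
        if m:
            fixed.add(normalise(m.group(1)))
    return fixed


def missing_entries(old_log: str, new_log: str) -> list:
    """Entries present in old_log but gone from new_log, as (raw_line, explained).
    explained is True when the newer log's Fixed Entries section records that
    the entry was removed with HijackThis; False means it vanished another way
    (software uninstalled or broken, or something else removed it) and deserves
    a closer look, as with the Spybot SDHelper BHO in this thread."""
    old, new = parse_entries(old_log), parse_entries(new_log)
    fixed = parse_fixed_entries(new_log)
    return [(raw, key in fixed) for key, raw in old.items() if key not in new]


def file_missing_entries(log_text: str) -> list:
    """Live entries whose target file HijackThis could not find: orphaned
    registrations, e.g. the leftover of an uninstalled online scanner."""
    return [raw for raw in parse_entries(log_text).values() if FILE_MISSING in raw]


if __name__ == "__main__":
    for raw, explained in missing_entries(OLD_LOG, NEW_LOG):
        status = "removed with HijackThis" if explained else "UNEXPLAINED"
        print(f"[{status}] {raw}")
    for raw in file_missing_entries(NEW_LOG):
        print(f"[orphaned] {raw}")
```

On the constructed excerpts the script reports the SDHelper BHO as the one unexplained removal, while the mljge BHO and the syswin Run entry are accounted for by the Fixed Entries section.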

#12 byonic

  • Topic Starter

  • Members
  • 43 posts
  • Gender:Male
  • Location:UK

Posted 20 February 2007 - 06:29 AM

Hello,

I removed Spybot S&D then reinstalled a freshly downloaded Spybot S&D, and ran it.

It found one infection which I asked it to remove, which it did successfully.


I then removed all old versions of the Java Runtime Environment as instructed and installed the version linked to in your last post.
When running the setup program I was given the message 'this version of Java RE is not recommended for your operating system, etc.' but I asked it to carry on. Is this wise?

:thumbsup:
Please find the ComboScan log below:

ComboScan v20070212.14 run by Sys Admin on 2007-02-20 at 11:12:51
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Restore was disabled; re-enabling.
Failed to create restore point: System Restore is disabled (service is not running).
Performed disk cleanup.


-- HijackThis log (run as Sys Admin.com) ----------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:12:58, on 20/02/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\basfipm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\NILaunch.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Sys Admin\Desktop\comboscan.exe
C:\DOCUME~1\SYSADM~1\LOCALS~1\Temp\~rgehupx.tmp\Sys Admin.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mail.bigyellowfeet.com:8383/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: OKI LPR Utility.lnk = C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\windows\system32\ZoneLabs\vsmon.exe


-- HijackThis Fixed Entries (C:\Program Files\HijackThis\backups\) --------------

backup-20070216-192457-173 O2 - BHO: (no name) - {F51B3CD6-1757-4C1C-AD33-9F9A1FE65374} - C:\WINDOWS\System32\mljge.dll (file missing)
backup-20070216-192457-315 O20 - Winlogon Notify: xxyyvwu - xxyyvwu.dll (file missing)
backup-20070216-192457-383 O4 - HKLM\..\Run: [syswin] C:\WINDOWS\System32\v6.exe
backup-20070216-192457-393 O2 - BHO: (no name) - {7DCAA553-F574-4A55-B924-FBBA9F988BD3} - C:\WINDOWS\System32\gebcc.dll (file missing)
backup-20070216-192457-476 O2 - BHO: (no name) - {010FF400-8DFB-439D-987B-DCDE5195F4D8} - C:\WINDOWS\System32\xxyyvwu.dll (file missing)
backup-20070216-192457-568 O4 - HKLM\..\Run: [{14139C83-0AE9-1033-0917-04040713002c}] "C:\Program Files\Common Files\{14139C83-0AE9-1033-0917-04040713002c}\Update.exe" mc-110-12-0000272
backup-20070216-192457-736 O20 - Winlogon Notify: winbjt32 - winbjt32.dll (file missing)


-- File Associations ------------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ----------------------

4 abp480n5 - \SystemRoot\System32\DRIVERS\ABP480N5.SYS
4 adpu160m - \SystemRoot\System32\DRIVERS\adpu160m.sys
3 aeaudio - system32\drivers\aeaudio.sys
4 agpCPQ (Compaq AGP Bus Filter) - \SystemRoot\System32\DRIVERS\agpCPQ.sys
4 Aha154x - \SystemRoot\System32\DRIVERS\aha154x.sys
4 aic78u2 - \SystemRoot\System32\DRIVERS\aic78u2.sys
4 aic78xx - \SystemRoot\System32\DRIVERS\aic78xx.sys
4 AliIde - \SystemRoot\System32\DRIVERS\aliide.sys
4 alim1541 (ALI AGP Bus Filter) - \SystemRoot\System32\DRIVERS\alim1541.sys
4 amdagp (AMD AGP Bus Filter Driver) - \SystemRoot\System32\DRIVERS\amdagp.sys
4 amsint - \SystemRoot\System32\DRIVERS\amsint.sys
4 asc - \SystemRoot\System32\DRIVERS\asc.sys
4 asc3350p - \SystemRoot\System32\DRIVERS\asc3350p.sys
4 asc3550 - \SystemRoot\System32\DRIVERS\asc3550.sys
3 ati2mtag - System32\DRIVERS\ati2mtag.sys
1 AVG Anti-Spyware Driver - \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
1 AvgAsCln (AVG Anti-Spyware Clean Driver) - System32\DRIVERS\AvgAsCln.sys
3 b57w2k (Broadcom NetXtreme 57xx Gigabit Controller) - System32\DRIVERS\b57xp32.sys
2 BASFND - \??\C:\WINDOWS\System32\Drivers\BASFND.sys
4 cbidf - \SystemRoot\System32\DRIVERS\cbidf2k.sys
4 cd20xrnt - \SystemRoot\System32\DRIVERS\cd20xrnt.sys
4 CmdIde - \SystemRoot\System32\DRIVERS\cmdide.sys
4 Cpqarray - \SystemRoot\System32\DRIVERS\cpqarray.sys
4 dac2w2k - \SystemRoot\System32\DRIVERS\dac2w2k.sys
4 dac960nt - \SystemRoot\System32\DRIVERS\dac960nt.sys
4 dpti2o - \SystemRoot\System32\DRIVERS\dpti2o.sys
0 drvmcdb - system32\drivers\drvmcdb.sys
2 drvnddm - system32\drivers\drvnddm.sys
3 EL90XBC (3Com EtherLink XL 90XB/C Adapter Driver) - System32\DRIVERS\el90xbc5.sys
3 HidUsb (Microsoft HID Class Driver) - System32\DRIVERS\hidusb.sys
4 hpn - \SystemRoot\System32\DRIVERS\hpn.sys
4 i2omp - \SystemRoot\System32\DRIVERS\i2omp.sys
3 i81x - System32\DRIVERS\i81xnt5.sys
3 iAimFP0 - System32\DRIVERS\wADV01nt.sys
3 iAimFP1 - System32\DRIVERS\wADV02NT.sys
3 iAimFP2 - System32\DRIVERS\wADV05NT.sys
3 iAimFP3 - System32\DRIVERS\wSiINTxx.sys
3 iAimFP4 - System32\DRIVERS\wVchNTxx.sys
3 iAimTV0 - System32\DRIVERS\wATV01nt.sys
3 iAimTV1 - System32\DRIVERS\wATV02NT.sys
3 iAimTV2 - System32\DRIVERS\wATV03nt.sys
3 iAimTV3 - System32\DRIVERS\wATV04nt.sys
3 iAimTV4 - System32\DRIVERS\wCh7xxNT.sys
4 ini910u - \SystemRoot\System32\DRIVERS\ini910u.sys
1 kbdhid (Keyboard HID Driver) - System32\DRIVERS\kbdhid.sys
3 mouhid (Mouse HID Driver) - System32\DRIVERS\mouhid.sys
4 mraid35x - \SystemRoot\System32\DRIVERS\mraid35x.sys
1 omci (OMCI WDM Device Driver) - System32\DRIVERS\omci.sys
0 PCIIde - System32\DRIVERS\pciide.sys
4 perc2 - \SystemRoot\System32\DRIVERS\perc2.sys
4 perc2hib - \SystemRoot\System32\DRIVERS\perc2hib.sys
0 PxHelp20 - System32\Drivers\PxHelp20.sys
4 ql1080 - \SystemRoot\System32\DRIVERS\ql1080.sys
4 Ql10wnt - \SystemRoot\System32\DRIVERS\ql10wnt.sys
4 ql12160 - \SystemRoot\System32\DRIVERS\ql12160.sys
4 ql1240 - \SystemRoot\System32\DRIVERS\ql1240.sys
4 ql1280 - \SystemRoot\System32\DRIVERS\ql1280.sys
3 Sfloppy (High-Capacity Floppy Disk Drive) - System32\DRIVERS\sfloppy.sys
4 sisagp (SIS AGP Bus Filter) - \SystemRoot\System32\DRIVERS\sisagp.sys
3 smwdm - system32\drivers\smwdm.sys
4 Sparrow - \SystemRoot\System32\DRIVERS\sparrow.sys
0 srescan - System32\ZoneLabs\srescan.sys
1 sscdbhk5 - system32\drivers\sscdbhk5.sys
1 ssrtln - system32\drivers\ssrtln.sys
4 symc810 - \SystemRoot\System32\DRIVERS\symc810.sys
4 symc8xx - \SystemRoot\System32\DRIVERS\symc8xx.sys
4 sym_hi - \SystemRoot\System32\DRIVERS\sym_hi.sys
4 sym_u3 - \SystemRoot\System32\DRIVERS\sym_u3.sys
2 tfsnboio - system32\dla\tfsnboio.sys
2 tfsncofs - system32\dla\tfsncofs.sys
2 tfsndrct - system32\dla\tfsndrct.sys
2 tfsndres - system32\dla\tfsndres.sys
2 tfsnifs - system32\dla\tfsnifs.sys
2 tfsnopio - system32\dla\tfsnopio.sys
2 tfsnpool - system32\dla\tfsnpool.sys
2 tfsnudf - system32\dla\tfsnudf.sys
2 tfsnudfa - system32\dla\tfsnudfa.sys
2 tmcomm - \??\C:\WINDOWS\System32\drivers\tmcomm.sys
4 TosIde - \SystemRoot\System32\DRIVERS\toside.sys
4 ultra - \SystemRoot\System32\DRIVERS\ultra.sys
3 usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - System32\DRIVERS\usbehci.sys
3 usbprint (Microsoft USB PRINTER Class) - System32\DRIVERS\usbprint.sys
3 usbscan (USB Scanner Driver) - System32\DRIVERS\usbscan.sys
3 USBSTOR (USB Mass Storage Driver) - System32\DRIVERS\USBSTOR.SYS
4 viaagp (VIA AGP Bus Filter) - \SystemRoot\System32\DRIVERS\viaagp.sys
4 ViaIde - \SystemRoot\System32\DRIVERS\viaide.sys
1 vsdatant - System32\vsdatant.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

3 Adobe LM Service - "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"
2 aswUpdSv (avast! iAVS4 Control Service) - "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"
2 Ati HotKey Poller - %SystemRoot%\System32\Ati2evxx.exe
2 avast! Antivirus - "C:\Program Files\Alwil Software\Avast4\ashServ.exe"
3 avast! Mail Scanner - "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service
3 avast! Web Scanner - "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service
2 AVG Anti-Spyware Guard - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
2 BAsfIpM (Broadcom ASF IP monitoring service v6.0.4) - C:\WINDOWS\System32\basfipm.exe
2 Fax - %systemroot%\system32\fxssvc.exe
3 gusvc (Google Updater Service) - "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
3 SCardDrv (Smart Card Helper) - %SystemRoot%\System32\SCardSvr.exe
2 uploadmgr (Upload Manager) - %SystemRoot%\System32\svchost.exe -k netsvcs
2 vsmon (TrueVector Internet Monitor) - C:\windows\system32\ZoneLabs\vsmon.exe -service
2 WmdmPmSp (Portable Media Serial Number) - %SystemRoot%\System32\svchost.exe -k netsvcs


-- Scheduled Tasks --------------------------------------------------------------

2007-02-08 14:54:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job<APPLES~1.JOB>


-- Files created between 2007-01-20 and 2007-02-20 ------------------------------

2007-02-20 10:43:03 0 d-------- C:\Program Files\Common Files\Java
2007-02-16 19:31:16 3968 --a------ C:\WINDOWS\System32\drivers\AvgAsCln.sys<Unsigned: GRISOFT, s.r.o.>
2007-02-16 16:50:45 1087216 --a------ C:\WINDOWS\System32\zpeng24.dll<Signed: Python Software Foundation>
2007-02-16 16:50:43 0 d-------- C:\WINDOWS\System32\ZoneLabs
2007-02-16 15:58:53 4212 ---h----- C:\WINDOWS\System32\zllictbl.dat
2007-02-16 15:58:38 11264 --a------ C:\WINDOWS\System32\SpOrder.dll<Unsigned: Microsoft Corporation>
2007-02-16 15:57:18 0 d-------- C:\WINDOWS\Internet Logs<INTERN~1>
2007-02-16 15:50:55 85952 --a------ C:\WINDOWS\System32\drivers\aswmon.sys<Unsigned: ALWIL Software>
2007-02-16 15:50:52 90112 --a------ C:\WINDOWS\System32\AVASTSS.scr
2007-02-16 15:50:52 689280 --a------ C:\WINDOWS\System32\aswBoot.exe<Signed: n/a>
2007-02-16 15:50:49 0 d-------- C:\Program Files\Alwil Software<ALWILS~1>
2007-02-16 11:44:53 0 d-------- C:\Program Files\HijackThis<HIJACK~1>
2007-02-15 19:19:04 0 d-------- C:\BFU
2007-02-15 19:13:04 0 d-------- C:\Program Files\Grisoft
2007-02-14 15:24:44 2824 --a------ C:\WINDOWS\System32\tmp.reg
2007-02-14 15:24:28 79360 --a------ C:\WINDOWS\System32\swxcacls.exe<Unsigned: SteelWerX>
2007-02-14 15:24:28 40960 --a------ C:\WINDOWS\System32\swsc.exe<Unsigned: n/a>
2007-02-14 15:24:28 135168 --a------ C:\WINDOWS\System32\swreg.exe<Unsigned: SteelWerX>
2007-02-14 15:24:28 288417 --a------ C:\WINDOWS\System32\SrchSTS.exe<Unsigned: S!Ri>
2007-02-14 15:24:28 53248 --a------ C:\WINDOWS\System32\Process.exe<Unsigned: http://www.beyondlogic.org>
2007-02-14 15:24:28 51200 --a------ C:\WINDOWS\System32\dumphive.exe<Unsigned: n/a>
2007-02-14 15:23:41 0 d--hs---- C:\WINDOWS\CSC
2007-02-14 14:43:27 0 d-------- C:\WINDOWS\System32\ActiveScan<ACTIVE~1>
2007-02-14 12:37:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy<SPYBOT~1>
2007-02-13 18:01:39 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2007-02-13 15:07:05 0 d--h----- C:\Program Files\Common Files\Uninstall Information<UNINST~1>
2007-02-13 13:15:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe


-- Find3M Report ----------------------------------------------------------------

2007-02-20 10:43:03 0 d-------- C:\Program Files\Java
2007-02-16 15:30:56 0 d-------- C:\Documents and Settings\Sys Admin\Application Data\Lavasoft
2007-02-16 13:06:37 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
2007-02-16 13:04:48 0 d-------- C:\Program Files\Google
2007-02-13 20:54:39 0 d-------- C:\Program Files\Dell
2007-02-13 20:47:38 76560 --a------ C:\WINDOWS\System32\drivers\tmcomm.sys<Signed: Trend Micro Inc.>
2007-02-13 13:17:16 0 d-------- C:\Documents and Settings\Sys Admin\Application Data\Adobe
2007-02-13 13:15:38 0 d-------- C:\Program Files\Common Files\Adobe
2007-01-11 15:32:33 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~1>
2007-01-11 15:31:48 1168 --a------ C:\WINDOWS\mozver.dat
2007-01-11 15:24:47 0 --a------ C:\WINDOWS\nsreg.dat
2007-01-11 15:24:46 0 d-------- C:\Documents and Settings\Sys Admin\Application Data\Mozilla


-- Registry Dump ----------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"Net-It Launcher"="C:\\WINDOWS\\System32\\NILaunch.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Omnipage"="C:\\Program Files\\ScanSoft\\OmniPageSE\\opware32.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



-- End of ComboScan: finished at 2007-02-20 at 11:13:32 -------------------------
Big Yellow Feet
The production company
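The "Files created" and Find3M sections of a ComboScan log, like the one above, follow one fixed line shape, which makes a first triage pass easy to automate. The following Python is an added example, not part of this thread or of ComboScan itself: it parses those lines and flags unsigned executables (treating the company name printed for an unsigned file as an unverified claim from its version info) and hidden files under C:\WINDOWS; the severity labels are the example's own heuristic, and the sample input is constructed from lines of the log above.

```python
import re

# One line of ComboScan's "Files created" / "Find3M" sections, as printed in the log above:
#   <date> <time> <size> <attrs> <path>[<Signed|Unsigned: company>|<8.3 short name>]
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+"
    r"(?P<attrs>[-a-z]{9})\s+(?P<path>.*?)"
    r"(?:<(?P<state>Signed|Unsigned): (?P<company>[^>]*)>|<[^<>:]*>)?$"
)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl")

def parse_entries(text):
    """Return one dict per recognised log line (keys: ts, size, attrs, path, state, company)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())   # state/company are None when nothing was printed
    return entries

def triage(entries):
    """Return (severity, path, reason) tuples for files that deserve a second look."""
    findings = []
    for e in entries:
        if e["attrs"].startswith("d"):
            continue                      # directories carry no signature information
        lower = e["path"].lower()
        in_sys = lower.startswith("c:\\windows\\")
        if e["attrs"][3] == "h" and in_sys:   # 4th attribute column is the hidden flag
            findings.append(("medium", e["path"], "hidden file inside the Windows directory"))
        if not lower.endswith(EXEC_EXT):
            continue                      # data files: no code-signing signal to judge
        if e["state"] == "Unsigned":
            # The company on an unsigned file is just its version-info string, which nothing verifies.
            findings.append(("high" if in_sys else "medium", e["path"],
                             f"unsigned; version info claims '{e['company']}'"))
        elif e["state"] == "Signed" and e["company"] == "n/a":
            findings.append(("low", e["path"], "signed, but no publisher name reported"))
    return findings

# Constructed sample: lines copied from the "Files created" section of the log above.
SAMPLE = r"""
2007-02-16 19:31:16 3968 --a------ C:\WINDOWS\System32\drivers\AvgAsCln.sys<Unsigned: GRISOFT, s.r.o.>
2007-02-16 16:50:45 1087216 --a------ C:\WINDOWS\System32\zpeng24.dll<Signed: Python Software Foundation>
2007-02-16 15:58:53 4212 ---h----- C:\WINDOWS\System32\zllictbl.dat
2007-02-16 15:58:38 11264 --a------ C:\WINDOWS\System32\SpOrder.dll<Unsigned: Microsoft Corporation>
2007-02-16 15:57:18 0 d-------- C:\WINDOWS\Internet Logs<INTERN~1>
2007-02-16 15:50:52 689280 --a------ C:\WINDOWS\System32\aswBoot.exe<Signed: n/a>
2007-02-14 15:24:28 53248 --a------ C:\WINDOWS\System32\Process.exe<Unsigned: http://www.beyondlogic.org>
"""
```

A flagged file is only a starting point: the next step is to check the file's hash and publisher against a trusted source, since legitimate security tools (as several entries above show) also ship unsigned drivers.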

#13 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:10:35 AM

Posted 20 February 2007 - 08:48 AM

Hi,

Your logs look clean again.

When running the setup program I was given the message 'this version of Java RE is not recommended for your operating system, etc.' but I asked it to carry on. Is this wise?

Well, you did download and install the right version, as I can see from your log, and it did install properly. So don't worry here.

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#14 byonic

byonic
  • Topic Starter

  • Members
  • 43 posts
  • Gender:Male
  • Location:UK
  • Local time:09:35 AM

Posted 20 February 2007 - 09:59 AM

Thanks miekiemoes,

I'm glad my logs look clean. Thank you for your help in the fix. Dank u wel!

Just before I sign off for good though, a couple of asks:

ZoneAlarm tells me that MSN Messenger is trying to act as a server soon after booting the machine. Is this normal? So far I have denied this action.

ZoneAlarm also tells me that it has blocked another machine on my local network from accessing the internet. Is this normal? The machines both connect to the internet via a Netgear router, so why is the machine trying to access via this one?

Also, I get Microsoft Office Installer opening up and trying to do something, although I'm not sure what. Is this a result of the infections?

I would really appreciate one more piece of advice.

Many thanks :thumbsup:

#15 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:10:35 AM

Posted 20 February 2007 - 10:20 AM

Hi,

I don't see MSN Messenger starting up with Windows in your case, so I'm not sure why ZoneAlarm displays that alert.
I guess it's rather the Messenger service that wants to connect, and since you don't have Service Pack 2, this service is enabled by default.
This service is not recommended anyway, so you may disable it.

To do this, go to Start > Run, type: services.msc and click OK.
Scroll down in that list until you find the service Messenger.
Double-click on it. In the window that will appear, click on "Stop" (if not greyed out) and change the Startup Type to Disabled.
Click Apply and OK and close all open windows.

By the way, Netgear doesn't recommend ZoneAlarm, since they may conflict. Also read here: http://kbserver.netgear.com/kb_web_files/N101177.asp
That's why your Zonealarm may display some alerts while there's nothing to worry about.

Also, I get Microsoft Office Installer opening up and trying to do something, although I'm not sure what. Is this a result of the infections?

No, this hasn't anything to do with malware. This happens frequently when Office components are set to start up with Windows and it cannot immediately find the required files, so the installer opens, searches for the related files and runs them. When it can't find them, it will ask you for the CD.
Anyway, the only Office-related item I see here that starts up with Windows is OSA.exe, which I actually do not recommend starting up with Windows since it's a resource hog. So you may check and fix the next entry in HijackThis:

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Please make sure your TeaTimer doesn't interfere here when you fix that entry in HijackThis, because TeaTimer may block that change and place that entry back.
