Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Bitdefnder & Avg Anti-spy Logs


  • This topic is locked This topic is locked
25 replies to this topic

#1 Sydnyg

Sydnyg

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:02:50 PM

Posted 01 May 2007 - 08:10 AM

AdAwareLog File_043007

Ad-Aware SE Build 1.06r1
Logfile Created on:Monday, April 30, 2007 7:11:58 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R168 30.04.2007
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):12 total references
Tracking Cookie(TAC index:3):11 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


4-30-2007 7:11:58 PM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\User\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office


MRU List Object Recognized!
Location: : C:\Documents and Settings\User\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-484763869-842925246-682003330-1004\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-484763869-842925246-682003330-1004\software\microsoft\office\11.0\common\open find\microsoft office word\settings\open\file name mru
Description : list of recent documents opened by microsoft word


MRU List Object Recognized!
Location: : S-1-5-21-484763869-842925246-682003330-1004\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-484763869-842925246-682003330-1004\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: :


Thank you for any assistance you may provide.

~SydnyG~

BC AdBot (Login to Remove)

 


m

#2 Sydnyg

Sydnyg
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:02:50 PM

Posted 01 May 2007 - 07:02 PM

Logfile of HijackThis v1.99.1
Scan saved at 7:50:02 PM, on 5/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\bcmntray.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Bomgar\Representative\www.freesdtrial.com\nsrep.exe
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - CD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O2 - BHO: (no name) - pC8ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - ¨¨B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O2 - BHO: (no name) - ðB49E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search 2\DesktopSearchBand2526.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\bcmntray
O4 - HKLM\..\Run: [PRONoMgr.exe] "c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe"
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Copernic Desktop Search 2] "C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Bomgar Representative Client [www.freesdtrial.com].lnk = C:\Program Files\Bomgar\Representative\www.freesdtrial.com\nsrep.exe
O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1159374420531
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - https://as00.estara.com/UI/proxyhttps.php?a...533921OneCC.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.com/download/apps/LPInstaller.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} (Lexmark eDiagnostics Class) - https://ediagnostics.lexmark.com/serval.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by7fd.bay7.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BD69A6F-5CF0-4E50-9F1F-CA5A0322317B}: NameServer = 69.78.96.14 66.174.95.44
O17 - HKLM\System\CS1\Services\Tcpip\..\{2BD69A6F-5CF0-4E50-9F1F-CA5A0322317B}: NameServer = 69.78.96.14 66.174.95.44
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - c:\WINDOWS\system32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: Modinmic - {CC40F480-373D-4429-952D-CD839053FC49} - C:\WINDOWS\system32\dbetole.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

#3 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:50 AM

Posted 05 May 2007 - 01:11 PM

Hello Sydnyg,

I am SifuMike and I will be helping you. :thumbsup:


Your Ad-Aware SE just show MRU's


MRU = most recently used

These are lists in the registry of files you have recently opened or programs you have recently run etc, (not malware and quite harmless) :flowers:



You will need to use Internet Explorer for this scan.
Disable your antivirus program and go here to run BitDefender Online Scan.
Click on I Agree.
Avoid clicking on other links as you don't need to try out the full install at this point, just the online scanner.

When the ActiveX Control has loaded, click on "Click here to scan".
Please be patient, as this scan may take a few hours. It all depends on the number of files on your computer.

NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat the BitDefender Online Scan.


When BitDefender completes the scan, select the "Detected Problems" tab.
Click on "Click here to export scan".
Save the file as an HTML to your Desktop.
Then click on the saved file and allow it to open with your browser.
Go to Edit - Select All then copy/paste that log back here.
Post the BitDefender log.


******************

Download ATF (Atribune Temp File) Cleaner© by Atribune DO NOT run it yet.

Download and install AVG Anti-Spyware 7.5 (formerly Ewido)
This is a 30 day trial of the program

AVG Anti-Spyware is designed to be used to both scan for and remove malicious files and also to run in real-time alongside, but not replace, your existing anti-virus program to give an added layer of protection.
Both the Resident Shield and Automatic Updates will only be available for the thirty day trial period, after that AVG Anti-Spyware will revert to a stand-alone scanner which you can keep and manually update for free and use in a similar way to Ad-Aware SE Personal, Spybot S&D etc.


1. After download, double click on the file to launch the install process.
2. Choose a language, click "OK" and then click "Next".
3. Read the "License Agreement" and click "I Agree".
4. Accept the default installation path: C:\Program Files\AVG Anti-Spyware 7.5 and click "Next", then click "Install".
5. After setup completes, click "Finish" to start the program automatically or launch ewido by double-clicking its icon on your desktop or in the system tray.
6. The main "Status" menu will appear. You can select "Change state" to inactivate 'Resident Sheild' and 'Automatic Updates'. If you choose to do this, then right click on AVG antispyware in the system tray and uncheck "Start with Windows".
7. Select the "Update" button and click "Start update".
If you are having problems with the updater, manually update with the AVG Antispyware Full database installer from here.
8. Exit AVG Anti-Spyware 7.5 when done - DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method so Windows will start with minimal drivers and running processes.
To do this restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly.
A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

1.) Double-click the small BLUE Garbage Can ATF-Cleaner.exe file to run the program.
2.) At the top, under Main choose: Select All
3.) Click the Empty Selected button.

If you use the Firefox browser:
1.) At the top, click Firefox and choose: Select All
2.) Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use the Opera browser:
1.) At the top, click Opera and choose: Select All
2.) Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.


Scan with AVG Anti-Spyware 7.5 as follows:

1. Launch AVG Anti-Spyware 7.5, click on the "Scanner" button and choose the "Settings" tab.

Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.

Under "How to Scan?" check all (default).

Under "Possibly unwanted software" check all (default).

Under "What to Scan?" make sure "Scan every file" is selected (default).

Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".

2. Click the "Scan" tab to return to scanning options.
3. Click "Complete System Scan" to start.

4. IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.

Make sure that Set all elements to: shows Quarantine
(1)
, if not click on the link and choose Quarantine from the popup menu.
(2) At the bottom of the window click on the Apply all Actions button.
(3) When done, click the Save Scan Report button.
(4) Click the Save Report as button.
Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt.
Save to your desktop.
A copy of each report will also be saved in C:\Program Files\AVG Anti-Spyware 7.5\Reports\
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Reboot to Normal Mode.

When done, submit the BitDefender log, the [b]AVG Anti-Spyware 7.5
log and a fresh Hijackthis log.

Edited by SifuMike, 05 May 2007 - 01:12 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 Sydnyg

Sydnyg
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:02:50 PM

Posted 05 May 2007 - 09:29 PM

BitDefender Online Scanner



Scan report generated at: Sat, May 05, 2007 - 22:17:27





Scan path: C:\;D:\;







Statistics

Time
01:52:52

Files
605590

Folders
5881

Boot Sectors
3

Archives
5698

Packed Files
35959




Results

Identified Viruses
5

Infected Files
10

Suspect Files
0

Warnings
0

Disinfected
0

Deleted Files
10




Engines Info

Virus Definitions
504311

Engine build
AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)

Scan plugins
14

Archive plugins
38

Unpack plugins
6

E-mail plugins
6

System plugins
1




Scan Settings

First Action
Disinfect

Second Action
Delete

Heuristics
Yes

Enable Warnings
Yes

Scanned Extensions
*;

Exclude Extensions


Scan Emails
Yes

Scan Archives
Yes

Scan Packed
Yes

Scan Files
Yes

Scan Boot
Yes




Scanned File
Status

C:\Documents and Settings\User\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Email Password/mailpv.exe
Infected with: Trojan.Downloader.Small.74

C:\Documents and Settings\User\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Email Password/mailpv.exe
Disinfection failed

C:\Documents and Settings\User\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Email Password/mailpv.exe
Deleted

C:\Documents and Settings\User\pcbeginner-full.ISO
Update failed

C:\Documents and Settings\User\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Instant Messenger Password/mspass.exe
Infected with: Backdoor.Delf.Agf.28.D

C:\Documents and Settings\User\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Instant Messenger Password/mspass.exe
Disinfection failed

C:\Documents and Settings\User\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Instant Messenger Password/mspass.exe
Deleted

C:\Documents and Settings\User\pcbeginner-full.ISO
Update failed

C:\Documents and Settings\User\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Protected Storage Password/pspv.exe
Detected with: Application.Passview.A

C:\Documents and Settings\User\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Protected Storage Password/pspv.exe
Disinfection failed

C:\Documents and Settings\User\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Protected Storage Password/pspv.exe
Deleted

C:\Documents and Settings\User\pcbeginner-full.ISO
Update failed

C:\Documents and Settings\User\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Key Logger/Home Key Logger/HomeKeyLogger.exe=>(NSIS o)=>zlib_nsis0006
Infected with: Trojan.HKL

C:\Documents and Settings\User\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Key Logger/Home Key Logger/HomeKeyLogger.exe=>(NSIS o)=>zlib_nsis0006
Disinfection failed

C:\Documents and Settings\User\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Key Logger/Home Key Logger/HomeKeyLogger.exe=>(NSIS o)=>zlib_nsis0006
Deleted

C:\Documents and Settings\User\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Key Logger/Home Key Logger/HomeKeyLogger.exe=>(NSIS o)
Update failed

C:\Documents and Settings\User\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Key Logger/Professional Key Logger/CaptainMnemo.exe
Infected with: Trojan.Spy.Agent.BK

C:\Documents and Settings\User\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Key Logger/Professional Key Logger/CaptainMnemo.exe
Disinfection failed

C:\Documents and Settings\User\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Key Logger/Professional Key Logger/CaptainMnemo.exe
Deleted

C:\Documents and Settings\User\pcbeginner-full.ISO
Update failed

C:\Downloads\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Email Password/mailpv.exe
Infected with: Trojan.Downloader.Small.74

C:\Downloads\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Email Password/mailpv.exe
Disinfection failed

C:\Downloads\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Email Password/mailpv.exe
Deleted

C:\Downloads\pcbeginner-full.ISO
Update failed

C:\Downloads\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Instant Messenger Password/mspass.exe
Infected with: Backdoor.Delf.Agf.28.D

C:\Downloads\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Instant Messenger Password/mspass.exe
Disinfection failed

C:\Downloads\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Instant Messenger Password/mspass.exe
Deleted

C:\Downloads\pcbeginner-full.ISO
Update failed

C:\Downloads\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Protected Storage Password/pspv.exe
Detected with: Application.Passview.A

C:\Downloads\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Protected Storage Password/pspv.exe
Disinfection failed

C:\Downloads\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Protected Storage Password/pspv.exe
Deleted

C:\Downloads\pcbeginner-full.ISO
Update failed

C:\Downloads\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Key Logger/Home Key Logger/HomeKeyLogger.exe=>(NSIS o)=>zlib_nsis0006
Infected with: Trojan.HKL

C:\Downloads\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Key Logger/Home Key Logger/HomeKeyLogger.exe=>(NSIS o)=>zlib_nsis0006
Disinfection failed

C:\Downloads\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Key Logger/Home Key Logger/HomeKeyLogger.exe=>(NSIS o)=>zlib_nsis0006
Deleted

C:\Downloads\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Key Logger/Home Key Logger/HomeKeyLogger.exe=>(NSIS o)
Update failed

C:\Downloads\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Key Logger/Professional Key Logger/CaptainMnemo.exe
Infected with: Trojan.Spy.Agent.BK

C:\Downloads\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Key Logger/Professional Key Logger/CaptainMnemo.exe
Disinfection failed

C:\Downloads\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Key Logger/Professional Key Logger/CaptainMnemo.exe
Deleted

C:\Downloads\pcbeginner-full.ISO
Update failed

#5 Sydnyg

Sydnyg
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:02:50 PM

Posted 06 May 2007 - 10:05 AM

BitDefender Online Scanner



Scan report generated at: Sat, May 05, 2007 - 22:17:27





Scan path: C:\;D:\;







Statistics

Time
01:52:52

Files
605590

Folders
5881

Boot Sectors
3

Archives
5698

Packed Files
35959




Results

Identified Viruses
5

Infected Files
10

Suspect Files
0

Warnings
0

Disinfected
0

Deleted Files
10




Engines Info

Virus Definitions
504311

Engine build
AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)

Scan plugins
14

Archive plugins
38

Unpack plugins
6

E-mail plugins
6

System plugins
1




Scan Settings

First Action
Disinfect

Second Action
Delete

Heuristics
Yes

Enable Warnings
Yes

Scanned Extensions
*;

Exclude Extensions


Scan Emails
Yes

Scan Archives
Yes

Scan Packed
Yes

Scan Files
Yes

Scan Boot
Yes




Scanned File
Status

C:\Documents and Settings\User\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Email Password/mailpv.exe
Infected with: Trojan.Downloader.Small.74

C:\Documents and Settings\User\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Email Password/mailpv.exe
Disinfection failed

C:\Documents and Settings\User\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Email Password/mailpv.exe
Deleted

C:\Documents and Settings\User\pcbeginner-full.ISO
Update failed

C:\Documents and Settings\User\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Instant Messenger Password/mspass.exe
Infected with: Backdoor.Delf.Agf.28.D

C:\Documents and Settings\User\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Instant Messenger Password/mspass.exe
Disinfection failed

C:\Documents and Settings\User\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Instant Messenger Password/mspass.exe
Deleted

C:\Documents and Settings\User\pcbeginner-full.ISO
Update failed

C:\Documents and Settings\User\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Protected Storage Password/pspv.exe
Detected with: Application.Passview.A

C:\Documents and Settings\User\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Protected Storage Password/pspv.exe
Disinfection failed

C:\Documents and Settings\User\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Protected Storage Password/pspv.exe
Deleted

C:\Documents and Settings\User\pcbeginner-full.ISO
Update failed

C:\Documents and Settings\User\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Key Logger/Home Key Logger/HomeKeyLogger.exe=>(NSIS o)=>zlib_nsis0006
Infected with: Trojan.HKL

C:\Documents and Settings\User\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Key Logger/Home Key Logger/HomeKeyLogger.exe=>(NSIS o)=>zlib_nsis0006
Disinfection failed

C:\Documents and Settings\User\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Key Logger/Home Key Logger/HomeKeyLogger.exe=>(NSIS o)=>zlib_nsis0006
Deleted

C:\Documents and Settings\User\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Key Logger/Home Key Logger/HomeKeyLogger.exe=>(NSIS o)
Update failed

C:\Documents and Settings\User\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Key Logger/Professional Key Logger/CaptainMnemo.exe
Infected with: Trojan.Spy.Agent.BK

C:\Documents and Settings\User\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Key Logger/Professional Key Logger/CaptainMnemo.exe
Disinfection failed

C:\Documents and Settings\User\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Key Logger/Professional Key Logger/CaptainMnemo.exe
Deleted

C:\Documents and Settings\User\pcbeginner-full.ISO
Update failed

C:\Downloads\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Email Password/mailpv.exe
Infected with: Trojan.Downloader.Small.74

C:\Downloads\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Email Password/mailpv.exe
Disinfection failed

C:\Downloads\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Email Password/mailpv.exe
Deleted

C:\Downloads\pcbeginner-full.ISO
Update failed

C:\Downloads\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Instant Messenger Password/mspass.exe
Infected with: Backdoor.Delf.Agf.28.D

C:\Downloads\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Instant Messenger Password/mspass.exe
Disinfection failed

C:\Downloads\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Instant Messenger Password/mspass.exe
Deleted

C:\Downloads\pcbeginner-full.ISO
Update failed

C:\Downloads\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Protected Storage Password/pspv.exe
Detected with: Application.Passview.A

C:\Downloads\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Protected Storage Password/pspv.exe
Disinfection failed

C:\Downloads\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Protected Storage Password/pspv.exe
Deleted

C:\Downloads\pcbeginner-full.ISO
Update failed

C:\Downloads\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Key Logger/Home Key Logger/HomeKeyLogger.exe=>(NSIS o)=>zlib_nsis0006
Infected with: Trojan.HKL

C:\Downloads\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Key Logger/Home Key Logger/HomeKeyLogger.exe=>(NSIS o)=>zlib_nsis0006
Disinfection failed

C:\Downloads\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Key Logger/Home Key Logger/HomeKeyLogger.exe=>(NSIS o)=>zlib_nsis0006
Deleted

C:\Downloads\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Key Logger/Home Key Logger/HomeKeyLogger.exe=>(NSIS o)
Update failed

C:\Downloads\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Key Logger/Professional Key Logger/CaptainMnemo.exe
Infected with: Trojan.Spy.Agent.BK

C:\Downloads\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Key Logger/Professional Key Logger/CaptainMnemo.exe
Disinfection failed

C:\Downloads\pcbeginner-full.ISO=>WinTool/Password Management & Recovery/Password Recovery/Key Logger/Professional Key Logger/CaptainMnemo.exe
Deleted

C:\Downloads\pcbeginner-full.ISO
Update failed

**************************************************************************************************************************

AVG Anti spyware Log:

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:13:30 AM 5/6/2007

+ Scan result:



C:\System Volume Information\_restore{573E1158-CF62-46D3-92F5-6BDCAAC19F51}\RP119\A0084200.dll -> Adware.GoodByeSpyware : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{573E1158-CF62-46D3-92F5-6BDCAAC19F51}\RP120\A0084238.dll -> Adware.GoodByeSpyware : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{573E1158-CF62-46D3-92F5-6BDCAAC19F51}\RP120\A0085431.dll -> Adware.GoodByeSpyware : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{573E1158-CF62-46D3-92F5-6BDCAAC19F51}\RP120\A0085434.exe -> Adware.SpywareRemover : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting\ExclusionList\\swsys.exe -> Not-A-Virus.Monitor.Win32.ActivityLogger : Cleaned with backup (quarantined).
HKLM\SOFTWARE\WinL -> Not-A-Virus.Monitor.Win32.ActivityLogger : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{573E1158-CF62-46D3-92F5-6BDCAAC19F51}\RP120\A0085532.exe -> Not-A-Virus.Monitor.Win32.EBlaster.b : Cleaned with backup (quarantined).


::Report end

Thank you, Mike, for helping to assist in hopefully ridding my computer of the transparent keylogger. Please let me know if the offending spy programs have been elimi nated. Best wishes. Sydny

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:50 AM

Posted 08 May 2007 - 11:57 AM

Hi Sydnyg,

Looks good so far. :thumbsup: Are you seeing any problems on your computer?

Lets do another scan.


1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply, along with a fresh Hijackthis log.
Please may sure you continue to post to this thread and not open a new thread. If you open a new thread I may not see it.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
Disable script blocking if you have Norton Antivirus installed so it will not interfere with the fix.

To disable Norton AntiVirus Script Blocking
Start Norton AntiVirus. If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
Click Options. If you see a menu, click Norton AntiVirus.
In the left pane, click Script Blocking.
In the right pane, uncheck Enable Script Blocking (recommended).
Click OK

Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 Sydnyg

Sydnyg
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:02:50 PM

Posted 13 May 2007 - 09:36 PM

Hi Mike!

Am having trouble finding the download for HiJackThis, but included below is a copy of the log for the last security download - ComboFix:

"User" - 2007-05-13 20:57:20 Service Pack 2
ComboFix 07-05.13.V - Running from: "C:\Documents and Settings\User\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\DOWNLO~1.\Quarantine\ppqdb.dat
C:\WINDOWS\DOWNLO~1.\Quarantine\ppqsdb.dat
C:\WINDOWS\DOWNLO~1.\Quarantine


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\nm


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-13 ))))))))))))))))))))))))))))))))))


2007-05-11 14:24 109,782 --a------ C:\WINDOWS\CopernicAgentUninstall.exe
2007-05-11 14:24 <DIR> d-------- C:\Program Files\Copernic Agent
2007-05-11 14:24 <DIR> d-------- C:\Program Files\Common Files\Copernic
2007-05-11 14:24 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\Copernic
2007-05-09 09:02 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-05-09 09:02 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-05-09 09:01 <DIR> d-------- C:\Program Files\Picasa2
2007-05-09 02:21 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-07 18:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan
2007-05-05 22:46 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-05 22:37 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-05 17:29 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-04-30 00:21 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-04-29 23:42 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-04-27 21:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\HotSync
2007-04-27 21:44 53,248 --a------ C:\WINDOWS\PalmDevC.dll
2007-04-27 21:43 <DIR> d-------- C:\Program Files\palmOne
2007-04-27 21:39 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\HotSync
2007-04-24 23:03 <DIR> d-------- C:\DOCUME~1\User\Contacts
2007-04-24 23:01 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-04-22 16:14 <DIR> d-------- C:\Program Files\Bomgar
2007-04-21 18:38 <DIR> d-------- C:\Program Files\VMN
2007-04-21 18:38 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\vmntoolbar
2007-04-21 18:38 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\Visicom Media
2007-04-18 21:00 <DIR> d-------- C:\Program Files\Cryptigo


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-12 21:35:31 -------- d-----w C:\Program Files\Windows NT
2007-05-09 01:32:38 -------- d-----w C:\DOCUME~1\User\APPLIC~1\Image Zone Express
2007-05-07 23:12:22 -------- d-----w C:\Program Files\Lexmark 1200 Series
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:41:55 85,952 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-30 15:39:41 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-30 15:38:51 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-30 15:37:23 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-28 02:43:14 -------- d-----w C:\DOCUME~1\User\APPLIC~1\Uniblue
2007-04-28 01:39:30 16,694 ----a-w C:\WINDOWS\system32\drivers\PalmUSBD.sys
2007-04-28 01:33:11 -------- d-----w C:\Program Files\Google
2007-04-26 08:00:45 -------- d-----w C:\Program Files\Windows Live Toolbar
2007-04-18 19:14:28 -------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-04-09 20:57:49 -------- d-----w C:\Program Files\ABBYY FineReader 6.0
2007-04-09 20:53:06 -------- d-----w C:\Program Files\FaxTools
2007-04-09 20:52:53 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-07 17:54:11 -------- d-----w C:\DOCUME~1\User\APPLIC~1\AdobeUM
2007-04-07 00:35:05 -------- d-----w C:\Program Files\HP
2007-04-02 00:41:22 -------- d-----w C:\Program Files\MARS
2007-03-30 14:17:43 -------- d-----w C:\Program Files\Quicken
2007-03-30 14:14:38 -------- d-----w C:\Program Files\Common Files\Concord
2007-03-30 13:33:27 -------- d-----w C:\DOCUME~1\User\APPLIC~1\Intuit
2007-03-28 02:30:14 -------- d-----w C:\DOCUME~1\User\APPLIC~1\U3
2007-03-25 02:00:33 -------- d-----w C:\Program Files\Yahoo!
2007-03-24 23:43:59 -------- d-----w C:\DOCUME~1\User\APPLIC~1\FileMaker
2007-03-23 10:07:56 1,683,280 ------w C:\WINDOWS\system32\XpsSvcs.dll
2007-03-23 10:07:54 583,504 ------w C:\WINDOWS\system32\XPSSHHDR.dll
2007-03-23 06:04:54 -------- d-----w C:\Program Files\MSXML 4.0
2007-03-23 00:25:02 124,928 ------w C:\WINDOWS\system32\prntvpt.dll
2007-03-22 22:13:12 -------- d-----w C:\DOCUME~1\User\APPLIC~1\HP
2007-03-22 21:56:41 -------- d-----w C:\Program Files\FaxMailW
2007-03-22 20:14:32 117,132 ----a-w C:\WINDOWS\hpoins11.dat
2007-03-22 20:03:54 -------- d-----w C:\Program Files\Common Files\HP
2007-03-22 19:59:36 -------- d-----w C:\Program Files\Hewlett-Packard
2007-03-22 19:57:52 -------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2007-03-22 02:05:44 88 --sh--r C:\WINDOWS\system32\6E5BF933D0.sys
2007-03-22 02:05:44 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-03-22 02:05:22 -------- d-----w C:\DOCUME~1\User\APPLIC~1\Corel
2007-03-22 02:04:15 -------- d-----w C:\Program Files\WordPerfect Mail
2007-03-22 02:04:15 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-03-22 02:02:23 -------- d-----w C:\Program Files\WordPerfect Mail Setup
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-15 15:05:22 -------- d-----w C:\Program Files\KVS Availability Tool
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-15 05:48:58 192,512 ----a-w C:\WINDOWS\system32\NSNPShel.dll
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 10:28]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 20:33]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-19 23:55]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}=C:\Program Files\Windows Live Toolbar\msntb.dll [2006-09-27 17:45]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"Broadcom Wireless Manager UI"="C:\\WINDOWS\\system32\\bcmntray"
"PRONoMgr.exe"="\"c:\\Program Files\\Intel\\PROSetWireless\\NCS\\PROSet\\PRONoMgr.exe\""
"LXCFCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXCFtime.dll,_RunDLLEntry@16"
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\\Program Files\\Google\\Gmail Notifier\\gnotify.exe"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-06-17 23:48]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\bcmntray" []
"PRONoMgr.exe"="c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2004-02-05 19:33]
"LXCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 15:47]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 04:50]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 17:48]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 11:42]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 02:46]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 06:03]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 06:03]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-04-27 08:30]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 08:20]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-05-02 02:08]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-09-13 17:17]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_9 -reboot 1"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ http://us.i1.yimg.com/us.yimg.com/i/us/pim...oon/shd_r_2.gif

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{719B65FF-12CE-4277-989E-9879266FC755}"="C:\WINDOWS\system32\svriwmac.dll" [2006-07-05 06:55]


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
WudfServiceGroup WUDFSvc\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
Shell\AutoRun\command E:\LaunchU3.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{72132ff9-5a20-11db-a589-000e358b7dcb}]
Shell\AutoRun\command E:\LaunchU3.exe -a

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1 Copernic Intra-Daily ~USER-60070D78FD User.job
C:\WINDOWS\tasks\2 Copernic Daily ~USER-60070D78FD User.job
C:\WINDOWS\tasks\3 Copernic Weekly ~USER-60070D78FD User.job
C:\WINDOWS\tasks\4 Copernic Monthly ~USER-60070D78FD User.job
C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-13 21:08:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-13 21:10:22 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-13 21:10

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:50 AM

Posted 13 May 2007 - 09:46 PM

Hi Sydnyg,

Am having trouble finding the download for HiJackThis


Download the latest version of Hijackthis from the following link:

HijackThis Download Site with installer
Just click on Hijackthis_sfx.exe file that you downloaded.
A WinZip self extractor screen appears with the default location of C:\Program Files\Hijackthis.
Then press the Unzip button.
Then close the Self-Extractor window.

Using My Computer/Windows Explorer, navigate to C:\Program Files\HijackThis and double click on HijackThis.exe to run it.
If you would like to make a shortcut for your Desktop so it's more easily accessable, right click HijackThis.exe and choose Send To > Desktop (create shortcut).

Please run the extracted HijackThis.exe from now on.

Please post a fresh Hijackthis log and telll me how your computer is running.

Edited by SifuMike, 13 May 2007 - 09:46 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 Sydnyg

Sydnyg
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:02:50 PM

Posted 13 May 2007 - 10:44 PM

Thanks Mike for your help. Please see if the Hacker has re-infested the keylogger on my HD.

Logfile of HijackThis v1.99.1
Scan saved at 11:35:19 PM, on 5/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\bcmntray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\bcmntray
O4 - HKLM\..\Run: [PRONoMgr.exe] "c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe"
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/17.17/uploader2.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1159374420531
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - https://as00.estara.com/UI/proxyhttps.php?a...533921OneCC.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.com/download/apps/LPInstaller.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} (Lexmark eDiagnostics Class) - https://ediagnostics.lexmark.com/serval.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by7fd.bay7.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BD69A6F-5CF0-4E50-9F1F-CA5A0322317B}: NameServer = 69.78.96.14 66.174.95.44
O17 - HKLM\System\CS1\Services\Tcpip\..\{2BD69A6F-5CF0-4E50-9F1F-CA5A0322317B}: NameServer = 69.78.96.14 66.174.95.44
O17 - HKLM\System\CS2\Services\Tcpip\..\{2BD69A6F-5CF0-4E50-9F1F-CA5A0322317B}: NameServer = 69.78.96.14 66.174.95.44
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - c:\WINDOWS\system32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: Aitint - {719B65FF-12CE-4277-989E-9879266FC755} - C:\WINDOWS\system32\svriwmac.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:50 AM

Posted 13 May 2007 - 11:08 PM

Hi Sydnyg,

You log looks clean, except for some minor cleanup.

Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial


*******************************************

In Normal Mode, select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix."

O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - (no file)

*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbarfree Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Cookies.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.

In the Applications Tab:
• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Reboot your computer.

Let's do two more scans to make sure no keylogger is lurking. :thumbsup:

Please download, update and run (one at a time of course!)
Spybot 1.4 and Adaware SE 1.06.r1

Fix whatever they suggest.

If you need help running these tools, here are some helpful tutorials.
Spybot Tutorial
Adaware SE Tutorial

Be sure to run Adaware SE with a Full Scan in the Safe Mode.

How to Reboot into Safe Mode
tap F8 key during reboot, until the boot menu appears...use the arrow keys to choose "Safe Mode" from the menu......,then press the "Enter" key. If that does not work this go to this site: http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/

After they are done, tell me how your computer is running.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:50 AM

Posted 20 May 2007 - 01:22 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#12 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,395 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:50 PM

Posted 20 May 2007 - 06:38 PM

I have reopened this topic at the user's request.

#13 Sydnyg

Sydnyg
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:02:50 PM

Posted 20 May 2007 - 10:09 PM

Hello Lawence!

Please find below the results of the logs requested by "SifuMike", which apparently never made it to him. As I told him, I believe there has been another transparent keylogger attached to my HD, and I'm wondering if this current scan has picked it up? Thank you for assisting me, and I look forward to your reply.
~Sydny~
*****************************************************************************************************************************
"User" - 2007-05-13 20:57:20 Service Pack 2
ComboFix 07-05.13.V - Running from: "C:\Documents and Settings\User\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\DOWNLO~1.\Quarantine\ppqdb.dat
C:\WINDOWS\DOWNLO~1.\Quarantine\ppqsdb.dat
C:\WINDOWS\DOWNLO~1.\Quarantine


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\nm


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-13 ))))))))))))))))))))))))))))))))))


2007-05-11 14:24 109,782 --a------ C:\WINDOWS\CopernicAgentUninstall.exe
2007-05-11 14:24 <DIR> d-------- C:\Program Files\Copernic Agent
2007-05-11 14:24 <DIR> d-------- C:\Program Files\Common Files\Copernic
2007-05-11 14:24 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\Copernic
2007-05-09 09:02 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-05-09 09:02 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-05-09 09:01 <DIR> d-------- C:\Program Files\Picasa2
2007-05-09 02:21 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-07 18:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan
2007-05-05 22:46 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-05 22:37 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-05 17:29 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-04-30 00:21 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-04-29 23:42 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-04-27 21:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\HotSync
2007-04-27 21:44 53,248 --a------ C:\WINDOWS\PalmDevC.dll
2007-04-27 21:43 <DIR> d-------- C:\Program Files\palmOne
2007-04-27 21:39 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\HotSync
2007-04-24 23:03 <DIR> d-------- C:\DOCUME~1\User\Contacts
2007-04-24 23:01 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-04-22 16:14 <DIR> d-------- C:\Program Files\Bomgar
2007-04-21 18:38 <DIR> d-------- C:\Program Files\VMN
2007-04-21 18:38 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\vmntoolbar
2007-04-21 18:38 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\Visicom Media
2007-04-18 21:00 <DIR> d-------- C:\Program Files\Cryptigo


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-12 21:35:31 -------- d-----w C:\Program Files\Windows NT
2007-05-09 01:32:38 -------- d-----w C:\DOCUME~1\User\APPLIC~1\Image Zone Express
2007-05-07 23:12:22 -------- d-----w C:\Program Files\Lexmark 1200 Series
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:41:55 85,952 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-30 15:39:41 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-30 15:38:51 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-30 15:37:23 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-28 02:43:14 -------- d-----w C:\DOCUME~1\User\APPLIC~1\Uniblue
2007-04-28 01:39:30 16,694 ----a-w C:\WINDOWS\system32\drivers\PalmUSBD.sys
2007-04-28 01:33:11 -------- d-----w C:\Program Files\Google
2007-04-26 08:00:45 -------- d-----w C:\Program Files\Windows Live Toolbar
2007-04-18 19:14:28 -------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-04-09 20:57:49 -------- d-----w C:\Program Files\ABBYY FineReader 6.0
2007-04-09 20:53:06 -------- d-----w C:\Program Files\FaxTools
2007-04-09 20:52:53 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-07 17:54:11 -------- d-----w C:\DOCUME~1\User\APPLIC~1\AdobeUM
2007-04-07 00:35:05 -------- d-----w C:\Program Files\HP
2007-04-02 00:41:22 -------- d-----w C:\Program Files\MARS
2007-03-30 14:17:43 -------- d-----w C:\Program Files\Quicken
2007-03-30 14:14:38 -------- d-----w C:\Program Files\Common Files\Concord
2007-03-30 13:33:27 -------- d-----w C:\DOCUME~1\User\APPLIC~1\Intuit
2007-03-28 02:30:14 -------- d-----w C:\DOCUME~1\User\APPLIC~1\U3
2007-03-25 02:00:33 -------- d-----w C:\Program Files\Yahoo!
2007-03-24 23:43:59 -------- d-----w C:\DOCUME~1\User\APPLIC~1\FileMaker
2007-03-23 10:07:56 1,683,280 ------w C:\WINDOWS\system32\XpsSvcs.dll
2007-03-23 10:07:54 583,504 ------w C:\WINDOWS\system32\XPSSHHDR.dll
2007-03-23 06:04:54 -------- d-----w C:\Program Files\MSXML 4.0
2007-03-23 00:25:02 124,928 ------w C:\WINDOWS\system32\prntvpt.dll
2007-03-22 22:13:12 -------- d-----w C:\DOCUME~1\User\APPLIC~1\HP
2007-03-22 21:56:41 -------- d-----w C:\Program Files\FaxMailW
2007-03-22 20:14:32 117,132 ----a-w C:\WINDOWS\hpoins11.dat
2007-03-22 20:03:54 -------- d-----w C:\Program Files\Common Files\HP
2007-03-22 19:59:36 -------- d-----w C:\Program Files\Hewlett-Packard
2007-03-22 19:57:52 -------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2007-03-22 02:05:44 88 --sh--r C:\WINDOWS\system32\6E5BF933D0.sys
2007-03-22 02:05:44 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-03-22 02:05:22 -------- d-----w C:\DOCUME~1\User\APPLIC~1\Corel
2007-03-22 02:04:15 -------- d-----w C:\Program Files\WordPerfect Mail
2007-03-22 02:04:15 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-03-22 02:02:23 -------- d-----w C:\Program Files\WordPerfect Mail Setup
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-15 15:05:22 -------- d-----w C:\Program Files\KVS Availability Tool
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-15 05:48:58 192,512 ----a-w C:\WINDOWS\system32\NSNPShel.dll
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 10:28]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 20:33]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-19 23:55]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}=C:\Program Files\Windows Live Toolbar\msntb.dll [2006-09-27 17:45]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"Broadcom Wireless Manager UI"="C:\\WINDOWS\\system32\\bcmntray"
"PRONoMgr.exe"="\"c:\\Program Files\\Intel\\PROSetWireless\\NCS\\PROSet\\PRONoMgr.exe\""
"LXCFCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXCFtime.dll,_RunDLLEntry@16"
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\\Program Files\\Google\\Gmail Notifier\\gnotify.exe"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-06-17 23:48]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\bcmntray" []
"PRONoMgr.exe"="c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2004-02-05 19:33]
"LXCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 15:47]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 04:50]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 17:48]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 11:42]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 02:46]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 06:03]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 06:03]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-04-27 08:30]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 08:20]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-05-02 02:08]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-09-13 17:17]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_9 -reboot 1"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ http://us.i1.yimg.com/us.yimg.com/i/us/pim...oon/shd_r_2.gif

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{719B65FF-12CE-4277-989E-9879266FC755}"="C:\WINDOWS\system32\svriwmac.dll" [2006-07-05 06:55]


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
WudfServiceGroup WUDFSvc\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
Shell\AutoRun\command E:\LaunchU3.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{72132ff9-5a20-11db-a589-000e358b7dcb}]
Shell\AutoRun\command E:\LaunchU3.exe -a

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1 Copernic Intra-Daily ~USER-60070D78FD User.job
C:\WINDOWS\tasks\2 Copernic Daily ~USER-60070D78FD User.job
C:\WINDOWS\tasks\3 Copernic Weekly ~USER-60070D78FD User.job
C:\WINDOWS\tasks\4 Copernic Monthly ~USER-60070D78FD User.job
C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-13 21:08:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-13 21:10:22 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-13 21:10

#14 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:50 AM

Posted 20 May 2007 - 10:19 PM

Hi Sydnyg,

The ComboFix removed several malware. :thumbsup:
Did you run Spybot 1.4 and Ad-aware SE?

Why do you think you have a keylogger?

Edited by SifuMike, 20 May 2007 - 10:24 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 Sydnyg

Sydnyg
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:02:50 PM

Posted 20 May 2007 - 10:27 PM

Hi Mike!

Yes, I ran all your suggested spyware. For your edification, I have Adware SE, Spybot, C Cleaner, and Avast installed on my computer. As directed, I put the computer into Safe Mode to run the Adware, but had already run the the others prior to that. I believe the result said there was no malware found, and did not produce a log. Does that make sense?

~Sydny~




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users