Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

I Think A Thing Called Spyaxe Has Infected The Computer


  • Please log in to reply
5 replies to this topic

#1 Guest_luke.simpson24_*

Guest_luke.simpson24_*

  • Guests
  • OFFLINE
  •  

Posted 07 June 2007 - 05:24 AM

command prompt keeps coming up on start up and telling me that i should contact craig.peacock@beyondlogic.org and
Killing PID winner32.exe and another thing thats pissing me off is a oreans Themida "anti-cracking technology Demo version. Please help.

Logfile of HijackThis v1.99.1
Scan saved at 8:05:44 PM, on 7/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\rnamfler\naomf.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Vet\CAVRID.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Vet\ISafe.exe
C:\Windows\System32\winner32.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\rnamfler\radprcmp.exe
C:\Program Files\rnamfler\naofsvc.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Vet\VetMsg.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\msngr.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: (no name) - {1a29a79a-b9c8-44a9-bedf-7fadde3cf33f} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\WINDOWS\system32\NeroCheck.exe"
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] "point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [igfxhkcmd] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [igfxpers] "C:\WINDOWS\system32\igfxpers.exe"
O4 - HKLM\..\Run: [parentalcontrol] "C:\Program Files\parentalcontrol\parentalcontrol.exe" "C:\Program Files\parentalcontrol\parentalcontrol.dll" "parentalcontrol"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [WindowsModule] "C:\Windows\System32\winner32.exe"
O4 - HKLM\..\Run: [hpdrv] C:\WINDOWS\system32\drivers\etc\driver.bat
O4 - HKLM\..\Run: [wrna3ls] C:\Program Files\rnamfler\naomf.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Vet\CAVRID.exe"
O4 - HKLM\..\Run: [multi byte bows more] C:\Documents and Settings\All Users\Application Data\third mfcd multi byte\IDOL FIRST.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [VistaStartMenu] "C:\Program Files\Vista Start Menu\StartMenu.exe"
O4 - HKCU\..\Run: [WindowsModule] "C:\Windows\System32\winner32.exe"
O4 - HKCU\..\Run: [IdleBags] C:\DOCUME~1\Luke\APPLIC~1\AUDIOG~1\adminlies.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Scrambler - {2225A222-A789-11CE-86F8-0020AFD8C6DB} - C:\PROGRA~1\PASSWO~1\pwscr.dll
O9 - Extra 'Tools' menuitem: Password Scrambler... - {2225A222-A789-11CE-86F8-0020AFD8C6DB} - C:\PROGRA~1\PASSWO~1\pwscr.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} - https://www.windowsonecare.com/install/cli/...nSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://intellectuallychallenged.spaces.liv...ad/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Zango/ie/b...a8a8b93e75306fe
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://upload.mediamax.com/Upload/XUpload.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live Mail desktop\mailcomm.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: bonspells - {11853d5f-f894-4cc7-bbc3-fc7a9dcfd896} - (no file)
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Vet\ISafe.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: RdnaoFlSvc - Unknown owner - C:\Program Files\rnamfler\naofsvc.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Vet\VetMsg.exe
O23 - Service: Windows Server Management Services (WSMSPSVC) - Unknown owner - C:\WINDOWS\msngr.exe

Edited by luke.simpson24, 07 June 2007 - 05:25 AM.


BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  

Posted 07 June 2007 - 08:23 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum luke.simpson24 :thumbsup:

Download KillBox,unzip/extract it to your desktop.
http://download.bleepingcomputer.com/spyware/KillBox.zip
Start up Killbox and place a check in 'Delete on Reboot'.
In the 'Full path of file to delete' box,copy and paste:

C:\Windows\System32\winner32.exe

Then press the red button with the white cross.
It will then provide a window for you to confirm the delete.
Next it will ask if you now wish to reboot,select YES.
Allow it to reboot.
If it does'nt reboot automatically,reboot manually.

*************************

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop,and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode,go to and open the C:\SDFix folder,then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer that normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.

*************************

Download SmitfraudFix (by S!Ri), to your desktop.
Double click on Smitfraudfix.cmd
Select option #1 Search, by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy and paste the content of that report into your next reply.

*IMPORTANT:*
Do NOT run any other options until you are asked to do so!

*************************

Click on Start>Control Panel>Add/Remove Programs.
Uninstall/remove any of the following programs if listed:
Netpumper
Bitroll
Bitgrabber
Bitdownload
Torrent101
CiD Help / CiD Manager
Download Plugin for Internet Explorer
Search Plugin
WinZix
Zone Media

This is because they are often bundled with the malware you are dealing with.
Don't worry if none of them are present.
If you removed any of them please restart your pc.

******************************

Download NoLop.exe to your desktop.

* First close any other programs you have running as this will require a reboot.
* Double click NoLop.exe to run it.
* Then click the button labelled "Search and Destroy".
* When scanning is finished you will be prompted to reboot only if infected,click 'OK'.
* Now click the "REBOOT" Button.
* A Message should popup from NoLop, if not,double click the program again and it will finish.
Post the contents of C:\NoLop.log and a new Hijack This log into your next reply.

If you receive the error,that mscomctl.ocx or one of its dependencies are not correctly registered, please download this file to your 'System32' folder then rerun the program: http://www.boletrice.com/downloads/mscomctl.ocx

Also post a new Hijackthis log please.
Posted Image
Posted Image

#3 Guest_luke.simpson24_*

Guest_luke.simpson24_*

  • Guests
  • OFFLINE
  •  

Posted 14 June 2007 - 01:41 AM

I think it worked. thanks.

my HijackThis log is

Logfile of HijackThis v1.99.1
Scan saved at 4:37:33 PM, on 14/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\rnamfler\naomf.exe
C:\Vet\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Vet\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.exe
c:\program files\rnamfler\radprcmp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\rnamfler\naofsvc.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Vet\VetMsg.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [wrna3ls] C:\Program Files\rnamfler\naomf.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Vet\CAVRID.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Scrambler - {2225A222-A789-11CE-86F8-0020AFD8C6DB} - C:\PROGRA~1\PASSWO~1\pwscr.dll
O9 - Extra 'Tools' menuitem: Password Scrambler... - {2225A222-A789-11CE-86F8-0020AFD8C6DB} - C:\PROGRA~1\PASSWO~1\pwscr.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://intellectuallychallenged.spaces.liv...ad/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live Mail desktop\mailcomm.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Vet\ISafe.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: RdnaoFlSvc - Unknown owner - C:\Program Files\rnamfler\naofsvc.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Vet\VetMsg.exe

my SDFix report:

SDFix: Version 1.87

Run by Luke on Thu 14/06/2007 at 04:14 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
WSMSPSVC

ImagePath:
"C:\WINDOWS\msngr.exe"

WSMSPSVC - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\msngr.exe - Deleted
C:\DOCUME~1\Luke\LOCALS~1\Temp\tmp*.tmp - Deleted



Removing Temp Files...

ADS Check:

Checking C:\WINDOWS\
C:\WINDOWS
No streams found.

Checking C:\WINDOWS\system32
C:\WINDOWS\system32
No streams found.

Checking C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Checking C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\TrackMania Sunrise Extreme Demo\\TmSunriseExtremeDemo.exe"="C:\\Program Files\\TrackMania Sunrise Extreme Demo\\TmSunriseExtremeDemo.exe:*:Enabled:TmSunriseExtremeDemo"
"C:\\WINDOWS\\system32\\rtcshare.exe"="C:\\WINDOWS\\system32\\rtcshare.exe:*:Enabled:RTC App Sharing"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windowsr NetMeetingr"
"C:\\downloads\\dplaysvr.exe"="C:\\downloads\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Server "
"C:\\Program Files\\DAP\\DAP.exe"="C:\\Program Files\\DAP\\DAP.exe:*:Enabled:Download Accelerator Plus (DAP)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Disabled:LimeWire"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Disabled:LimeWire swarmed installer"
"C:\\Program Files\\Ascaron Entertainment\\Sacred Underworld\\GameServer.exe"="C:\\Program Files\\Ascaron Entertainment\\Sacred Underworld\\GameServer.exe:*:Enabled:Sacred Gameserver"
"C:\\Program Files\\Ascaron Entertainment\\Sacred Underworld\\Sacred.exe"="C:\\Program Files\\Ascaron Entertainment\\Sacred Underworld\\Sacred.exe:*:Enabled:Sacred"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Enabled:Windows Media Player"
"C:\\Team17\\Worms2\\frontend.exe"="C:\\Team17\\Worms2\\frontend.exe:*:Enabled:Worms 2 Frontend"
"E:\\AUTORUN\\GAME\\INSTALL\\BINARIES\\FRONTEND.EXE"="E:\\AUTORUN\\GAME\\INSTALL\\BINARIES\\FRONTEND.EXE:*:Enabled:Worms 2 Frontend"
"C:\\Team17\\Worms 2\\frontend.exe"="C:\\Team17\\Worms 2\\frontend.exe:*:Enabled:Worms 2 Frontend"
"C:\\Team17\\Worms World Party\\wwp.exe"="C:\\Team17\\Worms World Party\\wwp.exe:*:Enabled:Worms World Party"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\BitTorrent_DNA\\dna.exe"="C:\\Program Files\\BitTorrent_DNA\\dna.exe:*:Enabled:DNA"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\BitDownload\\BitDownload.exe"="C:\\Program Files\\BitDownload\\BitDownload.exe:*:Enabled:Warez3"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Listing Files with Hidden Attributes:

C:\Documents and Settings\Jenny\Local Settings\Application Data\Microsoft\Windows Live Mail desktop\intellectuallychallengedlightbulb@hotmail.com\sqmdata00.sqm
C:\Documents and Settings\Jenny\Local Settings\Application Data\Microsoft\Windows Live Mail desktop\intellectuallychallengedlightbulb@hotmail.com\sqmdata01.sqm
C:\Documents and Settings\Jenny\Local Settings\Application Data\Microsoft\Windows Live Mail desktop\intellectuallychallengedlightbulb@hotmail.com\sqmdata02.sqm
C:\Documents and Settings\Jenny\Local Settings\Application Data\Microsoft\Windows Live Mail desktop\intellectuallychallengedlightbulb@hotmail.com\sqmnoopt00.sqm
C:\Documents and Settings\Jenny\Local Settings\Application Data\Microsoft\Windows Live Mail desktop\intellectuallychallengedlightbulb@hotmail.com\sqmnoopt01.sqm
C:\Documents and Settings\Jenny\Local Settings\Application Data\Microsoft\Windows Live Mail desktop\intellectuallychallengedlightbulb@hotmail.com\sqmnoopt02.sqm
C:\Documents and Settings\Luke\Local Settings\Application Data\Microsoft\Windows Live Mail desktop\intellectuallychallengedlightbulb@hotmail.com\sqmdata00.sqm
C:\Documents and Settings\Luke\Local Settings\Application Data\Microsoft\Windows Live Mail desktop\intellectuallychallengedlightbulb@hotmail.com\sqmnoopt00.sqm
C:\Program Files\Screensavers.com\Wallpaper\Thumbs.db
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Picasa2\setup.exe
C:\WINDOWS\system32\msgnmsger.exe
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\3070351b7b7b1b5a00cb7c20e2fa282b\download\BIT4B.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8dbf0f4424218c97fa801be8e5357ee6\BIT3A.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8e8b5b7a1069eb0ba2436bf833b767d5\BIT37.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\9789aa1836af21d34531761e24f80865\BIT36.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\9b6de1cddd5d4d86811ab127dd0acdc6\download\BIT47.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\a3e5a43c595879ea0a9851ad8a82c80b\download\BIT4E.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\f9001093eecede98e61e55f611b2df2b\BIT4F.tmp

Listing User Accounts:

User accounts for \\JENNY-41F1FFAB6

Administrator ASPNET Guest
HelpAssistant Jenny Luke
SUPPORT_388945a0


Finished

My Smitfraud log:

SmitFraudFix v2.195

Scan done at 16:25:31.62, Thu 14/06/2007
Run from C:\Documents and Settings\Luke\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Vet\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\rnamfler\naofsvc.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Vet\VetMsg.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\rnamfler\naomf.exe
C:\Vet\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
c:\program files\rnamfler\radprcmp.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Luke


C:\Documents and Settings\Luke\Application Data


Start Menu


C:\DOCUME~1\Luke\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{11853d5f-f894-4cc7-bbc3-fc7a9dcfd896}"="bonspells"



AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Rustock



DNS

Description: Marvell Yukon Gigabit Ethernet 10/100/1000Base-T Adapter, Copper RJ-45 - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.254

HKLM\SYSTEM\CCS\Services\Tcpip\..\{6203F72A-679C-4F7D-BC15-1AE8744C985D}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6203F72A-679C-4F7D-BC15-1AE8744C985D}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\..\{6203F72A-679C-4F7D-BC15-1AE8744C985D}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254


Scanning for wininet.dll infection


End

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:11:37 PM

Posted 14 June 2007 - 02:38 AM

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge it into the registry,then reboot.

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{11853d5f-f894-4cc7-bbc3-fc7a9dcfd896}"=-

*****************************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.


Also post a new Hijackthis log please.
Posted Image
Posted Image

#5 Guest_luke.simpson24_*

Guest_luke.simpson24_*

  • Guests
  • OFFLINE
  •  

Posted 19 June 2007 - 03:05 AM

Hi. thanks for responding. the popup is gone! Though for some reason word 2003 wont run. Well it does but literally takes 20 minutes to load.

My combofix log:

ComboFix 07-06-18.2 - C:\Documents and Settings\Luke\Desktop\ComboFix.exe
"Luke" - 2007-06-19 17:46:23 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

msxml3a.dll


((((((((((((((((((((((((( Files Created from 2007-05-20 to 2007-06-20 )))))))))))))))))))))))))))))))


2007-06-20 10:38 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-19 08:43 <DIR> d-------- C:\Program Files\Blue Coat K9 Web Protection
2007-06-18 14:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-06-17 05:03 <DIR> d-------- C:\Program Files\B Gone
2007-06-15 09:30 106 --a--c--- C:\delete.bat
2007-06-15 09:25 3,032 --a------ C:\WINDOWS\system32\tmp.reg
2007-06-15 09:24 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-06-15 09:24 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-06-15 09:24 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-06-14 11:13 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-06-14 11:00 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2007-06-14 11:00 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2007-06-14 11:00 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2007-06-14 10:28 <DIR> d-------- C:\Program Files\Windows Defender
2007-06-13 12:29 116,736 -r-hs---- C:\WINDOWS\system32\msgnmsger.exe
2007-06-12 13:01 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-12 12:33 <DIR> d-------- C:\Program Files\F-Group
2007-06-10 14:47 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-10 14:40 <DIR> d-------- C:\Program Files\Symantec
2007-06-10 14:40 <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-06-10 09:13 <DIR> d-------- C:\DOCUME~1\Luke\APPLIC~1\TuneUp Software
2007-06-10 09:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TuneUp Software
2007-06-10 07:27 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-06-10 07:12 <DIR> d-------- C:\DOCUME~1\Luke\.housecall6.6
2007-06-10 06:28 <DIR> d----c--- C:\!KillBox
2007-06-08 09:01 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-06-07 10:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trojan Remover
2007-06-06 10:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\third mfcd multi byte
2007-06-04 13:01 <DIR> d-------- C:\Program Files\AdwareAlert
2007-06-04 13:01 <DIR> d-------- C:\DOCUME~1\Luke\APPLIC~1\AdwareAlert
2007-06-02 08:58 <DIR> d----c--- C:\REVEAL
2007-05-27 09:22 <DIR> d-------- C:\Program Files\RegistrySmart(2)
2007-05-27 08:41 <DIR> d-------- C:\DOCUME~1\Luke\APPLIC~1\RegistrySmart
2007-05-24 09:38 624,784 --a--c--- C:\WINDOWS\system32\SymNeti.dll
2007-05-24 09:38 242,320 --a--c--- C:\WINDOWS\system32\SymRedir.dll
2007-05-24 09:02 8,126,464 --a------ C:\DOCUME~1\Luke\ntuser.dat
2007-05-23 13:07 99,904 --a------ C:\WINDOWS\system32\isafeif.dll
2007-05-23 13:07 79,424 --a------ C:\WINDOWS\system32\vetredir.dll
2007-05-23 13:07 75,280 --a------ C:\WINDOWS\system32\isafprod.dll
2007-05-23 13:07 630,464 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2007-05-23 13:07 32,528 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-05-23 13:07 26,640 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2007-05-23 13:07 21,648 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2007-05-23 13:07 21,392 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2007-05-23 13:07 108,656 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2007-05-23 13:07 <DIR> d----c--- C:\Vet
2007-05-23 13:06 <DIR> d-------- C:\Program Files\CA
2007-05-21 14:25 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-05-21 12:29 176 --a------ C:\DOCUME~1\Luke\ms032ksc.dll
2007-05-21 06:16 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-20 09:07 8,873 --a------ C:\DOCUME~1\Luke\ms32131.scr
2007-05-20 06:26 810,063 --a------ C:\WINDOWS\system32\kill3.exe
2007-05-20 06:26 810,063 --a------ C:\WINDOWS\system32\kill3(1).exe
2007-05-20 04:30 48,776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-05-20 04:30 115,000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-05-20 04:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-05-20 04:28 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-19 22:41:24 -------- d--h--r C:\Program Files\rnamfler
2007-06-18 14:17:22 -------- d-----w C:\Program Files\No Trace
2007-06-18 14:13:34 724,992 ----a-w C:\WINDOWS\iun6002.exe
2007-06-16 19:05:14 -------- d-----w C:\DOCUME~1\Luke\APPLIC~1\ZipGenius
2007-06-14 01:25:56 -------- d-----w C:\Program Files\BitTorrent
2007-06-14 00:23:51 -------- d-----w C:\Program Files\Windows Desktop Search
2007-06-14 00:22:01 -------- d-----w C:\Program Files\LimeWire
2007-06-13 02:17:27 -------- d-----w C:\DOCUME~1\Luke\APPLIC~1\BitTorrent
2007-06-13 01:55:24 -------- d-----w C:\Program Files\MSN Messenger
2007-06-10 04:47:03 -------- d-----w C:\DOCUME~1\Luke\APPLIC~1\dvdcss
2007-06-10 04:38:13 -------- d-----w C:\Program Files\Musicnotes
2007-06-10 04:36:35 -------- d-----w C:\Program Files\Nodtronics
2007-06-02 03:16:46 -------- d-----w C:\DOCUME~1\Luke\APPLIC~1\Creative
2007-05-20 21:36:10 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-20 21:18:43 -------- d-----w C:\Program Files\Common Files\Real
2007-05-20 21:18:06 -------- d-----w C:\DOCUME~1\Luke\APPLIC~1\Real
2007-05-20 21:08:04 -------- d-----w C:\Program Files\IrfanView
2007-05-20 21:05:23 -------- d-----w C:\Program Files\Audible
2007-05-17 07:23:35 -------- d-----w C:\DOCUME~1\Luke\APPLIC~1\McAfee.com Personal Firewall
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-14 23:04:40 48,640 ----a-w C:\WINDOWS\system32\drivers\cwmtdi.sys
2007-05-09 00:24:22 -------- d-----w C:\DOCUME~1\Luke\APPLIC~1\Smilebox
2007-05-08 23:02:25 -------- d-----w C:\Program Files\Paint.NET
2007-05-06 20:56:28 -------- d-----w C:\DOCUME~1\Luke\APPLIC~1\ZoomBrowser EX
2007-05-06 20:48:00 -------- d-----w C:\Program Files\Canon
2007-05-06 20:44:09 -------- d-----w C:\Program Files\Common Files\Canon
2007-05-06 20:29:10 -------- d-----w C:\Program Files\Xilisoft
2007-05-04 03:24:06 -------- d-----w C:\Program Files\AJE Software
2007-05-04 00:16:26 -------- d-----w C:\Program Files\TubeSucker
2007-05-02 07:14:46 596 ----a-w C:\WINDOWS\system32\STARTUP.REG
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-23 02:40:23 -------- d-----w C:\Program Files\iTunes
2007-04-23 02:40:17 -------- d-----w C:\Program Files\iPod
2007-04-23 02:38:35 -------- d-----w C:\Program Files\QuickTime
2007-04-23 02:37:30 -------- d-----w C:\Program Files\Apple Software Update
2007-04-23 01:08:37 -------- d-----w C:\Program Files\SiteAdvisor
2007-04-23 01:07:08 -------- d-----w C:\DOCUME~1\Luke\APPLIC~1\SiteAdvisor
2007-04-23 01:04:00 -------- d-----w C:\Program Files\Picasa2
2007-04-23 01:02:45 -------- d-----w C:\Program Files\ArcSoft
2007-04-23 01:01:37 -------- d-----w C:\Program Files\XviD
2007-04-23 01:01:28 -------- d-----w C:\Program Files\VIDEOzilla
2007-04-23 01:01:23 -------- d-----w C:\Program Files\VideoEgg
2007-04-23 01:01:23 -------- d-----w C:\DOCUME~1\Luke\APPLIC~1\VideoEgg
2007-04-23 01:01:18 -------- d-----w C:\Program Files\MagicDVDCopier
2007-04-23 01:01:16 -------- d-----w C:\Program Files\Easy DVD Player
2007-04-23 01:00:22 -------- d-----w C:\Program Files\STOPzilla!
2007-04-23 01:00:12 -------- d-----w C:\Program Files\IZArc
2007-04-23 01:00:09 -------- d-----w C:\Program Files\Mozilla Thunderbird
2007-04-23 00:59:58 -------- d-----w C:\Program Files\Codemasters
2007-04-23 00:58:50 -------- d-----w C:\Program Files\iPod(2)
2007-04-23 00:58:08 -------- d-----w C:\DOCUME~1\Luke\APPLIC~1\Simply Super Software
2007-04-23 00:58:08 -------- d-----w C:\DOCUME~1\Luke\APPLIC~1\Elaborate Bytes
2007-04-23 00:58:02 -------- d-----w C:\Program Files\Ultra Video To iPod Converter(2)
2007-04-23 00:55:32 -------- d-----w C:\Program Files\TubeSucker(2)
2007-04-22 21:21:13 -------- d-----w C:\Program Files\TDK
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-13 14:38]
{089FD14D-132B-48FC-8861-0048AE113215}=C:\Program Files\SiteAdvisor\6066\SiteAdv.dll [2007-03-31 01:41]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 20:43]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-04-18 06:32]
{955BE0B8-BC85-4CAF-856E-8E0D8B610560}=C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL [2005-06-05 02:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wrna3ls"="C:\Program Files\rnamfler\naomf.exe" [2006-04-02 03:45]
"CAVRID"="C:\Vet\CAVRID.exe" [2007-05-23 13:16]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-06-17 04:34]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-04 11:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\RestrictRun]
"1"=ISecureEntFW.exe
"2"=ISecureEnt.exe
"3"=ISecurePro.exe
"4"=ISecureStd.exe
"5"=ISecureLte.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 22:29]
path=
backup=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Absolute StartUp monitor]
C:\Program Files\F-Group\Absolute StartUp\ASMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IdleBags]
C:\DOCUME~1\Luke\APPLIC~1\AUDIOG~1\adminlies.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
"C:\WINDOWS\system32\hkcmd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
"C:\WINDOWS\system32\igfxtray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliType]
"C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"C:\WINDOWS\system32\NeroCheck.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\POINTER]
"point32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
"C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
"C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wrna3ls]
C:\Program Files\rnamfler\naomf.exe


Contents of the 'Scheduled Tasks' folder
2007-06-09 23:14:18 C:\WINDOWS\tasks\1-Click Maintenance.job
2007-06-06 00:03:12 C:\WINDOWS\tasks\AdwareAlert Scheduled Scan.job
2007-06-09 21:09:02 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2006-10-21 16:34:53 C:\WINDOWS\tasks\MP Scheduled Quick Scan.job
2007-06-20 00:47:16 C:\WINDOWS\tasks\MP Scheduled Scan.job
2007-05-26 22:41:51 C:\WINDOWS\tasks\RegistrySmart Scheduled Scan.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-20 17:53:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-20 17:55:28
C:\ComboFix-quarantined-files.txt ... 2007-06-20 17:55

--- E O F ---

My hijackthis log is:

Logfile of HijackThis v1.99.1
Scan saved at 5:58:02 PM, on 20/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Vet\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\rnamfler\naofsvc.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Vet\VetMsg.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\rnamfler\naomf.exe
C:\Vet\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
c:\program files\rnamfler\radprcmp.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [wrna3ls] C:\Program Files\rnamfler\naomf.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Vet\CAVRID.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Scrambler - {2225A222-A789-11CE-86F8-0020AFD8C6DB} - C:\PROGRA~1\PASSWO~1\pwscr.dll
O9 - Extra 'Tools' menuitem: Password Scrambler... - {2225A222-A789-11CE-86F8-0020AFD8C6DB} - C:\PROGRA~1\PASSWO~1\pwscr.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://intellectuallychallenged.spaces.liv...ad/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live Mail desktop\mailcomm.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Vet\ISafe.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: RdnaoFlSvc - Unknown owner - C:\Program Files\rnamfler\naofsvc.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Vet\VetMsg.exe
O23 - Service: Blue Coat K9 Web Protection (WebFilter) - Unknown owner - C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe

thanks for your help. i cant find an area to post my word 2003 comment. plz tell me where if you know. thanks again

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  

Posted 19 June 2007 - 06:40 AM

Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge it into the registry,then reboot.

REGEDIT4
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IdleBags]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\RestrictRun]

*****************************

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens,copy and paste ALL the following bold blue text in the Quote box below:

Files to delete:
C:\WINDOWS\system32\rhttpaa.dll
C:\WINDOWS\system32\kill3.exe
C:\WINDOWS\system32\kill3(1).exe

Folders to delete:
C:\DOCUME~1\ALLUSE~1\APPLIC~1\third mfcd multi byte

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.

Also post a new Hijackthis log please.
Let me know how your pc is running now.

Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users