Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Purity Scan And Other Malware


  • This topic is locked This topic is locked
9 replies to this topic

#1 naughtinnice

naughtinnice

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:09:38 AM

Posted 25 June 2007 - 03:49 PM

Ok...so I have run adaware, spyware doctor and spybot search and destroy as well as mcafee's stinger, trend micro and bitdefender. I have emptied all my temp folders and everything else that the forums tell me to do. Still no progress. I am new to hijack this but have read the tutorials and hope that I will post it correctly. Any help that you all can give me will be greatly appreciated. Thanks, Paula


Many, many popups...keep getting an error message that says the program has quit responding and gives me the option of switch to or retry. Also, there is more than one taskmgr in my processes at times...using a lot of cpu...if i notice it there and close it no problem but if it stays there for to long I get a message that tells taskmgr has quit responding and needs to close. Any help again would be appreciated! Thanks!


Logfile of HijackThis v1.99.1
Scan saved at 12:50:25 PM, on 6/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\??mbols\t?skmgr.exe
C:\WINDOWS\system32\SCURIT~1\csrss.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 207.210.117.53 www.winmx.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\Search\YSearchSuggest.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {62384F86-8211-D3EB-181B-F98DB82380BC} - C:\WINDOWS\system32\jmmq.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sart] "C:\WINDOWS\system32\SCURIT~1\csrss.exe" -vt ndrv
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200705...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1179326215687
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O20 - Winlogon Notify: RegCompact - C:\WINDOWS\SYSTEM32\RegCompact.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:38 AM

Posted 25 June 2007 - 04:43 PM

Hello Paula,

I am SifuMike and I will be helping you. :thumbsup:


Go to start > control panel > software > add/remove programs and uninstall next if present:

OINS
Purityscan


If both are not listed there, download and use this uninstaller:
http://www.outerinfo.com/OiUninstaller.exe

Reboot afterwards.


1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post the ComboFix log and a fresh Hijackthis log in your next reply.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

Edited by SifuMike, 25 June 2007 - 05:16 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 naughtinnice

naughtinnice
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:09:38 AM

Posted 25 June 2007 - 07:15 PM

I have never used ComboFix so I hope this is correct. :thumbsup:


"Paula k" - 2007-06-25 19:19:59 - ComboFix 07-06-25.3 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\PAULAK~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\X4GYSNVU\www.broadcaster.com
C:\DOCUME~1\PAULAK~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\PAULAK~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\DOCUME~1\PAULAK~1\Desktop\internet.lnk
C:\Program Files\Common Files\dobe~1
C:\WINDOWS\system32\mbols~1
C:\WINDOWS\system32\mbols~1\t?skmgr.exe
C:\WINDOWS\system32\scurit~1\csrss.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CLIENT_IP-IPX


((((((((((((((((((((((((( Files Created from 2007-05-25 to 2007-06-25 )))))))))))))))))))))))))))))))


2007-06-25 19:16 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-25 12:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-23 23:57 <DIR> d-------- C:\DOCUME~1\PAULAK~1\APPLIC~1\Bitdefender
2007-06-23 23:50 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-06-23 23:44 83,024 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-06-23 23:44 57,424 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-06-23 23:44 53,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-06-23 23:44 39,376 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-06-23 23:44 29,264 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-06-23 23:44 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-06-23 23:44 <DIR> d-------- C:\DOCUME~1\PAULAK~1\APPLIC~1\PC Tools
2007-06-23 23:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BitDefender
2007-06-23 23:43 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-06-23 22:46 60,928 --a------ C:\WINDOWS\system32\jmmq.dll
2007-06-23 21:17 0 -rahs---- C:\MSDOS.SYS
2007-06-23 21:17 0 -rahs---- C:\IO.SYS
2007-06-23 17:59 <DIR> d-------- C:\Program Files\Setup
2007-06-23 17:21 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-06-23 16:44 <DIR> d-------- C:\WINDOWS\ifwk
2007-06-23 16:42 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Yahoo!
2007-06-23 16:42 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
2007-06-23 16:10 <DIR> d-------- C:\NoLopBackups
2007-06-23 00:46 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-23 00:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-23 00:18 <DIR> d-------- C:\My Downloads
2007-06-23 00:13 <DIR> d-------- C:\DOCUME~1\PAULAK~1\APPLIC~1\WinRAR
2007-06-22 17:48 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-06-21 14:57 <DIR> d-------- C:\DOCUME~1\PAULAK~1\APPLIC~1\EA
2007-06-21 03:39 0 --a------ C:\WINDOWS\system32\mssurun.dat
2007-06-20 00:34 138,552 --a------ C:\WINDOWS\system32\RegCompact.dll
2007-06-20 00:34 <DIR> d-------- C:\Program Files\AMUST
2007-06-19 22:30 <DIR> d-------- C:\DOCUME~1\PAULAK~1\APPLIC~1\Ohana Games
2007-06-19 14:31 <DIR> d-------- C:\Program Files\Mgutil
2007-06-04 15:18 9,344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8,320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6,272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-01 02:52 69,632 --a------ C:\WINDOWS\realbap1.dll
2007-05-31 18:31 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-05-31 13:14 <DIR> d-------- C:\Program Files\mp3DirectCut
2007-05-31 13:09 69,632 --a------ C:\WINDOWS\system32\realbap1.dll
2007-05-31 13:09 45,568 --a------ C:\WINDOWS\system32\realbsf1.dll
2007-05-31 08:55 663,040 --a------ C:\WINDOWS\is-JH69B.exe
2007-05-31 02:41 89,088 --a------ C:\WINDOWS\system32\Shreder.dll
2007-05-31 02:41 73,728 --a------ C:\WINDOWS\system32\smh.dat
2007-05-31 02:41 6,144 --a------ C:\WINDOWS\system32\SuperRes.dll
2007-05-31 02:41 591,872 --a------ C:\WINDOWS\system32\context.dll
2007-05-31 02:41 43,936 --a------ C:\WINDOWS\system32\drivers\HWFProt.sys
2007-05-31 02:41 42 --a------ C:\WINDOWS\system32\vb6sock.dll
2007-05-31 02:41 269,824 --a------ C:\WINDOWS\system32\SuperMenuHook.dll
2007-05-31 02:41 269,824 --a------ C:\WINDOWS\system32\baksm.dll
2007-05-31 02:41 269,824 --a------ C:\WINDOWS\system32\baksm.dat
2007-05-31 02:41 2,273,280 --a------ C:\WINDOWS\system32\vbsbak.dat
2007-05-31 02:41 <DIR> d-------- C:\WINDOWS\system32\IOSUBSYS
2007-05-31 02:41 <DIR> d-------- C:\Program Files\SuperLogix
2007-05-30 23:42 21,840 --a------ C:\WINDOWS\system32\SIntfNT.dll
2007-05-30 23:42 17,212 --a------ C:\WINDOWS\system32\SIntf32.dll
2007-05-30 23:42 12,067 --a------ C:\WINDOWS\system32\SIntf16.dll
2007-05-30 23:34 <DIR> d-------- C:\Program Files\Sierra On-Line
2007-05-30 23:34 <DIR> d-------- C:\Impressions Games
2007-05-30 19:30 <DIR> d-------- C:\Program Files\Profitville
2007-05-30 18:01 <DIR> d-------- C:\Program Files\WinMX
2007-05-29 15:27 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-05-29 14:48 <DIR> d-------- C:\Program Files\Tilted Mill
2007-05-28 22:23 4,096 --a------ C:\WINDOWS\d3dx.dat
2007-05-28 22:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BigFishGamesCache
2007-05-28 19:52 <DIR> d-------- C:\bbe0e758e4345c9b70a38c8f
2007-05-27 18:54 <DIR> d-------- C:\Program Files\ReflexiveArcade
2007-05-27 18:54 <DIR> d-------- C:\Program Files\Burger Rush
2007-05-27 18:37 <DIR> d-------- C:\DOCUME~1\PAULAK~1\APPLIC~1\Morpheus
2007-05-25 19:40 <DIR> d-------- C:\Program Files\Easy Video Splitter
2007-05-25 19:34 <DIR> d-------- C:\DOCUME~1\PAULAK~1\APPLIC~1\Ahead
2007-05-25 19:15 <DIR> d-------- C:\Program Files\Nero
2007-05-25 19:15 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-05-25 19:09 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-05-25 19:02 57,344 --a------ C:\WINDOWS\system32\WNASPINT.DLL
2007-05-25 19:02 <DIR> d-------- C:\Program Files\CDRWIN


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-24 03:29:49 -------- d-----w C:\DOCUME~1\PAULAK~1\APPLIC~1\uTorrent
2007-06-23 22:00:24 -------- d-----w C:\Program Files\WinAce
2007-06-22 21:48:00 -------- d-----w C:\Program Files\Yahoo!
2007-06-22 01:37:04 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-22 01:36:39 -------- d-----w C:\Program Files\PlayFirst
2007-06-22 01:31:55 -------- d-----w C:\Program Files\MySpace
2007-06-20 05:48:26 -------- d-----w C:\DOCUME~1\PAULAK~1\APPLIC~1\PlayFirst
2007-06-20 01:46:47 -------- d-----w C:\Program Files\bfgclient
2007-06-19 20:16:41 -------- d-----w C:\Program Files\LimeWire
2007-06-19 20:16:41 -------- d-----w C:\Program Files\Incomplete
2007-06-19 20:16:41 -------- d-----w C:\DOCUME~1\PAULAK~1\APPLIC~1\LimeWire
2007-06-18 08:20:46 -------- d-----w C:\Program Files\Yahoo! Games
2007-05-25 23:09:31 -------- d-----w C:\DOCUME~1\PAULAK~1\APPLIC~1\U3
2007-05-24 11:52:28 -------- d--h--w C:\DOCUME~1\PAULAK~1\APPLIC~1\GTek
2007-05-23 18:16:33 -------- d-----w C:\Program Files\QuickTime
2007-05-23 03:32:56 -------- d-----w C:\DOCUME~1\PAULAK~1\APPLIC~1\vlc
2007-05-22 19:06:08 -------- d-----w C:\Program Files\Google
2007-05-22 18:45:56 -------- d-----w C:\Program Files\LexarMedia
2007-05-22 18:34:18 -------- d-----w C:\DOCUME~1\PAULAK~1\APPLIC~1\Google
2007-05-22 03:17:26 -------- d-----w C:\Program Files\VideoLAN
2007-05-22 02:46:19 -------- d-----w C:\DOCUME~1\PAULAK~1\APPLIC~1\Desktop Mechanic
2007-05-21 06:33:06 -------- d-----w C:\DOCUME~1\PAULAK~1\APPLIC~1\Paltalk
2007-05-21 06:31:42 -------- d-----w C:\Program Files\Paltalk Messenger
2007-05-18 20:08:57 -------- d-----w C:\DOCUME~1\PAULAK~1\APPLIC~1\Yahoo!
2007-05-18 20:05:25 -------- d-----w C:\Program Files\uTorrent
2007-05-18 05:35:20 -------- d-----w C:\Program Files\Creative
2007-05-18 02:02:22 24 ----a-w C:\WINDOWS\system32\DVCStateBkp-{00000000-00000000-0000000C-00001102-00000002-80321102}.dat
2007-05-18 02:02:22 24 ----a-w C:\WINDOWS\system32\DVCState-{00000000-00000000-0000000C-00001102-00000002-80321102}.dat
2007-05-18 00:13:09 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-05-17 23:52:58 8 ----a-w C:\DFIMB.DAT
2007-05-17 23:34:45 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-05-17 23:34:35 -------- d-----w C:\DOCUME~1\PAULAK~1\APPLIC~1\Leadertech
2007-05-17 22:23:31 -------- d-----w C:\Program Files\Buena Vista Games
2007-05-17 20:46:03 -------- d-----w C:\Program Files\VIA
2007-05-17 18:46:48 -------- d-----w C:\DOCUME~1\PAULAK~1\APPLIC~1\ATI
2007-05-17 18:43:12 -------- d-----w C:\Program Files\Common Files\ATI Technologies
2007-05-17 18:41:55 -------- d-----w C:\Program Files\ATI Technologies
2007-05-17 11:34:25 -------- d-----w C:\Program Files\MSBuild
2007-05-17 11:26:20 -------- d-----w C:\Program Files\Reference Assemblies
2007-05-17 11:24:26 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-05-17 11:10:50 -------- d-----w C:\Program Files\Messenger
2007-05-17 07:52:43 -------- d-----w C:\Program Files\Movie Maker
2007-05-17 07:50:13 -------- d-----w C:\Program Files\Windows NT
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-16 14:21:14 -------- d-----w C:\Program Files\Western Digital
2007-05-16 13:50:48 -------- d-----w C:\Program Files\microsoft frontpage
2007-05-16 13:49:11 -------- d-----w C:\Program Files\Online Services
2007-05-16 13:47:55 -------- d-----w C:\Program Files\Common Files\MSSoap
2007-05-16 13:47:22 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-05-16 13:46:35 -------- d--h--w C:\Program Files\WindowsUpdate
2007-05-16 13:46:23 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-05-16 09:40:49 -------- d-----w C:\Program Files\Common Files\ODBC
2007-05-16 09:40:45 -------- d-----w C:\Program Files\Common Files\SpeechEngines
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-13 19:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4efb-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2007-03-20 17:39]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{5A263CF7-56A6-4D68-A8CF-345BE45BC911}=C:\Program Files\Yahoo!\Search\YSearchSuggest.dll [2007-02-23 19:04]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 16:33]
{62384F86-8211-D3EB-181B-F98DB82380BC}=C:\WINDOWS\system32\jmmq.dll [2007-06-20 10:49]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-19 23:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-06-12 13:19]
"BDMCon"="C:\Program Files\Softwin\BitDefender10\bdmcon.exe" [2007-06-24 12:37]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 15:49]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=00000000
"ClearRecentDocsOnExit"=0000000000000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\RegCompact]
RegCompact.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalStart.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioHQ]
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
RunDll32 cmicnfg.cpl,CMICtrlWnd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Disc Detector]
C:\Program Files\Creative\ShareDLL\CtNotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
"C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\MSMSGS.EXE" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\regssettings]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Repwyp]
C:\WINDOWS\system32\??mbols\t?skmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sart]
"C:\WINDOWS\system32\SCURIT~1\csrss.exe" -vt ndrv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\Updreg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{921c13e8-0687-11dc-bbb8-0001299c07f1}]
AutoRun\command- G:\LaunchU3.exe -a


Contents of the 'Scheduled Tasks' folder
2007-06-23 05:01:48 C:\WINDOWS\tasks\Paula k backup.job
2007-06-23 05:22:29 C:\WINDOWS\tasks\Paula k scan and fix.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-25 19:34:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-25 19:40:29 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-25 19:40

--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 8:11:15 PM, on 6/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\Search\YSearchSuggest.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {62384F86-8211-D3EB-181B-F98DB82380BC} - C:\WINDOWS\system32\jmmq.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200705...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1179326215687
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O20 - Winlogon Notify: RegCompact - C:\WINDOWS\SYSTEM32\RegCompact.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:38 AM

Posted 26 June 2007 - 12:56 AM

Hi Paula,

We are going to back up the registry before we change it.

Go to Start > Run
Type:regedit
Click OK.
  • On the leftside, click to highlight My Computer at the top.
  • Go up to "File > Export"
    • Make sure in that window there is a tick next to "All" under Export Branch.
      Leave the "Save As Type" as "Registration Files".
      Under "Filename" put backup
  • Choose to save it to C:\ or somewhere else safe so that you will remember where you put it (don't put it on the desktop!)
  • Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.

Now we will get rid of two items in the registry.
  • Click Start » Run » type: Notepad » OK
  • Copy (Ctrl+C) and paste (Ctrl+V) the following text inside the code box below (starting with REGEDIT4) to Notepad. (Be sure to use Notepad, not Wordpad, otherwise it won't work).

    REGEDIT4 
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Repwyp]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sart]


  • Make sure there are no blank spaces before REGEDIT4 and there should be one blank line at the end.
  • Click File at the top and then choose Save As.
  • Change Save As Type to All Files.
  • Name it FixME.reg and save it on your desktop.
  • Its icon should look like this : Posted Image
  • Double click FixME.reg. It will ask you if you want to merge it to the registry, click Yes.

You have a suspicious file we need to check.

You will need to configure Windows to show Hidden files.

Go to next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\WINDOWS\is-JH69B.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.

Once scanned, copy and paste the results also in your next reply.

I usually enter my email address at virus total so they can send me the scan results. They usually only take a couple minutes to reply.
You can copy/paste the results of scan results here.

*******************************************

Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial


*******************************************

How to Reboot into Safe Mode
tap F8 key during reboot, until the boot menu appears...use the arrow keys to choose "Safe Mode" from the menu......,then press the "Enter" key. If that does not work this go to this site: http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/



Please boot into Safe Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix."

O2 - BHO: (no name) - {62384F86-8211-D3EB-181B-F98DB82380BC} - C:\WINDOWS\system32\jmmq.dll
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -



*******************************************

Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'

Using Windows Explorer, delete the following files/folders in bold (Do not be concerned if they do not exist)

C:\WINDOWS\system32\jmmq.dll <==file


*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbarfree Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Cookies.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.

In the Applications Tab:
• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Finally, reboot to the Normal Mode ,

Run ComboFix and post the ComboFix log.


Post a new Hijackthis log, ComboFix log, the results of the VirusTotal scan and tell me how your computer is running.

Edited by SifuMike, 26 June 2007 - 12:59 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 naughtinnice

naughtinnice
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:09:38 AM

Posted 26 June 2007 - 03:31 PM

Ok here is the series of logs you wanted to see. My pc is running better as in I dont have any more popups atm but my speed is reaalllllyyy slowwww. I am supposed to have 5 mg connection but you couldnt tell it as of late. Any suggestions? Thank you so much for the help so far....by far the most comprehensive instructions I have seen. Thanks!


ComboFix 07-06-18.2
"Paula k" - 2007-06-26 15:42:03 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\msxml3a.dll


((((((((((((((((((((((((( Files Created from 2007-05-26 to 2007-06-26 )))))))))))))))))))))))))))))))


2007-06-26 13:37 <DIR> d-------- C:\Program Files\CCleaner
2007-06-26 02:11 <DIR> d-------- C:\Program Files\LIUtilities
2007-06-25 19:16 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-25 12:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-23 23:57 <DIR> d-------- C:\DOCUME~1\PAULAK~1\APPLIC~1\Bitdefender
2007-06-23 23:50 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-06-23 23:44 83,024 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-06-23 23:44 57,424 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-06-23 23:44 53,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-06-23 23:44 39,376 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-06-23 23:44 29,264 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-06-23 23:44 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-06-23 23:44 <DIR> d-------- C:\DOCUME~1\PAULAK~1\APPLIC~1\PC Tools
2007-06-23 23:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BitDefender
2007-06-23 23:43 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-06-23 21:17 0 -rahs---- C:\MSDOS.SYS
2007-06-23 21:17 0 -rahs---- C:\IO.SYS
2007-06-23 17:59 <DIR> d-------- C:\Program Files\Setup
2007-06-23 17:21 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-06-23 16:44 <DIR> d-------- C:\WINDOWS\ifwk
2007-06-23 16:42 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Yahoo!
2007-06-23 16:42 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
2007-06-23 16:10 <DIR> d-------- C:\NoLopBackups
2007-06-23 00:46 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-23 00:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-23 00:18 <DIR> d-------- C:\My Downloads
2007-06-23 00:13 <DIR> d-------- C:\DOCUME~1\PAULAK~1\APPLIC~1\WinRAR
2007-06-22 17:48 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-06-21 14:57 <DIR> d-------- C:\DOCUME~1\PAULAK~1\APPLIC~1\EA
2007-06-21 03:39 0 --a------ C:\WINDOWS\system32\mssurun.dat
2007-06-20 00:34 138,552 --a------ C:\WINDOWS\system32\RegCompact.dll
2007-06-20 00:34 <DIR> d-------- C:\Program Files\AMUST
2007-06-19 22:30 <DIR> d-------- C:\DOCUME~1\PAULAK~1\APPLIC~1\Ohana Games
2007-06-19 14:31 <DIR> d-------- C:\Program Files\Mgutil
2007-06-04 15:18 9,344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8,320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6,272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-01 02:52 69,632 --a------ C:\WINDOWS\realbap1.dll
2007-05-31 18:31 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-05-31 13:14 <DIR> d-------- C:\Program Files\mp3DirectCut
2007-05-31 13:09 69,632 --a------ C:\WINDOWS\system32\realbap1.dll
2007-05-31 13:09 45,568 --a------ C:\WINDOWS\system32\realbsf1.dll
2007-05-31 08:55 663,040 --a------ C:\WINDOWS\is-JH69B.exe
2007-05-31 02:41 89,088 --a------ C:\WINDOWS\system32\Shreder.dll
2007-05-31 02:41 73,728 --a------ C:\WINDOWS\system32\smh.dat
2007-05-31 02:41 6,144 --a------ C:\WINDOWS\system32\SuperRes.dll
2007-05-31 02:41 591,872 --a------ C:\WINDOWS\system32\context.dll
2007-05-31 02:41 43,936 --a------ C:\WINDOWS\system32\drivers\HWFProt.sys
2007-05-31 02:41 42 --a------ C:\WINDOWS\system32\vb6sock.dll
2007-05-31 02:41 269,824 --a------ C:\WINDOWS\system32\SuperMenuHook.dll
2007-05-31 02:41 269,824 --a------ C:\WINDOWS\system32\baksm.dll
2007-05-31 02:41 269,824 --a------ C:\WINDOWS\system32\baksm.dat
2007-05-31 02:41 2,273,280 --a------ C:\WINDOWS\system32\vbsbak.dat
2007-05-31 02:41 <DIR> d-------- C:\WINDOWS\system32\IOSUBSYS
2007-05-31 02:41 <DIR> d-------- C:\Program Files\SuperLogix
2007-05-30 23:42 21,840 --a------ C:\WINDOWS\system32\SIntfNT.dll
2007-05-30 23:42 17,212 --a------ C:\WINDOWS\system32\SIntf32.dll
2007-05-30 23:42 12,067 --a------ C:\WINDOWS\system32\SIntf16.dll
2007-05-30 23:34 <DIR> d-------- C:\Program Files\Sierra On-Line
2007-05-30 23:34 <DIR> d-------- C:\Impressions Games
2007-05-30 19:30 <DIR> d-------- C:\Program Files\Profitville
2007-05-30 18:01 <DIR> d-------- C:\Program Files\WinMX
2007-05-29 15:27 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-05-29 14:48 <DIR> d-------- C:\Program Files\Tilted Mill
2007-05-28 22:23 4,096 --a------ C:\WINDOWS\d3dx.dat
2007-05-28 22:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BigFishGamesCache
2007-05-27 18:54 <DIR> d-------- C:\Program Files\ReflexiveArcade
2007-05-27 18:54 <DIR> d-------- C:\Program Files\Burger Rush
2007-05-27 18:37 <DIR> d-------- C:\DOCUME~1\PAULAK~1\APPLIC~1\Morpheus


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-24 03:29:49 -------- d-----w C:\DOCUME~1\PAULAK~1\APPLIC~1\uTorrent
2007-06-23 22:00:24 -------- d-----w C:\Program Files\WinAce
2007-06-22 21:48:00 -------- d-----w C:\Program Files\Yahoo!
2007-06-22 01:41:27 -------- d-----w C:\Program Files\Common Files\Ahead
2007-06-22 01:37:04 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-22 01:36:39 -------- d-----w C:\Program Files\PlayFirst
2007-06-22 01:31:55 -------- d-----w C:\Program Files\MySpace
2007-06-20 05:48:26 -------- d-----w C:\DOCUME~1\PAULAK~1\APPLIC~1\PlayFirst
2007-06-20 01:46:47 -------- d-----w C:\Program Files\bfgclient
2007-06-19 20:16:41 -------- d-----w C:\Program Files\LimeWire
2007-06-19 20:16:41 -------- d-----w C:\Program Files\Incomplete
2007-06-19 20:16:41 -------- d-----w C:\DOCUME~1\PAULAK~1\APPLIC~1\LimeWire
2007-06-18 08:20:46 -------- d-----w C:\Program Files\Yahoo! Games
2007-05-28 00:49:22 -------- d-----w C:\DOCUME~1\PAULAK~1\APPLIC~1\Ahead
2007-05-25 23:40:21 -------- d-----w C:\Program Files\Easy Video Splitter
2007-05-25 23:15:28 -------- d-----w C:\Program Files\Nero
2007-05-25 23:09:31 -------- d-----w C:\DOCUME~1\PAULAK~1\APPLIC~1\U3
2007-05-25 23:02:37 -------- d-----w C:\Program Files\CDRWIN
2007-05-24 11:52:28 -------- d--h--w C:\DOCUME~1\PAULAK~1\APPLIC~1\GTek
2007-05-23 18:16:33 -------- d-----w C:\Program Files\QuickTime
2007-05-23 03:32:56 -------- d-----w C:\DOCUME~1\PAULAK~1\APPLIC~1\vlc
2007-05-22 19:06:08 -------- d-----w C:\Program Files\Google
2007-05-22 18:45:56 -------- d-----w C:\Program Files\LexarMedia
2007-05-22 18:34:18 -------- d-----w C:\DOCUME~1\PAULAK~1\APPLIC~1\Google
2007-05-22 03:17:26 -------- d-----w C:\Program Files\VideoLAN
2007-05-22 02:46:19 -------- d-----w C:\DOCUME~1\PAULAK~1\APPLIC~1\Desktop Mechanic
2007-05-21 06:33:06 -------- d-----w C:\DOCUME~1\PAULAK~1\APPLIC~1\Paltalk
2007-05-21 06:31:42 -------- d-----w C:\Program Files\Paltalk Messenger
2007-05-18 20:08:57 -------- d-----w C:\DOCUME~1\PAULAK~1\APPLIC~1\Yahoo!
2007-05-18 20:05:25 -------- d-----w C:\Program Files\uTorrent
2007-05-18 05:35:20 -------- d-----w C:\Program Files\Creative
2007-05-18 02:02:22 24 ----a-w C:\WINDOWS\system32\DVCStateBkp-{00000000-00000000-0000000C-00001102-00000002-80321102}.dat
2007-05-18 02:02:22 24 ----a-w C:\WINDOWS\system32\DVCState-{00000000-00000000-0000000C-00001102-00000002-80321102}.dat
2007-05-18 00:13:09 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-05-17 23:52:58 8 ----a-w C:\DFIMB.DAT
2007-05-17 23:34:45 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-05-17 23:34:35 -------- d-----w C:\DOCUME~1\PAULAK~1\APPLIC~1\Leadertech
2007-05-17 20:46:03 -------- d-----w C:\Program Files\VIA
2007-05-17 18:46:48 -------- d-----w C:\DOCUME~1\PAULAK~1\APPLIC~1\ATI
2007-05-17 18:43:12 -------- d-----w C:\Program Files\Common Files\ATI Technologies
2007-05-17 18:41:55 -------- d-----w C:\Program Files\ATI Technologies
2007-05-17 11:34:25 -------- d-----w C:\Program Files\MSBuild
2007-05-17 11:26:20 -------- d-----w C:\Program Files\Reference Assemblies
2007-05-17 11:24:26 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-05-17 11:10:50 -------- d-----w C:\Program Files\Messenger
2007-05-17 07:52:43 -------- d-----w C:\Program Files\Movie Maker
2007-05-17 07:50:13 -------- d-----w C:\Program Files\Windows NT
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-16 14:21:14 -------- d-----w C:\Program Files\Western Digital
2007-05-16 13:50:48 -------- d-----w C:\Program Files\microsoft frontpage
2007-05-16 13:49:11 -------- d-----w C:\Program Files\Online Services
2007-05-16 13:47:55 -------- d-----w C:\Program Files\Common Files\MSSoap
2007-05-16 13:47:22 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-05-16 13:46:35 -------- d--h--w C:\Program Files\WindowsUpdate
2007-05-16 13:46:23 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-05-16 09:40:49 -------- d-----w C:\Program Files\Common Files\ODBC
2007-05-16 09:40:45 -------- d-----w C:\Program Files\Common Files\SpeechEngines
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-13 19:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4efb-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2007-03-20 17:39]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{5A263CF7-56A6-4D68-A8CF-345BE45BC911}=C:\Program Files\Yahoo!\Search\YSearchSuggest.dll [2007-02-23 19:04]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 16:33]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-19 23:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-06-12 13:19]
"BDMCon"="C:\Program Files\Softwin\BitDefender10\bdmcon.exe" [2007-06-24 12:37]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 15:49]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=00000000
"ClearRecentDocsOnExit"=0000000000000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\RegCompact]
RegCompact.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalStart.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioHQ]
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
RunDll32 cmicnfg.cpl,CMICtrlWnd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Disc Detector]
C:\Program Files\Creative\ShareDLL\CtNotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
"C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\MSMSGS.EXE" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\regssettings]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\Updreg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{921c13e8-0687-11dc-bbb8-0001299c07f1}]
AutoRun\command- G:\LaunchU3.exe -a


Contents of the 'Scheduled Tasks' folder
2007-06-23 05:01:48 C:\WINDOWS\tasks\Paula k backup.job
2007-06-23 05:22:29 C:\WINDOWS\tasks\Paula k scan and fix.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-26 15:46:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-26 15:48:45
C:\ComboFix-quarantined-files.txt ... 2007-06-26 15:48
C:\ComboFix2.txt ... 2007-06-25 19:40

--- E O F ---

Antivirus Version Update Result
AhnLab-V3 2007.6.27.0 06.26.2007 no virus found
AntiVir 7.4.0.34 06.26.2007 no virus found
Authentium 4.93.8 06.25.2007 no virus found
Avast 4.7.997.0 06.26.2007 no virus found
AVG 7.5.0.476 06.26.2007 no virus found
BitDefender 7.2 06.26.2007 no virus found
CAT-QuickHeal 9.00 06.26.2007 no virus found
ClamAV devel-20070416 06.26.2007 no virus found
DrWeb 4.33 06.26.2007 no virus found
eSafe 7.0.15.0 06.26.2007 no virus found
eTrust-Vet 30.8.3743 06.26.2007 no virus found
Ewido 4.0 06.26.2007 no virus found
FileAdvisor 1 06.26.2007 no virus found
Fortinet 2.91.0.0 06.26.2007 no virus found
F-Prot 4.3.2.48 06.25.2007 no virus found
F-Secure 6.70.13030.0 06.26.2007 no virus found
Ikarus T3.1.1.8 06.26.2007 no virus found
Kaspersky 4.0.2.24 06.26.2007 no virus found
McAfee 5061 06.26.2007 no virus found
Microsoft 1.2701 06.26.2007 no virus found
NOD32v2 2355 06.26.2007 no virus found
Norman 5.80.02 06.26.2007 no virus found
Panda 9.0.0.4 06.26.2007 no virus found
Sophos 4.19.0 06.24.2007 no virus found
Sunbelt 2.2.907.0 06.26.2007 no virus found
Symantec 10 06.26.2007 no virus found
TheHacker 6.1.6.137 06.26.2007 no virus found
VBA32 3.12.0.2 06.25.2007 no virus found

Logfile of HijackThis v1.99.1
Scan saved at 3:29:17 PM, on 6/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\Search\YSearchSuggest.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200705...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1179326215687
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: RegCompact - C:\WINDOWS\SYSTEM32\RegCompact.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:38 AM

Posted 26 June 2007 - 04:36 PM

Hi Paula,

Looks like you have a Red Sheriff infection. Not to worry, we will soon have it killed. :thumbsup:


In Normal Mode, select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix."

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com


Let's empty the temp files:

Run CCleaner.


Reboot your computer.

Lets check for hidden viruses.

Please perform this online scan: Kaspersky Webscan
This scan require Internet Explorer to run.
Read the Requirements and Privacy statement, then select "Accept"
A dialogue box will appearing asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
Select "Install" to download the ActiveX controls that allows ActiveScan to run.
When the download is complete it will say ready, click "Next"
Select a target to scan: Click on "My Computer"
When the scan is complete choose to save the results as "Save as Text"

Post the Kaspersky scan results in your next reply, along with a new Hijackthis log.


but my speed is reaalllllyyy slowwww. I am supposed to have 5 mg connection but you couldnt tell it as of late. Any suggestions?


It is probably you IP provider. I suggest you post at our Windows XP Home and Professional forum. Tell them you have had all your malware removed at the Hijackthis forum, but you are still have a slow internet connection.

Also read Slow Computer/browser? Check Here First; It May Not Be Malware
http://www.bleepingcomputer.com/forums/t/87058/slow-computerbrowser-check-here-first;-it-may-not-be-malware/
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 naughtinnice

naughtinnice
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:09:38 AM

Posted 27 June 2007 - 12:45 AM

Ok....here it is again.....



1:26 AM 6/27/2007-Logfile of HijackThis v1.99.1
Scan saved at 1:22:06 AM, on 6/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\Search\YSearchSuggest.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200705...ex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1179326215687
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: RegCompact - C:\WINDOWS\SYSTEM32\RegCompact.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)










KASPERSKY ONLINE SCANNER REPORT
Wednesday, June 27, 2007 1:20:37 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 27/06/2007
Kaspersky Anti-Virus database records: 353996


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 36384
Number of viruses found 1
Number of infected objects 2
Number of suspicious objects 0
Duration of the scan process 01:20:17

Infected Object Name Virus Name Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Paula k\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Paula k\Desktop\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Paula k\Desktop\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Paula k\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Paula k\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Paula k\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Paula k\Local Settings\History\History.IE5\MSHist012007062620070627\index.dat Object is locked skipped

C:\Documents and Settings\Paula k\Local Settings\Temp\~DF5F06.tmp Object is locked skipped

C:\Documents and Settings\Paula k\ntuser.dat Object is locked skipped

C:\Documents and Settings\Paula k\NTUSER.DAT.LOG Object is locked skipped

C:\QooBox\Quarantine\catchme2007-06-25_193422.79.zip/csrss.exe Infected: Trojan-Downloader.Win32.PurityScan.dx skipped

C:\QooBox\Quarantine\catchme2007-06-25_193422.79.zip ZIP: infected - 1 skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{8147A459-E85B-4BF9-99D3-41252638F5EA}\RP185\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\bdss.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\tmp000038ee\tmp00000000 Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:38 AM

Posted 27 June 2007 - 09:38 PM

Hi Paula,


Your log looks clean! :thumbsup: Good job on the cleanup! :flowers:

How is your computer running?

Let's reset you files so they are hidden and protected.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading deselect Show hidden files and folders.
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK


Let's clean your System Restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows.
The files in System Restore are protected to prevent any programs from changing those files.
This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis

System Restore will now be active again.


Please read and follow How did I get infected?, With steps so it does not happen again!

If you want to improve speed/system performance after malware removal, take a look here.

Edited by SifuMike, 27 June 2007 - 10:42 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:38 AM

Posted 28 June 2007 - 10:10 AM

Hi Paula,

Do you still have this folder C:\Qoobox\quarantine\?

If so please post the contents of it, as I need to check it.

Edited by SifuMike, 28 June 2007 - 10:11 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:38 AM

Posted 19 July 2007 - 05:55 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users