lesser-equity

Computer Juice Magazine
Go Back   Computer Juice > Computer Software > Virus, Spyware & Security
Reload this Page

Following malware removal instructions, have some questions.

Register Site Spy Member List Donate Unanswered Posts Search Today's Posts Mark Forums Read Forum Rules



Reply
Page 1 of 2 1 2
 
Thread Tools
  #1  
Old 5th Feb 2008, 10:24
Member Group
  
Posts: 11
Default Following malware removal instructions, have some questions.
I am in the process of trying to clean my computer following the malware removal instructions at the beginning of this forum, and I have a couple of questions before I move on. My biggest concern is that I did not follow quite perfectly the instructions when running the AVG anti spyware program. I screwed up by first running the scan in normal mode without rebooting and running in safe mode. I realized my mistake, and decided just in case to save the log of that scan without taking any action. I then rebooted in safe mode and ran the scan again. At the end, I did take action against the found threats, and then did not remember to save the scan report!! I am hoping that the report I did save while not in safe mode is enough, and if it isn't, what can I do from here to regenerate that report (if that's even possible). It took 8 hours to run a complete scan in safe mode, so I wonder if I can avoid having to do that again. Also, I went through all the steps up to Java updates before I noticed that my SpyBot S&D resident TeaTimer should have been turned off this whole time. I did turn it off at that point, but want to be sure that did not change the results that I should have gotten from running some of these tools. Thank you in advance for your help.

jcastell
  #2  
Old 5th Feb 2008, 11:03
Moderator Group
  
Skill Level: Advanced
Posts: 6,743
Default Following malware removal instructions, have some questions.
It sounds like you are doing fine so far. The guide can be daunting but it is worthwhile.

AVG Reports can be found in:
C:\Program Files\AVG Anti-Spyware 7.5\Reports\
Or in:
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine
On Vista platforms, the default scan report location for AVG Anti-Spyware is:

C:\Users\<user name>\AppData\Roaming\Grisoft\AVG Antispyware 7.5\Reports\

Don't worry about the Tea Timer for now. If you have turned it off at this point then that is fine.

Go ahead and post the logs including a new Hijackthis log.


__________________
  #3  
Old 6th Feb 2008, 18:04
Member Group
  
Posts: 11
Default Following malware removal instructions, have some questions.
Okay, so here is my overall problem. I have (?had) lots of adware installed that was causing popups like crazy. I ran through the steps in the removal instructions, I don't know how successful they were but I know it took a very long time! My startup was and still is very slow. There are multiple items in the list of add/remove programs which don't give me the option to uninstall or remove, including some of the java items I was supposed to be removing during the Java steps. Most of these appear to be remnants of programs which I have attempted to uninstall, and I just need to clean up the rest of these items. I am sure they are just needing to be removed elsewhere in my folders, but I am unsure how to remove them. That is all I have for now, I will post the logs and we'll see from there. Let me know if I can provide any more useful information.

Thanks again,
jcastell

SuperAntiSpyware log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 02/02/2008 at 01:35 PM
Application Version : 3.9.1008
Core Rules Database Version : 3393
Trace Rules Database Version: 1385
Scan type : Complete Scan
Total Scan Time : 16:33:46
Memory items scanned : 390
Memory threats detected : 0
Registry items scanned : 6452
Registry threats detected : 42
File items scanned : 75918
File threats detected : 70
Adware.Tracking Cookie
C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Cookies\administrator@tribalfusion[1].txt
C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Cookies\administrator@bs.serving-sys[2].txt
C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Cookies\administrator@serving-sys[1].txt
C:\Documents and Settings\clucker\Cookies\clucker@2o7[2].txt
C:\Documents and Settings\clucker\Cookies\clucker@adprofile[2].txt
C:\Documents and Settings\clucker\Cookies\clucker@ads.pointroll[2].txt
C:\Documents and Settings\clucker\Cookies\clucker@advertising[1].txt
C:\Documents and Settings\clucker\Cookies\clucker@atdmt[2].txt
C:\Documents and Settings\clucker\Cookies\clucker@atwola[1].txt
C:\Documents and Settings\clucker\Cookies\clucker@bluestreak[1].txt
C:\Documents and Settings\clucker\Cookies\clucker@c.enhance[1].txt
C:\Documents and Settings\clucker\Cookies\clucker@c.goclick[2].txt
C:\Documents and Settings\clucker\Cookies\clucker@casalemedia[1].txt
C:\Documents and Settings\clucker\Cookies\clucker@doubleclick[1].txt
C:\Documents and Settings\clucker\Cookies\clucker@edge.ru4[1].txt
C:\Documents and Settings\clucker\Cookies\clucker@mediaplex[2].txt
C:\Documents and Settings\clucker\Cookies\clucker@metareward[2].txt
C:\Documents and Settings\clucker\Cookies\clucker@nextag[2].txt
C:\Documents and Settings\clucker\Cookies\clucker@pt.crossmediaserv ices[1].txt
C:\Documents and Settings\clucker\Cookies\clucker@questionmarket[1].txt
C:\Documents and Settings\clucker\Cookies\clucker@revenue[1].txt
C:\Documents and Settings\clucker\Cookies\clucker@servedby.advertis ing[2].txt
C:\Documents and Settings\clucker\Cookies\clucker@serving-sys[2].txt
C:\Documents and Settings\clucker\Cookies\clucker@stats2.clicktrack s[1].txt
C:\Documents and Settings\clucker\Cookies\clucker@statse.webtrendsl ive[2].txt
C:\Documents and Settings\clucker\Cookies\clucker@windowsmedia[2].txt
C:\Documents and Settings\clucker\Cookies\clucker@www.directnetadve rtising[1].txt
C:\Documents and Settings\LocalService\Cookies\system@2o7[1].txt
C:\Documents and Settings\LocalService\Cookies\system@adlegend[1].txt
C:\Documents and Settings\LocalService\Cookies\system@adopt.specifi cclick[1].txt
C:\Documents and Settings\LocalService\Cookies\system@ads.pointroll[1].txt
C:\Documents and Settings\LocalService\Cookies\system@ads2.drivelin emedia[2].txt
C:\Documents and Settings\LocalService\Cookies\system@adserver.easy ad[1].txt
C:\Documents and Settings\LocalService\Cookies\system@bs.serving-sys[2].txt
C:\Documents and Settings\LocalService\Cookies\system@dealtime[1].txt
C:\Documents and Settings\LocalService\Cookies\system@enhance[1].txt
C:\Documents and Settings\LocalService\Cookies\system@findwhat[1].txt
C:\Documents and Settings\LocalService\Cookies\system@perf.overture[1].txt
C:\Documents and Settings\LocalService\Cookies\system@questionmarke t[1].txt
C:\Documents and Settings\LocalService\Cookies\system@realmedia[1].txt
C:\Documents and Settings\LocalService\Cookies\system@revsci[2].txt
C:\Documents and Settings\LocalService\Cookies\system@rotator.dex.a djuggler[2].txt
C:\Documents and Settings\LocalService\Cookies\system@server.iad.li veperson[2].txt
C:\Documents and Settings\LocalService\Cookies\system@serving-sys[2].txt
C:\Documents and Settings\LocalService\Cookies\system@sexual-health[1].txt
C:\Documents and Settings\LocalService\Cookies\system@specificclick[2].txt
C:\Documents and Settings\LocalService\Cookies\system@stat.dealtime[2].txt
C:\Documents and Settings\LocalService\Cookies\system@tacoda[2].txt
C:\Documents and Settings\LocalService\Cookies\system@thunderbolt.a djuggler[2].txt
C:\Documents and Settings\LocalService\Cookies\system@trafficmp[1].txt
C:\Documents and Settings\LocalService\Cookies\system@tribalfusion[1].txt
C:\Documents and Settings\LocalService\Cookies\system@upspiral[2].txt
C:\Documents and Settings\LocalService\Cookies\system@waterfrontmed ia.112.2o7[1].txt
C:\Documents and Settings\LocalService\Cookies\system@www.clicksmar t[1].txt
Adware.ClickSpring
HKLM\Software\ClickSpring
HKLM\Software\ClickSpring#UBWKR
Trojan.NetMon/DNSChange
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NET WORK_MONITOR
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NET WORK_MONITOR#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NET WORK_MONITOR\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NET WORK_MONITOR\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NET WORK_MONITOR\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NET WORK_MONITOR\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NET WORK_MONITOR\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NET WORK_MONITOR\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NET WORK_MONITOR\0000#DeviceDesc
Trojan.cmdService
HKLM\SYSTEM\CurrentControlSet\Services\cmdService
HKLM\SYSTEM\CurrentControlSet\Services\cmdService# Type
HKLM\SYSTEM\CurrentControlSet\Services\cmdService# Start
HKLM\SYSTEM\CurrentControlSet\Services\cmdService# ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\cmdService# ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\cmdService# DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\cmdService# ObjectName
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\ Security
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\ Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\ SYSTEM
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\ SYSTEM\CurrentControlSet
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\ SYSTEM\CurrentControlSet\Services
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\ SYSTEM\CurrentControlSet\Services\mchInjDrv
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\ Enum
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\ Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\ Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\ Enum#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMD SERVICE
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMD SERVICE#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMD SERVICE\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMD SERVICE\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMD SERVICE\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMD SERVICE\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMD SERVICE\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMD SERVICE\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMD SERVICE\0000#DeviceDesc
Adware.Adservs
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
Adware.Zango Toolbar/Hb
HKCR\Interface\{85E06077-C824-43D0-A8DC-5EFB17BC348A}
HKCR\Interface\{85E06077-C824-43D0-A8DC-5EFB17BC348A}\ProxyStubClsid
HKCR\Interface\{85E06077-C824-43D0-A8DC-5EFB17BC348A}\ProxyStubClsid32
HKCR\Interface\{85E06077-C824-43D0-A8DC-5EFB17BC348A}\TypeLib
HKCR\Interface\{85E06077-C824-43D0-A8DC-5EFB17BC348A}\TypeLib#Version
RootKit.TnCore/Trace
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
Adware.Unknown Origin
C:\PROGRAM FILES\COMMON FILES\FMRF\FMRFD\CLASS-BARREL
C:\PROGRAM FILES\COMMON FILES\FMRF\FMRFD\VOCABULARY
Adware.ClickSpring/Yazzle
C:\PROGRAM FILES\COMMON FILES\YAZZLE1122OINUNINSTALLER.EXE
Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD7656EF-278A-4282-B6FD-85EB7BA57C4B}\RP276\A0052810.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD7656EF-278A-4282-B6FD-85EB7BA57C4B}\RP277\A0052847.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD7656EF-278A-4282-B6FD-85EB7BA57C4B}\RP278\A0057848.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD7656EF-278A-4282-B6FD-85EB7BA57C4B}\RP281\A0060952.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD7656EF-278A-4282-B6FD-85EB7BA57C4B}\RP282\A0063952.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD7656EF-278A-4282-B6FD-85EB7BA57C4B}\RP283\A0063985.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD7656EF-278A-4282-B6FD-85EB7BA57C4B}\RP284\A0065026.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD7656EF-278A-4282-B6FD-85EB7BA57C4B}\RP287\A0067032.EXE
C:\WINDOWS\SYSTEM32\WNSCPICOMSV32.EXE


AVG log:
[2/4/2008 11:32:46 AM] application start was blocked because of several instances
[2/4/2008 11:36:38 AM] synchronize database and filecache
[2/4/2008 17:08:25 PM] application start was blocked because of several instances
[2/4/2008 17:09:22 PM] application start was blocked because of several instances
[2/4/2008 17:10:15 PM] application start was blocked because of several instances
[2/5/2008 9:36:07 AM] Timer deletion failed, Value: 000003E5
[2/5/2008 9:41:23 AM] synchronize database and filecache
[2/5/2008 10:06:34 AM] application start was blocked because of several instances
[2/5/2008 10:21:04 AM] Timer deletion failed, Value: 000003E5
[2/5/2008 20:53:07 PM] application start was blocked because of several instances
[2/6/2008 10:00:34 AM] synchronize database and filecache

ESET Online Scan:
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2844 (20080201)
# vers_arch_module=1.063 (20080117)
# vers_adv_heur_module=1.060 (20070601)
# EOSSerial=bc08b9334035cf42b0aeea78541cfb82
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-02-04 09:07:21
# local_time=2008-02-04 02:07:21 (-0700, Mountain Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=282536
# found=0
# scan_time=16727

New HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:28:36 PM, on 2/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\sniper.exe\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {37F27A15-E3A4-912B-A038-EF2B2893DFCE} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\sw g.dll
O2 - BHO: (no name) - {AF7B6EBD-AD0C-8F88-0C22-FE9AF3FF4D96} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [F5D9050] C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Qurteyl] "C:\Program Files\s?stem32\w?auboot.exe"
O4 - HKCU\..\Run: [Gdcp] C:\WINDOWS\system32\F?nts\?srss.exe
O4 - HKCU\..\Run: [Qwyem] C:\WINDOWS\??mantec\j?vaw.exe
O4 - HKCU\..\Run: [Kae] "C:\Program Files\?dobe\n?tdde.exe"
O4 - HKCU\..\Run: [Pdx] "C:\Program Files\A?pPatch\l?ass.exe"
O4 - HKCU\..\Run: [Plz] "C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Application Data\F?nts\l?ass.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://my.juno.com/s/sp?r=al&cf=sp
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/re...s/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bej...loader_v10.cab
O20 - AppInit_DLLs: WIKI.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://myspace-857.vo.llnwd.net/0029...99462857_m.gif
O24 - Desktop Component 1: (no name) - http://myspace-979.vo.llnwd.net/0032...20417979_m.jpg
--
End of file - 9019 bytes
  #4  
Old 6th Feb 2008, 22:40
Moderator Group
  
Skill Level: Advanced
Posts: 6,743
Default Following malware removal instructions, have some questions.
It looks like the scans are doing some good. The SuperAntispyware cleaned up some particularly nasty entries. Still work to do. Things should be easier now.

----------

Open Hijackthis and select Do a system scan only.

Place a check mark next to the following entries:
  • O2 - BHO: (no name) - {37F27A15-E3A4-912B-A038-EF2B2893DFCE} - (no file)
  • O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
  • O2 - BHO: (no name) - {AF7B6EBD-AD0C-8F88-0C22-FE9AF3FF4D96} - (no file)
  • O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
  • O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
  • O20 - AppInit_DLLs: WIKI.DLL
Important: Close all windows except for Hijackthis and then click Fix checked.

Exit Hijackthis.

----------

Now run CCleaner.

----------

Download DrWeb CureIt & save it to your desktop.

Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe and then click Start.
  • An Express Scan of your PC notice will appear.
  • Under Start the Express Scan Now Click OK to start.
    • This is a short scan that will scan the files currently running in memory.
    • If or when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the Scan tab and UNcheck Heuristic analysis and click OK
  • Back at the main window, select the Complete scan button.
  • Then click the Green Arrow Start Scanning button on the right and the scan will start.
    • Click Yes to all if it asks if you want to cure/move any file(s).
  • When the scan is done.
  • In the Dr.Web CureIt menu on top left, click File and choose Save report list.
  • Save the DrWeb.csv report to your Desktop.
  • Exit Dr.Web Cureit.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
  • Copy and paste that log in the next reply
----------

Download SDFix.exe and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard).
  • Finally add the contents of the Report.txt in your next post.
----------

After Dr Web and SDFix are done run a new Hijackthis scan and post the log.

----------

Next post please add
Dr Web log
SDFix log
NEW Hijackthis log
__________________
  #5  
Old 12th Feb 2008, 19:52
Member Group
  
Posts: 11
Default Following malware removal instructions, have some questions.
OK Here are the logs:

Dr. Web Log:
A0069123.reg;C:\System Volume Information\_restore{AD7656EF-278A-4282-B6FD-85EB7BA57C4B}\RP289;Trojan.StartPage.1505;Deleted. ;
A0075804.reg;C:\System Volume Information\_restore{AD7656EF-278A-4282-B6FD-85EB7BA57C4B}\RP306;Trojan.StartPage.1505;Deleted. ;
A0077615.reg;C:\System Volume Information\_restore{AD7656EF-278A-4282-B6FD-85EB7BA57C4B}\RP313;Trojan.StartPage.1505;Deleted. ;
A0079126.reg;C:\System Volume Information\_restore{AD7656EF-278A-4282-B6FD-85EB7BA57C4B}\RP315;Trojan.StartPage.1505;Deleted. ;

SDFix Log:

SDFix: Version 1.141
Run by Administrator on Tue 02/12/2008 at 07:39 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix\SDFix
Safe Mode:
Checking Services:
Name:
core
Path:
system32\drivers\core.sys
core - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...

Normal Mode:
Checking Files:
Trojan Files Found:
C:\WINDOWS\wr.txt - Deleted


Removing Temp Files...
ADS Check:


Final Check:
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-12 20:16:34
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\AutoplayHandlers\CancelAutopla y\CLSID]
"\30 A?E?2?A?E?D?8?F?-?5?6?9?5?-?4?a?6?d?-?9?7?0?9?-?1?4?E?5?1?C?D?1?7?B?1?C?'?"=""
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\standard profile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\syste m32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\ \Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Ena bled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Progra m Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Ya hoo! FT Server"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Progra m Files\\Real\\RealPlayer\\realplay.exe:*:Disabled:R ealPlayer"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.e xe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\domainpr ofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\syste m32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
Remaining Files:
---------------
File Backups: - C:\SDFix\SDFix\backups\backups.zip
Files with Hidden Attributes:
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy2\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy2\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe"
Sat 15 Oct 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 15 Oct 2005 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv14.bak"
Thu 24 Nov 2005 245,248 A..HR --- "C:\WINDOWS\system32\ReinstallBackups\0011\DriverF iles\rt73.sys"
Finished!

New HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:42:09 PM, on 2/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\sniper.exe\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\sw g.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [F5D9050] C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Qurteyl] "C:\Program Files\s?stem32\w?auboot.exe"
O4 - HKCU\..\Run: [Gdcp] C:\WINDOWS\system32\F?nts\?srss.exe
O4 - HKCU\..\Run: [Qwyem] C:\WINDOWS\??mantec\j?vaw.exe
O4 - HKCU\..\Run: [Kae] "C:\Program Files\?dobe\n?tdde.exe"
O4 - HKCU\..\Run: [Pdx] "C:\Program Files\A?pPatch\l?ass.exe"
O4 - HKCU\..\Run: [Plz] "C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Application Data\F?nts\l?ass.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://my.juno.com/s/sp?r=al&cf=sp
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/re...s/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://myspace-857.vo.llnwd.net/0029...99462857_m.gif
O24 - Desktop Component 1: (no name) - http://myspace-979.vo.llnwd.net/0032...20417979_m.jpg
--
End of file - 8598 bytes

Thanks again, I really appreciate it!
  #6  
Old 12th Feb 2008, 21:53
Moderator Group
  
Skill Level: Advanced
Posts: 6,743
Default Following malware removal instructions, have some questions.
Looking much better but some of the entries I was worried about are still there..

----------

Open Hijackthis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

Important: Close all windows except for Hijackthis and then click Fix checked.

Exit Hijackthis.

----------

Please download Combofix by sUBs from one of the below links.
(Try all three if necessary)Important! Combofix.exe MUST be saved to and ran from the Desktop.
  • Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.
  • Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
    • Click this link to see a list of security programs that should be disabled and how to disable them.
    • If yours is not listed and you don't know how to disable it, please ask.
  • Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
  • Double click combofix.exe & follow the prompts.
    • From the keyboard select 1 and press Enter
  • When finished, it will produce a log for you.
  • Post that log in your next reply.
Warning: Do not mouseclick combofix's window while it is running. That may cause it to stall
  • If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
  • Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.

----------

Run a New HJT scan and post the log

----------

Next post
Combofix log
NEW Hijackthis log
__________________
  #7  
Old 13th Feb 2008, 19:15
Member Group
  
Posts: 11
Default Following malware removal instructions, have some questions.
OK here are the logs:

Combofix:
ComboFix 08-02-14.1 - Administrator 2008-02-13 19:08:32.1 - NTFSx86
Running from: C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Application Data\DOBE~1
C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Application Data\FNTS~1
C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Application Data\FNTS~2
C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Application Data\ICROSO~1
C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Application Data\MCROSO~1.NET
C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Application Data\SCURIT~1
C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Application Data\SEMBLY~1
C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Application Data\SKS~1
C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Application Data\SMBOLS~1
C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\My Documents\ASKS~1
C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\My Documents\CROSOF~1.NET
C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\My Documents\DOBE~1
C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\My Documents\ECURIT~1
C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\My Documents\TSKS~1
C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\My Documents\YSTEM~1
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\appatc~1
C:\Program Files\Common Files\crosof~1.net
C:\Program Files\Common Files\dobe~1
C:\Program Files\Common Files\fnts~2
C:\Program Files\Common Files\icroso~1.net
C:\Program Files\Common Files\ppatch~1
C:\Program Files\Common Files\sembly~1
C:\Program Files\Common Files\sks~1
C:\Program Files\Common Files\smbols~1
C:\Program Files\crosof~1
C:\Program Files\dobe~1
C:\Program Files\dobe~2
C:\Program Files\pppatc~1
C:\Program Files\sks~1
C:\Program Files\sstem3~1
C:\Program Files\wnsxs~1
C:\WINDOWS\crosof~1
C:\WINDOWS\dobe~1
C:\WINDOWS\fnts~1
C:\WINDOWS\mantec~1
C:\WINDOWS\racle~1
C:\WINDOWS\racle~2
C:\WINDOWS\sks~1
C:\WINDOWS\sks~2
C:\WINDOWS\smbols~1
C:\WINDOWS\sstem3~1
C:\WINDOWS\stem32~1
C:\WINDOWS\system32\asembl~1
C:\WINDOWS\system32\dobe~1
C:\WINDOWS\system32\fnts~1
C:\WINDOWS\system32\icroso~1
C:\WINDOWS\system32\icroso~1.net
C:\WINDOWS\system32\smante~1
C:\WINDOWS\system32\wnsxs~1
C:\WINDOWS\ymante~1
----- BITS: Possible infected sites -----
hxxp://au.dowõj+|Cü¤Ì›v÷+È@™JŸ:®½‰NêGD_©½ºD˜QÄ{¶Àz ÎÝcxLÍØ÷J‚ï…SÀ¶@Ä(tˆ|ŒµtI¾«h×fŸ!WU Client Download S-1-5-18`€HT4?? 6ÚVwoQZC¬¬D¢HÿóM6ÚVwoQZC¬¬D¢HÿóMXuЇö¯ mÈЇö¯mÈЇö¯mÈð­ºÐ‡ö¯mÈД´ßh´Èð­ºÝcxLÍØ ÷J‚ï…SÀ¶@ÄGD_©½ºD˜QÄ{¶ÀzÎGD_©½ºD˜QÄ{¶ÀzÎGD_©½ºD˜QÄ {¶ÀzÎ÷+È@™JŸ:®½‰Nêõj+|Cü¤Ì›vblob•
.
((((((((((((((((((((((((( Files Created from 2008-01-14 to 2008-02-14 )))))))))))))))))))))))))))))))
.
2008-02-13 10:40 . 2008-02-13 10:43 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-02-12 19:29 . 2008-02-12 19:30 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-12 19:18 . 2008-02-13 19:04 <DIR> d-------- C:\SDFix
2008-02-06 17:07 . 2008-02-06 17:07 <DIR> d-------- C:\Program Files\VS Revo Group
2008-02-05 11:47 . 2008-02-05 11:47 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-05 11:46 . 2008-02-05 12:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-04 11:30 . 2008-02-04 11:30 <DIR> d-------- C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Application Data\Grisoft
2008-02-04 11:29 . 2008-02-04 11:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-04 11:29 . 2007-05-30 05:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-04 10:35 . 2008-02-04 10:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-03 21:24 . 2008-02-04 02:07 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-01-31 21:48 . 2008-01-31 21:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-31 21:47 . 2008-02-03 20:35 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-31 21:47 . 2008-01-31 21:47 <DIR> d-------- C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Application Data\SUPERAntiSpyware.com
2008-01-31 21:44 . 2008-02-05 11:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-31 21:28 . 2008-01-31 21:29 <DIR> d-------- C:\Program Files\CCleaner
2008-01-31 21:27 . 2008-01-31 21:28 671,752 --a------ C:\ccsetup204_slim.exe
2008-01-30 23:35 . 2008-01-30 23:36 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy2
2008-01-30 22:55 . 2008-01-30 22:57 9,722,720 --a------ C:\spybotsd152.exe
2008-01-29 22:48 . 2006-04-13 22:05 159,744 --a------ C:\WINDOWS\system32\hasher.dll
2008-01-29 22:47 . 2008-01-29 22:47 <DIR> d-------- C:\Program Files\Trisnap Technologies
2008-01-29 18:22 . 2008-01-29 18:22 <DIR> d-------- C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\DoctorWeb
2008-01-24 10:21 . 2007-12-04 07:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-24 10:21 . 2007-12-04 07:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-24 10:21 . 2007-12-04 07:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-24 10:20 . 2007-12-04 07:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-24 10:20 . 2007-12-04 07:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-24 10:19 . 2007-12-04 06:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-24 10:19 . 2004-01-09 02:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-24 10:19 . 2007-12-04 05:54 95,608 --a------ C:\WINDOWS\system32\AVASTSS.scr
2008-01-24 10:18 . 2008-01-24 10:18 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-23 22:36 . 2007-03-29 05:56 409,600 -----c--- C:\WINDOWS\system32\dllcache\qmgr.dll
2008-01-23 22:36 . 2007-03-29 05:56 18,944 -----c--- C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2008-01-23 22:36 . 2007-03-29 05:56 8,192 -----c--- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2008-01-23 22:36 . 2007-03-29 05:56 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx4.dll
2008-01-23 22:36 . 2007-03-29 05:56 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2008-01-23 22:36 . 2007-03-29 05:56 7,168 --------- C:\WINDOWS\system32\bitsprx4.dll
2008-01-23 19:52 . 2007-12-06 19:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-01-23 19:52 . 2007-06-30 20:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-01-23 19:52 . 2007-06-30 20:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-01-23 19:52 . 2007-12-06 19:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-01-23 19:52 . 2007-12-06 19:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-01-23 19:52 . 2007-12-06 19:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-01-23 19:52 . 2007-12-06 19:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-23 19:52 . 2007-12-06 19:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-01-23 19:52 . 2007-12-06 04:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-01-23 19:18 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-01-23 18:29 . 2008-01-23 18:29 <DIR> d-------- C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Application Data\RegistrySmart
2008-01-20 23:48 . 2008-01-23 20:06 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-16 23:43 . 2008-01-16 23:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PopCap
2008-01-16 00:11 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-15 23:20 . 2008-01-15 23:26 <DIR> d-------- C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Application Data\Image Zone Express
2008-01-15 20:08 . 2008-01-15 20:08 20,747 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-01-15 20:07 . 2008-01-15 20:07 <DIR> d-------- C:\Program Files\Belkin
2008-01-15 20:07 . 2004-04-30 15:12 40,960 --a------ C:\WINDOWS\system32\F5D9050.dll
2008-01-15 20:07 . 2005-06-15 04:35 36,864 --a------ C:\WINDOWS\system32\ss.dll
2008-01-15 20:07 . 2005-06-18 02:48 19,968 --a------ C:\WINDOWS\system32\drivers\ss.sys
2008-01-14 16:18 . 2005-11-24 19:51 245,248 --a------ C:\WINDOWS\system32\drivers\rt73.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-02-05 18:03 --------- d-----w C:\Program Files\Java
2008-01-31 17:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-30 23:22 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-21 22:11 --------- d-----w C:\Program Files\Absolute Poker
2008-01-16 07:49 --------- d-----w C:\Program Files\Common Files\fmrf
2008-01-15 06:21 --------- d-----w C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Application Data\Roxio
2008-01-11 02:54 --------- d-----w C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Application Data\Snapfish
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-02-08 03:02 722,176 ----a-w C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\gotomypc_428.exe
2007-02-03 01:17 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2003-08-27 21:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Qurteyl"="C:\Program Files\s?stem32\w?auboot.exe" [ ]
"Gdcp"="C:\WINDOWS\system32\F?nts\?srss.exe" [ ]
"Qwyem"="C:\WINDOWS\??mantec\j?vaw.exe" [ ]
"Kae"="C:\Program Files\?dobe\n?tdde.exe" [ ]
"Pdx"="C:\Program Files\A?pPatch\l?ass.exe" [ ]
"Plz"="C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Application Data\F?nts\l?ass.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe" [2007-06-14 15:44 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 00:56 143360]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-05 21:05 339968]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 14:20 94208]
"KernelFaultCheck"="C:\WINDOWS\system32\dumpre p 0 -k" [ ]
"F5D9050"="C:\Program Files\Belkin\F5D9050\Belkinwcui.exe" [2006-03-14 16:52 1585152]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp. exe" [2007-12-04 06:00 79224]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"combofix"="C:\WINDOWS\system32\kmd.exe" [2004-08-04 00:56 388608]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe" [2007-06-14 15:44 68856]
[hkey_local_machine\software\microsoft\windows\curr entversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 10:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 02:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 22:12 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-11-05 20:37 155648 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2005-03-08 21:13 1695744 C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-14 15:44 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ERSvc"=2 (0x2)
R3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys [2004-07-09 13:47]
S3 EL3C589;3Com Megahertz LAN PC Card Driver;C:\WINDOWS\system32\DRIVERS\el589nd5.sys [2001-08-17 12:10]
S3 FA411;NETGEAR FA411 PCMCIA Mobile Adapter;C:\WINDOWS\system32\DRIVERS\FA411ND5.sys [2001-03-28 20:15]
[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\start.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-02-09 10:30:04 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program Files\RegistrySmart\RegistrySmart.ex
- C:\Program Files\RegistrySmart
.
************************************************** ************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-13 19:28:17
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************** ************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
************************************************** ************************
.
Completion time: 2008-02-13 19:36:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-14 02:35:49
.
2008-02-13 17:51:52 --- E O F ---


Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:07:08 PM, on 2/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\sniper.exe\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\sw g.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [F5D9050] C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Qurteyl] "C:\Program Files\s?stem32\w?auboot.exe"
O4 - HKCU\..\Run: [Gdcp] C:\WINDOWS\system32\F?nts\?srss.exe
O4 - HKCU\..\Run: [Qwyem] C:\WINDOWS\??mantec\j?vaw.exe
O4 - HKCU\..\Run: [Kae] "C:\Program Files\?dobe\n?tdde.exe"
O4 - HKCU\..\Run: [Pdx] "C:\Program Files\A?pPatch\l?ass.exe"
O4 - HKCU\..\Run: [Plz] "C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Application Data\F?nts\l?ass.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://my.juno.com/s/sp?r=al&cf=sp
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/re...s/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://myspace-857.vo.llnwd.net/0029...99462857_m.gif
O24 - Desktop Component 1: (no name) - http://myspace-979.vo.llnwd.net/0032...20417979_m.jpg
--
End of file - 8243 bytes

Let me know what next!

Many thanks, once again!
  #8  
Old 14th Feb 2008, 09:25
Moderator Group
  
Skill Level: Advanced
Posts: 6,743
Default Following malware removal instructions, have some questions.
Download ViewpointKiller
  • Unzip the program and all of the contents of ViewpointKiller.zip to a location such as your desktop.
  • Double click the ViewpointKiller icon to run ViewpointKiller.exe.
  • Select the File menu, and select Check to see if you have Viewpoint installed.
  • If ViewpointKiller indicates that any of the Viewpoint variants are installed, select the proper Kill option in the File menu.
  • Follow the prompts and instructions very carefully, answering Yes or No depending on which option you are most comfortable with.
  • The MsConfig instructions are very important, so be sure to read them carefully.
  • Note: When done with ViewpointKiller right click and delete all files that were unzipped.
----------

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
File::
C:\WINDOWS\imsins.BAK

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Qurteyl"=-
"Gdcp"=-
"Qwyem"=-
"Kae"=-
"Pdx"=-
"Plz"=-
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to freeze

----------

Click Start > Run and type in: services.msc
Click OK
In the Services window find: SysEnforce
Select/highlight and right click the entry, and choose: Properties
On the General tab, under Service Status click the Stop button
Beside: Startup Type, in the drop menu, select: Disabled
Click Apply, then OK

Now, go to Start > Run, and copy/paste the following into the Open box:

sc delete SysEnforce

Click: OK

----------

Open Hijackthis and select Do a system scan only.

Place a check mark next to the following entries: (if there)
  • O4 - HKCU\..\Run: [Gdcp] C:\WINDOWS\system32\F?nts\?srss.exe
  • O4 - HKCU\..\Run: [Kae] "C:\Program Files\?dobe\n?tdde.exe"
  • O4 - HKCU\..\Run: [Pdx] "C:\Program Files\A?pPatch\l?ass.exe"
  • O4 - HKCU\..\Run: [Plz] "C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Application Data\F?nts\l?ass.exe"
  • O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE (file missing)
Important: Close all windows except for Hijackthis and then click Fix checked.

Exit Hijackthis.

----------

Next post please add
Combofix log
NEW Hijackthis log
__________________
  #9  
Old 14th Feb 2008, 18:34
Member Group
  
Posts: 11
Default Following malware removal instructions, have some questions.
Uh, oh! I hope I didn't really screw up: I did everything right, but I didn't disable my antispyware etc. before I dropped the program into combofix!!! I went ahead and ran another Hijack scan and saved the log. I will post both of them here. Let me know what to do.

Combofix:
ComboFix 08-02-14.1 - Administrator 2008-02-14 12:05:03.2 - NTFSx86
Running from: C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Desktop\CFScript.txt
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE
C:\WINDOWS\imsins.BAK
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\imsins.BAK
.
((((((((((((((((((((((((( Files Created from 2008-01-14 to 2008-02-14 )))))))))))))))))))))))))))))))
.
2008-02-12 19:29 . 2008-02-12 19:30 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-12 19:18 . 2008-02-13 19:04 <DIR> d-------- C:\SDFix
2008-02-06 17:07 . 2008-02-06 17:07 <DIR> d-------- C:\Program Files\VS Revo Group
2008-02-05 11:47 . 2008-02-05 11:47 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-05 11:46 . 2008-02-05 12:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-04 11:30 . 2008-02-04 11:30 <DIR> d-------- C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Application Data\Grisoft
2008-02-04 11:29 . 2008-02-04 11:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-04 11:29 . 2007-05-30 05:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-04 10:35 . 2008-02-04 10:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-03 21:24 . 2008-02-04 02:07 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-01-31 21:48 . 2008-01-31 21:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-31 21:47 . 2008-02-03 20:35 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-31 21:47 . 2008-01-31 21:47 <DIR> d-------- C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Application Data\SUPERAntiSpyware.com
2008-01-31 21:44 . 2008-02-05 11:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-31 21:28 . 2008-01-31 21:29 <DIR> d-------- C:\Program Files\CCleaner
2008-01-31 21:27 . 2008-01-31 21:28 671,752 --a------ C:\ccsetup204_slim.exe
2008-01-30 23:35 . 2008-01-30 23:36 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy2
2008-01-30 22:55 . 2008-01-30 22:57 9,722,720 --a------ C:\spybotsd152.exe
2008-01-29 22:48 . 2006-04-13 22:05 159,744 --a------ C:\WINDOWS\system32\hasher.dll
2008-01-29 22:47 . 2008-01-29 22:47 <DIR> d-------- C:\Program Files\Trisnap Technologies
2008-01-29 18:22 . 2008-01-29 18:22 <DIR> d-------- C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\DoctorWeb
2008-01-24 10:21 . 2007-12-04 07:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-24 10:21 . 2007-12-04 07:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-24 10:21 . 2007-12-04 07:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-24 10:20 . 2007-12-04 07:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-24 10:20 . 2007-12-04 07:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-24 10:19 . 2007-12-04 06:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-24 10:19 . 2004-01-09 02:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-24 10:19 . 2007-12-04 05:54 95,608 --a------ C:\WINDOWS\system32\AVASTSS.scr
2008-01-24 10:18 . 2008-01-24 10:18 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-23 22:36 . 2007-03-29 05:56 409,600 -----c--- C:\WINDOWS\system32\dllcache\qmgr.dll
2008-01-23 22:36 . 2007-03-29 05:56 18,944 -----c--- C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2008-01-23 22:36 . 2007-03-29 05:56 8,192 -----c--- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2008-01-23 22:36 . 2007-03-29 05:56 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx4.dll
2008-01-23 22:36 . 2007-03-29 05:56 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2008-01-23 22:36 . 2007-03-29 05:56 7,168 --------- C:\WINDOWS\system32\bitsprx4.dll
2008-01-23 19:52 . 2007-12-06 19:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-01-23 19:52 . 2007-06-30 20:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-01-23 19:52 . 2007-06-30 20:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-01-23 19:52 . 2007-12-06 19:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-01-23 19:52 . 2007-12-06 19:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-01-23 19:52 . 2007-12-06 19:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-01-23 19:52 . 2007-12-06 19:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-23 19:52 . 2007-12-06 19:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-01-23 19:52 . 2007-12-06 04:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-01-23 19:18 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-01-23 18:29 . 2008-01-23 18:29 <DIR> d-------- C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Application Data\RegistrySmart
2008-01-20 23:48 . 2008-01-23 20:06 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-16 23:43 . 2008-01-16 23:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PopCap
2008-01-16 00:11 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-15 23:20 . 2008-01-15 23:26 <DIR> d-------- C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Application Data\Image Zone Express
2008-01-15 20:08 . 2008-01-15 20:08 20,747 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-01-15 20:07 . 2008-01-15 20:07 <DIR> d-------- C:\Program Files\Belkin
2008-01-15 20:07 . 2004-04-30 15:12 40,960 --a------ C:\WINDOWS\system32\F5D9050.dll
2008-01-15 20:07 . 2005-06-15 04:35 36,864 --a------ C:\WINDOWS\system32\ss.dll
2008-01-15 20:07 . 2005-06-18 02:48 19,968 --a------ C:\WINDOWS\system32\drivers\ss.sys
2008-01-14 16:18 . 2005-11-24 19:51 245,248 --a------ C:\WINDOWS\system32\drivers\rt73.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-02-05 18:03 --------- d-----w C:\Program Files\Java
2008-01-31 17:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-30 23:22 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-21 22:11 --------- d-----w C:\Program Files\Absolute Poker
2008-01-16 07:49 --------- d-----w C:\Program Files\Common Files\fmrf
2008-01-15 06:21 --------- d-----w C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Application Data\Roxio
2008-01-11 02:54 --------- d-----w C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Application Data\Snapfish
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-02-08 03:02 722,176 ----a-w C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\gotomypc_428.exe
2007-02-03 01:17 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2003-08-27 21:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Qurteyl"="C:\Program Files\s?stem32\w?auboot.exe" [ ]
"Gdcp"="C:\WINDOWS\system32\F?nts\?srss.exe" [ ]
"Qwyem"="C:\WINDOWS\??mantec\j?vaw.exe" [ ]
"Kae"="C:\Program Files\?dobe\n?tdde.exe" [ ]
"Pdx"="C:\Program Files\A?pPatch\l?ass.exe" [ ]
"Plz"="C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Application Data\F?nts\l?ass.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe" [2007-06-14 15:44 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 00:56 143360]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-05 21:05 339968]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 14:20 94208]
"F5D9050"="C:\Program Files\Belkin\F5D9050\Belkinwcui.exe" [2006-03-14 16:52 1585152]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp. exe" [2007-12-04 06:00 79224]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"combofix"="C:\WINDOWS\system32\kmd.exe" [2004-08-04 00:56 388608]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe" [2007-06-14 15:44 68856]
[hkey_local_machine\software\microsoft\windows\curr entversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 10:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 02:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 22:12 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-11-05 20:37 155648 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2005-03-08 21:13 1695744 C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-14 15:44 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ERSvc"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\start.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-02-09 10:30:04 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program Files\RegistrySmart\RegistrySmart.ex
- C:\Program Files\RegistrySmart
.
************************************************** ************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-14 12:35:07
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************** ************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
************************************************** ************************
.
Completion time: 2008-02-14 12:43:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-14 19:43:07
ComboFix2.txt 2008-02-14 02:36:03
.
2008-02-13 17:51:52 --- E O F ---

Hijackthis!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:24:14 PM, on 2/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\sniper.exe\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\sw g.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [F5D9050] C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://my.juno.com/s/sp?r=al&cf=sp
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/re...s/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - http://myspace-857.vo.llnwd.net/0029...99462857_m.gif
O24 - Desktop Component 1: (no name) - http://myspace-979.vo.llnwd.net/0032...20417979_m.jpg
--
End of file - 7586 bytes
  #10  
Old 14th Feb 2008, 19:53
Moderator Group
  
Skill Level: Advanced
Posts: 6,743
Default Following malware removal instructions, have some questions.
Now download The Avenger By Swandog46, and save it to your Desktop.
  • Extract avenger.exe from the Zip file and save it to your desktop
  • Run avenger.exe by double-clicking on it.
  • Check the Input script manually box.
  • Click on the Magnifying Glass Icon which will open a new window titled View/edit script
  • Copy everything in the Quote box below, and paste it in the box that opens:
Code:
Registry keys to delete:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qurteyl

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdcp

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qwyem

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kae

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pdx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Plz
Note: the above instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system
  • Now click the 'Done' button.
  • Click on the Green Light and OK the prompt.
  • You will be prompted to restart, click OK at the prompt and your PC should reboot, if not, reboot it yourself.
  • A log file from Avenger will be produced at C:\avenger.txt
The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions.
  • This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  • Please attach the C:\avenger.txt in your next post.
__________________

Please support this forum, donate towards our running costs.
Reply
Page 1 of 2 1 2

Similar Threads
Thread Thread Starter Forum Replies Last Post
Malware Removal - Help VNani Virus, Spyware & Security 23 9th Apr 2008 17:29
Malware Removal Guide - Please Read Before Posting evilfantasy Virus, Spyware & Security 6 4th Mar 2008 10:35
Malware log antbann Virus, Spyware & Security 4 1st Mar 2008 13:31
I need instructions before changing CPU DownSyndromeBoi CPUs, Motherboards & RAM 1 2nd Jan 2008 17:01
Killing Off My Spyware/Malware (take 2) Thumbtack Virus, Spyware & Security 7 1st Dec 2007 09:34

Tags
instructions, malware, questions, removal

Bookmarks
Thread Tools



Arabic Bulgarian Chinese (Simplified) Chinese (Traditional) Croatian Czech Danish Dutch English Finnish French German Greek Hebrew Hungarian Italian Japanese Korean Norwegian Polish Portuguese Romanian Russian Serbian Slovak Spanish Swedish Thai Turkish

Copyright ©2006 - 2009 Computer Juice.
Contact - Sitemap - Tags - Privacy - Top

Powered by vBulletin® Copyright ©2000 - 2009 Jelsoft Enterprises Ltd. SEO by vBSEO ©2009, Crawlability, Inc.