I have a pair of BODACIOUS BREASTS on my desktop...

Post by StilettoRed » March 4th, 2007, 5:58 pm

however, I did not put them there and I would like them removed. The shortcut on the desktop is labeled "Instant Access."

I have a couple of problems. I have a hard time using a firewall as I have difficulty differentiating the good from the bad. When I deny too many apps my email does not work. If I allow too many or disable the firewall I get unwanted visitors. What to do, what to do? Can I use a hardware router and will that provide the security I need? I only use one desktop PC and occasionally a laptop on a dial-up connection. I assume the router will work with just one computer as well as a network?

Right now my email is not working and I am getting an error message:

POP3 Proxy Server: Cannot connect to the mail server!', Port: 110, Secure(SSL): No, Server Error: 0x800CCC90, Error Number: 0x800CCC90

I think there may be something wrong with my Windows Ap rather than a virus or malware. I was having problems after a prior malware infection that was similar to some of the hiccups I get now, such as having lock-ups and going to Task Manager and having to end the program due to lack of response.

Thanks for any help you can provide.

Running:
AVG anti-virus and malware.
Comodo firewall - presently disabled.
Spyware Blaster
SpyBot Search and Destroy
Adaware
CCleaner

Here are my logs:

Logfile of HijackThis v1.99.1
Scan saved at 3:45:40 PM, on 3/4/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\mgabg.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\PDesk\PDesk.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.siliconinvestor.com/subjectmarks.aspx
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPagePro11.0\opware32.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINNT\system32\tbctray.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - http://inst.c-wss.com/135p/html/gtdownlr.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.m-w.com/toolbar/webinstall.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {69565A48-8A92-11D9-8BDE-F66BAD1E3F3A} (BridgeChannel v3.2) - http://channel.bridge.com/bc/java/rbc33_i.cab
O16 - DPF: {8E6AA867-94D4-4B4F-8791-1B048F8C122A} - https://fastsend.com/products/Fsplugin.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BCB608CD-D33D-41BB-98A1-AE59195CFF09}: NameServer = 209.151.92.2 209.151.112.2
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\System32\mgabg.exe

Sunday, March 04, 2007 2:53:31 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 4/03/2007
Kaspersky Anti-Virus database records: 275781


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\

Scan Statistics
Total number of scanned objects 43018
Number of viruses found 4
Number of infected objects 14 / 0
Number of suspicious objects 0
Duration of the scan process 02:20:17

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Comodo\Personal Firewall\Logs\cpf.lock Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\Robert Cummins\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Robert Cummins\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Robert Cummins\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Robert Cummins\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Robert Cummins\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped

C:\Documents and Settings\Robert Cummins\Desktop\SmitfraudFix.exe PE_Patch.UPX: infected - 2 skipped

C:\Documents and Settings\Robert Cummins\Local Settings\Application Data\Identities\{277AA6B9-5804-4859-BCCF-88D80D3B6A22}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Fifth Third Bank" ][Date Sat, 24 Feb 2007 05:53:55 -0600 (CST)]/UNNAMED/html Infected: Trojan-Spy.HTML.Bankfraud.qy skipped

C:\Documents and Settings\Robert Cummins\Local Settings\Application Data\Identities\{277AA6B9-5804-4859-BCCF-88D80D3B6A22}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Fifth Third Bank" ][Date Sat, 24 Feb 2007 05:53:55 -0600 (CST)]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.qy skipped

C:\Documents and Settings\Robert Cummins\Local Settings\Application Data\Identities\{277AA6B9-5804-4859-BCCF-88D80D3B6A22}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Branch Banking and Trust" ][Date Wed, 28 Feb 2007 17:36:39 -0600 (CST)]/UNNAMED/UNNAMED/html Infected: Trojan-Spy.HTML.Bankfraud.ra skipped

C:\Documents and Settings\Robert Cummins\Local Settings\Application Data\Identities\{277AA6B9-5804-4859-BCCF-88D80D3B6A22}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Branch Banking and Trust" ][Date Wed, 28 Feb 2007 17:36:39 -0600 (CST)]/UNNAMED/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.ra skipped

C:\Documents and Settings\Robert Cummins\Local Settings\Application Data\Identities\{277AA6B9-5804-4859-BCCF-88D80D3B6A22}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Branch Banking and Trust" ][Date Wed, 28 Feb 2007 17:36:39 -0600 (CST)]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.ra skipped

C:\Documents and Settings\Robert Cummins\Local Settings\Application Data\Identities\{277AA6B9-5804-4859-BCCF-88D80D3B6A22}\Microsoft\Outlook Express\Deleted Items.dbx Mail MS Outlook 5: infected - 5 skipped

C:\Documents and Settings\Robert Cummins\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Robert Cummins\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Robert Cummins\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Robert Cummins\Local Settings\History\History.IE5\MSHist012007030420070305\index.dat Object is locked skipped

C:\Documents and Settings\Robert Cummins\Local Settings\Temp\~DFE369.tmp Object is locked skipped

C:\Documents and Settings\Robert Cummins\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Robert Cummins\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Robert Cummins\NTUSER.DAT.LOG Object is locked skipped

C:\Program Files\WinBudget\bin\crap.1169173812.old/EXE-file Infected: not-a-virus:AdWare.Win32.BHO.by skipped

C:\Program Files\WinBudget\bin\crap.1169173812.old Embedded EXE: infected - 1 skipped

C:\Program Files\WinBudget\bin\matrix.dll Infected: not-a-virus:AdWare.Win32.BHO.by skipped

C:\WINNT\CSC\00000001 Object is locked skipped

C:\WINNT\Debug\ipsecpa.log Object is locked skipped

C:\WINNT\Debug\oakley.log Object is locked skipped

C:\WINNT\Debug\PASSWD.LOG Object is locked skipped

C:\WINNT\ModemLog_HSP56 MicroModem.txt Object is locked skipped

C:\WINNT\SchedLgU.Txt Object is locked skipped

C:\WINNT\SoftwareDistribution\EventCache\{55FBFD0D-C9B2-47A5-9025-1EC4FE9E9526}.bin Object is locked skipped

C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINNT\Sti_Trace.log Object is locked skipped

C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped

C:\WINNT\system32\config\default Object is locked skipped

C:\WINNT\system32\config\default.LOG Object is locked skipped

C:\WINNT\system32\config\SAM Object is locked skipped

C:\WINNT\system32\config\SAM.LOG Object is locked skipped

C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped

C:\WINNT\system32\config\SECURITY Object is locked skipped

C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped

C:\WINNT\system32\config\software Object is locked skipped

C:\WINNT\system32\config\software.LOG Object is locked skipped

C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped

C:\WINNT\system32\config\system Object is locked skipped

C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped

C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.
StilettoRed
Regular Member
 
Posts: 34
Joined: January 30th, 2007, 7:31 pm

Post by Kimberly » March 5th, 2007, 11:33 am

Hello and welcome,

KAV scan isn't too bad, it's more the Instant Access which is a high premium rate dialer. Let's see if it's still present. We will take care of the other items later on.

Download Blacklight Beta from here:
http://www.f-secure.com/blacklight
  • Hit I accept. It will take you to the download page.
  • Download blbeta.exe and save it to your Desktop.
  • Once saved... double click blbeta.exe to install the program.
  • Click accept agreement and Click scan.
    This application may fire off a warning from antivirus. Let the driver load.
    Wait for it to finish.
  • If it displays any items ... don't do anything with them yet. Just hit exit (close).
  • It will drop a log on your Desktop that starts with fsbl....big number.
Please post contents of log together with a fresh hijackthis log.

StilettoRed wrote:
I have a couple of problems. I have a hard time using a firewall as I have difficulty differentiating the good from the bad. When I deny too many apps my email does not work. If I allow too many or disable the firewall I get unwanted visitors. What to do, what to do? Can I use a hardware router and will that provide the security I need? I only use one desktop PC and occasionally a laptop on a dial-up connection. I assume the router will work with just one computer as well as a network?

Well a hardware router will protect you from unwanted visitors that involve port scanning and hacking but it won't prevent you from bad downloads, bad activex controls, bugs and exploits in webpages ... It sure will help but a hardware router needs rules too if you want your messenger program to work. Maybe use a different firewall than Comodo ? Router works with 1 PC or network (often up to 4 computers). It is good to have, at least you're protected from intrusion attempts.

StilettoRed wrote:
Right now my email is not working and I am getting an error message:

POP3 Proxy Server: Cannot connect to the mail server!', Port: 110, Secure(SSL): No, Server Error: 0x800CCC90, Error Number: 0x800CCC90

Might be related to many things, let's first check out if Instant Access is running or not. Which email client do you use ?

Kim
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Post by StilettoRed » March 5th, 2007, 1:35 pm

Thanks Kimberly,

Blacklight found nothing.

BL Log:

03/05/07 11:13:28 [Info]: BlackLight Engine 1.0.55 initialized
03/05/07 11:13:28 [Info]: OS: 5.0 build 2195 (Service Pack 4)
03/05/07 11:13:30 [Note]: 7019 4
03/05/07 11:13:30 [Note]: 7005 0
03/05/07 11:13:38 [Note]: 7006 0
03/05/07 11:13:38 [Note]: 7011 1048
03/05/07 11:13:40 [Note]: 7026 0
03/05/07 11:13:41 [Note]: 7026 0
03/05/07 11:13:54 [Note]: FSRAW library version 1.7.1021
03/05/07 11:22:21 [Note]: 7007 0

HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 11:23:26 AM, on 3/5/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\mgabg.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\PDesk\PDesk.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.siliconinvestor.com/subjectmarks.aspx
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPagePro11.0\opware32.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINNT\system32\tbctray.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - http://inst.c-wss.com/135p/html/gtdownlr.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.m-w.com/toolbar/webinstall.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {69565A48-8A92-11D9-8BDE-F66BAD1E3F3A} (BridgeChannel v3.2) - http://channel.bridge.com/bc/java/rbc33_i.cab
O16 - DPF: {8E6AA867-94D4-4B4F-8791-1B048F8C122A} - https://fastsend.com/products/Fsplugin.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BCB608CD-D33D-41BB-98A1-AE59195CFF09}: NameServer = 209.151.92.2 209.151.112.2
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\System32\mgabg.exe

Kimberly wrote:
Maybe use a different firewall than Comodo ?

I have tried Zone Alarm prior to Comodo and prefer the Comodo. Firewalls and I just don't get along. I guess I will have to try and find a primer on how to discern which is good and which is bad.

The ISP has been having server problems this weekend and today. Have not been able to receive email today and suspected the problem was theirs. Finally got through to them and they confirmed. So that issue goes away.

Still think I have Windows problems because of the way things seem to work, or I should say not work.
StilettoRed
Regular Member
 
Posts: 34
Joined: January 30th, 2007, 7:31 pm

Post by Kimberly » March 5th, 2007, 2:35 pm

Hello,

Blacklight log is clear indeed, Instant Access doesn't run because bl would show it. (It uses hidden processes)

StilettoRed wrote:
I have tried Zone Alarm prior to Comodo and prefer the Comodo. Firewalls and I just don't get along. I guess I will have to try and find a primer on how to discern which is good and which is bad.

Ok, I'll see if I could find a tutorial on Comodo, it might help you. It is really important to have a firewall. If you can't get along well with settings, try at least a hardware router. Mail won't give you problems, programs like messenger can config themselves too if you have a UPNP router.

StilettoRed wrote:
The ISP has been having server problems this weekend and today. Have not been able to receive email today and suspected the problem was theirs. Finally got through to them and they confirmed. So that issue goes away.

Thanks for letting me know. Keep an eye on it tho, the error can mean different things, ISP trouble, bad username and or password, corrupted OE profile ...

StilettoRed wrote:
Still think I have Windows problems because of the way things seem to work, or I should say not work.


Can you expand a little bit ? Apart from the desktop glitch, what else is locking up or not working ? Any popups during surfing ? Redirects ?

KAV shows a couple of things, let's fix those. Deleted mail is infected so we'll just delete the file, it will be recreated automatically.

Make sure that you can see hidden files.
  1. Click Start.
  2. Click My Computer.
  3. Select the Tools menu and click Folder Options.
  4. Select the View Tab.
  5. Under the Hidden files and folders heading select Show hidden files and folders.
  6. Uncheck the Hide protected operating system files (recommended) option.
  7. Click Yes to confirm.
  8. Uncheck the Hide file extensions for known file types.
  9. Click OK.
______________________________

Click on Start, Control Panel, click on Add/Remove Programs
Look through the installed programs for the following items and remove them if present:

WinBudget

During the uninstall process, you might be presented with several prompts to guide you through uninstalling the product. Read these carefully to make sure you are actually choosing to uninstall rather than keep the software.
______________________________

Using Windows Explorer, Search and Delete these Folders if listed:

C:\Program Files\WinBudget

Using Windows Explorer, Search and Delete these Files if listed:

C:\Documents and Settings\Robert Cummins\Local Settings\Application Data\Identities\{277AA6B9-5804-4859-BCCF-88D80D3B6A22}\Microsoft\Outlook Express\Deleted Items.dbx

Keep Outlook Express closed while deleting this file.

If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is uncheck it and try again.
______________________________

Let's see if we discover anything else ...

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.
______________________________

Please post c:\rapport.txt

Questions :

Do you have a folder called Instant Access or EdgeAccess in Program files ?
Can you change the wallpaper on your desktop ?

Kim
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am
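The triage Kimberly does by eye on the KAV report above (ignore the "Object is locked skipped" noise, fold nested archive and mailbox members back onto the file that actually has to be removed, and separate riskware/adware from trojans) can be scripted. The helper below is an added example written for this thread, not a tool from MalwareRemoval.com, Kaspersky or the poster; the sample report is constructed in the scanner's line format with placeholder paths, a placeholder GUID and a placeholder sender name, and all function names are mine.

```python
"""Triage helper for Kaspersky Online Scanner result lines (added example)."""
import re
from collections import defaultdict

# Constructed sample in the report's line format. Paths, the {GUID} identity
# folder and the mail sender are placeholders, not copied from the poster's log.
SAMPLE_REPORT = r"""Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\User\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\User\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\User\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\User\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\User\Desktop\SmitfraudFix.exe PE_Patch.UPX: infected - 2 skipped
C:\Documents and Settings\User\Local Settings\Application Data\Identities\{GUID}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Example Bank" ][Date Sat, 24 Feb 2007 05:53:55 -0600 (CST)]/UNNAMED/html Infected: Trojan-Spy.HTML.Bankfraud.qy skipped
C:\Documents and Settings\User\Local Settings\Application Data\Identities\{GUID}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Example Bank" ][Date Sat, 24 Feb 2007 05:53:55 -0600 (CST)]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.qy skipped
C:\Documents and Settings\User\Local Settings\Application Data\Identities\{GUID}\Microsoft\Outlook Express\Deleted Items.dbx Mail MS Outlook 5: infected - 2 skipped
C:\Program Files\WinBudget\bin\crap.1169173812.old/EXE-file Infected: not-a-virus:AdWare.Win32.BHO.by skipped
C:\Program Files\WinBudget\bin\crap.1169173812.old Embedded EXE: infected - 1 skipped
C:\Program Files\WinBudget\bin\matrix.dll Infected: not-a-virus:AdWare.Win32.BHO.by skipped
C:\WINNT\system32\config\SAM Object is locked skipped
Scan process completed.
"""

# Three line shapes appear in the report: files the scanner could not open,
# per-object detections, and per-container summaries ("RarSFX: infected - 2").
LOCKED_RE = re.compile(r"^(?P<path>.+) Object is locked skipped$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) skipped$")
SUMMARY_RE = re.compile(r"^.+: infected - (?P<count>\d+) skipped$")


def parse_report(text):
    """Split report lines into (findings, locked_paths, summary_counts)."""
    findings, locked, summaries = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = LOCKED_RE.match(line)
        if m:
            locked.append(m.group("path"))          # in-use system/log files: noise
            continue
        m = INFECTED_RE.match(line)
        if m:
            findings.append((m.group("path"), m.group("verdict")))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summaries.append(int(m.group("count")))  # already counted via members
    return findings, locked, summaries


def top_level_file(path):
    """KAV appends archive/mailbox members after '/', Windows paths use '\\'."""
    return path.split("/", 1)[0]


def triage(text):
    """Group detections by the on-disk file and separate riskware from malware."""
    findings, locked, summaries = parse_report(text)
    by_file = defaultdict(set)
    for path, verdict in findings:
        by_file[top_level_file(path)].add(verdict)
    # Kaspersky prefixes adware/riskware verdicts with "not-a-virus:".
    riskware = {f for f, v in by_file.items() if all(x.startswith("not-a-virus:") for x in v)}
    return {
        "locked_skipped": len(locked),
        "detection_lines": len(findings),
        "files_with_detections": len(by_file),
        "riskware_files": sorted(riskware),
        "malware_files": sorted(f for f in by_file if f not in riskware),
        "verdicts": sorted({v for vs in by_file.values() for v in vs}),
        "container_summaries": len(summaries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

On the constructed sample the seven detection lines collapse to five files, four of which carry only "not-a-virus:" verdicts (the poster's own SmitfraudFix package and the WinBudget adware), leaving the Outlook Express Deleted Items.dbx as the single file with a trojan verdict, which is exactly the file Kimberly asks to delete.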

Post by StilettoRed » March 5th, 2007, 4:38 pm

Kim,

Kimberly wrote:
try at least a hardware router.

I will look into one. Any one brand better than another?

Kimberly wrote:
tutorial on Comodo

No need for you to spend your time doing this, I can look into it. I have posted on Comodo's forum and will see what might be available. I want to clear all the permissions I have now so I can start with a fresh slate.

Kimberly wrote:
Can you expand a little bit ? Apart from the desktop glitch, what else is locking up or not working ? Any popups during surfing ? Redirects ?

Page loads are slow. Programs are slow to load. Email, when switching mail boxes is slow. As I mentioned, Task Manager sometimes shows the process to be running and sometimes it shows no response. Many times after waiting and then going to task manager the page or app will display.

I have adequate memory.

No pop-ups or redirects.

Winbudget was not in programs to be uninstalled. I found a folder and deleted it.

Deleted one "deleted items.dbx". However, I have four mailboxes, are the other three OK? (I get more Spam than you can imagine.)

SmitFraudFix v2.137

Scan done at 13:56:17.26, Mon 03/05/2007
Run from C:\Documents and Settings\Robert Cummins\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Robert Cummins


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Robert Cummins\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ROBERT~2\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

No folders labeled "InstantAccess" or "EdgeAccess"

I do have the desktop Icon labeled "InstantAccess" remaining.

I have the ability to change wallpaper.

Thanks
StilettoRed
Regular Member
 
Posts: 34
Joined: January 30th, 2007, 7:31 pm

Post by Kimberly » March 5th, 2007, 5:54 pm

Hello :)

StilettoRed wrote:
I will look into one. Any one brand better than another?

I personally did opt for a Netgear. The user interface is user friendly, not too complicated to understand and it does its job very well. Mine is a wired one using network cards and cat5 cables, not the wireless model (aka WI-FI). Linksys maybe, although it has some vulnerabilities. D-Link models are easy to set up also. Cisco are very good but orientated more towards a professional / advanced use and thus a bit more complex to set up. Don't take an SMC one, it's a pain to set up and port forwarding is a hassle imo.
Some tech info about routers : http://en.wikipedia.org/wiki/Router

No need for you to spend your time doing this, I can look into it. I have posted on Comodo's forum and will see what might be available. I want to clear all the permissions I have now so I can start with a fresh slate.

Ok, kinda reset all settings. :)

Page loads are slow. Programs are slow to load. Email, when switching mail boxes is slow. As I mentioned, Task Manager sometimes shows the process to be running and sometimes it shows no response. Many times after waiting and then going to task manager the page or app will display.

Hmm, either something damaged by previous malware (and eventually its cleanup), or a conflict between programs ... it is hard to tell.
As for Outlook Express being slow, is that when you navigate between the Inbox, Outgoing mail ... or switching different identities? Mailbox may be too big, it tends to get corrupt then. Any idea of its size? Listing the folder C:\Documents and Settings\Robert Cummins\Local Settings\Application Data\Identities\{277AA6B9-5804-4859-BCCF-88D80D3B6A22}\Microsoft\Outlook Express\ and selecting Details in the Explorer View menu will show the size of the folders.
Which process takes the most CPU when you bring up TaskManager? Which program or task is listed with no response?

A suggestion ... what if you turn off the AVG Anti-Spyware 7.5 realtime protection ? Webpages and apps "should" load faster.
Open AVG Anti Spyware and Click on Change state next to Resident shield. It should now change to inactive. See if that improves speed or not.

I have adequate memory.

May I ask how much memory you have ?

No pop-ups or redirects.

Thanks for checking that. Logs don't show malware running either but I wanted to be sure.

Winbudget was not in programs to be uninstalled. I found a folder and deleted it.

Perfect. :)

Deleted one "deleted items.dbx". However, I have four mailboxes, are the other three OK? (I get more Spam than you can imagine.)

Yes they are ok. It's the inbox, outgoing mail ... etc. The "bad mails" were in the deleted items, so there is no need to delete other emails or boxes.
Spam is a pain nowadays. :(
My regular ISP doesn't filter mail / spam so I get quite a couple too. Mailwasher can help you to filter mail, Outlook Express can filter it too but you have to create rules yourself. It's not always easy. To prevent infections, reading email in plain text is a handy feature and never click attachments you don't recognize.

SmitFraudFix log is ok, nothing special.

No folders labeled "InstantAccess" or "EdgeAccess"
I do have the desktop Icon labeled "InstantAccess" remaining.
I have the ability to change wallpaper.

You may delete the icon on the desktop and change wallpaper. I don't see any leftovers of those programs.

Now, the tool below will show me a couple of things. It will not damage or fix your computer but just give me some insight on a few things.

Download Systemscan.exe and save it to the desktop.
http://www.suspectfile.com/upload/files ... emscan.exe

Double click it to run.
Check the following items:

- suspicious files: compressed with UPX, FSG, Polycrypt, Upack and others
All the rest are already checked.
OK the prompt.
Click "scan now"
OK the prompt.

**Note
This scan will take a while so please be patient.
This tool does not fix anything. It just does a scan and generates a log.
Once done the log should pop up.

C:\suspectfile\report.txt

Post log please. It may take 3 posts to get whole logs in.

Kim
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Unread postby StilettoRed » March 5th, 2007, 11:20 pm

Kim, I will investigate Netgear and give it a try.

I uninstalled and reinstalled Comodo. After 10 minutes I had 4 high severity events, after 5 hours 78. My PC is evidently a magnet for this crap.

As for Outlook Express being slow, is that when you navigate between the Inbox, Outgoing mail ... or switching different identities?

Switching identities I think. These problems do not occur constantly, but more or less intermittently.

Mail box is 39mb - too big huh? I compact my folders but I guess I should remove some.

Which process takes the most of cpu when you bring up TaskManager ? Which program or task is listed with no response ?

Can't tell you - will have to make notes when it occurs.

Memory = 523,740 KB This is an older computer about vintage 2000 w/1gb processor, maybe it's just getting tired. -g-

Mailwasher can help you to filter mail

I don't know if I could trust using one of those programs. The ISP started indicating possible spam for incoming mail, but many of those marked are legitimate mail.

Suspect file log link:

http://rapidshare.com/files/19620437/re ... 5.txt.html
StilettoRed
Regular Member
 
Posts: 34
Joined: January 30th, 2007, 7:31 pm

Unread postby Kimberly » March 6th, 2007, 11:20 am

Hello StilettoRed,

I uninstalled and reinstalled Comodo. After 10 minutes I had 4 high severity events, after 5 hours 78. My PC is evidently a magnet for this crap.

Not specially ... rather normal ratio. I bet most of them are simple portscans.

Switching identities I think. These problems do not occur constantly, but more or less intermittently.

Mail box is 39mb - too big huh? I compact my folders but I guess I should remove some.

Yep a little bit too big to be honest. Delay is prolly due to that.

Can't tell you - will have to make notes when it occurs.
Memory = 523,740 KB This is an older computer about vintage 2000 w/1gb processor, maybe its just getting tired. -g-

Well for running Win 2000 that is still correct. I would watch out for AVG AntiSpyware real time protection though, that one is gonna slow down surfing.

I don't know if I could trust using one of those programs. The ISP started indicating possible spam for incoming mail, but many of those marked are legitimate mail.

Mailwasher checks with spam databases, and has a learning mechanism too. You teach it to recognize spam and legit mail. I like it a lot as it shows emails and headers but you can't get infected when seeing them. Outlook is way more dangerous in that point of view.


Thanks for uploading the log. RapidShare was a good idea for a long log.

Couple of things I did notice ...

1. You ran Gmer and Combofix early February. Particular programs / infections? Can I see that Combofix log please, as it is still on your PC.
C:\combofix.txt
Any chance you have that Gmer log around?

2. You have Norton leftovers, they are gonna slow down the PC. Download the tool below and save to your desktop.
ftp://ftp.symantec.com/public/english_u ... l_Tool.exe

Run the tool, follow instructions. Norton leftovers will be removed.

Webpage : http://service1.symantec.com/SUPPORT/ts ... 3108162039


3. I suspect you had trojan / rbot / sbot problems before, seeing a modified registry entry. Let's fix that.

Copy/paste the following text into a new Notepad document. Make sure that you have one blank line at the end of the document as shown in the quoted text.

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa]
"enabledcom"=-


Save it to your desktop as Fixme.reg. Save it as :
File Type: All Files (not as a text document or it won't work).
Name: Fixme.reg

Locate Fixme.reg on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the merged successfully prompt.


4. Next ... The things below do worry me. They might indicate the presence of AWF trojan or a previous presence. (Downloader.Agent.awf)

Startup :

4) "QuickTime Task"
---> CMD = "C:\Program Files\QuickTime\qttask.exe" -atboottime
---> FILE = (NOT EXISTS)

8) "COMODO Firewall Pro"
---> CMD = "C:\Program Files\Comodo\Firewall\CPF.exe" /background
---> FILE = (NOT EXISTS)

Comodo pid is empty too, it does not show DLLs loaded which is strange. AWF trojan is a file infector. Normally KAV should have spotted the files.

Line below does make me think of it too when I see the IP.

IEXPLORE.EXE pid: 680
Command line: iexplore.exe hxxp://88.80.5.36/70/in/html1173144267.html?cid=17135765&aid=10087&time=C:\DOCUME~1\ROBERT~2\LOCALS~1\Temp\1173143352&fw=0&v=70&m=1&vm=0

So download and save to desktop
http://noahdfear.geekstogo.com/FindAWF.exe
Run the program and post awf.txt please.

Kim
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Unread postby ChrisRLG » March 6th, 2007, 6:56 pm

The last post to this generated a bounced email from StilettoRed's email host - so he will not have received any notification. :(
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby StilettoRed » March 6th, 2007, 10:47 pm

Kim, sorry to take so long to get back to you, but it has been a busy day with no computer time to speak of. As you know my ISP is still down - since Saturday. -ng-

Here is the combofix log:

"Robert Cummins" - Mon 02/05/2007 20:44:27 Service Pack 4
ComboFix 07.02.04 - Running from: "C:\Documents and Settings\Robert Cummins\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2007-01-05 to 2007-02-05 ))))))))))))))))))))))))))))))))))


2007-02-05 07:22 <DIR> d-------- C:\WINNT\system32\ZoneLabs
2007-02-04 23:03 <DIR> d-------- C:\!KillBox
2007-02-04 22:19 79,360 --a------ C:\WINNT\system32\swxcacls.exe
2007-02-04 22:19 53,248 --a------ C:\WINNT\system32\Process.exe
2007-02-04 22:19 51,200 --a------ C:\WINNT\system32\dumphive.exe
2007-02-04 22:19 40,960 --a------ C:\WINNT\system32\swsc.exe
2007-02-04 22:19 288,417 --a------ C:\WINNT\system32\SrchSTS.exe
2007-02-04 22:19 135,168 --a------ C:\WINNT\system32\swreg.exe
2007-02-04 20:36 3,968 --a------ C:\WINNT\system32\drivers\AvgAsCln.sys
2007-02-04 20:36 <DIR> d-------- C:\Program Files\Grisoft
2007-02-04 15:00 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2007-01-31 12:30 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2007-01-30 18:09 <DIR> d-------- C:\DOCUME~1\ROBERT~2\Application Data\TrojanHunter
2007-01-30 16:54 <DIR> d-------- C:\Program Files\TrojanHunter 4.6
2007-01-28 20:46 63 --a------ C:\WINNT\system\SYSRegC.dll
2007-01-28 20:46 143,360 --a------ C:\WINNT\system32\GetHardDiskNo.dll
2007-01-28 20:46 1,126,400 --a------ C:\WINNT\system32\VchReg.dll
2007-01-28 18:10 2,514 --a------ C:\WINNT\system32\tmp.reg
2007-01-28 18:09 <DIR> d-------- C:\Program Files\SmitfraudFix
2007-01-28 12:48 <DIR> d-------- C:\Program Files\HijackThis
2007-01-26 08:43 <DIR> d-------- C:\Program Files\CCleaner
2007-01-18 20:30 <DIR> d-------- C:\Program Files\WinBudget
2007-01-18 19:30 <DIR> d-------- C:\WINNT\system32\bak


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-05 18:37 -------- d-------- C:\DOCUME~1\ROBERT~2\Application Data\adobeum
2007-02-04 19:03 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-02-04 13:15 -------- d-------- C:\DOCUME~1\ROBERT~2\Application Data\u3
2007-02-01 09:15 -------- d-------- C:\DOCUME~1\ROBERT~2\Application Data\adobe
2007-01-30 20:41 -------- d-------- C:\Program Files\google
2007-01-28 17:47 -------- d-------- C:\Program Files\uiu
2007-01-28 15:16 -------- d-------- C:\Program Files\lavasoft
2007-01-28 15:16 -------- d-------- C:\DOCUME~1\ROBERT~2\Application Data\lavasoft
2007-01-28 12:52 -------- d--h----- C:\Program Files\installshield installation information
2007-01-28 12:52 -------- d-------- C:\Program Files\hewlett-packard
2007-01-22 13:41 -------- d-------- C:\Program Files\Common Files\adobe
2007-01-18 20:28 -------- d-------- C:\Program Files\quicktime
2007-01-18 20:28 -------- d-------- C:\Program Files\picasa2
2007-01-18 20:26 38412 --a------ C:\WINNT\system32\tbctray.exe
2006-12-27 14:24 -------- d-------- C:\Program Files\dbf viewer 2000
2006-12-27 14:17 -------- d-------- C:\DOCUME~1\ROBERT~2\Application Data\mailwasherpro


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"
"LDM"="\\Program\\BackWeb-8876480.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"Matrox Powerdesk"="C:\\WINNT\\System32\\PDesk\\PDesk.exe /Autolaunch"
"Omnipage"="C:\\Program Files\\ScanSoft\\OmniPagePro11.0\\opware32.exe"
"Logitech Utility"="Logi_MwX.Exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
"TraySantaCruz"="C:\\WINNT\\system32\\tbctray.exe"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

SafeBoot registry key needs to be repaired. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\0\0
wugroup REG_MULTI_SZ wuauserv\0\0
BITSgroup REG_MULTI_SZ BITS\0\0

HKLM\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
WmdmPmSN



Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\ScanDisc.job


********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

? [1056]
? [1088]

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 2
hidden services: 0
hidden files: 0

********************************************************************

Completion time: Mon 2007-02-05 20:47:24


Here is the gmer log, seems kind of short?

GMER 1.0.12.12027 - http://www.gmer.net
Rootkit scan 2007-03-06 20:04:04
Windows 5.0.2195 Service Pack 4


---- System - GMER 1.0.12 ----

SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwConnectPort
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwCreateFile
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwCreatePort
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwCreateSection
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwCreateThread
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwDeleteFile
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwDeleteKey
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwDeleteValueKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwOpenSection
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwOpenThread
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwSetContextThread
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwSetInformationFile
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwSetValueKey
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwShutdownSystem
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwWriteFile
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwWriteFileGather

---- Kernel code sections - GMER 1.0.12 ----

.text NTDLL.DLL!NtClose 77F881F8 5 Bytes JMP 7203407A
.text NTDLL.DLL!NtCreateProcess 77F88308 5 Bytes JMP 72034205
.text NTDLL.DLL!NtCreateSection 77F88328 5 Bytes JMP 72034098

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\Comodo\Firewall\CPF.exe[1224] ntdll.dll!LdrLoadDll 77F85B2C 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\Comodo\Firewall\CPF.exe[1224] kernel32.dll!LoadLibraryExW 7C590565 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]

---- Devices - GMER 1.0.12 ----

Device \Driver\CmdMon \Device\ComodoRawIpFilter IRP_MJ_INTERNAL_DEVICE_CONTROL [F253085A] avgtdi.sys
Device \Driver\CmdMon \Device\ComodoUdpFilter IRP_MJ_INTERNAL_DEVICE_CONTROL [F253085A] avgtdi.sys
Device \Driver\CmdMon \Device\ComodoTcpFilter IRP_MJ_INTERNAL_DEVICE_CONTROL [F253085A] avgtdi.sys
Device \Driver\CmdMon \Device\ComodoIpFilter IRP_MJ_INTERNAL_DEVICE_CONTROL [F253085A] avgtdi.sys

---- Registry - GMER 1.0.12 ----

Reg \Registry\USER\S-1-5-21-1801674531-1060284298-1343024091-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9D79B17E-AC30-D578-2635-E328566EA031}@dacjgdcj? 0x63 0x61 0x61 0x6F ...
Reg \Registry\USER\S-1-5-21-1801674531-1060284298-1343024091-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9D79B17E-AC30-D578-2635-E328566EA031}@fabjbdnojbad? 0x63 0x61 0x68 0x6F ...

---- EOF - GMER 1.0.12 ----

I used the Norton removal tool, but it didn't get everything as I ran across a Symantec update file that I also deleted. I have been wanting to get rid of that stuff for ages. Thanks.

Noahdfear log:

Find AWF report by noahdfear ©2006


21504 byte files found
~~~~~~~~~~~~~



21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



25600 byte files found
~~~~~~~~~~~~~



25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



26450 byte files found
~~~~~~~~~~~~~



26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\PICASA2\BAK

10/03/2006 03:14p 249,927 PicasaMediaDetector.exe
1 File(s) 249,927 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

05/24/2005 04:52p 98,304 qttask.exe
1 File(s) 98,304 bytes

Directory of C:\WINNT\SYSTEM32\BAK

05/17/2002 06:16p 290,816 tbctray.exe
1 File(s) 290,816 bytes

Directory of C:\PROGRA~1\SCANSOFT\OMNIPA~1.0\BAK

05/25/2001 11:56p 49,152 opware32.exe
1 File(s) 49,152 bytes

Directory of C:\WINNT\SYSTEM32\PDESK\BAK

08/03/2001 11:37a 622,592 PDesk.exe
1 File(s) 622,592 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~2\12908~1.500\BAK

10/17/2006 05:25p 163,576 GoogleToolbarNotifier.exe
1 File(s) 163,576 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

3322920 Sep 13 2005 "C:\Program Files\picasa2-setup-1884.exe"
499776 Oct 3 2006 "C:\Program Files\Picasa2\PicasaUpdate.exe"
249927 Oct 3 2006 "C:\Program Files\Picasa2\bak\PicasaMediaDetector.exe"
553035 Oct 3 2006 "C:\Program Files\Picasa2\cdautorun\PicasaRestore.exe"
38412 Jan 18 2007 "C:\Program Files\QuickTime\qttask.exe"
98304 May 24 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
38412 Jan 18 2007 "C:\WINNT\system32\tbctray.exe"
290816 May 17 2002 "C:\WINNT\system32\bak\tbctray.exe"
290816 May 17 2002 "C:\Ibmtools\Drivers\909Z06US\Drivers\WDM\TbcTray.exe"
290816 May 17 2002 "C:\Program Files\Turtle Beach\Santa Cruz\Drivers\WDM\TbcTray.exe"
38412 Jan 18 2007 "C:\Program Files\ScanSoft\OmniPagePro11.0\opware32.exe"
49152 May 25 2001 "C:\Program Files\ScanSoft\OmniPagePro11.0\bak\opware32.exe"
38412 Jan 18 2007 "C:\WINNT\system32\PDesk\PDesk.exe"
622592 Aug 3 2001 "C:\WINNT\system32\PDesk\bak\PDesk.exe"
38412 Jan 18 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe"
163576 Oct 17 2006 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\bak\GoogleToolbarNotifier.exe"


end of report

I think I got everything you asked for.

Tomorrow is not going to be a good day as I have a cow missing. She was having a problem having her calf and I can't find her so I will be out looking again.
StilettoRed
Regular Member
 
Posts: 34
Joined: January 30th, 2007, 7:31 pm

Unread postby Kimberly » March 7th, 2007, 12:34 am

Hello StilettoRed,

Thanks for posting those logs, it covers everything I asked for indeed. I'll post a fix tomorrow, it's rather late now here.

Tomorrow is not going to be a good day as I have a cow missing. She was having a problem having her calf and I can't find her so I will be out looking again.

I'm very sorry to hear that, I hope that you will be able to locate her. Don't worry, I'm getting notified when you reply and things in real life are more important than fixing PC stuff.

I used the Norton removal tool, but it didn't get everything as I ran across a Symantec update file that I also deleted. I have been wanting to get rid of that stuff for ages. Thanks.

You're welcome. It may indeed leave a few files behind, like liveupdate files, reglive files, but at least all services are removed from the PC and that is the most important. :)
The tool works rather well I must say, Norton is a pain to uninstall usually.

Here is the gmer log, seems kind of short?

No, not at all. The shorter the better as a matter of fact. It shows hidden processes or files on the PC. Some are legit, others are rootkits. Gmer log is ok.


FindAWF did confirm what I suspected, Downloader.Agent.awf. I'll wrap up a fix for that, don't worry. That explains a lot of hiccups of the PC.

I need to know something before though ... The combofix log shows :

SafeBoot registry key needs to be repaired. This machine cannot enter Safe Mode.

Is that true ? Can you get into Safe Mode or not ? (See procedure below)
Did anyone give you a fix for that?

Boot into Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • When you see the black-and-white Starting Windows bar at the bottom of the screen, start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
Let me know please.

Kim
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am
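An added example, not FindAWF and not the thread's own fix: it parses lines in the shape of FindAWF's "Duplicate files of bak directory contents" section and re-derives what the log above shows, every live startup executable shrunk to the same 38412 bytes while its bak\ copy keeps the original size, then emits the del/copy pairs a restore batch needs. The sample lines are the thread's own values plus one constructed, clean pair to show what is not flagged.

```python
"""
Re-derive the Downloader.Agent.awf pattern from a FindAWF-style listing.

The infector replaces each autostart executable with a small copy of itself
and parks the original next to it in a "bak" folder, so every replaced entry
ends up with the same size while its bak\ counterpart keeps the original size.
This script is an added example; it is not FindAWF or the thread's cleanme.bat.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample in FindAWF's "<size> <Mon> <day> <year> "<path>"" format.
# The first eight lines are values from the thread; the last two are a
# constructed clean backup pair (same size on both sides) that must not be flagged.
SAMPLE_REPORT = r"""
38412 Jan 18 2007 "C:\Program Files\QuickTime\qttask.exe"
98304 May 24 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
38412 Jan 18 2007 "C:\WINNT\system32\tbctray.exe"
290816 May 17 2002 "C:\WINNT\system32\bak\tbctray.exe"
38412 Jan 18 2007 "C:\WINNT\system32\PDesk\PDesk.exe"
622592 Aug 3 2001 "C:\WINNT\system32\PDesk\bak\PDesk.exe"
249927 Oct 3 2006 "C:\Program Files\Picasa2\bak\PicasaMediaDetector.exe"
290816 May 17 2002 "C:\Ibmtools\Drivers\909Z06US\Drivers\WDM\TbcTray.exe"
12345 Jan 1 2006 "C:\Tools\Foo\bak\foo.exe"
12345 Jan 1 2006 "C:\Tools\Foo\foo.exe"
"""

LINE_RE = re.compile(r'^(\d+)\s+[A-Za-z]{3}\s+\d{1,2}\s+\d{4}\s+"(.+)"\s*$')
BAK = "\\bak\\"


class Finding(NamedTuple):
    live_path: str          # the autostart executable as Windows runs it
    bak_path: str           # the original parked under ...\bak\
    live_size: Optional[int]  # None when the live file is absent from the listing
    bak_size: int
    status: str             # "replaced", "live-missing" or "same-size"


def parse_report(text: str) -> Dict[str, Tuple[str, int]]:
    """Map lower-cased path -> (path as printed, size in bytes)."""
    sizes: Dict[str, Tuple[str, int]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            sizes[m.group(2).lower()] = (m.group(2), int(m.group(1)))
    return sizes


def analyze(report_text: str) -> List[Finding]:
    """Pair every file under a bak folder with its live counterpart."""
    sizes = parse_report(report_text)
    findings: List[Finding] = []
    for key, (bak_path, bak_size) in sizes.items():
        idx = key.rfind(BAK)            # last "\bak\" component, case-insensitive
        if idx < 0:
            continue
        live_key = key[:idx] + "\\" + key[idx + len(BAK):]
        live = sizes.get(live_key)
        if live is None:
            # Original present in bak but nothing live: restore is still needed.
            findings.append(Finding(bak_path[:idx] + "\\" + bak_path[idx + len(BAK):],
                                    bak_path, None, bak_size, "live-missing"))
        elif live[1] != bak_size:
            findings.append(Finding(live[0], bak_path, live[1], bak_size, "replaced"))
        else:
            findings.append(Finding(live[0], bak_path, live[1], bak_size, "same-size"))
    return sorted(findings, key=lambda f: f.live_path.lower())


def dropper_size(findings: List[Finding]) -> Optional[int]:
    """Size shared by the replaced executables (38412 in the thread), else None."""
    counts = Counter(f.live_size for f in findings if f.status == "replaced")
    if not counts:
        return None
    size, n = counts.most_common(1)[0]
    return size if n >= 2 else None


def restore_commands(findings: List[Finding]) -> List[str]:
    """cmd.exe lines restoring each original from bak, same shape as a cleanme.bat."""
    lines = ["@echo off"]
    for f in findings:
        if f.status == "same-size":
            continue                    # genuine backup, nothing to undo
        lines.append(f'if exist "{f.live_path}" del /q "{f.live_path}"')
        lines.append(f'copy /y "{f.bak_path}" "{f.live_path}"')
    return lines


if __name__ == "__main__":
    found = analyze(SAMPLE_REPORT)
    for f in found:
        print(f"{f.status:13} live={f.live_size} bak={f.bak_size}  {f.live_path}")
    print("common replacement size:", dropper_size(found))
    print("\n".join(restore_commands(found)))
```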

Unread postby StilettoRed » March 7th, 2007, 8:49 am

Kim, the combofix log was an old log. I had the problem previously and it was fixed. I should have noticed that and told you.

However, I checked and it is back again. I cannot enter safe mode.

Another thing I forgot to mention was that when I ran the gmer.exe the PC shut down. Second time it ran OK.

Also, I have not been able to install my MSFT updates. I thought it was because of the ISP situation? That probably is not true as they indicate they are downloaded and have to be installed.

I made the registry fix which I also failed to mention.

Later
StilettoRed
Regular Member
 
Posts: 34
Joined: January 30th, 2007, 7:31 pm

Unread postby Kimberly » March 7th, 2007, 3:07 pm

Hello

Kim, the combofix log was an old log. I had the problem previously and it was fixed. I should have noticed that and told you.

Yep I saw it was an older log. I wanted to see what had been done before.

Another thing I forgot to mention was that when I ran the gmer.exe the PC shut down. Second time it ran OK.

That's a common behavior, it crashes the PC from time to time.

Also, I have not been able to install my MSFT updates. I thought it was because of the ISP situation? That probably is not true as they indicate they are downloaded and have to be installed.

Could be the malware affecting it. If your ISP is only having issues with mail then it shouldn't be affected by that. We will try to handle that when PC is clean from AWF.

Ok, here is how we are gonna proceed. We'll first try to fix Safe Mode.

If that goes well and you can boot into Safe Mode, run the fix as described under method 1.

If you can't get into Safe Mode, follow the part under method 2.

In both cases, keep Internet Explorer closed and stay disconnected from Internet once you did download the tools. Once method 1 or 2 is used, connect to Internet and post the requested info please. Also let me know if Safe Mode did work.
______________________________

Download http://www.mvps.org/winhelp2002/DelDomains.inf and place it on desktop. Don't use it yet.
______________________________

Download: ResetProtocolDefaults.reg
http://www.mvps.org/winhelp2002/ResetPr ... faults.reg
Don't use it yet.
______________________________

Copy/paste the following text into a new Notepad document.

@echo off
rem Put back the original startup executables that FindAWF found in the bak folders,
rem overwriting the 38412-byte copies Downloader.Agent.awf left in their place.
if exist "C:\Program Files\Picasa2\PicasaMediaDetector.exe" del /q "C:\Program Files\Picasa2\PicasaMediaDetector.exe"
copy /y "C:\Program Files\Picasa2\bak\PicasaMediaDetector.exe" "C:\Program Files\Picasa2\PicasaMediaDetector.exe"
if exist "C:\Program Files\QuickTime\qttask.exe" del /q "C:\Program Files\QuickTime\qttask.exe"
copy /y "C:\Program Files\QuickTime\bak\qttask.exe" "C:\Program Files\QuickTime\qttask.exe"
if exist "C:\WINNT\system32\tbctray.exe" del /q "C:\WINNT\system32\tbctray.exe"
copy /y "C:\WINNT\system32\bak\tbctray.exe" "C:\WINNT\system32\tbctray.exe"
if exist "C:\Program Files\ScanSoft\OmniPagePro11.0\opware32.exe" del /q "C:\Program Files\ScanSoft\OmniPagePro11.0\opware32.exe"
copy /y "C:\Program Files\ScanSoft\OmniPagePro11.0\bak\opware32.exe" "C:\Program Files\ScanSoft\OmniPagePro11.0\opware32.exe"
if exist "C:\WINNT\system32\PDesk\PDesk.exe" del /q "C:\WINNT\system32\PDesk\PDesk.exe"
copy /y "C:\WINNT\system32\PDesk\bak\PDesk.exe" "C:\WINNT\system32\PDesk\PDesk.exe"
if exist "C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe" del /q "C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe"
copy /y "C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\bak\GoogleToolbarNotifier.exe" "C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe"



Save it to your desktop as cleanme.bat. Save it as:
File Type: All Files (not as a text document or it won't work).
Name: cleanme.bat
Don't use yet.
______________________________

Update AVG Anti-Spyware to the latest definitions.

On the main screen under Your Computer's security.
  • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
  • Wait until you see the Update successful message.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
______________________________

Download avz4en.zip (might take some time, connection is slow)
http://z-oleg.com/avz4en.zip

Unzip it to a folder on your desktop
Double click on AVZ.exe
Click on the File Tab and then click on System Recovery
Put a checkmark next to Restore SafeBoot Registry Keys
Click on Execute Selected Operations

Let me know if that fixes the Safe Boot problem when you post your logs.
______________________________

Method 1

Boot into Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • When you see the black-and-white Starting Windows bar at the bottom of the screen, start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
______________________________

Using Windows Explorer, Navigate to C:\WINNT\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Make sure you have deleted all the files in C:\Documents and Settings\Robert Cummins\Local Settings\Temp
______________________________

Quit Internet Explorer, all browsers and quit any instances of Windows Explorer.

For Internet Explorer 7
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete... under Browsing History.
  • Next to Temporary Internet Files, click Delete files, and then click OK.
  • Next to Cookies, click Delete cookies, and then click OK.
  • Next to History, click Delete history, and then click OK.
  • Click the Close button.
  • Click OK.
For Internet Explorer 4.x - 6.x
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
For Netscape 4.x and Up
  • Click Edit from the Netscape menubar.
  • Click Preferences... from the Edit menu.
  • Expand the Advanced menu by clicking the triangle sign.
  • Click Cache.
  • Click both the Clear Memory Cache and the Clear Disk Cache buttons.
For Mozilla 1.x and Up
  • Click Edit from the Mozilla menubar.
  • Click Preferences... from the Edit menu.
  • Expand the Advanced menu by clicking the plus sign.
  • Click Cache.
  • Click the Clear Cache button.
For Opera
  • Click File from the Opera menubar.
  • Click Preferences... from the File menu.
  • Click the History and Cache menu.
  • Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
  • Click Ok to close the Preferences menu.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Double click cleanme.bat on your desktop. A CMD window will open / close, this is normal.
______________________________

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      Image
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
______________________________

Locate FindAWF.exe and run the program again.


END OF METHOD 1
____________________________________________________________

Method 2

Run HijackThis, close ALL windows except HijackThis
Click on Open the Misc Tools Section, click on Open Process manager.
Hold down CTRL and select the following processes if still running by clicking on them:

C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\tbctray.exe
C:\Program Files\ScanSoft\OmniPagePro11.0\opware32.exe
C:\WINNT\system32\PDesk\PDesk.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

Press Kill Process and hit the Refresh Button. Repeat until ALL processes listed above are killed.
Close HijackThis.

Double click cleanme.bat on your desktop. A CMD window will open / close, this is normal.
______________________________

Using Windows Explorer, navigate to C:\WINNT\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Make sure you have deleted all the files in C:\Documents and Settings\Robert Cummins\Local Settings\Temp
______________________________

Quit Internet Explorer, all browsers and quit any instances of Windows Explorer.

For Internet Explorer 7
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete... under Browsing History.
  • Next to Temporary Internet Files, click Delete files, and then click OK.
  • Next to Cookies, click Delete cookies, and then click OK.
  • Next to History, click Delete history, and then click OK.
  • Click the Close button.
  • Click OK.
For Internet Explorer 4.x - 6.x
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
For Netscape 4.x and Up
  • Click Edit from the Netscape menubar.
  • Click Preferences... from the Edit menu.
  • Expand the Advanced menu by clicking the triangle sign.
  • Click Cache.
  • Click both the Clear Memory Cache and the Clear Disk Cache buttons.
For Mozilla 1.x and Up
  • Click Edit from the Mozilla menubar.
  • Click Preferences... from the Edit menu.
  • Expand the Advanced menu by clicking the plus sign.
  • Click Cache.
  • Click the Clear Cache button.
For Opera
  • Click File from the Opera menubar.
  • Click Preferences... from the File menu.
  • Click the History and Cache menu.
  • Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
  • Click Ok to close the Preferences menu.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Locate DelDomains.inf on your desktop, right-click the file and select Install; that will reset the zone settings that have been altered.

Locate "ResetProtocolDefaults.reg"
Right-click and select: Merge (Ok the prompt)

Reboot the PC. Don't connect to Internet yet.
______________________________

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      Image
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
______________________________

Locate FindAWF.exe and run the program again.

END OF METHOD 2
______________________________

Please post:
  1. AVG log
  2. awf.txt
  3. A new HijackThis log
You may need several replies to post the requested logs, otherwise they might get cut off.

Kim
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Unread postby StilettoRed » March 7th, 2007, 11:12 pm

Kim,

Safe Mode clean-up worked. Booted and used Method 1.

Downloaded MVPS DelDomains and ResetProtocol.

Cleanme.bat saved.

AVG Spyware updated and scanned.

AVZ.exe worked to fix Safe Boot problem.

C:\WINNT\Temp - Done

C:\Documents and Settings\All Users\Local Settings\Temp - nothing in folder to delete.

C:\Documents and Settings\Robert Cummins\Local Settings\Temp - Done

Deleted Internet Files and Cookies - Adios passwords and Logins -ng-

Ran AVG Anti-Spyware

Ran FindAWF.exe

Was checking back through and thought I screwed up and missed the Deldomains.inf in the order sequence posted - tried to run it after AVG and installation failed.

Same thing with the Reset Protocol; thought I missed it and it made the change.

Then realized both of these were part of method 2. Did I invalidate everything?

Here are Logs:

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:24:28 PM 3/7/2007

+ Scan result:



C:\RECYCLER\S-1-5-21-1801674531-1060284298-1343024091-1000\Dc56.exe -> Heuristic.Win32.Dialer : Cleaned with backup (quarantined).


::Report end

Find AWF report by noahdfear ©2006


21504 byte files found
~~~~~~~~~~~~~



21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



25600 byte files found
~~~~~~~~~~~~~



25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



26450 byte files found
~~~~~~~~~~~~~



26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\PICASA2\BAK

10/03/2006 03:14p 249,927 PicasaMediaDetector.exe
1 File(s) 249,927 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

05/24/2005 04:52p 98,304 qttask.exe
1 File(s) 98,304 bytes

Directory of C:\WINNT\SYSTEM32\BAK

05/17/2002 06:16p 290,816 tbctray.exe
1 File(s) 290,816 bytes

Directory of C:\PROGRA~1\SCANSOFT\OMNIPA~1.0\BAK

05/25/2001 11:56p 49,152 opware32.exe
1 File(s) 49,152 bytes

Directory of C:\WINNT\SYSTEM32\PDESK\BAK

08/03/2001 11:37a 622,592 PDesk.exe
1 File(s) 622,592 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~2\12908~1.500\BAK

10/17/2006 05:25p 163,576 GoogleToolbarNotifier.exe
1 File(s) 163,576 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

3322920 Sep 13 2005 "C:\Program Files\picasa2-setup-1884.exe"
499776 Oct 3 2006 "C:\Program Files\Picasa2\PicasaUpdate.exe"
249927 Oct 3 2006 "C:\Program Files\Picasa2\bak\PicasaMediaDetector.exe"
553035 Oct 3 2006 "C:\Program Files\Picasa2\cdautorun\PicasaRestore.exe"
38412 Jan 18 2007 "C:\Program Files\QuickTime\qttask.exe"
98304 May 24 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
38412 Jan 18 2007 "C:\WINNT\system32\tbctray.exe"
290816 May 17 2002 "C:\WINNT\system32\bak\tbctray.exe"
290816 May 17 2002 "C:\Ibmtools\Drivers\909Z06US\Drivers\WDM\TbcTray.exe"
290816 May 17 2002 "C:\Program Files\Turtle Beach\Santa Cruz\Drivers\WDM\TbcTray.exe"
38412 Jan 18 2007 "C:\Program Files\ScanSoft\OmniPagePro11.0\opware32.exe"
49152 May 25 2001 "C:\Program Files\ScanSoft\OmniPagePro11.0\bak\opware32.exe"
38412 Jan 18 2007 "C:\WINNT\system32\PDesk\PDesk.exe"
622592 Aug 3 2001 "C:\WINNT\system32\PDesk\bak\PDesk.exe"
38412 Jan 18 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe"
163576 Oct 17 2006 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\bak\GoogleToolbarNotifier.exe"


end of report

Logfile of HijackThis v1.99.1
Scan saved at 8:34:10 PM, on 3/7/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\mgabg.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\PDesk\PDesk.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.siliconinvestor.com/subjectmarks.aspx
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPagePro11.0\opware32.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINNT\system32\tbctray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - http://inst.c-wss.com/135p/html/gtdownlr.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.m-w.com/toolbar/webinstall.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {69565A48-8A92-11D9-8BDE-F66BAD1E3F3A} (BridgeChannel v3.2) - http://channel.bridge.com/bc/java/rbc33_i.cab
O16 - DPF: {8E6AA867-94D4-4B4F-8791-1B048F8C122A} - https://fastsend.com/products/Fsplugin.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BCB608CD-D33D-41BB-98A1-AE59195CFF09}: NameServer = 209.151.92.2 209.151.112.2
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\System32\mgabg.exe
StilettoRed
Regular Member
 
Posts: 34
Joined: January 30th, 2007, 7:31 pm

Unread postby Kimberly » March 8th, 2007, 1:09 am

Hello StilettoRed,

Thanks for the detailed report. Good to see that Safe Boot is working again. :)

Then realized both of these were part of method 2. Did I invalidate everything?

No it's ok, no worries.

Is that a new FindAWF log? I don't see the files replaced. Did you run cleanme.bat in Safe Mode as asked?

If not, boot into Safe Mode. Run cleanme.bat
Reboot in Normal Mode.
Use Deldomains.inf again (don't worry if error)
Use ResetProtocol.reg

Delete awf.txt and run FindAWF.exe again please. Post the log.

Kim
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am
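The FindAWF log above lists each file in a bak folder next to the same-named file one level up, and Kim's "I don't see the files replaced" is the check that the originals have been put back. As an added example that is not part of this thread or of FindAWF, the following Python reads the "Duplicate files of bak directory contents" section and reports, per live file, whether it has been restored; the sample report is constructed from the lines posted above, and the size comparison (live copies all 38412 bytes, backups larger) is the only criterion it uses.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input: lines from the "Duplicate files of bak directory
# contents" section of the FindAWF report posted above (sizes/paths as posted).
SAMPLE_REPORT = r"""
Duplicate files of bak directory contents
3322920 Sep 13 2005 "C:\Program Files\picasa2-setup-1884.exe"
249927 Oct 3 2006 "C:\Program Files\Picasa2\bak\PicasaMediaDetector.exe"
38412 Jan 18 2007 "C:\Program Files\QuickTime\qttask.exe"
98304 May 24 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
38412 Jan 18 2007 "C:\WINNT\system32\tbctray.exe"
290816 May 17 2002 "C:\WINNT\system32\bak\tbctray.exe"
290816 May 17 2002 "C:\Ibmtools\Drivers\909Z06US\Drivers\WDM\TbcTray.exe"
38412 Jan 18 2007 "C:\WINNT\system32\PDesk\PDesk.exe"
622592 Aug 3 2001 "C:\WINNT\system32\PDesk\bak\PDesk.exe"
end of report
"""

# One file line of the report: <size> <Mon> <day> <year> "<path>"
LINE_RE = re.compile(r'^(\d+)\s+[A-Z][a-z]{2}\s+\d{1,2}\s+\d{4}\s+"(.+)"$')


def parse_entries(report):
    """Map lower-cased path -> (size, path as printed) for every file line."""
    entries = {}
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            size, path = int(m.group(1)), m.group(2)
            entries[str(PureWindowsPath(path)).lower()] = (size, path)
    return entries


def check_bak_restoration(report):
    """Pair each file in a bak folder with the same-named file one level up:
    'restored' (same size as the backup), 'still replaced' (sizes differ; here
    the 38412-byte live copies) or 'not listed' (no live counterpart in report)."""
    entries = parse_entries(report)
    status = {}
    for bak_size, bak_path in entries.values():
        p = PureWindowsPath(bak_path)
        if p.parent.name.lower() != "bak":
            continue  # not a backup copy, skip
        live = p.parent.parent / p.name
        live_entry = entries.get(str(live).lower())
        if live_entry is None:
            status[str(live)] = "not listed"
        elif live_entry[0] == bak_size:
            status[str(live)] = "restored"
        else:
            status[str(live)] = "still replaced"
    return status


def common_stub_size(report):
    """Size shared by all 'still replaced' live files (None if none or mixed)."""
    entries = parse_entries(report)
    sizes = {entries[path.lower()][0]
             for path, st in check_bak_restoration(report).items()
             if st == "still replaced"}
    return sizes.pop() if len(sizes) == 1 else None
```

Run against a fresh awf.txt, every line should read "restored" once the cleanup has worked; any "still replaced" entry is a file whose original is still sitting in its bak folder.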