Browser popups and slow computer, HJT log. Please help.

Post by bashdogg » October 6th, 2007, 2:36 am

Hello,
The last few days, while I'm using Firefox, Internet Explorer windows keep popping up with ad sites. Just today Firefox started doing the same thing with the pop-ups.
I've run a few different ad-ware scanning programs - Spyware Doctor, Spybot S&D, Ad-Aware SE - with no success.
It is also no surprise that, since the pop-ups started, my computer is also running very slow and giving me program errors every once in a while.
I would appreciate any help I can get. The HijackThis log is posted below. Thanks!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\mgrs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Moose\Desktop\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://desktop.google.com/uninstall-feedback.html?hl=en
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0778AC78-B626-491B-B5C9-B3CF02B6B2D3} - C:\Program Files\ComPlus Applications\savejop4444.dll
O2 - BHO: (no name) - {4403F104-9DB5-46CC-8DC4-740DFF2A3923} - C:\Program Files\ComPlus Applications\savejop83122.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5634BD64-1AFE-42CC-B59A-7AE5B99C0701} - C:\WINDOWS\system32\sysinv32.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\tacdmfar.dll
O2 - BHO: (no name) - {8FB585F6-EDE9-4CBD-AB7C-0342130E0AF8} - C:\WINDOWS\system32\vtsts.dll
O2 - BHO: BndDrive2 BHO Class - {8FB5B012-E8CB-46cd-B6D2-ED428FAE9043} - C:\Program Files\ISM\BndDrive5.dll (file missing)
O2 - BHO: (no name) - {A4877148-AAC4-45FF-B3BE-0A987A28C85D} - C:\WINDOWS\system32\ddcyx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: 0 - {AE99C290-5A6E-44BB-6DB7-A202954600DD} - C:\Program Files\Windows Media Player\wohucaqug.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B73C5A69-1314-4306-94A4-7899406023DE} - C:\WINDOWS\system32\pmkjk.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: (no name) - {cbfed6dd-a49b-454b-b704-932962a2569a} - C:\WINDOWS\system32\etlkege.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\uxvdrcsg.dll",sitypnow
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) -
O20 - Winlogon Notify: hggffcd - C:\WINDOWS\SYSTEM32\hggffcd.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows Media Player\baqyqykefs.html

--
bashdogg
Active Member
 
Posts: 9
Joined: October 6th, 2007, 2:08 am

Post by Trogan » October 7th, 2007, 1:26 pm

Hi bashdogg!

Your computer is heavily infected, and you don't even have an Anti-Virus or Firewall program. :(

Please download one Firewall from the list below - They are Free!

Comodo
Zone Alarm
Sunbelt Kerio PF
Outpost Firewall

Please download one Anti-Virus from the list below - They are Free!

AntiVir << I recommend this
AVG Free Edition
avast! 4 Home Edition

Run a Full Scan with your chosen Anti-Virus and allow it to clean whatever it finds.

Post back a new HijackThis log, including the header which you didn't post initially. Depending on the version you are using, it should look like this:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:25, on 2007-10-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Post by bashdogg » October 8th, 2007, 12:49 am

Hi Trogan! Thanks for the links to the firewall and anti-virus programs. I ran Avira AntiVir and cleaned a bunch of stuff off and I am currently running ZoneAlarm firewall.
Here is my new HJT log, with the header. Thanks for your time and effort.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:40:06 PM, on 10/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Moose\Desktop\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://desktop.google.com/uninstall-feedback.html?hl=en
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0778AC78-B626-491B-B5C9-B3CF02B6B2D3} - C:\Program Files\ComPlus Applications\savejop4444.dll
O2 - BHO: (no name) - {4403F104-9DB5-46CC-8DC4-740DFF2A3923} - C:\Program Files\ComPlus Applications\savejop83122.dll
O2 - BHO: (no name) - {4AEEAE20-0AAA-40A2-AA8B-D2BE76B42302} - C:\WINDOWS\system32\ddayy.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5634BD64-1AFE-42CC-B59A-7AE5B99C0701} - C:\WINDOWS\system32\sysinv32.dll (file missing)
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\tacdmfar.dll (file missing)
O2 - BHO: (no name) - {8FB585F6-EDE9-4CBD-AB7C-0342130E0AF8} - C:\WINDOWS\system32\vtsts.dll (file missing)
O2 - BHO: BndDrive2 BHO Class - {8FB5B012-E8CB-46cd-B6D2-ED428FAE9043} - C:\Program Files\ISM\BndDrive5.dll (file missing)
O2 - BHO: (no name) - {A4877148-AAC4-45FF-B3BE-0A987A28C85D} - C:\WINDOWS\system32\ddcyx.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: 0 - {AE99C290-5A6E-44BB-6DB7-A202954600DD} - C:\Program Files\Windows Media Player\wohucaqug.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: (no name) - {cbfed6dd-a49b-454b-b704-932962a2569a} - C:\WINDOWS\system32\etlkege.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) -
O20 - Winlogon Notify: hggffcd - C:\WINDOWS\SYSTEM32\hggffcd.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\ofahjofu.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows Media Player\baqyqykefs.html

--
End of file - 7235 bytes
bashdogg
Active Member
 
Posts: 9
Joined: October 6th, 2007, 2:08 am
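The two HijackThis logs above show the kind of entries a helper looks at first: O2 BHOs with "(no name)" and a random-looking DLL in system32, entries that became "(file missing)" after the AntiVir scan (the DLL is gone but the registry reference remains), an O4 autorun that launches rundll32.exe against a DLL export, an O4 that names only "mgrs.exe" with no path, an O20 Winlogon Notify DLL, an O23 service with "Unknown owner", and an O24 Active Desktop component backed by an HTML file. The script below is an added example, not code from this forum or from HijackThis, that parses lines in HJT log format and applies those structural heuristics; the sample lines are copied from the logs in this thread, and the tag names, REASONS text and the heuristics themselves are my own choices, not rules published by the tool.

```python
import re
from collections import Counter, namedtuple

# Constructed sample input: entries in HijackThis (HJT) log format, copied
# from the logs posted in this thread. A real log has many more lines.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5634BD64-1AFE-42CC-B59A-7AE5B99C0701} - C:\WINDOWS\system32\sysinv32.dll
O2 - BHO: (no name) - {A4877148-AAC4-45FF-B3BE-0A987A28C85D} - C:\WINDOWS\system32\ddcyx.dll (file missing)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\uxvdrcsg.dll",sitypnow
O4 - HKLM\..\Run: [smgr] mgrs.exe
O20 - Winlogon Notify: hggffcd - C:\WINDOWS\SYSTEM32\hggffcd.dll
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\ofahjofu.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows Media Player\baqyqykefs.html
"""

# Short tags for each heuristic (my own naming) and the reason a helper would give.
REASONS = {
    "file-missing": "registry entry points at a file that no longer exists (orphan)",
    "unnamed-bho": "Browser Helper Object registered without a name",
    "rundll32-export": "autorun uses rundll32.exe to call an export of a DLL",
    "bare-filename": "autorun gives only a file name, resolved through the search path",
    "winlogon-notify": "DLL loaded into winlogon.exe at logon; verify it belongs to a known package",
    "unknown-owner": "service with no publisher recorded",
    "desktop-html": "Active Desktop component backed by a local HTML file",
}

Finding = namedtuple("Finding", "line code tag entry")

# Every HJT entry starts with its section code (R0, R1, O2, O4, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")


def check_entry(code, body):
    """Return the heuristic tags that apply to one HJT entry."""
    tags = []
    if body.endswith("(file missing)"):
        tags.append("file-missing")
    if code == "O2" and body.startswith("BHO: (no name)"):
        tags.append("unnamed-bho")
    if code == "O4" and "] " in body:
        command = body.split("] ", 1)[1]          # text after the [value name]
        if command.lower().startswith("rundll32.exe"):
            tags.append("rundll32-export")
        elif "\\" not in command:
            tags.append("bare-filename")
    if code == "O20":
        tags.append("winlogon-notify")
    if code == "O23" and "- Unknown owner -" in body:
        tags.append("unknown-owner")
    if code == "O24" and body.lower().endswith(".html"):
        tags.append("desktop-html")
    return tags


def triage_hjt(text):
    """Scan an HJT log and return one Finding per (entry, tag) pair, in log order."""
    findings = []
    for line_no, line in enumerate(text.strip().splitlines(), 1):
        match = ENTRY_RE.match(line.strip())
        if not match:
            continue  # header, process list and blank lines are not entries
        code, body = match.group("code"), match.group("body")
        for tag in check_entry(code, body):
            findings.append(Finding(line_no, code, tag, line.strip()))
    return findings


def summarize(findings):
    """Count findings per HJT section code, e.g. {'O2': 3, 'O4': 2, ...}."""
    return dict(Counter(f.code for f in findings))


if __name__ == "__main__":
    results = triage_hjt(SAMPLE_LOG)
    for f in results:
        print(f"line {f.line:2d} [{f.code:>3}] {f.tag}: {REASONS[f.tag]}\n    {f.entry}")
    print(summarize(results))
```

The rules are structural on purpose: a "random-looking name" test such as counting vowels would also trip on legitimate entries in this same log (SynTPEnh.exe has one vowel), so the script flags what the registry entry does rather than how the file is spelled, and leaves the final call to a human reading the full log, as Trogan does here.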

Post by Trogan » October 8th, 2007, 7:07 am

Hi bashdogg,

Please do the following...

1. Please download ComboFix to your Desktop.
  • Double-click on ComboFix.exe & follow the prompts.
  • When the scan has finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

2. You are using an old version of HijackThis. Please uninstall HijackThis from Add/Remove in Control Panel.

Then download and install the latest version, HJTInstall.exe, to your Desktop.
  • Double-click HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch HijackThis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
  • Save the log to a convenient location as you'll need to post it soon.
  • Don't use the Analyse This button; its findings are dangerous if misinterpreted.
  • Don't have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

3. I need to see another log from HijackThis.
  • Run HijackThis.
  • Click on Open the Misc Tools section.
  • Next click on Open uninstall manager.
  • Press the Save list button.
  • Save the file to your desktop, with the default name of uninstall_list.
  • Copy & paste the entire contents of that file in your next post.

4. Please post the following...

Uninstall list
ComboFix log
New HijackThis log
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London
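The ComboFix log requested above has a "Files Created" section listing, for the last 30 days, one file or directory per line as date, time, size (or <DIR>), a nine-character attribute string and the path. Two things a helper reads off it are hidden+system files dropped into system32 (the .bak1/.bak2/.ini2 files in this thread's log) and batches of files created in the same minute, which usually belong to one installer or one dropper. The script below is an added example, not part of this forum or of ComboFix; the sample lines are copied from the log posted in this thread, and the reading of the attribute letters d, a, h and s as directory, archive, hidden and system is my assumption (the usual DOS attribute letters), not something this page documents. It handles the "Files Created" layout only, not the differently formatted "Find3M Report" lines.

```python
import re
from collections import defaultdict, namedtuple

# Constructed sample input: lines in the layout of ComboFix's "Files Created"
# section, copied from the log posted in this thread (a real section is longer).
SAMPLE_SECTION = r"""
2007-10-08 11:01 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-07 11:51 <DIR> d-------- C:\Program Files\Avira
2007-10-07 11:31 6,473 ---hs---- C:\WINDOWS\system32\yyadd.bak1
2007-10-05 19:56 6,465 ---hs---- C:\WINDOWS\system32\kjkmp.bak1
2007-10-05 09:56 1,514,497 ---hs---- C:\WINDOWS\system32\ststv.bak2
2007-10-03 23:30 89,088 --a------ C:\WINDOWS\system32\Shreder.dll
2007-10-03 23:30 6,144 --a------ C:\WINDOWS\system32\SuperRes.dll
2007-10-03 23:30 591,872 --a------ C:\WINDOWS\system32\context.dll
2007-10-03 23:30 <DIR> d-------- C:\Program Files\SuperLogix
2007-10-03 18:18 1,516,478 ---hs---- C:\WINDOWS\system32\xycdd.ini2
2007-10-02 11:46 <DIR> d--hs---- C:\WINDOWS\TW9vc2U
2007-10-02 11:44 <DIR> d-------- C:\WINDOWS\system32\ss9
2007-10-02 11:44 <DIR> d-------- C:\WINDOWS\system32\rev1
2007-10-02 11:44 <DIR> d-------- C:\WINDOWS\system32\ep1
2007-10-02 11:43 36,352 --a------ C:\WINDOWS\system32\hggffcd.dll
2007-10-02 11:43 <DIR> d-------- C:\WINDOWS\system32\vMW02a
"""

Entry = namedtuple("Entry", "date time size attrs path")

# date, time, size-or-<DIR>, nine attribute characters, then the path.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d) (?P<time>\d\d:\d\d)\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$"
)


def parse_section(text):
    """Parse 'Files Created' lines into Entry tuples; size is None for directories."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section banners, dots and blank lines
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(m["date"], m["time"], size, m["attrs"], m["path"]))
    return entries


def is_directory(entry):
    # Assumption: leading 'd' in the attribute column marks a directory.
    return entry.attrs.startswith("d")


def hidden_system_entries(entries):
    """Entries carrying both the hidden and system attributes (assumed letters h and s)."""
    return [e for e in entries if "h" in e.attrs and "s" in e.attrs]


def creation_clusters(entries, min_size=3):
    """Group entries by creation minute; return only groups of at least min_size."""
    groups = defaultdict(list)
    for e in entries:
        groups[f"{e.date} {e.time}"].append(e.path)
    return {stamp: paths for stamp, paths in groups.items() if len(paths) >= min_size}


if __name__ == "__main__":
    parsed = parse_section(SAMPLE_SECTION)
    print("hidden+system entries:")
    for e in hidden_system_entries(parsed):
        kind = "dir " if is_directory(e) else "file"
        print(f"  {kind} {e.date} {e.time} {e.attrs} {e.path}")
    print("files created in the same minute:")
    for stamp, paths in sorted(creation_clusters(parsed).items()):
        print(f"  {stamp}: {len(paths)} entries")
        for p in paths:
            print(f"    {p}")
```

Neither list is a verdict on its own: the 23:30 batch here is a normal application install, while the hidden+system .bak and .ini2 files in system32 are what a helper would cross-reference against the BHO entries in the HijackThis log before deciding what to remove.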

Post by bashdogg » October 8th, 2007, 3:13 pm

Hi Trogan,
Here are the logs from all three actions you requested...


ComboFix

ComboFix 07-10-07.2 - Moose 2007-10-08 11:06:41.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.186 [GMT -7:00]
Running from: C:\Documents and Settings\Moose\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\Program Files\ComPlus Applications\savejop4444.dll
C:\Program Files\ComPlus Applications\savejop83122.dll
C:\Program Files\folder.js\
C:\Program Files\ini.ini\
C:\Program Files\TTC.dll
C:\Program Files\Windows Media Player\baqyqykefs.html
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\etlkege.dll
C:\WINDOWS\system32\z12

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-09-08 to 2007-10-08 )))))))))))))))))))))))))))))))
.

2007-10-08 11:01 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-07 12:33 5,773,344 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-07 11:51 <DIR> d-------- C:\Program Files\Avira
2007-10-07 11:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-10-07 11:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-10-07 11:45 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-10-07 11:45 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-10-07 11:45 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-10-07 11:43 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-10-07 11:43 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-10-07 11:42 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-10-07 11:31 6,473 ---hs---- C:\WINDOWS\system32\yyadd.bak1
2007-10-05 19:56 6,465 ---hs---- C:\WINDOWS\system32\kjkmp.bak1
2007-10-05 19:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-05 18:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-05 18:25 6,465 ---hs---- C:\WINDOWS\system32\bbadd.bak1
2007-10-05 18:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-05 17:57 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-05 17:07 <DIR> d---s---- C:\Documents and Settings\Moose\UserData
2007-10-05 09:56 1,514,497 ---hs---- C:\WINDOWS\system32\ststv.bak2
2007-10-04 21:08 269,824 --a------ C:\WINDOWS\system32\baksm.dll
2007-10-03 23:32 0 --a------ C:\WINDOWS\system32\suupdate.dat
2007-10-03 23:32 0 --a------ C:\WINDOWS\system32\mssurun.dat
2007-10-03 23:31 43,936 --a------ C:\WINDOWS\system32\drivers\HWFProt.sys
2007-10-03 23:31 <DIR> d-------- C:\WINDOWS\system32\IOSUBSYS
2007-10-03 23:30 89,088 --a------ C:\WINDOWS\system32\Shreder.dll
2007-10-03 23:30 73,728 --a------ C:\WINDOWS\system32\smh.dat
2007-10-03 23:30 6,144 --a------ C:\WINDOWS\system32\SuperRes.dll
2007-10-03 23:30 591,872 --a------ C:\WINDOWS\system32\context.dll
2007-10-03 23:30 42 --a------ C:\WINDOWS\system32\vb6sock.dll
2007-10-03 23:30 269,824 --a------ C:\WINDOWS\system32\supermenuhook.dll
2007-10-03 23:30 269,824 --a------ C:\WINDOWS\system32\baksm.dat
2007-10-03 23:30 2,281,472 --a------ C:\WINDOWS\system32\vbsbak.dat
2007-10-03 23:30 <DIR> d-------- C:\Program Files\SuperLogix
2007-10-03 18:18 1,516,478 ---hs---- C:\WINDOWS\system32\xycdd.ini2
2007-10-03 16:30 1,515,894 ---hs---- C:\WINDOWS\system32\xycdd.bak2
2007-10-02 20:52 6,473 ---hs---- C:\WINDOWS\system32\ghkmp.bak1
2007-10-02 12:20 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-02 12:19 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-02 11:47 36,352 --a------ C:\WINDOWS\system32\qomjklj.dll
2007-10-02 11:46 <DIR> d--hs---- C:\WINDOWS\TW9vc2U
2007-10-02 11:46 <DIR> d-------- C:\Program Files\Temporary
2007-10-02 11:44 <DIR> d-------- C:\WINDOWS\system32\ss9
2007-10-02 11:44 <DIR> d-------- C:\WINDOWS\system32\rev1
2007-10-02 11:44 <DIR> d-------- C:\WINDOWS\system32\ep1
2007-10-02 11:44 <DIR> d-------- C:\WINDOWS\system32\abc2
2007-10-02 11:44 <DIR> d-------- C:\Program Files\ISM2
2007-10-02 11:43 36,352 --a------ C:\WINDOWS\system32\hggffcd.dll
2007-10-02 11:43 <DIR> d-------- C:\WINDOWS\system32\vMW02a
2007-10-02 11:43 <DIR> d-------- C:\Temp\xOe
2007-10-02 11:43 <DIR> d-------- C:\Temp
2007-10-01 22:44 <DIR> d-------- C:\Program Files\Adware Agent
2007-09-11 22:58 <DIR> d-------- C:\Program Files\OverDrive Media Console

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-08 11:34 68684 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-10-05 19:52 76 --a------ C:\Program Files\ini.ini
2007-10-01 23:08 --------- d-------- C:\Program Files\Serials 2000 7.1 Plus
2007-08-30 22:03 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-30 22:03 --------- d-------- C:\Program Files\Oracle
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-06-14 02:22 2231 --a------ C:\Program Files\folder.js
2006-04-16 11:42 256 --a------ C:\Program Files\Install.log
2004-06-28 11:51 5398575 --a------ C:\Program Files\fcc32.exe
2004-06-24 13:41 1213 --a------ C:\Program Files\ReadMe.txt
2001-08-23 07:00 486400 --a------ C:\Program Files\dbghelp.dll
2001-04-03 13:41 49152 --a------ C:\Program Files\fcsmapi.dll
2006-03-19 19:20:34 104 --sh--r C:\WINDOWS\system32\B2E7A73324.sys
2006-03-19 19:20:44 6,580 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4AEEAE20-0AAA-40A2-AA8B-D2BE76B42302}]
C:\WINDOWS\system32\ddayy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5634BD64-1AFE-42CC-B59A-7AE5B99C0701}]
C:\WINDOWS\system32\sysinv32.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8FB585F6-EDE9-4CBD-AB7C-0342130E0AF8}]
C:\WINDOWS\system32\vtsts.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8FB5B012-E8CB-46cd-B6D2-ED428FAE9043}]
C:\Program Files\ISM\BndDrive5.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A4877148-AAC4-45FF-B3BE-0A987A28C85D}]
C:\WINDOWS\system32\ddcyx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE99C290-5A6E-44BB-6DB7-A202954600DD}]
C:\Program Files\Windows Media Player\wohucaqug.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 19:46]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 15:19]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-04 17:22]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 05:36]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-09-01 16:24]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-08-31 12:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-22 12:08]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-08-05 13:24:46]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-08-05 13:24:46]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-01-28 23:40:38]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{178D4E6A-BA5A-4ECB-8521-F7B8393FDB97}"= C:\WINDOWS\system32\hggffcd.dll [2007-10-02 11:43 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggffcd]
hggffcd.dll 2007-10-02 11:43 36352 C:\WINDOWS\system32\hggffcd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\tsitra1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
"C:\Program Files\Spyware Doctor\SDTrayApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchIndexer]
rundll32.exe "C:\WINDOWS\system32\myyriqpr.dll",sitypnow

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Super Utilities]
C:\Program Files\SuperLogix\Super Utilities\SuperUtil.exe /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"NICCONFIGSVC"=2 (0x2)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"DomainService"=2 (0x2)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)

R0 HWFProt;Hywave File Protector HWFProt;C:\WINDOWS\system32\Drivers\HWFProt.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{49dc885a-dbf7-11db-a4bf-00142297d2da}]
AutoRun\command- F:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-10-02 17:18:46 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-08 11:49:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-08 11:55:01 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-08 11:54
.
--- E O F ---

HJT Log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:00:18 PM, on 10/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Avira\AntiVir PersonalEdition Classic\update.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avnotify.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://desktop.google.com/uninstall-feedback.html?hl=en
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4AEEAE20-0AAA-40A2-AA8B-D2BE76B42302} - C:\WINDOWS\system32\ddayy.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5634BD64-1AFE-42CC-B59A-7AE5B99C0701} - C:\WINDOWS\system32\sysinv32.dll (file missing)
O2 - BHO: (no name) - {8FB585F6-EDE9-4CBD-AB7C-0342130E0AF8} - C:\WINDOWS\system32\vtsts.dll (file missing)
O2 - BHO: BndDrive2 BHO Class - {8FB5B012-E8CB-46cd-B6D2-ED428FAE9043} - C:\Program Files\ISM\BndDrive5.dll (file missing)
O2 - BHO: (no name) - {A4877148-AAC4-45FF-B3BE-0A987A28C85D} - C:\WINDOWS\system32\ddcyx.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: 0 - {AE99C290-5A6E-44BB-6DB7-A202954600DD} - C:\Program Files\Windows Media Player\wohucaqug.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) -
O20 - Winlogon Notify: hggffcd - C:\WINDOWS\SYSTEM32\hggffcd.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe (file missing)

--
End of file - 6621 bytes


Uninstall List

Ad-Aware 2007
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player Plugin
Adobe Photoshop 5.5
Adobe Photoshop 7.0
Adobe Reader 7.0.8
AOLIcon
Avid Codecs LE
Avira AntiVir PersonalEdition Classic
BitTornado 0.3.7
Broadcom 802.11 Wireless LAN Adapter
Broadcom Management Programs
Broadcom Wireless Utility
Conexant HDA D110 MDC V.92 Modem
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Support 3.1
Digital Content Portal
Digital Line Detect
DivX Web Player
ELIcon
ExamView Pro
FirstClass® Client
FLAC 1.1.4b (remove only)
GiPo@MoveOnBoot 1.9.5
Google AFE
Google Earth
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Intel(R) Graphics Media Accelerator Driver for Mobile
Internal Network Card Power Management
iPod for Windows 2006-03-23
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
Jimmy Sokoban 1.5 Demo
Kazaa Lite K++ v2.4.3
Kazaa Lite Resurrection 0.0.7.6 F
K-Lite Mega Codec Pack 1.53
Learn2 Player (Uninstall Only)
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Office Standard Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Modem Helper
Mozilla Firefox (2.0.0.7)
MSN Messenger 7.5
Musicmatch for Windows Media Player
Nero 6 Ultra Edition
NetWaiting
Oracle JInitiator 1.3.1.22
OverDrive Media Console
PodUtil 3.0.2
PowerDVD 5.5
QuickSet
QuickTime
Risk WarZone Client
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Serials 2000 7.1+
SimCity 2000® Special Edition
Spybot - Search & Destroy
Super Utilities Pro 7.66
Synaptics Pointing Device Driver
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
WarZone Client
Webshots Desktop
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
WinRAR archiver
ZoneAlarm



Thanks again. Let me know what's next!
bashdogg
Active Member
 
Posts: 9
Joined: October 6th, 2007, 2:08 am

Unread postby Trogan » October 8th, 2007, 3:56 pm

Hi bashdogg,

I see you have P2P programs on your computer. Any time you are running any type of P2P application, you are FAR more prone to infection by malware. Your current infections are likely due to P2P use. At the VERY LEAST, please refrain from using any p2p programs while we are cleaning your computer.

Please do the following...

1. Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 3.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement."
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove the following...
    • Java 2 Runtime Environment, SE v1.4.2_03
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.
2. Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: (no name) - {4AEEAE20-0AAA-40A2-AA8B-D2BE76B42302} - C:\WINDOWS\system32\ddayy.dll (file missing)
O2 - BHO: (no name) - {5634BD64-1AFE-42CC-B59A-7AE5B99C0701} - C:\WINDOWS\system32\sysinv32.dll (file missing)
O2 - BHO: (no name) - {8FB585F6-EDE9-4CBD-AB7C-0342130E0AF8} - C:\WINDOWS\system32\vtsts.dll (file missing)
O2 - BHO: BndDrive2 BHO Class - {8FB5B012-E8CB-46cd-B6D2-ED428FAE9043} - C:\Program Files\ISM\BndDrive5.dll (file missing)
O2 - BHO: (no name) - {A4877148-AAC4-45FF-B3BE-0A987A28C85D} - C:\WINDOWS\system32\ddcyx.dll (file missing)
O2 - BHO: 0 - {AE99C290-5A6E-44BB-6DB7-A202954600DD} - C:\Program Files\Windows Media Player\wohucaqug.dll (file missing)

O20 - Winlogon Notify: hggffcd - C:\WINDOWS\SYSTEM32\hggffcd.dll


- Close ALL open windows (especially Internet Explorer!)
- Click Fix Checked
- Close HijackThis

3. Run HijackThis again and click on Open the Misc Tools section.
Click on Delete a file on reboot...
Copy and paste the following into the "File name:" text box and then click Open:

C:\WINDOWS\SYSTEM32\hggffcd.dll

When you are asked "Do you want to restart your computer now?", click OK.

Your PC MUST reboot to delete the file!

4. You may wish to Print or Save the following instructions, as the internet will not be available once in Safe Mode!

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
Once in Safe Mode:

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Do not automatically generate reports
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      [screenshot of the results window showing the numbered buttons (1) to (4); image not included]
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot back into Normal Mode and post a new HijackThis log, along with the AVG Anti-Spyware log.
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London
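
As an added example (not code from the thread, the helper, or HijackThis itself), here is a small Python triage script that applies the reading used in the reply above to HJT log lines: O2 BHOs whose DLL is missing or unnamed, an O20 Winlogon Notify DLL with a random-looking name, an orphaned O23 service and an empty R0 page setting. The severity labels and the "random-looking name" heuristic are assumptions made here, and the sample lines are constructed from the kinds of entries posted in this thread.

```python
"""Triage helper for HijackThis (HJT) v2 log lines.

Added example for this thread, not a tool from MalwareRemoval.com or Trend Micro.
It encodes the reading applied in the reply above: O2 BHO entries whose DLL is
missing or unnamed, and an O20 Winlogon Notify DLL with a random-looking name,
are the lines a helper asks to have fixed. The severity labels and the
"random-looking name" heuristic are assumptions made here, not HJT output.
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(
    r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*?)"
    r"(?P<missing> \(file missing\))?$"
)
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
SERVICE_RE = re.compile(
    r"^Service: (?P<desc>.*?) - (?P<owner>.*?) - (?P<path>.*?)"
    r"(?P<missing> \(file missing\))?$"
)
REG_RE = re.compile(r"^(?P<key>.*?)\s*=\s*(?P<value>.*)$")
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

# Constructed sample input: a handful of lines in HJT v2 format, taken from the
# kinds of entries posted in this thread. Not a complete log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4AEEAE20-0AAA-40A2-AA8B-D2BE76B42302} - C:\WINDOWS\system32\ddayy.dll (file missing)
O2 - BHO: BndDrive2 BHO Class - {8FB5B012-E8CB-46cd-B6D2-ED428FAE9043} - C:\Program Files\ISM\BndDrive5.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O20 - Winlogon Notify: hggffcd - C:\WINDOWS\SYSTEM32\hggffcd.dll
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe (file missing)
"""


@dataclass
class Finding:
    section: str
    severity: str
    reason: str
    line: str


def looks_random(name: str) -> bool:
    """Assumed heuristic: six or more letters with no vowel at all (e.g. 'hggffcd')."""
    letters = re.sub(r"[^A-Za-z]", "", name)
    return len(letters) >= 6 and re.search(r"[aeiouAEIOU]", letters) is None


def triage_line(line: str):
    """Classify one HJT line; returns a Finding, or None when nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section == "O2":
        b = BHO_RE.match(body)
        if b and b.group("missing"):
            return Finding(section, "high",
                           "BHO registered for a DLL that no longer exists: orphaned loader entry", line)
        if b and b.group("name") in ("(no name)", "0"):
            return Finding(section, "medium",
                           "unnamed BHO: identify the DLL's publisher before trusting it", line)
    elif section == "O20":
        n = NOTIFY_RE.match(body)
        if n and looks_random(n.group("key")):
            return Finding(section, "high",
                           "Winlogon Notify DLL with a random-looking name, loaded at every logon", line)
        if n:
            return Finding(section, "medium",
                           "Winlogon Notify DLL: confirm it belongs to Windows or a known vendor", line)
    elif section == "O23":
        s = SERVICE_RE.match(body)
        if s and s.group("missing"):
            return Finding(section, "low",
                           "service whose binary is missing: leftover from removed software", line)
    elif section in ("R0", "R1"):
        r = REG_RE.match(body)
        if r and not r.group("value"):
            return Finding(section, "low",
                           "empty Internet Explorer page setting: harmless, fix only to tidy up", line)
    return None


def triage(log_text: str) -> list:
    """All findings for a log, most serious first (log order kept within a level)."""
    findings = [f for f in map(triage_line, log_text.splitlines()) if f is not None]
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

Feed a full HJT log to `triage()` and the three lines the helper asked to have fixed come out on top, while the orphaned Dell service and the empty Local Page value are correctly ranked as tidy-up items.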

Unread postby bashdogg » October 9th, 2007, 12:53 pm

Okay Trogan, I've done all those things. Here are my log files...

HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:44:16 AM, on 10/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://desktop.google.com/uninstall-feedback.html?hl=en
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) -
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe (file missing)

--
End of file - 5413 bytes


AVG Spyware Log

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:07:54 AM 10/9/2007

+ Scan result:



C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP451\A0044440.exe -> Adware.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP452\A0044474.dll -> Adware.CommAd : Cleaned with backup (quarantined).
C:\Documents and Settings\Moose\Local Settings\Temporary Internet Files\Content.IE5\60KG8T7T\ucleaner_setup[1].exe -> Adware.UltimateDefender : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP458\A0048711.exe -> Adware.UltimateDefender : Cleaned with backup (quarantined).
C:\Documents and Settings\Moose\Local Settings\Temporary Internet Files\Content.IE5\R6N771J4\s2f[1].exe -> Downloader.Alphabet.aa : Cleaned with backup (quarantined).
C:\Program Files\folder.js -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP458\A0048707.exe -> Not-A-Virus.Downloader.Win32.Agent.q : Cleaned with backup (quarantined).
C:\Documents and Settings\Moose\Local Settings\Temporary Internet Files\Content.IE5\60KG8T7T\SystemDoctor2006FreeInstall[1].cab/USDR6_0001_D19M2108NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.q : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP452\A0044463.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup (quarantined).
:mozilla.264:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.50:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\qrm1luvx.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.51:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\qrm1luvx.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.53:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.54:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.55:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.56:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Moose\Cookies\moose@homestore.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Moose\Cookies\moose@www.abcsearch[1].txt -> TrackingCookie.Abcsearch : Cleaned.
C:\Documents and Settings\Moose\Cookies\moose@roi.admarketplace[1].txt -> TrackingCookie.Admarketplace : Cleaned.
C:\Documents and Settings\Moose\Cookies\moose@roi.admarketplace[2].txt -> TrackingCookie.Admarketplace : Cleaned.
C:\Documents and Settings\Moose\Cookies\moose@media.adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Pheff\Cookies\pheff@media.adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Moose\Cookies\moose@www.adtrak[2].txt -> TrackingCookie.Adtrak : Cleaned.
:mozilla.43:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\qrm1luvx.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.48:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\qrm1luvx.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.49:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\qrm1luvx.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Pheff\Cookies\pheff@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.23:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\qrm1luvx.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.43:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Moose\Cookies\moose@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Moose\Cookies\moose@atdmt[3].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Pheff\Cookies\pheff@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.699:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned.
:mozilla.688:C:\Documents and Settings\Pheff\Application Data\Mozilla\Firefox\Profiles\vk83uit3.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.625:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned.
:mozilla.340:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.22:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\qrm1luvx.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Moose\Cookies\moose@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Moose\Cookies\moose@enhance[2].txt -> TrackingCookie.Enhance : Cleaned.
:mozilla.608:C:\Documents and Settings\Pheff\Application Data\Mozilla\Firefox\Profiles\vk83uit3.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.609:C:\Documents and Settings\Pheff\Application Data\Mozilla\Firefox\Profiles\vk83uit3.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.370:C:\Documents and Settings\Pheff\Application Data\Mozilla\Firefox\Profiles\vk83uit3.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Moose\Cookies\moose@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Moose\Cookies\moose@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned.
C:\Documents and Settings\Moose\Cookies\moose@goclick[2].txt -> TrackingCookie.Goclick : Cleaned.
:mozilla.400:C:\Documents and Settings\Pheff\Application Data\Mozilla\Firefox\Profiles\vk83uit3.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
C:\Documents and Settings\Moose\Cookies\moose@counter.hitslink[1].txt -> TrackingCookie.Hitslink : Cleaned.
:mozilla.469:C:\Documents and Settings\Pheff\Application Data\Mozilla\Firefox\Profiles\vk83uit3.default\cookies.txt -> TrackingCookie.Information : Cleaned.
:mozilla.406:C:\Documents and Settings\Pheff\Application Data\Mozilla\Firefox\Profiles\vk83uit3.default\cookies.txt -> TrackingCookie.Live : Cleaned.
:mozilla.407:C:\Documents and Settings\Pheff\Application Data\Mozilla\Firefox\Profiles\vk83uit3.default\cookies.txt -> TrackingCookie.Live : Cleaned.
:mozilla.408:C:\Documents and Settings\Pheff\Application Data\Mozilla\Firefox\Profiles\vk83uit3.default\cookies.txt -> TrackingCookie.Live : Cleaned.
:mozilla.668:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.669:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.670:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.81:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Moose\Cookies\moose@overture[1].txt -> TrackingCookie.Overture : Cleaned.
:mozilla.148:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.440:C:\Documents and Settings\Pheff\Application Data\Mozilla\Firefox\Profiles\vk83uit3.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\Moose\Cookies\moose@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.24:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.25:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.26:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.27:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.28:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.29:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.36:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.37:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.38:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Moose\Cookies\moose@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.107:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.112:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.113:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.115:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.211:C:\Documents and Settings\Pheff\Application Data\Mozilla\Firefox\Profiles\vk83uit3.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.212:C:\Documents and Settings\Pheff\Application Data\Mozilla\Firefox\Profiles\vk83uit3.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.216:C:\Documents and Settings\Pheff\Application Data\Mozilla\Firefox\Profiles\vk83uit3.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.217:C:\Documents and Settings\Pheff\Application Data\Mozilla\Firefox\Profiles\vk83uit3.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.218:C:\Documents and Settings\Pheff\Application Data\Mozilla\Firefox\Profiles\vk83uit3.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.219:C:\Documents and Settings\Pheff\Application Data\Mozilla\Firefox\Profiles\vk83uit3.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.220:C:\Documents and Settings\Pheff\Application Data\Mozilla\Firefox\Profiles\vk83uit3.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.221:C:\Documents and Settings\Pheff\Application Data\Mozilla\Firefox\Profiles\vk83uit3.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.222:C:\Documents and Settings\Pheff\Application Data\Mozilla\Firefox\Profiles\vk83uit3.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.223:C:\Documents and Settings\Pheff\Application Data\Mozilla\Firefox\Profiles\vk83uit3.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.224:C:\Documents and Settings\Pheff\Application Data\Mozilla\Firefox\Profiles\vk83uit3.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.225:C:\Documents and Settings\Pheff\Application Data\Mozilla\Firefox\Profiles\vk83uit3.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.226:C:\Documents and Settings\Pheff\Application Data\Mozilla\Firefox\Profiles\vk83uit3.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.227:C:\Documents and Settings\Pheff\Application Data\Mozilla\Firefox\Profiles\vk83uit3.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.228:C:\Documents and Settings\Pheff\Application Data\Mozilla\Firefox\Profiles\vk83uit3.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.229:C:\Documents and Settings\Pheff\Application Data\Mozilla\Firefox\Profiles\vk83uit3.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.230:C:\Documents and Settings\Pheff\Application Data\Mozilla\Firefox\Profiles\vk83uit3.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.231:C:\Documents and Settings\Pheff\Application Data\Mozilla\Firefox\Profiles\vk83uit3.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.409:C:\Documents and Settings\Pheff\Application Data\Mozilla\Firefox\Profiles\vk83uit3.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.44:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\qrm1luvx.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.45:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\qrm1luvx.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.46:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\qrm1luvx.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.47:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\qrm1luvx.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Moose\Cookies\moose@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned.
:mozilla.108:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.109:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.110:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.111:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.114:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.265:C:\Documents and Settings\Pheff\Application Data\Mozilla\Firefox\Profiles\vk83uit3.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.266:C:\Documents and Settings\Pheff\Application Data\Mozilla\Firefox\Profiles\vk83uit3.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.267:C:\Documents and Settings\Pheff\Application Data\Mozilla\Firefox\Profiles\vk83uit3.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.286:C:\Documents and Settings\Pheff\Application Data\Mozilla\Firefox\Profiles\vk83uit3.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Moose\Cookies\moose@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned.
C:\Documents and Settings\Pheff\Cookies\pheff@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned.
:mozilla.204:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.205:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.206:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.207:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.208:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.209:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.210:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.82:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.97:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.98:C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Moose\Cookies\moose@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Moose\Cookies\moose@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP452\A0044461.dll -> Trojan.BHO.b : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP460\A0051021.exe -> Trojan.BHO.b : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP452\A0044462.vbs -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP452\A0044470.vbs -> Trojan.Small : Cleaned with backup (quarantined).


::Report end


Thanks again. Let me know what's next!
bashdogg
Active Member
 
Posts: 9
Joined: October 6th, 2007, 2:08 am

Unread post by Trogan » October 9th, 2007, 2:03 pm

Looking much better! :)

Can you run a new scan with ComboFix and post its log please.
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Unread post by bashdogg » October 9th, 2007, 3:33 pm

Good to hear! Here's the new combofix log

ComboFix 07-10-07.2 - Moose 2007-10-09 12:08:08.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.242 [GMT -7:00]
Running from: C:\Documents and Settings\Moose\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\ini.ini\

.
((((((((((((((((((((((((( Files Created from 2007-09-09 to 2007-10-09 )))))))))))))))))))))))))))))))
.

2007-10-08 23:55 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-08 11:59 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-08 11:01 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-07 12:33 5,894,176 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-07 11:51 <DIR> d-------- C:\Program Files\Avira
2007-10-07 11:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-10-07 11:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-10-07 11:45 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-10-07 11:45 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-10-07 11:45 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-10-07 11:43 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-10-07 11:43 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-10-07 11:42 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-10-07 11:31 6,473 ---hs---- C:\WINDOWS\system32\yyadd.bak1
2007-10-05 19:56 6,465 ---hs---- C:\WINDOWS\system32\kjkmp.bak1
2007-10-05 19:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-05 18:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-05 18:25 6,465 ---hs---- C:\WINDOWS\system32\bbadd.bak1
2007-10-05 18:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-05 17:57 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-05 17:07 <DIR> d---s---- C:\Documents and Settings\Moose\UserData
2007-10-05 09:56 1,514,497 ---hs---- C:\WINDOWS\system32\ststv.bak2
2007-10-04 21:08 269,824 --a------ C:\WINDOWS\system32\baksm.dll
2007-10-03 23:32 0 --a------ C:\WINDOWS\system32\suupdate.dat
2007-10-03 23:32 0 --a------ C:\WINDOWS\system32\mssurun.dat
2007-10-03 23:31 43,936 --a------ C:\WINDOWS\system32\drivers\HWFProt.sys
2007-10-03 23:31 <DIR> d-------- C:\WINDOWS\system32\IOSUBSYS
2007-10-03 23:30 89,088 --a------ C:\WINDOWS\system32\Shreder.dll
2007-10-03 23:30 73,728 --a------ C:\WINDOWS\system32\smh.dat
2007-10-03 23:30 6,144 --a------ C:\WINDOWS\system32\SuperRes.dll
2007-10-03 23:30 591,872 --a------ C:\WINDOWS\system32\context.dll
2007-10-03 23:30 42 --a------ C:\WINDOWS\system32\vb6sock.dll
2007-10-03 23:30 269,824 --a------ C:\WINDOWS\system32\supermenuhook.dll
2007-10-03 23:30 269,824 --a------ C:\WINDOWS\system32\baksm.dat
2007-10-03 23:30 2,281,472 --a------ C:\WINDOWS\system32\vbsbak.dat
2007-10-03 23:30 <DIR> d-------- C:\Program Files\SuperLogix
2007-10-03 18:18 1,516,478 ---hs---- C:\WINDOWS\system32\xycdd.ini2
2007-10-03 16:30 1,515,894 ---hs---- C:\WINDOWS\system32\xycdd.bak2
2007-10-02 20:52 6,473 ---hs---- C:\WINDOWS\system32\ghkmp.bak1
2007-10-02 12:20 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-02 12:19 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-02 11:46 <DIR> d--hs---- C:\WINDOWS\TW9vc2U
2007-10-02 11:46 <DIR> d-------- C:\Program Files\Temporary
2007-10-02 11:44 <DIR> d-------- C:\WINDOWS\system32\ss9
2007-10-02 11:44 <DIR> d-------- C:\WINDOWS\system32\rev1
2007-10-02 11:44 <DIR> d-------- C:\WINDOWS\system32\ep1
2007-10-02 11:44 <DIR> d-------- C:\WINDOWS\system32\abc2
2007-10-02 11:44 <DIR> d-------- C:\Program Files\ISM2
2007-10-02 11:43 <DIR> d-------- C:\WINDOWS\system32\vMW02a
2007-10-02 11:43 <DIR> d-------- C:\Temp\xOe
2007-10-02 11:43 <DIR> d-------- C:\Temp
2007-10-01 22:44 <DIR> d-------- C:\Program Files\Adware Agent
2007-10-01 22:23 <DIR> d-------- C:\Documents and Settings\Moose\Application Data\AdwareAlert
2007-09-11 22:58 <DIR> d-------- C:\Program Files\OverDrive Media Console
2007-09-11 22:58 <DIR> d-------- C:\Documents and Settings\Moose\Application Data\OverDrive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-09 00:01 69740 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-10-08 23:18 --------- d-------- C:\Program Files\Google
2007-10-08 23:02 --------- d-------- C:\Documents and Settings\All Users\Application Data\Google
2007-10-05 19:52 76 --a------ C:\Program Files\ini.ini
2007-10-02 13:06 --------- d-------- C:\Documents and Settings\Moose\Application Data\U3
2007-10-01 23:08 --------- d-------- C:\Program Files\Serials 2000 7.1 Plus
2007-10-01 22:18 --------- d--h----- C:\Documents and Settings\Moose\Application Data\Move Networks
2007-09-01 18:17 --------- d-------- C:\Documents and Settings\Moose\Application Data\Google
2007-08-30 22:03 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-30 22:03 --------- d-------- C:\Program Files\Oracle
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2006-04-16 11:42 256 --a------ C:\Program Files\Install.log
2004-06-28 11:51 5398575 --a------ C:\Program Files\fcc32.exe
2004-06-24 13:41 1213 --a------ C:\Program Files\ReadMe.txt
2001-08-23 07:00 486400 --a------ C:\Program Files\dbghelp.dll
2001-04-03 13:41 49152 --a------ C:\Program Files\fcsmapi.dll
2006-03-19 19:20:34 104 --sh--r C:\WINDOWS\system32\B2E7A73324.sys
2006-03-19 19:20:44 6,580 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2007-10-08_11.53.22.90 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 135,168 2007-09-25 05:30:28 C:\WINDOWS\system32\java.exe
----a-w 135,168 2007-09-25 05:30:30 C:\WINDOWS\system32\javaw.exe
----a-w 139,264 2007-09-25 06:31:42 C:\WINDOWS\system32\javaws.exe
.
----a-w 24,681 2003-11-19 22:36:26 C:\WINDOWS\system32\java.exe
----a-w 28,779 2003-11-19 22:36:30 C:\WINDOWS\system32\javaw.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 19:46]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 15:19]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-04 17:22]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 05:36]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-09-01 16:24]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-08-31 12:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

C:\Documents and Settings\Pheff\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2006-02-03 00:43:16]

C:\Documents and Settings\Moose\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2006-02-03 00:43:16]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-08-05 13:24:46]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-08-05 13:24:46]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-01-28 23:40:38]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{178D4E6A-BA5A-4ECB-8521-F7B8393FDB97}"= C:\WINDOWS\system32\hggffcd.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\tsitra1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
"C:\Program Files\Spyware Doctor\SDTrayApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchIndexer]
rundll32.exe "C:\WINDOWS\system32\myyriqpr.dll",sitypnow

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Super Utilities]
C:\Program Files\SuperLogix\Super Utilities\SuperUtil.exe /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"NICCONFIGSVC"=2 (0x2)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"DomainService"=2 (0x2)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)

R0 HWFProt;Hywave File Protector HWFProt;C:\WINDOWS\system32\Drivers\HWFProt.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{49dc885a-dbf7-11db-a4bf-00142297d2da}]
AutoRun\command- F:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-10-02 17:18:46 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-09 12:19:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-09 12:24:21
C:\ComboFix-quarantined-files.txt ... 2007-10-09 12:24
C:\ComboFix2.txt ... 2007-10-08 11:55
.
--- E O F ---
bashdogg
Active Member
 
Posts: 9
Joined: October 6th, 2007, 2:08 am

Unread post by Trogan » October 9th, 2007, 6:00 pm

Hi bashdogg! Well, there is still some work to do.

Please do the following...

1. I'd need you to scan some files...
  • Go to VirusTotal
  • Copy and paste the following file path into the Search Box in the middle of the page:
  • C:\WINDOWS\system32\supermenuhook.dll
  • Now, click on the Send File button
  • Save a copy of the Anti-Virus results. Post the results in your next reply.
Do the same for the following file:

C:\WINDOWS\system32\baksm.dll

2. Open Notepad and copy/paste the text in the Quote Box below into it:

File::
C:\WINDOWS\system32\yyadd.bak1
C:\WINDOWS\system32\kjkmp.bak1
C:\WINDOWS\system32\bbadd.bak1
C:\WINDOWS\system32\ststv.bak2
C:\WINDOWS\system32\xycdd.ini2
C:\WINDOWS\system32\xycdd.bak2
C:\WINDOWS\system32\ghkmp.bak1
C:\Program Files\ini.ini
C:\WINDOWS\system32\B2E7A73324.sys
C:\WINDOWS\system32\hggffcd.dll
C:\WINDOWS\tsitra1000106.exe
C:\WINDOWS\system32\myyriqpr.dll

Folder::
C:\WINDOWS\TW9vc2U
C:\WINDOWS\system32\ss9
C:\WINDOWS\system32\rev1
C:\WINDOWS\system32\ep1
C:\WINDOWS\system32\abc2
C:\Program Files\ISM2
C:\Program Files\ISM
C:\WINDOWS\system32\vMW02a
C:\Temp\xOe
C:\Program Files\Adware Agent
C:\Documents and Settings\Moose\Application Data\AdwareAlert

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{178D4E6A-BA5A-4ECB-8521-F7B8393FDB97}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchIndexer]


Save this as CFScript.txt to your Desktop

Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log and the VirusTotal results.
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London
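The CFScript above was built by hand from the ComboFix "Files Created" section: the helper picked out the hidden+system files with numbered .bak/.ini extensions in system32 and the hidden+system folder under C:\WINDOWS. The following is an added example, not code from this thread or from ComboFix, that turns that triage into a repeatable check. It parses ComboFix-style lines (date, time, size or <DIR>, attribute field, path), applies two heuristics that are my own assumptions rather than ComboFix rules, and emits the File::/Folder:: sections in the CFScript layout used in the post. The sample input is constructed from log lines posted earlier in this thread. Anything it flags still needs a person to look at it before it goes into a script; the point is to make the reasoning behind the hand-picked list explicit and testable.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: entries copied from the ComboFix "Files Created"
# section posted earlier in this thread, so the checks can run offline.
SAMPLE_LOG = r"""
2007-10-08 23:55 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-08 11:59 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-07 12:33 5,894,176 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-07 11:45 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-10-07 11:31 6,473 ---hs---- C:\WINDOWS\system32\yyadd.bak1
2007-10-05 19:56 6,465 ---hs---- C:\WINDOWS\system32\kjkmp.bak1
2007-10-05 09:56 1,514,497 ---hs---- C:\WINDOWS\system32\ststv.bak2
2007-10-03 18:18 1,516,478 ---hs---- C:\WINDOWS\system32\xycdd.ini2
2007-10-03 23:30 269,824 --a------ C:\WINDOWS\system32\supermenuhook.dll
2007-10-02 11:46 <DIR> d--hs---- C:\WINDOWS\TW9vc2U
2007-10-02 11:44 <DIR> d-------- C:\WINDOWS\system32\ss9
""".strip()

# One "Files Created" line: date, time, byte size (with thousands separators)
# or <DIR>, a 9-character attribute field, then the path.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]  # None for directories
    attrs: str           # attribute field as printed, e.g. "---hs----"
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs


def parse_files_created(text: str) -> List[Entry]:
    """Parse ComboFix 'Files Created' lines; anything else is skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(m["date"], m["time"], size, m["attrs"], m["path"]))
    return entries


# Assumed heuristics, modelled on what was scripted for removal in this thread.
ODD_EXT_RE = re.compile(r"\.(bak|ini)\d$", re.IGNORECASE)


def reason_to_flag(e: Entry) -> Optional[str]:
    parent, _, name = e.path.rpartition("\\")
    parent_l = parent.lower()
    if not e.is_dir and parent_l == r"c:\windows\system32":
        if e.hidden and e.system and ODD_EXT_RE.search(name):
            return "hidden+system file with numbered .bak/.ini extension in system32"
    if e.is_dir and e.hidden and e.system and parent_l == r"c:\windows":
        return "hidden+system directory created directly under C:\\WINDOWS"
    return None


def triage(text: str) -> List[Tuple[Entry, str]]:
    """Return (entry, reason) pairs for every line a heuristic matches."""
    flagged = []
    for e in parse_files_created(text):
        reason = reason_to_flag(e)
        if reason:
            flagged.append((e, reason))
    return flagged


def to_cfscript(flagged: List[Tuple[Entry, str]]) -> str:
    """Lay the flagged paths out in the File::/Folder:: form used by CFScript.txt."""
    files = [e.path for e, _ in flagged if not e.is_dir]
    folders = [e.path for e, _ in flagged if e.is_dir]
    out: List[str] = []
    if files:
        out += ["File::", *files, ""]
    if folders:
        out += ["Folder::", *folders]
    return "\n".join(out)


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"{entry.attrs} {entry.path}  <- {why}")
    print()
    print(to_cfscript(triage(SAMPLE_LOG)))
```

Run against the sample, it flags the four .bak/.ini files and the TW9vc2U folder and leaves the ZoneAlarm hidden files (fidbox.dat under drivers, zllictbl.dat without the system bit) alone, which matches the list in the post. The attribute rule is deliberately narrow; the load-point entries in the script (the ShellExecuteHooks DLL, runner1, SearchIndexer) came from the "Reg Loading Points" section, not from file attributes, and are not covered by this parser.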

Unread post by bashdogg » October 9th, 2007, 7:44 pm

Okay, here are the logs...

HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:37:55 PM, on 10/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://desktop.google.com/uninstall-feedback.html?hl=en
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) -
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe (file missing)

--
End of file - 5323 bytes



Combofix Log

ComboFix 07-10-07.2 - Moose 2007-10-09 16:10:28.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.208 [GMT -7:00]
Running from: C:\Documents and Settings\Moose\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Moose\Desktop\CFScript.txt

FILE::
C:\Program Files\ini.ini
C:\WINDOWS\system32\B2E7A73324.sys
C:\WINDOWS\system32\bbadd.bak1
C:\WINDOWS\system32\ghkmp.bak1
C:\WINDOWS\system32\hggffcd.dll
C:\WINDOWS\system32\kjkmp.bak1
C:\WINDOWS\system32\myyriqpr.dll
C:\WINDOWS\system32\ststv.bak2
C:\WINDOWS\system32\xycdd.bak2
C:\WINDOWS\system32\xycdd.ini2
C:\WINDOWS\system32\yyadd.bak1
C:\WINDOWS\tsitra1000106.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Moose\Application Data\AdwareAlert
C:\Documents and Settings\Moose\Application Data\AdwareAlert\Log\2007 Oct 01 - 10_23_44 PM_812.log
C:\Documents and Settings\Moose\Application Data\AdwareAlert\Log\2007 Oct 01 - 10_23_51 PM_781.log
C:\Documents and Settings\Moose\Application Data\AdwareAlert\Log\2007 Oct 01 - 10_49_30 PM_328.log
C:\Documents and Settings\Moose\Application Data\AdwareAlert\Log\2007 Oct 01 - 10_49_52 PM_093.log
C:\Documents and Settings\Moose\Application Data\AdwareAlert\Log\2007 Oct 02 - 10_18_45 AM_234.log
C:\Documents and Settings\Moose\Application Data\AdwareAlert\rs.dat
C:\Documents and Settings\Moose\Application Data\AdwareAlert\Settings\CustomScan.stg
C:\Documents and Settings\Moose\Application Data\AdwareAlert\Settings\IgnoreList.stg
C:\Documents and Settings\Moose\Application Data\AdwareAlert\Settings\ScanInfo.stg
C:\Documents and Settings\Moose\Application Data\AdwareAlert\Settings\ScanResults.stg
C:\Documents and Settings\Moose\Application Data\AdwareAlert\Settings\SelectedFolders.stg
C:\Documents and Settings\Moose\Application Data\AdwareAlert\Settings\Settings.stg
C:\Program Files\Adware Agent
C:\Program Files\Adware Agent\aa.tmp.20
C:\Program Files\Adware Agent\programs.txt
C:\Program Files\Adware Agent\startup.txt
C:\Program Files\ini.ini
C:\Program Files\ini.ini\
C:\Program Files\ISM2
C:\Program Files\ISM2\dictionary.gz
C:\Program Files\ISM2\ISMPack6.exe
C:\Program Files\ISM2\targets.gz
C:\Temp\xOe
C:\Temp\xOe\tOasF.log
C:\WINDOWS\system32\abc2
C:\WINDOWS\system32\B2E7A73324.sys
C:\WINDOWS\system32\bbadd.bak1
C:\WINDOWS\system32\ep1
C:\WINDOWS\system32\ghkmp.bak1
C:\WINDOWS\system32\kjkmp.bak1
C:\WINDOWS\system32\rev1
C:\WINDOWS\system32\rev1\gbb83122.exe
C:\WINDOWS\system32\ss9
C:\WINDOWS\system32\ststv.bak2
C:\WINDOWS\system32\vMW02a
C:\WINDOWS\system32\xycdd.bak2
C:\WINDOWS\system32\xycdd.ini2
C:\WINDOWS\system32\yyadd.bak1
C:\WINDOWS\TW9vc2U

.
((((((((((((((((((((((((( Files Created from 2007-09-09 to 2007-10-09 )))))))))))))))))))))))))))))))
.

2007-10-08 23:55 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-08 11:59 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-08 11:01 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-07 12:33 5,926,944 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-07 11:51 <DIR> d-------- C:\Program Files\Avira
2007-10-07 11:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-10-07 11:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-10-07 11:45 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-10-07 11:45 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-10-07 11:45 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-10-07 11:43 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-10-07 11:43 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-10-07 11:42 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-10-05 19:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-05 18:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-05 18:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-05 17:57 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-05 17:07 <DIR> d---s---- C:\Documents and Settings\Moose\UserData
2007-10-04 21:08 269,824 --a------ C:\WINDOWS\system32\baksm.dll
2007-10-03 23:32 0 --a------ C:\WINDOWS\system32\suupdate.dat
2007-10-03 23:32 0 --a------ C:\WINDOWS\system32\mssurun.dat
2007-10-03 23:31 43,936 --a------ C:\WINDOWS\system32\drivers\HWFProt.sys
2007-10-03 23:31 <DIR> d-------- C:\WINDOWS\system32\IOSUBSYS
2007-10-03 23:30 89,088 --a------ C:\WINDOWS\system32\Shreder.dll
2007-10-03 23:30 73,728 --a------ C:\WINDOWS\system32\smh.dat
2007-10-03 23:30 6,144 --a------ C:\WINDOWS\system32\SuperRes.dll
2007-10-03 23:30 591,872 --a------ C:\WINDOWS\system32\context.dll
2007-10-03 23:30 42 --a------ C:\WINDOWS\system32\vb6sock.dll
2007-10-03 23:30 269,824 --a------ C:\WINDOWS\system32\supermenuhook.dll
2007-10-03 23:30 269,824 --a------ C:\WINDOWS\system32\baksm.dat
2007-10-03 23:30 2,281,472 --a------ C:\WINDOWS\system32\vbsbak.dat
2007-10-03 23:30 <DIR> d-------- C:\Program Files\SuperLogix
2007-10-02 12:20 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-02 12:19 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-02 11:46 <DIR> d-------- C:\Program Files\Temporary
2007-10-02 11:43 <DIR> d-------- C:\Temp
2007-09-11 22:58 <DIR> d-------- C:\Program Files\OverDrive Media Console
2007-09-11 22:58 <DIR> d-------- C:\Documents and Settings\Moose\Application Data\OverDrive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-09 00:01 69740 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-10-08 23:18 --------- d-------- C:\Program Files\Google
2007-10-08 23:02 --------- d-------- C:\Documents and Settings\All Users\Application Data\Google
2007-10-02 13:06 --------- d-------- C:\Documents and Settings\Moose\Application Data\U3
2007-10-01 23:08 --------- d-------- C:\Program Files\Serials 2000 7.1 Plus
2007-10-01 22:18 --------- d--h----- C:\Documents and Settings\Moose\Application Data\Move Networks
2007-09-01 18:17 --------- d-------- C:\Documents and Settings\Moose\Application Data\Google
2007-08-30 22:03 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-30 22:03 --------- d-------- C:\Program Files\Oracle
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2006-04-16 11:42 256 --a------ C:\Program Files\Install.log
2004-06-28 11:51 5398575 --a------ C:\Program Files\fcc32.exe
2004-06-24 13:41 1213 --a------ C:\Program Files\ReadMe.txt
2001-08-23 07:00 486400 --a------ C:\Program Files\dbghelp.dll
2001-04-03 13:41 49152 --a------ C:\Program Files\fcsmapi.dll
2006-03-19 19:20:44 6,580 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2007-10-08_11.53.22.90 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 135,168 2007-09-25 05:30:28 C:\WINDOWS\system32\java.exe
----a-w 135,168 2007-09-25 05:30:30 C:\WINDOWS\system32\javaw.exe
----a-w 139,264 2007-09-25 06:31:42 C:\WINDOWS\system32\javaws.exe
.
----a-w 24,681 2003-11-19 22:36:26 C:\WINDOWS\system32\java.exe
----a-w 28,779 2003-11-19 22:36:30 C:\WINDOWS\system32\javaw.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 19:46]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 15:19]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-04 17:22]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 05:36]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-09-01 16:24]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-08-31 12:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

C:\Documents and Settings\Pheff\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2006-02-03 00:43:16]

C:\Documents and Settings\Moose\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2006-02-03 00:43:16]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-08-05 13:24:46]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-08-05 13:24:46]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-01-28 23:40:38]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
"C:\Program Files\Spyware Doctor\SDTrayApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Super Utilities]
C:\Program Files\SuperLogix\Super Utilities\SuperUtil.exe /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"NICCONFIGSVC"=2 (0x2)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"DomainService"=2 (0x2)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)

R0 HWFProt;Hywave File Protector HWFProt;C:\WINDOWS\system32\Drivers\HWFProt.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{49dc885a-dbf7-11db-a4bf-00142297d2da}]
AutoRun\command- F:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-10-02 17:18:46 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-09 16:19:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-09 16:24:52
C:\ComboFix-quarantined-files.txt ... 2007-10-09 16:24
C:\ComboFix2.txt ... 2007-10-09 12:24
C:\ComboFix3.txt ... 2007-10-08 11:55
.
--- E O F ---


Virustotal logs

Results for C:\WINDOWS\system32\supermenuhook.dll

Antivirus Version Last Update Result
AhnLab-V3 2007.10.10.0 2007.10.09 -
AntiVir 7.6.0.20 2007.10.09 -
Authentium 4.93.8 2007.10.09 -
Avast 4.7.1051.0 2007.10.09 -
AVG 7.5.0.488 2007.10.09 -
BitDefender 7.2 2007.10.10 -
CAT-QuickHeal 9.00 2007.10.09 -
ClamAV 0.91.2 2007.10.09 -
DrWeb 4.44.0.09170 2007.10.09 -
eSafe 7.0.15.0 2007.10.09 -
eTrust-Vet 31.2.5199 2007.10.10 -
Ewido 4.0 2007.10.09 -
FileAdvisor 1 2007.10.10 -
Fortinet 3.11.0.0 2007.10.09 -
F-Prot 4.3.2.48 2007.10.09 -
F-Secure 6.70.13030.0 2007.10.09 -
Ikarus T3.1.1.12 2007.10.09 -
Kaspersky 7.0.0.125 2007.10.10 -
McAfee 5137 2007.10.09 -
Microsoft 1.2908 2007.10.10 -
NOD32v2 2582 2007.10.09 -
Norman 5.80.02 2007.10.09 -
Panda 9.0.0.4 2007.10.09 -
Prevx1 V2 2007.10.10 -
Rising 19.44.12.00 2007.10.09 -
Sophos 4.22.0 2007.10.09 -
Sunbelt 2.2.907.0 2007.10.10 -
Symantec 10 2007.10.09 -
TheHacker 6.2.6.080 2007.10.09 -
VBA32 3.12.2.4 2007.10.08 -
VirusBuster 4.3.26:9 2007.10.09 -
Webwasher-Gateway 6.0.1 2007.10.09 Win32.Malware.gen!84 (suspicious)
Additional information
File size: 269824 bytes
MD5: 26a1592c74a90cfeadf3b00265b2e585
SHA1: 8fd5201c7b793e02782c4b2cb5db081f942dde12
packers: Aspack
packers: ASPack




Results for C:\WINDOWS\system32\baksm.dll

Antivirus Version Last Update Result
AhnLab-V3 2007.10.10.0 2007.10.09 -
AntiVir 7.6.0.20 2007.10.09 -
Authentium 4.93.8 2007.10.09 -
Avast 4.7.1051.0 2007.10.09 -
AVG 7.5.0.488 2007.10.09 -
BitDefender 7.2 2007.10.10 -
CAT-QuickHeal 9.00 2007.10.09 -
ClamAV 0.91.2 2007.10.09 -
DrWeb 4.44.0.09170 2007.10.09 -
eSafe 7.0.15.0 2007.10.09 -
eTrust-Vet 31.2.5199 2007.10.10 -
Ewido 4.0 2007.10.09 -
FileAdvisor 1 2007.10.10 -
Fortinet 3.11.0.0 2007.10.09 -
F-Prot 4.3.2.48 2007.10.09 -
F-Secure 6.70.13030.0 2007.10.09 -
Ikarus T3.1.1.12 2007.10.09 -
Kaspersky 7.0.0.125 2007.10.10 -
McAfee 5137 2007.10.09 -
Microsoft 1.2908 2007.10.10 -
NOD32v2 2582 2007.10.09 -
Norman 5.80.02 2007.10.09 -
Panda 9.0.0.4 2007.10.09 -
Prevx1 V2 2007.10.10 -
Rising 19.44.12.00 2007.10.09 -
Sophos 4.22.0 2007.10.09 -
Sunbelt 2.2.907.0 2007.10.10 -
Symantec 10 2007.10.10 -
TheHacker 6.2.6.080 2007.10.09 -
VBA32 3.12.2.4 2007.10.08 -
VirusBuster 4.3.26:9 2007.10.09 -
Webwasher-Gateway 6.0.1 2007.10.09 Win32.Malware.gen!84 (suspicious)
Additional information
File size: 269824 bytes
MD5: 26a1592c74a90cfeadf3b00265b2e585
SHA1: 8fd5201c7b793e02782c4b2cb5db081f942dde12
packers: Aspack
packers: ASPack


Thanks!
bashdogg
Active Member
 
Posts: 9
Joined: October 6th, 2007, 2:08 am

Unread postby Trogan » October 9th, 2007, 9:04 pm

Hi bashdogg! Just a little left to do now.

Please do the following...

1. Click Start > Run > type in appwiz.cpl and hit enter. From the list uninstall the following, if present:

Adobe Reader 7.0.8

2. Now download the latest version of Adobe Reader

3. Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

- Close ALL open windows (especially Internet Explorer!)
- Click Fix Checked
- Close HijackThis

4. Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases

  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.

5. Please post the Kaspersky report, along with a new HijackThis log.
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Unread postby bashdogg » October 10th, 2007, 1:12 pm

Okay, here are the Kaspersky scan and a new HJT log. Thanks!


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, October 10, 2007 10:03:58 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/10/2007
Kaspersky Anti-Virus database records: 430253
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 59879
Number of viruses found: 3
Number of infected objects: 23
Number of suspicious objects: 0
Duration of the scan process: 09:37:03

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\cert8.db Object is locked skipped
C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\history.dat Object is locked skipped
C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\key3.db Object is locked skipped
C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\parent.lock Object is locked skipped
C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Moose\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Moose\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Moose\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Moose\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Moose\Local Settings\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Moose\Local Settings\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Moose\Local Settings\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Moose\Local Settings\Application Data\Mozilla\Firefox\Profiles\tgh0a4wu.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Moose\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Moose\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Moose\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Moose\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\qoobox\Quarantine\C\Program Files\ComPlus Applications\savejop4444.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\qoobox\Quarantine\C\Program Files\ComPlus Applications\savejop83122.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\qoobox\Quarantine\C\Program Files\TTC.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\rev1\gbb83122.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\rev1\gbb83122.exe.vir NSIS: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP452\A0044468.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP454\A0048544.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP454\A0048544.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP454\A0048547.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP457\A0048691.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP457\A0048691.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP458\A0048709.dll Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP458\A0048953.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP458\A0048953.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP458\A0048962.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP458\A0049953.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP458\A0049953.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP458\A0049959.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP460\A0051082.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP460\A0051083.dll Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP460\A0051086.dll Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP460\A0051088.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP460\A0051089.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP460\A0051090.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP460\A0051091.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP461\A0051145.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP461\A0051146.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP461\A0051147.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP464\A0051518.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP464\A0051518.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP466\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\LAPPY.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{D848F3CF-F778-465E-92EA-BBBF5AE61D93}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd3117.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT02480.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT024bb.TMP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:14 AM, on 10/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://desktop.google.com/uninstall-feedback.html?hl=en
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) -
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe (file missing)

--
End of file - 5423 bytes
bashdogg
Active Member
 
Posts: 9
Joined: October 6th, 2007, 2:08 am
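
Why a report with "Number of infected objects: 23" can still be read as clean: every hit above sits either under C:\qoobox\Quarantine (ComboFix's quarantine folder) or inside a System Restore snapshot under System Volume Information, never at a live path. The "Object is locked skipped" lines are registry hives, event logs and browser databases that are open while Windows runs, not detections. The following Python is an added example written for this page, not code from Kaspersky, ComboFix or the forum; it parses object lines in the report format shown above and groups detections by where the object lives. The sample lines are copied from the report above plus one constructed path (PLACEHOLDER_live.dll, not present on the page) so the "live" bucket is exercised.

```python
import re
from collections import Counter

# Constructed sample: object lines copied from the Kaspersky Online Scanner
# report in the thread above, plus one made-up path (PLACEHOLDER_live.dll,
# not present on the page) so the "live" bucket is exercised.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Moose\NTUSER.DAT Object is locked skipped
C:\qoobox\Quarantine\C\Program Files\TTC.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\rev1\gbb83122.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\rev1\gbb83122.exe.vir NSIS: infected - 1 skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP452\A0044468.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP458\A0048709.dll Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
C:\WINDOWS\system32\PLACEHOLDER_live.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
"""

# One report line is "<path> <verdict> <action>". The path may contain spaces,
# so it is matched lazily and the verdict must be one of the three shapes seen
# in the report: a locked object, a named detection, or an infected archive
# container ("NSIS: infected - 1") whose payload is reported on its own line.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:"
    r"(?P<locked>Object is locked)"
    r"|Infected: (?P<name>\S+)"
    r"|(?P<container>\S+: infected - \d+)"
    r") (?P<action>\S+)$"
)

CONTAINER = "(archive container)"


def classify_location(path: str) -> str:
    """Bucket a detection by where the flagged object lives."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantined"    # ComboFix's own quarantine folder
    if "\\system volume information\\_restore" in p:
        return "restore-point"  # System Restore snapshot, inert unless rolled back to
    return "live"


def triage(report_text: str) -> dict:
    """Parse the 'Infected Object Name / Virus Name / Last Action' lines."""
    summary = {
        "locked": 0,
        "quarantined": Counter(),
        "restore-point": Counter(),
        "live": Counter(),
        "unparsed": [],
    }
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            summary["unparsed"].append(line)
            continue
        if m.group("locked"):
            summary["locked"] += 1  # in-use system file, not a detection
            continue
        name = m.group("name") or CONTAINER
        summary[classify_location(m.group("path"))][name] += 1
    return summary


def distinct_threats(summary: dict) -> set:
    """Named detections across all buckets (what the report header counts as 'viruses found')."""
    names = set()
    for bucket in ("quarantined", "restore-point", "live"):
        names.update(summary[bucket])
    names.discard(CONTAINER)
    return names


def live_findings(summary: dict) -> list:
    """Detections that are neither quarantined nor inside a restore point."""
    return sorted(summary["live"].items())


if __name__ == "__main__":
    s = triage(SAMPLE_REPORT)
    print("locked/skipped (normal):", s["locked"])
    for bucket in ("quarantined", "restore-point", "live"):
        print(bucket, dict(s[bucket]))
    print("distinct threats:", sorted(distinct_threats(s)))
    print("needs attention:", bool(live_findings(s)))
```

Run against the full report above, the same grouping gives 23 detections, 3 distinct names (matching the report's own header counts), and an empty "live" bucket. Quarantine hits disappear with ComboFix's quarantine folder when ComboFix is removed, and restore-point hits only matter if that restore point is ever restored, which is why a scan that lists them does not contradict a clean HijackThis log.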

Unread postby Trogan » October 10th, 2007, 1:46 pm

Hi bashdogg,

Everything looks good now.

You can delete ComboFix, C:\ComboFix2.txt and C:\ComboFix3.txt.

How is the computer?
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Unread postby bashdogg » October 10th, 2007, 1:56 pm

Trogan, it's running much faster now - and with no pop-ups! I had no idea it took so many steps to debug all that stuff!

Thank you so much for taking the time to examine my logs and walk me through each step. I really appreciate all your patience.
I do have a question about some of the stuff I downloaded, though. I am running Avira AntiVir and Zone Alarm, but what about the other stuff that I downloaded, like Ad-aware, AVG, and ComboFix? Should I keep them installed? Thanks!
bashdogg
Active Member
 
Posts: 9
Joined: October 6th, 2007, 2:08 am