Problems with Spybot

Re: Problems with Spybot

Post by Fireman Sam » July 21st, 2008, 5:19 pm

SDFix: Version 1.207
Run by Darren on 21/07/2008 at 22:00

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\ADDAD32.EXE - Deleted
C:\WINDOWS\SYSTEM32\ADDGC32.EXE - Deleted
C:\WINDOWS\SYSTEM32\ADDGF32.EXE - Deleted
C:\WINDOWS\SYSTEM32\ADDGN32.EXE - Deleted
C:\WINDOWS\SYSTEM32\ADDOS.EXE - Deleted
C:\WINDOWS\SYSTEM32\ADDSY.EXE - Deleted
C:\WINDOWS\SYSTEM32\ADDTB32.EXE - Deleted
C:\WINDOWS\SYSTEM32\APIHK.EXE - Deleted
C:\WINDOWS\SYSTEM32\APIKT.EXE - Deleted
C:\WINDOWS\SYSTEM32\APIUH.EXE - Deleted
C:\WINDOWS\SYSTEM32\APPAN.EXE - Deleted
C:\WINDOWS\SYSTEM32\APPEK.EXE - Deleted
C:\WINDOWS\SYSTEM32\APPIX32.EXE - Deleted
C:\WINDOWS\SYSTEM32\APPNE.EXE - Deleted
C:\WINDOWS\SYSTEM32\APPUL32.EXE - Deleted
C:\WINDOWS\SYSTEM32\APPWN32.EXE - Deleted
C:\WINDOWS\SYSTEM32\ATLCR32.EXE - Deleted
C:\WINDOWS\SYSTEM32\ATLDQ.EXE - Deleted
C:\WINDOWS\SYSTEM32\ATLEW32.EXE - Deleted
C:\WINDOWS\SYSTEM32\ATLEY.EXE - Deleted
C:\WINDOWS\SYSTEM32\ATLIZ32.EXE - Deleted
C:\WINDOWS\SYSTEM32\ATLPB.EXE - Deleted
C:\WINDOWS\SYSTEM32\ATLTB.EXE - Deleted
C:\WINDOWS\SYSTEM32\ATLVP32.EXE - Deleted
C:\WINDOWS\SYSTEM32\ATLZQ.EXE - Deleted
C:\WINDOWS\SYSTEM32\ATLZW.EXE - Deleted
C:\WINDOWS\SYSTEM32\CRAR32.EXE - Deleted
C:\WINDOWS\SYSTEM32\CRCQ32.EXE - Deleted
C:\WINDOWS\SYSTEM32\CRDL.EXE - Deleted
C:\WINDOWS\SYSTEM32\CRNA32.EXE - Deleted
C:\WINDOWS\SYSTEM32\CRPB32.EXE - Deleted
C:\WINDOWS\SYSTEM32\D3CY.EXE - Deleted
C:\WINDOWS\SYSTEM32\D3KC32.EXE - Deleted
C:\WINDOWS\SYSTEM32\D3KQ32.EXE - Deleted
C:\WINDOWS\SYSTEM32\D3VA32.EXE - Deleted
C:\WINDOWS\SYSTEM32\D3ZR.EXE - Deleted
C:\WINDOWS\SYSTEM32\IEAO.EXE - Deleted
C:\WINDOWS\SYSTEM32\IEKG32.EXE - Deleted
C:\WINDOWS\SYSTEM32\IEKS32.EXE - Deleted
C:\WINDOWS\SYSTEM32\IENW32.EXE - Deleted
C:\WINDOWS\SYSTEM32\IEPB.EXE - Deleted
C:\WINDOWS\SYSTEM32\IESJ.EXE - Deleted
C:\WINDOWS\SYSTEM32\IPGL.EXE - Deleted
C:\WINDOWS\SYSTEM32\IPQC32.EXE - Deleted
C:\WINDOWS\SYSTEM32\IPRG.EXE - Deleted
C:\WINDOWS\SYSTEM32\IPVC.EXE - Deleted
C:\WINDOWS\SYSTEM32\IPWE.EXE - Deleted
C:\WINDOWS\SYSTEM32\JAVAAL.EXE - Deleted
C:\WINDOWS\SYSTEM32\JAVADG.EXE - Deleted
C:\WINDOWS\SYSTEM32\JAVAFT32.EXE - Deleted
C:\WINDOWS\SYSTEM32\JAVAJF.EXE - Deleted
C:\WINDOWS\SYSTEM32\JAVAKF.EXE - Deleted
C:\WINDOWS\SYSTEM32\JAVAVU.EXE - Deleted
C:\WINDOWS\SYSTEM32\JAVAZH32.EXE - Deleted
C:\WINDOWS\SYSTEM32\MFCAT.EXE - Deleted
C:\WINDOWS\SYSTEM32\MFCHY32.EXE - Deleted
C:\WINDOWS\SYSTEM32\MFCJQ.EXE - Deleted
C:\WINDOWS\SYSTEM32\MFCKH32.EXE - Deleted
C:\WINDOWS\SYSTEM32\MFCTF.EXE - Deleted
C:\WINDOWS\SYSTEM32\MFCTW32.EXE - Deleted
C:\WINDOWS\SYSTEM32\MFCXC.EXE - Deleted
C:\WINDOWS\SYSTEM32\MFCXC32.EXE - Deleted
C:\WINDOWS\SYSTEM32\MFCZU32.EXE - Deleted
C:\WINDOWS\SYSTEM32\MSDO32.EXE - Deleted
C:\WINDOWS\SYSTEM32\MSRC32.EXE - Deleted
C:\WINDOWS\SYSTEM32\MSVH32.EXE - Deleted
C:\WINDOWS\SYSTEM32\NETBR.EXE - Deleted
C:\WINDOWS\SYSTEM32\NETEL32.EXE - Deleted
C:\WINDOWS\SYSTEM32\NETKB.EXE - Deleted
C:\WINDOWS\SYSTEM32\NETKW32.EXE - Deleted
C:\WINDOWS\SYSTEM32\NETOX.EXE - Deleted
C:\WINDOWS\SYSTEM32\NETSE.EXE - Deleted
C:\WINDOWS\SYSTEM32\NETXA.EXE - Deleted
C:\WINDOWS\SYSTEM32\NTDD.EXE - Deleted
C:\WINDOWS\SYSTEM32\NTDW32.EXE - Deleted
C:\WINDOWS\SYSTEM32\NTIE32.EXE - Deleted
C:\WINDOWS\SYSTEM32\NTIW.EXE - Deleted
C:\WINDOWS\SYSTEM32\NTNG.EXE - Deleted
C:\WINDOWS\SYSTEM32\NTPD.EXE - Deleted
C:\WINDOWS\SYSTEM32\NTPJ32.EXE - Deleted
C:\WINDOWS\SYSTEM32\NTXL32.EXE - Deleted
C:\WINDOWS\SYSTEM32\SDKDZ.EXE - Deleted
C:\WINDOWS\SYSTEM32\SDKHP.EXE - Deleted
C:\WINDOWS\SYSTEM32\SDKRY32.EXE - Deleted
C:\WINDOWS\SYSTEM32\SDKSV32.EXE - Deleted
C:\WINDOWS\SYSTEM32\SYSCM32.EXE - Deleted
C:\WINDOWS\SYSTEM32\SYSFY32.EXE - Deleted
C:\WINDOWS\SYSTEM32\SYSMM.EXE - Deleted
C:\WINDOWS\SYSTEM32\SYSSL.EXE - Deleted
C:\WINDOWS\SYSTEM32\SYSYV.EXE - Deleted
C:\WINDOWS\SYSTEM32\WINGJ.EXE - Deleted
C:\WINDOWS\SYSTEM32\WINOC.EXE - Deleted
C:\WINDOWS\SYSTEM32\WINXK32.EXE - Deleted
C:\WINDOWS\SYSTEM32\YF.EXE - Deleted
C:\WINDOWS\ADDGS.EXE - Deleted
C:\WINDOWS\ADDMJ32.EXE - Deleted
C:\WINDOWS\ADDPY.EXE - Deleted
C:\WINDOWS\ADDRH.EXE - Deleted
C:\WINDOWS\ADDRI32.EXE - Deleted
C:\WINDOWS\ADDRT.EXE - Deleted
C:\WINDOWS\ADDZI.EXE - Deleted
C:\WINDOWS\APIFA.EXE - Deleted
C:\WINDOWS\APINO.EXE - Deleted
C:\WINDOWS\APIRK.EXE - Deleted
C:\WINDOWS\APISI32.EXE - Deleted
C:\WINDOWS\APPAW.EXE - Deleted
C:\WINDOWS\APPFB32.EXE - Deleted
C:\WINDOWS\APPFE32.EXE - Deleted
C:\WINDOWS\APPLH32.EXE - Deleted
C:\WINDOWS\APPLS32.EXE - Deleted
C:\WINDOWS\APPOM.EXE - Deleted
C:\WINDOWS\APPTG.EXE - Deleted
C:\WINDOWS\ATLHV.EXE - Deleted
C:\WINDOWS\ATLJM32.EXE - Deleted
C:\WINDOWS\ATLOX.EXE - Deleted
C:\WINDOWS\ATLTH.EXE - Deleted
C:\WINDOWS\ATLUK.EXE - Deleted
C:\WINDOWS\ATLZR.EXE - Deleted
C:\WINDOWS\CRAB32.EXE - Deleted
C:\WINDOWS\CRIX.EXE - Deleted
C:\WINDOWS\CROB.EXE - Deleted
C:\WINDOWS\CROL32.EXE - Deleted
C:\WINDOWS\CROR32.EXE - Deleted
C:\WINDOWS\CRRQ32.EXE - Deleted
C:\WINDOWS\CRWC.EXE - Deleted
C:\WINDOWS\D3AP32.EXE - Deleted
C:\WINDOWS\D3CY32.EXE - Deleted
C:\WINDOWS\D3HD32.EXE - Deleted
C:\WINDOWS\D3KM32.EXE - Deleted
C:\WINDOWS\D3NJ.EXE - Deleted
C:\WINDOWS\D3OS.EXE - Deleted
C:\WINDOWS\D3VD32.EXE - Deleted
C:\WINDOWS\D3VW32.EXE - Deleted
C:\WINDOWS\D3VX.EXE - Deleted
C:\WINDOWS\D3YX32.EXE - Deleted
C:\WINDOWS\IEMS.EXE - Deleted
C:\WINDOWS\IENM.EXE - Deleted
C:\WINDOWS\IEPQ.EXE - Deleted
C:\WINDOWS\IESJ32.EXE - Deleted
C:\WINDOWS\IETB32.EXE - Deleted
C:\WINDOWS\IEXU.EXE - Deleted
C:\WINDOWS\IEYG.EXE - Deleted
C:\WINDOWS\IPCG32.EXE - Deleted
C:\WINDOWS\IPCL32.EXE - Deleted
C:\WINDOWS\IPEN32.EXE - Deleted
C:\WINDOWS\IPLN.EXE - Deleted
C:\WINDOWS\IPSK32.EXE - Deleted
C:\WINDOWS\IPTI.EXE - Deleted
C:\WINDOWS\JAVAAV.EXE - Deleted
C:\WINDOWS\JAVALB32.EXE - Deleted
C:\WINDOWS\JAVALH.EXE - Deleted
C:\WINDOWS\JAVAQF.EXE - Deleted
C:\WINDOWS\JAVAYZ32.EXE - Deleted
C:\WINDOWS\MFCEH32.EXE - Deleted
C:\WINDOWS\MFCEQ32.EXE - Deleted
C:\WINDOWS\MFCHU32.EXE - Deleted
C:\WINDOWS\MFCID.EXE - Deleted
C:\WINDOWS\MFCNR32.EXE - Deleted
C:\WINDOWS\MFCQH32.EXE - Deleted
C:\WINDOWS\MFCSG32.EXE - Deleted
C:\WINDOWS\MFCSR.EXE - Deleted
C:\WINDOWS\MFCWJ32.EXE - Deleted
C:\WINDOWS\MFCYN.EXE - Deleted
C:\WINDOWS\MFCZK.EXE - Deleted
C:\WINDOWS\MFCZL.EXE - Deleted
C:\WINDOWS\MSGD.EXE - Deleted
C:\WINDOWS\MSKB.EXE - Deleted
C:\WINDOWS\MSQI.EXE - Deleted
C:\WINDOWS\MSWJ.EXE - Deleted
C:\WINDOWS\NETEX.EXE - Deleted
C:\WINDOWS\NETIK.EXE - Deleted
C:\WINDOWS\NETMJ.EXE - Deleted
C:\WINDOWS\NETOQ.EXE - Deleted
C:\WINDOWS\NETPK32.EXE - Deleted
C:\WINDOWS\NTDD32.EXE - Deleted
C:\WINDOWS\NTDO32.EXE - Deleted
C:\WINDOWS\NTIS32.EXE - Deleted
C:\WINDOWS\NTJF.EXE - Deleted
C:\WINDOWS\NTVQ.EXE - Deleted
C:\WINDOWS\NTXA32.EXE - Deleted
C:\WINDOWS\SDKAU32.EXE - Deleted
C:\WINDOWS\SDKDY.EXE - Deleted
C:\WINDOWS\SDKFC.EXE - Deleted
C:\WINDOWS\SDKIE.EXE - Deleted
C:\WINDOWS\SDKIY32.EXE - Deleted
C:\WINDOWS\SDKLL.EXE - Deleted
C:\WINDOWS\SDKLU32.EXE - Deleted
C:\WINDOWS\SDKLV.EXE - Deleted
C:\WINDOWS\SDKPF.EXE - Deleted
C:\WINDOWS\SDKUS.EXE - Deleted
C:\WINDOWS\SYSDU.EXE - Deleted
C:\WINDOWS\SYSFM.EXE - Deleted
C:\WINDOWS\SYSGX32.EXE - Deleted
C:\WINDOWS\SYSIS32.EXE - Deleted
C:\WINDOWS\SYSJF.EXE - Deleted
C:\WINDOWS\SYSRN32.EXE - Deleted
C:\WINDOWS\SYSSA32.EXE - Deleted
C:\WINDOWS\SYSSF.EXE - Deleted
C:\WINDOWS\SYSVZ32.EXE - Deleted
C:\WINDOWS\SYSWD32.EXE - Deleted
C:\WINDOWS\WINGO32.EXE - Deleted
C:\WINDOWS\WINMD.EXE - Deleted
C:\WINDOWS\WINOJ.EXE - Deleted
C:\WINDOWS\WINQW.EXE - Deleted
C:\WINDOWS\WINRX.EXE - Deleted
C:\WINDOWS\WINUR32.EXE - Deleted
C:\WINDOWS\WINUT.EXE - Deleted
C:\WINDOWS\system32\c.bat - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-21 22:06:51
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\lo-2062960390.exe"="C:\\lo-2062960390.exe:*:Enabled:Windows Update"
"C:\\WINDOWS\\lo-2062960390.exe"="C:\\WINDOWS\\lo-2062960390.exe:*:Enabled:Windows Update"
"C:\\Program Files\\Common Files\\System\\MSASP32.exe"="C:\\Program Files\\Common Files\\System\\MSASP32.exe:*:Enabled:Microsoft ASP"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 5 Aug 2002 49,222 A..H. --- "C:\Program Files\AOL 7.0\aolphx.exe"
Mon 5 Aug 2002 32,842 A..H. --- "C:\Program Files\AOL 7.0\aoltray.exe"
Fri 10 May 2002 40,960 A..H. --- "C:\Program Files\AOL 7.0\RBM.exe"
Mon 5 Aug 2002 180,290 A..H. --- "C:\Program Files\AOL 7.0\waol.exe"
Wed 25 Feb 2004 54,384 A..H. --- "C:\Program Files\AOL 9.0\aolphx.exe"
Mon 10 May 2004 156,784 A..H. --- "C:\Program Files\AOL 9.0\aoltray.exe"
Wed 25 Feb 2004 31,344 A..H. --- "C:\Program Files\AOL 9.0\RBM.exe"
Mon 5 Aug 2002 49,224 A..H. --- "C:\Program Files\AOL 7.0\COMIT\cswitch.exe"
Wed 16 Jul 2008 62,168 ..SHR --- "C:\Program Files\Common Files\System\MSASP32.exe"
Fri 2 Nov 2007 404 A..H. --- "C:\Program Files\Common Files\AOL\IPHSend\IPH.BAK"
Wed 9 Jul 2008 62,168 A.SHR --- "C:\_OTMoveIt\MovedFiles\07132008_111157\Program Files\Common Files\System\MSASP32.exe"
Sun 3 Apr 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"

Finished!

Deckard's System Scanner v20071014.68
Run by Darren on 2008-07-21 22:10:56
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Darren.exe) ----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 22:11:02, on 21/07/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\System\MSASP32.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\AOL\1175040655\ee\aolsoftware.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Documents and Settings\Darren\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Darren.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wnxx.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1175040655\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcg ... cgdmgr.cab
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O23 - Service: Advance Service Process - Unknown owner - C:\Program Files\Common Files\System\MSASP32.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe


-- Files created between 2008-06-21 and 2008-07-21 -----------------------------

2008-07-21 21:55:29 0 d-------- C:\WINDOWS\ERUNT
2008-07-18 13:43:42 0 d-------- C:\Program Files\Panda Security
2008-07-15 14:41:39 71 --a------ C:\WINDOWS\System32\.pif
2008-07-15 12:57:31 0 d-------- C:\Program Files\Java
2008-07-15 12:57:27 0 d-------- C:\Program Files\Common Files\Java
2008-07-15 12:57:04 0 d-------- C:\Documents and Settings\Darren\Application Data\Sun
2008-07-13 11:08:25 62168 --a------ C:\WINDOWS\System32\nb.exe
2008-07-12 14:22:34 62168 --a------ C:\WINDOWS\System32\aq.exe
2008-07-11 13:20:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-07-06 16:30:17 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-06 16:30:01 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-06 16:30:01 0 d-------- C:\Documents and Settings\Darren\Application Data\SUPERAntiSpyware.com
2008-07-06 16:29:11 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard


-- Find3M Report ---------------------------------------------------------------

2008-07-21 12:35:08 0 d-------- C:\Program Files\Paint Shop Pro 5
2008-07-16 12:16:06 0 d-------- C:\Documents and Settings\Darren\Application Data\Adobe
2008-07-15 12:57:27 0 d-------- C:\Program Files\Common Files
2008-07-13 15:02:25 0 d-------- C:\Program Files\FinePixViewer
2008-07-11 08:32:35 0 d-------- C:\Documents and Settings\Darren\Application Data\AVG7


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [20/01/2003 01:29]
"SoundMan"="SOUNDMAN.EXE" [20/01/2003 10:48 C:\WINDOWS\SOUNDMAN.EXE]
"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [09/07/2001 11:50]
"VOBRegCheck"="C:\WINDOWS\System32\VOBREGCheck.exe" [09/01/2003 00:55]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [19/02/2003 01:33]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [07/12/2007 16:30]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/09/2006 16:57]
"DSLSTATEXE"="C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe" [28/06/2003 17:10]
"DSLAGENTEXE"="C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe" [19/08/2003 14:47]
"%FP%Friendly fts.exe"="C:\Program Files\VoyagerTest\fts.exe" [06/05/2003 10:28]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [18/04/2008 19:15]
"HostManager"="C:\Program Files\Common Files\AOL\1175040655\ee\AOLSoftware.exe" [17/11/2006 14:21]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [04/02/2002 23:32]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 22:16]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10/06/2008 04:27]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [29/08/2002 13:00]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [17/07/2002 20:00]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [28/05/2008 10:33]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ixproxy"=C:\WINDOWS\lo-2062960390.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AOL 9.0 Tray Icon.lnk - C:\Program Files\AOL 9.0\aoltray.exe [01/06/2004 18:14:06]
ExifLauncher2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [29/03/2008 11:20:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IEXPLORE.EXE]
C:\Program Files\Internet Explorer\IEXPLORE.EXE




-- End of Deckard's System Scanner: finished at 2008-07-21 22:11:18 ------------
Fireman Sam
Regular Member
 
Posts: 22
Joined: July 6th, 2008, 6:43 pm

Re: Problems with Spybot

Post by muuli » July 23rd, 2008, 8:56 am

Hi,

Step 1

Please open Notepad and copy all of the items in the code box below.
Change the "Save As Type" to "All Files" and save it as delete.bat on your Desktop.

Code: Select all
@ECHO OFF
REM Stop and remove the rogue service (the HijackThis O23 line with "Unknown owner")
SC STOP "Advance Service Process"
SC DELETE "Advance Service Process"
REG DELETE "HKEY_CURRENT_USER\software\microsoft\internet explorer\main\hpded" /F
REG DELETE "HKEY_CURRENT_USER\software\microsoft\internet explorer\main\spded" /F
REG DELETE HKEY_CLASSES_ROOT\Interface\{E1E7E702-E22C-40A1-A936-3F8EF75C71F5} /F
REG DELETE HKEY_CLASSES_ROOT\TypeLib\{9A9C9133-E640-4CA7-81C1-123FAC78855F} /F
REM Logon-screen autostart of the dropper (HKU\.default Run value from the DSS registry dump)
REG DELETE HKEY_USERS\.default\software\microsoft\windows\currentversion\run /V ixproxy /F
REM Firewall exceptions from the SDFix "Authorized Application Key Export". The export shows
REM these value names with doubled backslashes (.reg escaping); REG DELETE needs the literal
REM names, so they are written with single backslashes here.
REG DELETE HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list /V "C:\Program Files\Common Files\System\MSASP32.exe" /F
REG DELETE HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list /V "C:\lo-2062960390.exe" /F
REG DELETE HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list /V "C:\WINDOWS\lo-2062960390.exe" /F
EXIT



Double click on delete.bat.
A window will open and close; this is normal.

Step 2

Remove files with OtMoveIt2.

Double click on OTMoveIt2.exe to run it.

Copy and paste the following in the Code box into OTMoveIt (1).

Note: Do not type it out, to minimise the risk of a typo.

Code: Select all
C:\WINDOWS\System32\.pif
C:\WINDOWS\System32\nb.exe
C:\WINDOWS\System32\aq.exe
C:\WINDOWS\lo-2062960390.exe
C:\Program Files\Common Files\System\MSASP32.exe


Click on MoveIt! (2).

When done, click on Exit (3).

Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Please choose Yes.


The log will be produced at C:\_OTMoveIt\MovedFiles\date_time.log, where date_time are numbers. Please post this log in your next reply.

Step 3

Press Start->Run, copy/paste the following command into the box and press OK:
Code: Select all
cmd /c dir C:\*.* /L /A /B /S|Find "~0000002.~"  >> "%userprofile%\desktop\look.txt"

A file called look.txt should appear on your Desktop. Please post the contents of this file.

Step 4

Scan again with DSS...
    Note: You must be logged onto an account with administrator privileges.
  1. Save all your work and close all opened programs.
  2. Double click on dss.exe to run it. Follow the prompts.
  3. When the scan is complete, a log file will be produced(main.txt).
  4. Please post that log in your next reply.

Step 5

Please post the DSS log (main.txt), the OTMoveIt2 log and the contents of the look.txt file.
muuli
Regular Member
 
Posts: 690
Joined: February 8th, 2007, 4:01 pm
Location: Finland
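The Step 1 batch file above removes persistence by registry value name, and the value names it targets come from the SDFix "Authorized Application Key Export", which is in .reg format (backslashes doubled). REG DELETE /V takes the literal name, so an export string pasted unchanged does not match. The script below is an added example written for this page, not code from the original post, from SDFix, OTMoveIt, DSS or any other tool mentioned in the thread. It parses the HijackThis O23 service lines, the exported firewall list and the HKU\.default Run value as they are quoted in the logs above, flags entries with a few explicitly heuristic rules (service with "Unknown owner", executable dropped in C:\ or C:\WINDOWS\, dropper-style file name, a firewall exception labelled Windows Update whose binary is not wuauclt.exe), and emits the cleanup commands with un-escaped value names. The sample input is constructed from lines in this thread plus one benign AVG firewall entry that is not in the logs and serves as a control; the heuristics and the regular expressions are the editor's assumptions, not the helper's.

```python
"""Triage of the registry and HijackThis lines quoted in this thread, and
generation of the matching cleanup commands.  Added example for this page,
not code from the original post or from any of the tools it mentions."""
import re

# Constructed sample: lines copied from the SDFix "Authorized Application Key
# Export", the HijackThis O23 section and the DSS registry dump above, plus
# one benign control line (the AVG firewall entry) that is NOT in the logs.
SAMPLE = r'''
O23 - Service: Advance Service Process - Unknown owner - C:\Program Files\Common Files\System\MSASP32.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\lo-2062960390.exe"="C:\\lo-2062960390.exe:*:Enabled:Windows Update"
"C:\\WINDOWS\\lo-2062960390.exe"="C:\\WINDOWS\\lo-2062960390.exe:*:Enabled:Windows Update"
"C:\\Program Files\\Common Files\\System\\MSASP32.exe"="C:\\Program Files\\Common Files\\System\\MSASP32.exe:*:Enabled:Microsoft ASP"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:AVG E-mail Scanner"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ixproxy"=C:\WINDOWS\lo-2062960390.exe
'''

FIREWALL_KEY = (r"HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess"
                r"\parameters\firewallpolicy\standardprofile\authorizedapplications\list")
DEFAULT_RUN_KEY = r"HKEY_USERS\.default\software\microsoft\windows\currentversion\run"

O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^)]+)\))?"
                    r" - (?P<owner>.+?) - (?P<path>.+)$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')
# Heuristic only (editor's assumption): dropper-style names seen in this
# thread, e.g. lo-2062960390.exe, nb.exe, aq.exe.
GENERATED_NAME_RE = re.compile(r"^(?:[a-z]{1,3}-?\d{6,}|[a-z]{2})\.exe$", re.I)


def reg_unescape(s):
    # Undo .reg export escaping: a doubled backslash is one literal backslash
    # and backslash-quote is a literal quote.  REG DELETE /V wants the literal
    # value name, so the exported form must not be pasted in unchanged.
    return re.sub(r"\\(.)", r"\1", s)


def path_reasons(path):
    """Why a bare executable path looks suspicious (heuristics, not a verdict)."""
    folder, _, base = path.lower().rpartition("\\")
    reasons = []
    if folder + "\\" in ("c:\\", "c:\\windows\\"):
        reasons.append("executable dropped in drive or Windows root")
    if GENERATED_NAME_RE.match(base):
        reasons.append("generated-looking file name")
    return reasons


def triage(text):
    """Parse the quoted lines; return (findings, commands).  findings are
    (item, reasons) pairs, commands the cmd.exe lines that would remove them."""
    key, services, fw, run = None, [], [], []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        svc = O23_RE.match(line)
        if svc:
            # Without "(name)" HijackThis shows a service whose key name equals its display name.
            services.append((svc["name"] or svc["display"], svc["owner"], svc["path"]))
            continue
        val = VALUE_RE.match(line)
        if not (val and key):
            continue
        data = val["data"]
        if data.startswith('"'):            # .reg export style (quoted, escaped)
            data = reg_unescape(data[1:-1])  # DSS dump lines are unquoted and kept as-is
        entry = (reg_unescape(val["name"]), data)
        if key == FIREWALL_KEY.lower():
            fw.append(entry)
        elif key == DEFAULT_RUN_KEY.lower():
            run.append(entry)

    findings, commands, bad = [], [], set()
    for name, owner, path in services:
        if owner == "Unknown owner":       # HijackThis: no company name in the image's version info
            findings.append((f"service {name}", ["no vendor recorded in the image's version info"]))
            commands += [f'sc stop "{name}"', f'sc delete "{name}"']
            bad.add(path.lower())
    for name, path in run:                  # HKU\.default Run executes at the logon screen
        reasons = path_reasons(path)
        if reasons:
            findings.append((f"run value {name} -> {path}", reasons))
            commands.append(f'reg delete "{DEFAULT_RUN_KEY}" /v "{name}" /f')
            bad.add(path.lower())
    for name, data in fw:
        path, _scope, _state, label = data.rsplit(":", 3)   # path:*:Enabled:Label
        reasons = path_reasons(path)
        if path.lower() in bad:
            reasons.append("same binary already flagged above")
        if "windows update" in label.lower() and not path.lower().endswith("\\wuauclt.exe"):
            reasons.append("claims to be Windows Update but is not wuauclt.exe")
        if reasons:
            findings.append((f"firewall exception {path}", reasons))
            commands.append(f'reg delete "{FIREWALL_KEY}" /v "{name}" /f')
    return findings, commands


if __name__ == "__main__":
    found, cmds = triage(SAMPLE)
    for item, why in found:
        print(f"{item}\n    " + "; ".join(why))
    print("\n@ECHO OFF\n" + "\n".join(cmds))
```

Running it prints five findings (the service, the Run value and three firewall exceptions; the AVG control line is left alone) and six command lines whose /v arguments carry single backslashes. Treat the name-based rules as a prefilter to be reviewed by hand: the SDFix list above shows droppers using stems like MFC*, NET* and SYS* that look like system components, and a two-letter name such as nb.exe could in principle belong to a real program.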

Re: Problems with Spybot

Post by Fireman Sam » July 23rd, 2008, 2:03 pm

I am now getting problems with a program called Isas.exe asking to insert a disk into drive
\Device\Harddisk1\DR4, \Device\Harddisk2\DR5, \Device\Harddisk3\DR6, \Device\Harddisk4\DR7.
Also AVG keeps finding a trojan horse in wmsoft(various numbers here).exe.

C:\WINDOWS\System32\.pif moved successfully.
C:\WINDOWS\System32\nb.exe moved successfully.
C:\WINDOWS\System32\aq.exe moved successfully.
File/Folder C:\WINDOWS\lo-2062960390.exe not found.
C:\Program Files\Common Files\System\MSASP32.exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07232008_184846

Look.txt is totally empty

Deckard's System Scanner v20071014.68
Run by Darren on 2008-07-23 18:54:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Darren.exe) ----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 18:54:51, on 23/07/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\System\MSASP32.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\AOL\1175040655\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ftp.exe
C:\WINDOWS\system\lsas.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Darren\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Darren.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wnxx.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1175040655\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Logistics] C:\WINDOWS\system\lsas.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcg ... cgdmgr.cab
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe


-- Files created between 2008-06-23 and 2008-07-23 -----------------------------

2008-07-23 18:50:19 189990 --a------ C:\WINDOWS\System32\wmsoft51536.exe
2008-07-23 18:49:31 203623 --a------ C:\WINDOWS\System32\wmsoft63440.exe
2008-07-23 18:47:53 227687 --a------ C:\WINDOWS\System32\wmsoft08344.exe
2008-07-23 18:43:51 203623 --a------ C:\WINDOWS\System32\wmsoft57665.exe
2008-07-23 18:43:32 61952 -r-hs---- C:\WINDOWS\system\lsas.exe
2008-07-23 18:43:24 0 --a------ C:\WINDOWS\System32\wmsoft00512.exe
2008-07-23 18:43:24 79 --a------ C:\WINDOWS\System32\i
2008-07-21 21:55:29 0 d-------- C:\WINDOWS\ERUNT
2008-07-18 13:43:42 0 d-------- C:\Program Files\Panda Security
2008-07-15 12:57:31 0 d-------- C:\Program Files\Java
2008-07-15 12:57:27 0 d-------- C:\Program Files\Common Files\Java
2008-07-15 12:57:04 0 d-------- C:\Documents and Settings\Darren\Application Data\Sun
2008-07-11 13:20:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-07-06 16:30:17 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-06 16:30:01 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-06 16:30:01 0 d-------- C:\Documents and Settings\Darren\Application Data\SUPERAntiSpyware.com
2008-07-06 16:29:11 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard


-- Find3M Report ---------------------------------------------------------------

2008-07-21 12:35:08 0 d-------- C:\Program Files\Paint Shop Pro 5
2008-07-16 12:16:06 0 d-------- C:\Documents and Settings\Darren\Application Data\Adobe
2008-07-15 12:57:27 0 d-------- C:\Program Files\Common Files
2008-07-13 15:02:25 0 d-------- C:\Program Files\FinePixViewer
2008-07-11 08:32:35 0 d-------- C:\Documents and Settings\Darren\Application Data\AVG7


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [20/01/2003 01:29]
"SoundMan"="SOUNDMAN.EXE" [20/01/2003 10:48 C:\WINDOWS\SOUNDMAN.EXE]
"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [09/07/2001 11:50]
"VOBRegCheck"="C:\WINDOWS\System32\VOBREGCheck.exe" [09/01/2003 00:55]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [19/02/2003 01:33]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [07/12/2007 16:30]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/09/2006 16:57]
"DSLSTATEXE"="C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe" [28/06/2003 17:10]
"DSLAGENTEXE"="C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe" [19/08/2003 14:47]
"%FP%Friendly fts.exe"="C:\Program Files\VoyagerTest\fts.exe" [06/05/2003 10:28]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [18/04/2008 19:15]
"HostManager"="C:\Program Files\Common Files\AOL\1175040655\ee\AOLSoftware.exe" [17/11/2006 14:21]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [04/02/2002 23:32]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 22:16]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10/06/2008 04:27]
"Windows Logistics"="C:\WINDOWS\system\lsas.exe" [23/07/2008 18:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [29/08/2002 13:00]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [17/07/2002 20:00]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [28/05/2008 10:33]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AOL 9.0 Tray Icon.lnk - C:\Program Files\AOL 9.0\aoltray.exe [01/06/2004 18:14:06]
ExifLauncher2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [29/03/2008 11:20:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IEXPLORE.EXE]
C:\Program Files\Internet Explorer\IEXPLORE.EXE




-- End of Deckard's System Scanner: finished at 2008-07-23 18:55:22 ------------
Fireman Sam
Regular Member
 
Posts: 22
Joined: July 6th, 2008, 6:43 pm
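The "Files created" listing in the Deckard's System Scanner log above shows the pattern a triager looks for: several wmsoft*.exe files with random digit suffixes dropped within minutes of each other, a hidden+system lsas.exe placed in C:\WINDOWS\system (one letter short of lsass.exe and one directory away from System32), a zero-byte executable and an extensionless 79-byte file named i. The script below is an added example, not part of the forum post and not code from DSS; it parses that listing format and applies those heuristics. The core-binary table, the 0.85 similarity threshold and the "three or more generated names" rule are the triager's assumptions, and the sample lines are copied from the post.

```python
"""Triage a Deckard's System Scanner "Files created" listing.

Added example, not part of the forum post and not code from DSS itself.
The sample lines are copied from the listing in the post; the heuristics
(hidden+system executables, core-binary lookalikes, generated-looking
names, zero-byte and extensionless drops) are a triager's assumptions.
"""
import difflib
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: lines from the "Files created" block in the post.
SAMPLE_LISTING = r"""
2008-07-23 18:50:19 189990 --a------ C:\WINDOWS\System32\wmsoft51536.exe
2008-07-23 18:49:31 203623 --a------ C:\WINDOWS\System32\wmsoft63440.exe
2008-07-23 18:47:53 227687 --a------ C:\WINDOWS\System32\wmsoft08344.exe
2008-07-23 18:43:51 203623 --a------ C:\WINDOWS\System32\wmsoft57665.exe
2008-07-23 18:43:32 61952 -r-hs---- C:\WINDOWS\system\lsas.exe
2008-07-23 18:43:24 0 --a------ C:\WINDOWS\System32\wmsoft00512.exe
2008-07-23 18:43:24 79 --a------ C:\WINDOWS\System32\i
2008-07-21 21:55:29 0 d-------- C:\WINDOWS\ERUNT
2008-07-15 12:57:31 0 d-------- C:\Program Files\Java
"""

# date time size attributes path; attributes are d r a h s followed by filler.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>[d-][r-][a-][h-][s-]\S*) (?P<path>.+)$"
)

# Core Windows binaries malware likes to imitate and the directory each
# belongs in (assumption: a triager's shortlist, not an exhaustive table).
CORE_BINARIES = {
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
GENERATED_NAME = re.compile(r"^(?P<prefix>[a-z]+)\d{4,}\.exe$")


@dataclass
class Entry:
    date: str
    time: str
    size: int
    attrs: str
    path: str


def parse_listing(text):
    """Parse the listing; lines that do not fit the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["date"], m["time"], int(m["size"]), m["attrs"], m["path"]))
    return entries


def lookalike(name):
    """Return the core binary a file name closely resembles (but is not), else None."""
    for real in CORE_BINARIES:
        if name != real and difflib.SequenceMatcher(None, name, real).ratio() >= 0.85:
            return real
    return None


def triage(entries):
    """Map each suspicious path to the list of reasons it was flagged."""
    flags = defaultdict(list)
    families = defaultdict(list)  # (directory, name prefix) -> paths with generated names
    for e in entries:
        if e.attrs.startswith("d"):
            continue  # directories are not triaged here
        directory, name = ntpath.split(e.path.lower())
        ext = ntpath.splitext(name)[1]
        if ext == ".exe":
            if "h" in e.attrs and "s" in e.attrs:
                flags[e.path].append("hidden+system attributes on an executable")
            if e.size == 0:
                flags[e.path].append("zero-byte executable")
            real = lookalike(name)
            if real:
                flags[e.path].append(f"name imitates {real}")
            if name in CORE_BINARIES and directory != CORE_BINARIES[name]:
                flags[e.path].append(f"{name} outside {CORE_BINARIES[name]}")
            gm = GENERATED_NAME.match(name)
            if gm:
                families[(directory, gm["prefix"])].append(e.path)
        elif ext == "" and directory.endswith("system32"):
            flags[e.path].append("extensionless file dropped in System32")
    for (directory, prefix), paths in families.items():
        if len(paths) >= 3:
            for p in paths:
                flags[p].append(f"one of {len(paths)} {prefix}NNNNN.exe files in {directory}")
    return dict(flags)


if __name__ == "__main__":
    for path, reasons in triage(parse_listing(SAMPLE_LISTING)).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Run against the sample, the two directories (ERUNT, Java) pass untouched and every one of the seven files the helper later told the poster to remove is flagged, each with the reason that made it stand out. The lookalike check is deliberately fuzzy so that it also catches variants such as an extra letter rather than a missing one, which is the generalisation beyond the single lsas.exe seen here.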

Re: Problems with Spybot

Post by muuli » July 23rd, 2008, 4:22 pm

Hi,

Step 1

Backup Your Registry with ERUNT
  • Please use the following link to download ERUNT
  • Use the setup program to install ERUNT on your computer
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

Step 2

Remove files and folder with OtMoveIt2.

Double click on OTMoveIt2.exe to run it.

Copy and paste the following in the Code box into OTMoveIt (1).

Note: Do not type it out to minimize the risk of typo error.

Code:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Windows Logistics
C:\WINDOWS\System32\wmsoft*.exe
C:\WINDOWS\system\lsas.exe
C:\WINDOWS\System32\i


Click on MoveIt! (2).

When done, click on Exit (3).

Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Please choose Yes.

Please refer to this picture for using OTMoveIt.

Image

The log will be produced at C:\_OTMoveIt\MovedFiles\date_time.log, where date_time are numbers. Please post this log in your next reply.

Step 3

  1. Please download Malwarebytes' Anti-Malware and save it to a convenient location.
  2. Double click on mbam-setup.exe to install it.
  3. Before clicking the Finish button, make sure that these 2 boxes are checked (ticked):
      Update Malwarebytes' Anti-Malware
      Launch Malwarebytes' Anti-Malware
  4. Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
  5. Select the Scanner tab. Click on Perform full scan, then click on Scan.
  6. Leave the default options as they are and click on Start Scan.
  7. When done, you will be prompted. Click OK, then click on Show Results.
  8. Check (tick) all items and click on Remove Selected.
  9. After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.

Step 4

Please post a fresh HijackThis log, OtMoveIt2 log and Malwarebytes' Anti-Malware log.
muuli
Regular Member
 
Posts: 690
Joined: February 8th, 2007, 4:01 pm
Location: Finland

Re: Problems with Spybot

Post by Fireman Sam » July 25th, 2008, 3:26 pm

Hello again

MOVE IT LOG
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Windows Logistics >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Windows Logistics deleted successfully.
< C:\WINDOWS\System32\wmsoft*.exe >
C:\WINDOWS\System32\wmsoft00512.exe moved successfully.
C:\WINDOWS\System32\wmsoft03780.exe moved successfully.
C:\WINDOWS\System32\wmsoft08344.exe moved successfully.
C:\WINDOWS\System32\wmsoft14008.exe moved successfully.
C:\WINDOWS\System32\wmsoft18482.exe moved successfully.
C:\WINDOWS\System32\wmsoft32326.exe moved successfully.
C:\WINDOWS\System32\wmsoft51536.exe moved successfully.
C:\WINDOWS\System32\wmsoft53055.exe moved successfully.
C:\WINDOWS\System32\wmsoft57665.exe moved successfully.
C:\WINDOWS\System32\wmsoft63440.exe moved successfully.
C:\WINDOWS\System32\wmsoft85300.exe moved successfully.
C:\WINDOWS\system\lsas.exe moved successfully.
C:\WINDOWS\System32\i moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07252008_185016


MALWAREBYTES LOG

Malwarebytes' Anti-Malware 1.23
Database version: 992
Windows 5.1.2600 Service Pack 1

20:21:32 25/07/2008
mbam-log-7-25-2008 (20-21-32).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 147758
Time elapsed: 58 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\kvubtm.wprnvn (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\kvubtm.wprnvn.468 (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


HIJACK THIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 20:23:47, on 25/07/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\AOL\1175040655\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system\lsas.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\system32\ftp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wnxx.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
F2 - REG:system.ini: Shell=explorer.exe "C:\WINDOWS\Fonts\wmsncs.exe"
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1175040655\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Wmsncs Service] C:\WINDOWS\Fonts\wmsncs.exe
O4 - HKLM\..\Run: [NvidMediaCenter] C:\Program Files\Common Files\System\wmsncs.exe
O4 - HKLM\..\Run: [Spool Driver Service] C:\WINDOWS\System32\spool\drivers\wmsncs.exe
O4 - HKLM\..\Run: [Wins Service] C:\WINDOWS\System32\wins\wmsncs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O4 - Global Startup: wmsncs.exe
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcg ... cgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D96F1292-7D49-4C90-A019-1EF17C9EB389}: NameServer = 92.31.241.20 92.31.241.21
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
Fireman Sam
Regular Member
 
Posts: 22
Joined: July 6th, 2008, 6:43 pm
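The HijackThis log above is the clearest picture of the infection's persistence: the F2 line shows the Winlogon Shell value extended from explorer.exe to also launch C:\WINDOWS\Fonts\wmsncs.exe, four HKLM Run values launch the same wmsncs.exe from four different directories under names that sound like services, and a bare wmsncs.exe sits in the Global Startup folder where normally only shortcuts live. The script below is an added example, not part of the forum post and not HijackThis code; it parses F2 and O4 lines and flags exactly those signals. The list of unusual directories, the "named like a service" rule and the assumption that explorer.exe alone is the only legitimate Shell value on XP are the triager's, and the sample lines are copied from the log.

```python
"""Triage HijackThis autostart entries (F2 Shell and O4 Run/Startup lines).

Added example; not part of the forum post and not HijackThis code. The
sample lines are copied from the log in the post. The directory list and
the legitimate Shell value are a triager's assumptions.
"""
import ntpath
import re
from collections import defaultdict

# Constructed sample: a subset of the O4/F2 lines from the HijackThis log.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe "C:\WINDOWS\Fonts\wmsncs.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Wmsncs Service] C:\WINDOWS\Fonts\wmsncs.exe
O4 - HKLM\..\Run: [NvidMediaCenter] C:\Program Files\Common Files\System\wmsncs.exe
O4 - HKLM\..\Run: [Spool Driver Service] C:\WINDOWS\System32\spool\drivers\wmsncs.exe
O4 - HKLM\..\Run: [Wins Service] C:\WINDOWS\System32\wins\wmsncs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: wmsncs.exe
"""

# Directories normal software does not use for autostart executables
# (assumption: a triager's list built from the locations seen in this thread).
ODD_DIRS = (r"\windows\fonts", r"\spool\drivers", r"\system32\wins",
            r"\common files\system", r"\windows\system")

SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<item>.+)$")
# First drive-letter path ending in .exe, quoted or not, arguments ignored.
EXE_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]*?\.exe)"?', re.IGNORECASE)


def first_exe(command):
    """Extract the executable path from a Run command line, or None."""
    m = EXE_RE.search(command)
    return m["path"] if m else None


def parse_autostarts(text):
    """Return (line, kind, name, value) tuples for the entry types handled here."""
    items = []
    for line in text.splitlines():
        line = line.strip()
        if m := SHELL_RE.match(line):
            items.append((line, "shell", "Shell", m["value"]))
        elif m := RUN_RE.match(line):
            items.append((line, "run", m["name"], m["cmd"]))
        elif m := STARTUP_RE.match(line):
            items.append((line, "startup", m["item"], m["item"]))
    return items


def triage(text):
    """Map each suspicious log line to the reasons it was flagged."""
    items = parse_autostarts(text)
    flags = defaultdict(list)
    by_basename = defaultdict(set)  # exe basename -> directories it is launched from
    for line, kind, name, value in items:
        if kind == "shell" and value.strip().lower() != "explorer.exe":
            flags[line].append("Winlogon Shell launches something besides explorer.exe")
        if kind == "startup" and " = " not in value and value.lower().endswith(".exe"):
            flags[line].append("bare executable in the Startup folder instead of a shortcut")
        path = first_exe(value)
        if not path:
            continue
        directory, base = ntpath.split(path.lower())
        by_basename[base].add(directory)
        if any(frag + "\\" in directory + "\\" for frag in ODD_DIRS):
            flags[line].append(f"autostart from unusual directory {directory}")
        if kind == "run" and "service" in name.lower():
            flags[line].append("Run-key value named like a service")
    # Second pass: the same binary name registered from several directories.
    for line, kind, name, value in items:
        path = first_exe(value)
        if path:
            base = ntpath.basename(path.lower())
            if len(by_basename[base]) > 1:
                flags[line].append(f"{base} registered from {len(by_basename[base])} directories")
    return dict(flags)


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("   -", r)
```

On the sample, the ATI, QuickTime, AVG, ctfmon and AOL entries pass and all six wmsncs lines are flagged, which matches the list the helper asked the poster to fix in the next reply. The directory test compares path segments rather than substrings, so C:\WINDOWS\System32 is not mistaken for the odd C:\WINDOWS\system directory.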

Re: Problems with Spybot

Post by muuli » July 27th, 2008, 8:30 am

Hi,

Step 1

Open HijackThis, press Do a system scan only, checkmark the following entries:
F2 - REG:system.ini: Shell=explorer.exe "C:\WINDOWS\Fonts\wmsncs.exe"
O4 - HKLM\..\Run: [Wmsncs Service] C:\WINDOWS\Fonts\wmsncs.exe
O4 - HKLM\..\Run: [NvidMediaCenter] C:\Program Files\Common Files\System\wmsncs.exe
O4 - HKLM\..\Run: [Spool Driver Service] C:\WINDOWS\System32\spool\drivers\wmsncs.exe
O4 - HKLM\..\Run: [Wins Service] C:\WINDOWS\System32\wins\wmsncs.exe
O4 - Global Startup: wmsncs.exe

Close all other windows including browser and press Fix checked.

Step 2

Remove files with OtMoveIt2.

Double click on OTMoveIt2.exe to run it.

Copy and paste the following in the Code box into OTMoveIt (1).

Note: Do not type it out to minimize the risk of typo error.

Code:
C:\WINDOWS\Fonts\wmsncs.exe
C:\Program Files\Common Files\System\wmsncs.exe
C:\WINDOWS\System32\spool\drivers\wmsncs.exe
C:\WINDOWS\System32\wins\wmsncs.exe


Click on MoveIt! (2).

When done, click on Exit (3).

Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Please choose Yes.

Please refer to this picture for using OTMoveIt.

Image

The log will be produced at C:\_OTMoveIt\MovedFiles\date_time.log, where date_time are numbers. Please post this log in your next reply.

Step 3

Download OTScanIt to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Open the OTScanIt folder and double-click on OTScanIt to start the program.
    • In the Files Created Within group click 30 days
    • In the Files Modified Within group select 30 days
    • In the File String Search group select Non-Microsoft
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please post the resulting log here.

Step 4

Please post a fresh HijackThis log, OtMoveIt2 log and OtScanIt log.
muuli
Regular Member
 
Posts: 690
Joined: February 8th, 2007, 4:01 pm
Location: Finland

Re: Problems with Spybot

Post by Fireman Sam » July 27th, 2008, 11:04 am

Hello again
I can't get past step 1; I get the following error message (all other windows are closed):

Unable to delete the file O4 - Global Startup: wmsncs.exe The file may be in use. Use Task Manager to shutdown the program and run Hijackthis again to delete file.

I have used the task manager but I can't find this program running.
Fireman Sam
Regular Member
 
Posts: 22
Joined: July 6th, 2008, 6:43 pm

Re: Problems with Spybot

Post by muuli » July 27th, 2008, 10:27 pm

Hi,

Okay...

Then don't remove that entry yet. Try to remove it with HijackThis after OtMoveIt2.
muuli
Regular Member
 
Posts: 690
Joined: February 8th, 2007, 4:01 pm
Location: Finland

Re: Problems with Spybot

Post by Fireman Sam » July 28th, 2008, 2:40 pm

Hello
I'm still getting the same error report from HijackThis; here is the OtMoveIt2 log:

C:\WINDOWS\Fonts\wmsncs.exe moved successfully.
C:\Program Files\Common Files\System\wmsncs.exe moved successfully.
C:\WINDOWS\System32\spool\drivers\wmsncs.exe moved successfully.
C:\WINDOWS\System32\wins\wmsncs.exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07282008_193414
Fireman Sam
Regular Member
 
Posts: 22
Joined: July 6th, 2008, 6:43 pm

Re: Problems with Spybot

Post by muuli » July 29th, 2008, 7:16 am

Hi,

Okay...

Press Start->Run, copy/paste the following command into the box and press OK:
Code:
cmd /c dir C:\*.* /L /A /B /S|Find "wmsncs.exe"  >> "%userprofile%\desktop\look.txt"

A file called look.txt should appear on your Desktop. Please post the contents of this file.

After that, please run OtScanIt and post the log here, along with the contents of the look.txt file.
muuli
Regular Member
 
Posts: 690
Joined: February 8th, 2007, 4:01 pm
Location: Finland

Re: Problems with Spybot

Post by Fireman Sam » July 29th, 2008, 11:42 am

Hi

Look.txt log

c:\documents and settings\all users\start menu\programs\startup\wmsncs.exe
c:\program files\hijackthis\backups\backup-20080727-154019-466-wmsncs.exe
c:\program files\hijackthis\backups\backup-20080727-154154-300-wmsncs.exe
c:\program files\hijackthis\backups\backup-20080727-154440-514-wmsncs.exe
c:\program files\hijackthis\backups\backup-20080727-154544-581-wmsncs.exe
c:\program files\hijackthis\backups\backup-20080727-154640-478-wmsncs.exe
c:\program files\hijackthis\backups\backup-20080727-154757-402-wmsncs.exe
c:\program files\hijackthis\backups\backup-20080727-155038-303-wmsncs.exe
c:\program files\hijackthis\backups\backup-20080727-155323-814-wmsncs.exe
c:\program files\hijackthis\backups\backup-20080727-155528-291-wmsncs.exe
c:\program files\hijackthis\backups\backup-20080728-193459-983-wmsncs.exe
c:\program files\hijackthis\backups\backup-20080728-193740-551-wmsncs.exe
c:\documents and settings\all users\start menu\programs\startup\wmsncs.exe
c:\program files\hijackthis\backups\backup-20080727-154019-466-wmsncs.exe
c:\program files\hijackthis\backups\backup-20080727-154154-300-wmsncs.exe
c:\program files\hijackthis\backups\backup-20080727-154440-514-wmsncs.exe
c:\program files\hijackthis\backups\backup-20080727-154544-581-wmsncs.exe
c:\program files\hijackthis\backups\backup-20080727-154640-478-wmsncs.exe
c:\program files\hijackthis\backups\backup-20080727-154757-402-wmsncs.exe
c:\program files\hijackthis\backups\backup-20080727-155038-303-wmsncs.exe
c:\program files\hijackthis\backups\backup-20080727-155323-814-wmsncs.exe
c:\program files\hijackthis\backups\backup-20080727-155528-291-wmsncs.exe
c:\program files\hijackthis\backups\backup-20080728-193459-983-wmsncs.exe
c:\program files\hijackthis\backups\backup-20080728-193740-551-wmsncs.exe
c:\_otmoveit\movedfiles\07282008_193414\program files\common files\system\wmsncs.exe
c:\_otmoveit\movedfiles\07282008_193414\windows\fonts\wmsncs.exe
c:\_otmoveit\movedfiles\07282008_193414\windows\system32\spool\drivers\wmsncs.exe
c:\_otmoveit\movedfiles\07282008_193414\windows\system32\wins\wmsncs.exe


I cannot get OTScanIt to work; I get as far as here:

Open the OTScanIt folder and double-click on OTScanIt to start the program.

I then get the message
Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access.

AVG then declares it a threat, stating it is a Trojan Horse Generic 11.0W.
Fireman Sam
Regular Member
 
Posts: 22
Joined: July 6th, 2008, 6:43 pm
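The look.txt output above is worth reading carefully rather than at a glance: every line appears twice because the dir command appends (>>) to the file and was evidently run twice, and most of the hits are copies that had already been neutralised (HijackThis backups and the OTMoveIt MovedFiles quarantine). Only the copy in the All Users Startup folder was still live, which is the one the helper targets next. The script below is an added example, not part of the forum post or of the tools used; it deduplicates such a sweep, separates live copies from neutralised ones, and recovers the original path of an OTMoveIt-quarantined file. The quarantine path patterns are assumptions inferred from the paths in this thread, and the sample lines are copied from look.txt.

```python
"""Sort the hits of a file-name sweep (dir /S | Find) into live copies and
copies already neutralised by removal tools.

Added example, not from the forum post or the tools it uses. Sample lines are
copied from look.txt in the post; the quarantine-directory patterns are
assumptions inferred from the paths seen in this thread.
"""
import re

# Constructed sample: a subset of look.txt, including the duplicate lines
# produced because the sweep appends (>>) to the file and was run twice.
SAMPLE_LOOK_TXT = r"""
c:\documents and settings\all users\start menu\programs\startup\wmsncs.exe
c:\program files\hijackthis\backups\backup-20080727-154019-466-wmsncs.exe
c:\program files\hijackthis\backups\backup-20080728-193740-551-wmsncs.exe
c:\documents and settings\all users\start menu\programs\startup\wmsncs.exe
c:\program files\hijackthis\backups\backup-20080727-154019-466-wmsncs.exe
c:\program files\hijackthis\backups\backup-20080728-193740-551-wmsncs.exe
c:\_otmoveit\movedfiles\07282008_193414\program files\common files\system\wmsncs.exe
c:\_otmoveit\movedfiles\07282008_193414\windows\fonts\wmsncs.exe
"""

# Locations where a hit is a neutralised copy, not a running threat
# (assumption: inferred from the HijackThis and OTMoveIt paths in the post).
NEUTRALISED = {
    "hijackthis backup": re.compile(r"\\hijackthis\\backups\\backup-\d{8}-\d{6}-\d+-", re.I),
    "otmoveit quarantine": re.compile(r"^c:\\_otmoveit\\movedfiles\\\d{8}_\d{6}\\", re.I),
}


def classify(text):
    """Return {'live': [...], 'neutralised': {category: [...]}} with duplicates
    removed, preserving first-seen order."""
    seen = set()
    result = {"live": [], "neutralised": {k: [] for k in NEUTRALISED}}
    for raw in text.splitlines():
        path = raw.strip()
        if not path or path.lower() in seen:
            continue
        seen.add(path.lower())
        for category, pattern in NEUTRALISED.items():
            if pattern.search(path):
                result["neutralised"][category].append(path)
                break
        else:
            result["live"].append(path)
    return result


def original_location(quarantined_path):
    """Recover where an OTMoveIt-quarantined file lived before it was moved.
    OTMoveIt keeps the original directory tree under MovedFiles\\<timestamp>\\
    (assumption inferred from the paths in the post); returns None otherwise."""
    m = NEUTRALISED["otmoveit quarantine"].match(quarantined_path)
    if not m:
        return None
    return "c:\\" + quarantined_path[m.end():]


if __name__ == "__main__":
    report = classify(SAMPLE_LOOK_TXT)
    print("live copies:", report["live"])
    for category, paths in report["neutralised"].items():
        print(category, len(paths))
        for p in paths:
            print("   ", p, "<-", original_location(p) or "n/a")
```

The point of the split is prioritisation: the neutralised copies are evidence for the record, while the single live path is the only item that still needs acting on. The same classification works for any file name substituted into the sweep command, not just wmsncs.exe.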

Re: Problems with Spybot

Post by muuli » July 29th, 2008, 4:01 pm

Hi,

Step 1

Please download Silent Runners...
Right click here and select Save Link As... (In Internet Explorer it is Save Target As...). Save it to your desktop, but DON'T use it yet.

Step 2

Reboot your computer to Safe mode:
1. Restart your computer.
2. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
3. Select the option for Safe Mode using the arrow keys. Don't choose Safe Mode with Networking.
4. Then press enter on your keyboard to boot into Safe Mode.

Step 3

When in safe mode...
Open HijackThis, press Do a system scan only, checkmark the following entry:
O4 - Global Startup: wmsncs.exe
Close all other windows and press Fix checked.

Boot to normal mode.

Step 4

Run Silent Runners now...
  1. Double click on Silent Runners.vbs to run it.
  2. When prompted to Skip Supplementary Search?, click No.
  3. When prompted to Are you sure?, click Yes.
  4. Another dialog box will open. Just click OK.
  5. Once done, Notepad will open. Please post the contents of this Notepad file in your next reply.

Step 5

Please post a fresh HijackThis log and Silent Runners log.
muuli
Regular Member
 
Posts: 690
Joined: February 8th, 2007, 4:01 pm
Location: Finland

Re: Problems with Spybot

Post by Fireman Sam » July 29th, 2008, 5:29 pm

Hi
I have booted into safe mode as described, but I'm still getting the error message:

Unable to delete the file O4 - Global Startup: wmsncs.exe The file may be in use. Use Task Manager to shutdown the program and run Hijackthis again to delete file.
Fireman Sam
Regular Member
 
Posts: 22
Joined: July 6th, 2008, 6:43 pm

Re: Problems with Spybot

Post by muuli » July 31st, 2008, 6:23 am

Hi,

Step 1

Remove file with OtMoveIt2.

Double click on OTMoveIt2.exe to run it.

Copy and paste the following in the Code box into OTMoveIt (1).

Note: Do not type it out to minimize the risk of typo error.

Code:
c:\documents and settings\all users\start menu\programs\startup\wmsncs.exe


Click on MoveIt! (2).

When done, click on Exit (3).

Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Please choose Yes.

Please refer to this picture for using OTMoveIt.

Image

The log will be produced at C:\_OTMoveIt\MovedFiles\date_time.log, where date_time are numbers. Please post this log in your next reply.

Step 2

Run Silent Runners...
  1. Double click on Silent Runners.vbs to run it.
  2. When prompted to Skip Supplementary Search?, click No.
  3. When prompted to Are you sure?, click Yes.
  4. Another dialog box will open. Just click OK.
  5. Once done, Notepad will open. Please post the contents of this Notepad file in your next reply.

Step 3

Please post a fresh HijackThis log, Silent Runners log and OtMoveIt2 log.
muuli
Regular Member
 
Posts: 690
Joined: February 8th, 2007, 4:01 pm
Location: Finland

Re: Problems with Spybot

Post by Fireman Sam » July 31st, 2008, 2:38 pm

Hello again

c:\documents and settings\all users\start menu\programs\startup\wmsncs.exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07312008_182310


"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"MoneyAgent" = ""C:\Program Files\Microsoft Money\System\mnyexpr.exe"" [MS]
"updateMgr" = "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9" [file not found]
"SUPERAntiSpyware" = "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" ["SUPERAntiSpyware.com"]
"AdobeUpdater" = "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" ["Adobe Systems Incorporated"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"NeroCheck" = "C:\WINDOWS\System32\\NeroCheck.exe" ["Ahead Software Gmbh"]
"VOBRegCheck" = "C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg" [null data]
"RealTray" = "C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER" ["RealNetworks, Inc."]
"AOLDialer" = "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" ["AOL LLC"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"DSLSTATEXE" = "C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon" ["GlobespanVirata, Inc."]
"DSLAGENTEXE" = "C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe" [null data]
"%FP%Friendly fts.exe" = ""C:\Program Files\VoyagerTest\fts.exe"" ["Friendly Technologies"]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"HostManager" = "C:\Program Files\Common Files\AOL\1175040655\ee\AOLSoftware.exe" ["America Online, Inc."]
"REGSHAVE" = "C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN" ["FUJI PHOTO FILM CO., LTD."]
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{F5D92341-0A64-11D0-9956-0000E8096023}" = "CD Copy Shell Extension"
-> {HKLM...CLSID} = "CD Copy Shell Extension"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Shellext\CDWshext.dll" ["VoB Computersysteme GmbH"]
"{F5D92342-0A64-11D0-9956-0000E8096023}" = "CD Wizard Shell Extension"
-> {HKLM...CLSID} = "CD Wizard Shell Extension"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Shellext\CDWshext.dll" ["VoB Computersysteme GmbH"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{AB77609F-2178-4E6F-9C4B-44AC179D937A}" = "a² Context Menu Shell Extension"
-> {HKLM...CLSID} = "a² Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\A2FREE~1\A2CONT~1.DLL" [null data]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\
<<!>> ("" [file not found]) "SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,"

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
a2ContMenu\(Default) = "{AB77609F-2178-4E6F-9C4B-44AC179D937A}"
-> {HKLM...CLSID} = "a² Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\A2FREE~1\A2CONT~1.DLL" [null data]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]


Default executables:
--------------------

HKLM\SOFTWARE\Classes\.scr\(Default) = "scrfile"
<<!>> HKLM\SOFTWARE\Classes\scrfile\shell\open\command\(Default) = ""%1" %*" [file not found]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"NoDispAppearancePage" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Documents and Settings\Darren\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\ACD Wallpaper.bmp"


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

BlankCDHandler\
"Provider" = "@C:\Program Files\Ahead\Nero\APHandler.dll,-101"
"InvokeProgID" = "APHandler.Handler.1"
"InvokeVerb" = "BlankCD"
HKLM\SOFTWARE\Classes\APHandler.Handler.1\shell\BlankCD\command\(Default) = "C:\Program Files\Ahead\Nero\\nero.exe /BlankCD" ["Ahead Software AG Karlsbad Germany Phone: ++49-7248-911-800 Fax: ++49-7248-911-888 e-mail: info@nero.com"]

CDAudioHandler\
"Provider" = "@C:\Program Files\Ahead\Nero\APHandler.dll,-101"
"InvokeProgID" = "APHandler.Handler.1"
"InvokeVerb" = "CDAudio"
HKLM\SOFTWARE\Classes\APHandler.Handler.1\shell\CDAudio\command\(Default) = "C:\Program Files\Ahead\Nero\\nero.exe /CDAudio" ["Ahead Software AG Karlsbad Germany Phone: ++49-7248-911-800 Fax: ++49-7248-911-888 e-mail: info@nero.com"]

FPVShowPicturesOnArrival\
"Provider" = "FinePixViewer"
"InvokeProgID" = "FinePixViewer.ShowPictures"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\FinePixViewer.ShowPictures\shell\Play\Command\(Default) = ""C:\Program Files\FinePixViewer\FinePixViewer.exe" "/d %1"" ["FUJIFILM Corporation"]

MSPictureItViewOnArrival\
"Provider" = "Microsoft Picture It! Photo 7.0"
"InvokeProgID" = "Microsoft.Picture.It.7.AutoPlay"
"InvokeVerb" = "AutoPlay"
HKLM\SOFTWARE\Classes\Microsoft.Picture.It.7.AutoPlay\shell\AutoPlay\Command\(Default) = ""C:\Program Files\Microsoft Picture It! 7\pip.exe" /invoke={D0551EC1-5A78-11cf-9DBE-00AA00A70BB5}" [MS]

PCinemaDCameraArrival\
"Provider" = "PowerCinema"
"InvokeProgID" = "Picture"
"InvokeVerb" = "PlayWithPowerCinema"
HKLM\SOFTWARE\Classes\Picture\shell\PlayWithPowerCinema\Command\(Default) = ""C:\Program Files\Medion Home CinemaXL\PowerCinema\PCM2.exe" DSC" [empty string]

PCinemaPlayCDAudioOnArrival\
"Provider" = "PowerCinema"
"InvokeProgID" = "AudioCD"
"InvokeVerb" = "PlayWithPowerCinema"
HKLM\SOFTWARE\Classes\AudioCD\shell\PlayWithPowerCinema\Command\(Default) = ""C:\Program Files\Medion Home CinemaXL\PowerCinema\PCM2.exe" CD "%L"" [empty string]

PCinemaPlayDVDMovieOnArrival\
"Provider" = "PowerCinema"
"InvokeProgID" = "DVD"
"InvokeVerb" = "PlayWithPowerCinema"
HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerCinema\Command\(Default) = ""C:\Program Files\Medion Home CinemaXL\PowerCinema\PCM2.exe" MOVIE "%L"" [empty string]

PDirDVArrival\
"Provider" = "@C:\Program Files\Medion Home CinemaXL\PowerDirector\PDrt.dll,-901"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""C:\Program Files\Medion Home CinemaXL\PowerDirector\PowerDirector.exe" /DV"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

PDVDPlayDVDMovieOnArrival\
"Provider" = "PowerDVD"
"InvokeProgID" = "DVD"
"InvokeVerb" = "PlayWithPowerDVD"
HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD\Command\(Default) = ""C:\Program Files\Medion Home CinemaXL\PowerDVD\PowerDVD.exe" "%l"" ["CyberLink Corp."]


Startup items in "Darren" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\Darren\Start Menu\Programs\Startup
"ERUNT AutoBackup" -> shortcut to: "C:\Program Files\ERUNT\AUTOBACK.EXE %SystemRoot%\ERDNT\AutoBackup\#Date# /noconfirmdelete /noprogresswindow" [null data]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"AOL 9.0 Tray Icon" -> shortcut to: "C:\Program Files\AOL 9.0\aoltray.exe -check" ["America Online, Inc."]
"ExifLauncher2" -> shortcut to: "C:\Program Files\FinePixViewer\QuickDCF2.exe" ["FUJIFILM Corporation"]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

HKLM\SOFTWARE\Classes\CLSID\{D6A116E7-5906-42E4-87F6-E7E15936415E}\(Default) = "Money Viewer"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyside.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_07"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_07"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll" ["Sun Microsystems, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{E023F504-0C5A-4750-A1E7-A9046DEA8A21}\
"ButtonText" = "Money Viewer"
"CLSIDExtension" = "{DD6687B5-CB43-4211-BFC9-2942CCBDCB3E}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyside.dll" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.freeserve.com

Missing lines (compared with English-language version):
[Strings]: 1 line

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<<H>> "blank" = "http://awebfind.biz/" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Advance Service Process, Advance Service Process, ""C:\Program Files\Common Files\System\MSASP32.exe"" [null data]
AOL Connectivity Service, AOL ACS, ""C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe"" ["AOL LLC"]
AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVG7\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Canon BJ Language Monitor i250\Driver = "CNMLM50.DLL" ["CANON INC."]
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


---------- (launch time: 2008-07-31 18:50:50)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 216 seconds.
---------- (total run time: 1845 seconds)



Logfile of HijackThis v1.99.1
Scan saved at 19:36:25, on 31/07/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\System\MSASP32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\1175040655\ee\AOLSoftware.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wnxx.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1175040655\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcg ... cgdmgr.cab
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O23 - Service: Advance Service Process - Unknown owner - C:\Program Files\Common Files\System\MSASP32.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NET Runtime Optimization Service v2.1.41329_X86 - Unknown owner - C:\WINDOWS\Fonts\wmsncs.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
Fireman Sam
Regular Member
 
Posts: 22
Joined: July 6th, 2008, 6:43 pm