New Member: Drowning in Malware-Pls Analyze my HJT Log

Post by Lakota » August 6th, 2008, 8:19 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:24:54 PM, on 8/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\SpywareDetector\SDActiveMonitor.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\DOCUME~1\Admin\LOCALS~1\Temp\clclean.0001
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avnotify.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\system32\blank.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&cli ... bd=1061013
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://pages.ebay.com/ebay_toolbar/app/congrats3.html
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] "C:\WINDOWS\stsystra.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [MBMon] "C:\WINDOWS\system32\rundll32.exe" CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] "C:\WINDOWS\System32\DLA\DLACTRLW.EXE"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] "C:\WINDOWS\KHALMNPR.EXE"
O4 - HKLM\..\Run: [SDActiveMonitor] "C:\Program Files\SpywareDetector\SDActiveMonitor.exe" -AUTO
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [SetDefaultMIDI] "C:\WINDOWS\MIDIDef.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - HKCU\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInCon ... ontrol.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/ins ... csxp2k.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} - http://h30155.www3.hp.com/ediags/dd/ins ... utions.cab
O20 - AppInit_DLLs: karina.dat c:\progra~1\google\google~1\goec62~1.dll
O21 - SSODL: msgproc - b{6643b857-df80-9ffb-cb0d-0082ed053567} - (no file)
O21 - SSODL: winproc - b{55711e4e-4128-f004-a203-0444e52dcd78} - (no file)
O21 - SSODL: monstrcom - {07976174-6CEF-2978-4431-0A4EC3FBE4A5} - (no file)
O21 - SSODL: eqvwamkl - {7B3FDA4B-BCB4-47A7-8BA8-200BAE65FE31} - C:\WINDOWS\eqvwamkl.dll
O21 - SSODL: wnslvxtf - {25951F2E-A77D-4990-8F7F-59F70819DAA8} - C:\WINDOWS\wnslvxtf.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Advanced System Products, Inc. - (no file)
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (http://www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 10859 bytes
Lakota
Regular Member
 
Posts: 26
Joined: August 6th, 2008, 8:03 pm

Re: New Member: Drowning in Malware-Pls Analyze my HJT Log

Post by mjq424 » August 7th, 2008, 3:50 am

Hello, and welcome to Malware Removal Forums.
My name is Matt and I will be assisting you with your malware issues.
Please be patient as I need some time to review your HijackThis log and I will post back recommendations for repairs.
As I am still in training, everything that I post to you must be checked by a Teacher. Thus, there may be a tiny bit of a delay between posts, but it shouldn't be too long.

  • Whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean! If you have any questions or you're stuck, please reply to me. I will try my best to help you! Not having symptoms of malware doesn't mean that you are clean!
  • Please do not carry out tasks on your own before I reply, as this will only complicate things and may mean that my instructions are useless or dangerous!
  • Please bookmark or favourite this page, in case you need it for reference.
mjq424
Regular Member
 
Posts: 1502
Joined: April 14th, 2007, 10:20 am
Location: UK

Re: New Member: Drowning in Malware-Pls Analyze my HJT Log

Post by Lakota » August 7th, 2008, 11:23 am

Hello Matt:

Thank you for your quick response. From what I understand things can get busy here. Being a newbie on this forum, I realized that I did not describe the actual problems I am experiencing in my original post when I posted the HJT log. So I will describe them now.

Almost overnight I went from a fairly smooth running computer to a situation where I had many, many popups encouraging me to purchase antispyware software. I lost my wallpaper, and my screen went a bright blue. I had a large permanent popup, center screen, advising me that I had spyware and I needed to purchase an antispyware program. I also had popups for purchasing Antivirus 2008 and Antivirus XP 2008. In frustration I purchased Spyzooka, which I could not get to work at all. Then I purchased Spyware Doctor. Then I purchased some Webroot products such as Spy Sweeper and Virus Sweeper based on the recommendation of someone I trust. The Webroot products seemed to clear my system of some of the more obvious ones such as Antivirus 2008, Antivirus XP 2008, and the large permanent popup, and indicated I had a couple of Trojans such as Trojan.Zlob. I believe those are gone, but now I get little popups that say, "Spyware Alert! Worm.win32.NetBooster" or "System Alert! System detected virus activities please use recommended antispyware software to protect system against parasites". These continually pop up and are replaced as quickly as I delete them.

I have been using Lavasoft Ad Aware and a free antivirus program called Avira. I am worried about “Spyzooka” which I feel was a mistake now. I have since removed it. I also removed Lavasoft, removed Avira, removed Spyzooka and Spyware Doctor. I have replaced Avira and now run the Webroot products Spy Sweeper and their Antivirus program.

Currently, I have the following issues: I get a constant popup that says, "Microsoft.NetFrame > an unhandled exception has occurred in a component application". Another constant popup is an installation popup for something called "Photogallery" which I cannot get rid of. I get a popup that describes itself as a "Microsoft Installation" that is trying to install "Photogallery". If I cancel, it just continually pops up.
If I let it run its course it eventually gives an error message saying it cannot install it. I used to use Task Manager (control-alt-delete) to end the installation but that is no longer a viable solution.

Now, when I go to Task Manager (control-alt-delete), I get a popup that says, "Task Manager has been Disabled by the System Administrator", so I have no Task Manager. It has been disabled by one of these viruses. Even worse, the menu under "START" has been altered and I can no longer access "My Computer", "My Documents", "My Network Places", etc. They are gone or hidden.

I have just started using Mozilla Firefox and wish I had done it sooner, but that's water under the bridge and down the river... but my Internet Explorer pops up or opens on its own, continually, and has been altered. For example, overnight, I had 24 IE browsers open on their own, all offline with the message, "Cannot Display Webpage". These IE browser pages just keep opening up on their own.

When I try to proactively open an IE browser I get a URL that says, " http://runonce.msn.com/runonce3.aspx " and the browser says, "Welcome Back!" "Choose your Settings!"

Finally, when Windows sends notices saying that “Updates are available” or "Security Updates" I try to run the updates , but at some point they stop downloading and I get an error message saying that I cannot download the updates due to some issue. I have been able to use "Windows Defender" and ran it just last week. It did find and clean some items but still a long way from "fixed".

I can open Mozilla Firefox but it takes a VERY long time to get one up and running. Often I get a popup that says: "Because the last Mozilla closed unexpectedly, do I wish to continue or start a new one?"
I always click "start a new one"... I can navigate with Firefox for a few minutes, get my email, go to websites, etc., but usually within minutes the Firefox browser becomes unresponsive and I lose the connection. Nonresponsive.

So~ those are my current issues. I am dismayed, but I must say that I feel fortunate to have accidentally stumbled upon this forum. I think I am going to learn a lot here and I am so PO'd at this malware world I may very well become an anti-malware activist. I may even look into MR University and do my part in fighting this war. And war it is!

Thanks, Matt! Looking forward to your help and replies!
Bobby

p.s. I registered both at work and at home but I will only use my home registration (Username: Lakota) when I post logs or run items on the computer. I am using my work registration (username: treborkaisam) simply to access, review, read and learn from the website and for communiqués such as this one. I will never post a log from my work registration. I will only post logs such as the HJT log or run suggested programs under my home registration. I hope this is OK with you. Let me know if it is not… but I hope I can continue to access the Malware Removal website at work. I did not know if I could use one registration. I cannot access my home email at work so I did it this way.

Thank you for your help, Matt!
Lakota
Regular Member
 
Posts: 26
Joined: August 6th, 2008, 8:03 pm

Re: New Member: Drowning in Malware-Pls Analyze my HJT Log

Post by mjq424 » August 7th, 2008, 1:42 pm

Hi

Thanks for the additional info. I understand where you're coming from, seen it before myself.

Please download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
    ***IMPORTANT*** - If you cannot get into Safe Mode using this method, please STOP and tell me!
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
mjq424
Regular Member
 
Posts: 1502
Joined: April 14th, 2007, 10:20 am
Location: UK

Re: New Member: Drowning in Malware-Pls Analyze my HJT Log

Post by Lakota » August 7th, 2008, 3:42 pm

Matt~

I am not able to reboot in Safe Mode. I have tried many times using the restart option and the shutdown option (in case that made a difference, which I figured it probably wouldn't!)

Apparently the use of the F8 key and the menu and the Safe Mode option have been taken away from me.

I noticed that the instructions say, "...after hearing your computer beep once during startup, but before the Windows icon appears..." I just wanted to say that I had the volume cranked up on my speakers but my computer did not "beep" at all.

Please advise.

Thanks!

Bobby
Lakota
Lakota
Regular Member
 
Posts: 26
Joined: August 6th, 2008, 8:03 pm

Re: New Member: Drowning in Malware-Pls Analyze my HJT Log

Post by mjq424 » August 8th, 2008, 8:30 am

Hi
I would just like to clarify something you said in a previous post:
Lakota wrote:I have been using Lavasoft Ad Aware and a free antivirus program called Avira. I am worried about “Spyzooka” which I feel was a mistake now. I have since removed it. I also removed Lavasoft, removed Avira, removed Spyzooka and Spyware Doctor. I have replaced Avira and now run the Webroot products Spy Sweeper and their Antivirus program.

What Antivirus program are you running? Is it the combined Webroot program as seen here? As the Avira program still looks to be running in your logs. This is important as it may change the way I present my fixes to you.
Thanks
mjq424
Regular Member
 
Posts: 1502
Joined: April 14th, 2007, 10:20 am
Location: UK

Re: New Member: Drowning in Malware-Pls Analyze my HJT Log

Post by Lakota » August 8th, 2008, 10:26 am

Hi~

Right now I am running Avira and Webroot's Spy Sweeper with Antivirus, and I believe I bought the Window Washer product as well. I know that Spy Sweeper does a virus sweep but I am not sure if it is a virus gatekeeper like Norton. Avira is supposed to be a gatekeeper.

Your question brings up an issue that I have a question on. I notice that MRU recommends a handful of programs to help manage future malware. Examples being Lavasoft Ad Aware, SpyBot, Norton Antivirus, etc.

My question is fairly straightforward. Are the Webroot products, specifically Spy Sweeper, worthwhile? Is Avira a good program? I will uninstall / install or change what needs to be changed to achieve optimum results.

RECAP: I am running the combined program Webroot Spy Sweeper with Antivirus and Window Washer in combination with Avira.
Lakota
Regular Member
 
Posts: 26
Joined: August 6th, 2008, 8:03 pm

Re: New Member: Drowning in Malware-Pls Analyze my HJT Log

Post by mjq424 » August 8th, 2008, 5:50 pm

Hi

Uninstall List
  • Open HijackThis.
  • Click on Open the Misc Tools section.
  • Look under System tools.
  • Click on the Open Uninstall Manager... button.
  • Click on the Save list... button.
  • It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
  • Notepad will open. Please copy and paste the contents of this log in your next reply.
See this link for details.
http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg
mjq424
Regular Member
 
Posts: 1502
Joined: April 14th, 2007, 10:20 am
Location: UK

Re: New Member: Drowning in Malware-Pls Analyze my HJT Log

Post by Lakota » August 8th, 2008, 7:36 pm

Hello Matt~

As instructed, here is my uninstall_list.notepad
*********************************************

Adobe Flash Player 9
Adobe Photoshop 7.0
Adobe Reader 7.1.0
Andrea VoiceCenter
AnswerWorks 4.0 Runtime - English
AOLIcon
Ask Toolbar
Avira AntiVir Personal - Free Antivirus
CDDRV_Installer
Conexant D850 56K V.9x DFVc Modem
Creative Audio Pack
Creative MediaSource
Creative MediaSource 5
Creative Removable Disk Manager
Creative System Information
Creative Zen MicroPhoto
Dell CinePlayer
Dell Digital Jukebox Driver
Dell Support 3.2
Digital Content Portal
Digital Line Detect
Documentation & Support Launcher
Drivers Install For Linksys Easylink Advisor
EarthLink setup files
EducateU
ELIcon
Games, Music, & Photos Launcher
Google Desktop
Google Toolbar for Firefox
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP Customer Participation Program 7.0
HP Document Viewer 7.0
HP Driver Diagnostics
HP Imaging Device Functions 7.0
HP Photosmart Premier Software 6.5
HP Photosmart, Officejet and Deskjet 7.0.A
Internet Service Offers Launcher
J2SE Runtime Environment 5.0 Update 6
KhalInstallWrapper
Learn2 Player (Uninstall Only)
Linksys EasyLink Advisor 1.6 (0032)
Logitech SetPoint
Magic ISO Maker v5.4 (build 0239)
Magic ISO Maker v5.4 (build 0251)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Small Business Edition 2003
Microsoft Office XP Professional with FrontPage
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Modem Diagnostic Tool
Move Networks Player for Internet Explorer
Mozilla Firefox (2.0.0.16)
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Musicmatch® Jukebox
Nero 7 Ultra Edition
NetWaiting
NetZeroInstallers
NVIDIA Drivers
OCR Software by I.R.I.S 7.0
Quicken 2003 Premier Home & Business
QuickTime
RealPlayer
RegCure 1.5.0.0
Roxio DLA
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
SearchAssist
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Sonic Activation Module
Sonic Advanced Decoder
Sonic Update Manager
Sound Blaster ADVANCED MB Drivers
Sound Blaster Audigy ADVANCED MB
Sound Blaster Audigy ADVANCED MB Product Registration
Spy Sweeper
Spy Sweeper Core
TurboTax ItsDeductible 2006
TurboTax Premier 2007
TurboTax Premier Investments 2006
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
URL Assistant
WD Diagnostics
WebEx
Window Washer
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
WinRAR archiver
World Timetable
Yahoo! Toolbar

Lakota
Regular Member
 
Posts: 26
Joined: August 6th, 2008, 8:03 pm

Re: New Member: Drowning in Malware-Pls Analyze my HJT Log

Post by mjq424 » August 10th, 2008, 3:48 pm

Hi

Remove one of your anti-virus programs.
You are operating your computer with multiple anti-virus programs running in memory at once:
Avira
Webroot


Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. It is even likely that you will have less protection, because neither anti-virus will be able to function to the best of its capability, as one will interfere with the other. However, and more importantly, it is common for multiple AV programs to cause crashes and even file corruption. Anti-virus programs are far more complicated, much larger and more invasive than ever before. All anti-virus, firewall, and some anti-spyware programs patch deep into the system kernel. Running multiple AV programs may even cause enough damage to an operating system that reformatting may be required in order to restore the system back to working order.

Webroot will also impact the fixes I suggest. When you are clean you can go back to Webroot as long as you uninstall Avira AntiVir.

Until your computer is clean, please uninstall Webroot by doing the following:
  • Click Start > Control Panel
  • Select Add/Remove Programs
  • From the list click Webroot then Remove/Uninstall
  • Restart your PC


Next, please open HijackThis
Click Scan only
Place checkmarks against the following:
  • O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
  • O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
Close ALL open programs except HijackThis
Click Fix checked
Close HijackThis

SAFE BOOT REPAIR

Download & run this tool SafeBootKeyRepair-CF.

It shall only take a short moment for it to finish running. A log shall be produced at C:\SafeBoot_Repair.txt. Please post that in your next reply.

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
    The log can also be found here: C:\Documents and Settings\<User name>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Copy and Paste the log into your next reply

===============================
In your next reply can I please see the following:
  • SafeBoot_Repair.txt
  • mbam-log-date (time).txt
  • a new HijackThis log
mjq424
Regular Member
 
Posts: 1502
Joined: April 14th, 2007, 10:20 am
Location: UK

Re: New Member: Drowning in Malware-Pls Analyze my HJT Log

Unread postby Lakota » August 11th, 2008, 1:58 am

First the log from Malwarebytes' Anti-Malware. Running this scan was a real challenge: I had so many popups that the scan often went into a "Not Responding" mode. The first time, after a 3 hr scan, I rebooted and started all over; the final scan took well over 4 hrs and I had to "baby-sit" it.

Malwarebytes' Anti-Malware 1.24
Database version: 1038
Windows 5.1.2600 Service Pack 2

1:01:14 AM 8/11/2008
mbam-log-8-11-2008 (01-01-14).txt

Scan type: Full Scan (C:\|)
Objects scanned: 127886
Time elapsed: 4 hour(s), 26 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 14
Registry Values Infected: 3
Registry Data Items Infected: 16
Folders Infected: 23
Files Infected: 51

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\eqvwamkl.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\wnslvxtf.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{f0d4b230-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f0d4b23a-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f0d4b23c-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b15fd82e-85bc-430d-90cb-65db1b030510} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f0d4b231-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f0d4b23b-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{f0d4b23b-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhc5ruj0ea57 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7b3fda4b-bcb4-47a7-8ba8-200bae65fe31} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e8ccb80d-8eec-4b38-a530-5d7cfb6508f5} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{25951f2e-a77d-4990-8f7f-59f70819daa8} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\eqvwamkl (Trojan.FakeAlert) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\wnslvxtf (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (http://softwarereferral.com/jump.php?wm ... Ojg5&lid=2) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (76477-OEM-0011903-00102) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (h:mm:ss tt) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\rhc5ruj0ea57 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Susan Luling\Application Data\rhc5ruj0ea57 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Susan Luling\Application Data\rhc5ruj0ea57\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Susan Luling\Application Data\rhc5ruj0ea57\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Susan Luling\Application Data\rhc5ruj0ea57\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Susan Luling\Application Data\rhc5ruj0ea57\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Susan Luling\Application Data\rhc5ruj0ea57\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Susan Luling\Application Data\rhc5ruj0ea57\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Susan Luling\Application Data\rhc5ruj0ea57\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Susan Luling\Application Data\rhc5ruj0ea57\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Susan Luling\Application Data\rhc5ruj0ea57\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Susan Luling\Application Data\rhc5ruj0ea57\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robert Masiak\Application Data\rhc5ruj0ea57 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robert Masiak\Application Data\rhc5ruj0ea57\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robert Masiak\Application Data\rhc5ruj0ea57\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robert Masiak\Application Data\rhc5ruj0ea57\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robert Masiak\Application Data\rhc5ruj0ea57\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robert Masiak\Application Data\rhc5ruj0ea57\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robert Masiak\Application Data\rhc5ruj0ea57\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robert Masiak\Application Data\rhc5ruj0ea57\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robert Masiak\Application Data\rhc5ruj0ea57\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robert Masiak\Application Data\rhc5ruj0ea57\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robert Masiak\Application Data\rhc5ruj0ea57\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (Adware.AskSBAR) -> Delete on reboot.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP568\A0072248.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP568\A0072249.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP591\A0078790.cpl (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP601\A0082192.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP602\A0082275.cpl (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP605\A0104249.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP605\A0104250.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP605\A0104254.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP607\A0116295.cpl (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\eoel.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\rhc5ruj0ea57\database.dat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc5ruj0ea57\license.txt (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc5ruj0ea57\MFC71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc5ruj0ea57\MFC71ENU.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc5ruj0ea57\msvcp71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc5ruj0ea57\msvcr71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc5ruj0ea57\rhc5ruj0ea57.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc5ruj0ea57\Uninstall.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sex2.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hxiwlgpm.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\taack.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\VBIEWER.OCX (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\eqvwamkl.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\fdkowvbp.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\grswptdl.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\wnslvxtf.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\blphc1ruj0ea57.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winivstr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Desktop\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Desktop\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Desktop\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Susan Luling\Local Settings\Temporary Internet Files\okyjoxy.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Susan Luling\Local Settings\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robert Masiak\Local Settings\Temp\.tt7.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robert Masiak\Local Settings\Temp\.ttF.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Susan Luling\Desktop\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robert Masiak\Desktop\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Susan Luling\Desktop\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robert Masiak\Desktop\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Susan Luling\Desktop\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robert Masiak\Desktop\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Susan Luling\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robert Masiak\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Susan Luling\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robert Masiak\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Susan Luling\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robert Masiak\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.


++++++++++++++++++++++++++++++++++++++++++++++
Now the safeboot log - a note here- I'm not sure if this is what you are looking for---
I ran SafeBootKeyRepair-CF but the log seemed too short or lacking...but then I wouldn't know...please let me know if you need me to run it again! Thanks for your help!

actually....I have a program called Antispyware 2008 on my screen and I am unable to close it or move it...right now I am unable to get at the log for SafeBoot. I might post what I have so far....shut it down -reboot- get the Safeboot log and post that in a separate post...

I think that's the only way right now..
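The HijackThis O6/O7 entries fixed in the post above and the "Registry Data Items Infected" section of this Malwarebytes' log are the same class of finding: policy values the rogue set to lock the user out (DisableTaskMgr, DisableRegedit, NoDrives, the Start menu toggles) and display strings it rebranded with "VIRUS ALERT!". What follows is an added example, not code from this thread, from Malwarebytes or from HijackThis: a Python script that parses that section of the log and writes a .reg file re-applying the "Good" values, so the restoration can be checked or repeated after the reboot that the "Delete on reboot" items need. The log lines embedded in it are constructed in the shape of the ones posted above (the ProductId is a placeholder, not the real one), and the rule that a value under a \Policies\ key whose good value is 0 is deleted rather than written is this example's own choice.

```python
"""Parse the "Registry Data Items Infected" section of a Malwarebytes'
Anti-Malware 1.x log and emit a .reg file that re-applies the "Good" values.

Added example for this thread; not Malwarebytes' or HijackThis' own code.
SAMPLE_LOG is constructed in the shape of the log posted in the thread;
the ProductId value is a placeholder.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_LOG = """\
Registry Data Items Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (00000-OEM-0000000-00000) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\\Control Panel\\International\\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (h:mm:ss tt) -> Quarantined and deleted successfully.

Folders Infected:
"""

# <hive\key\valuename> (<detection>) -> Bad: (<old>) Good: (<restored>) -> <status>
ITEM_RE = re.compile(
    r"^(?P<path>HKEY_[A-Z_]+\\.+?) \((?P<detection>[\w.]+)\) -> "
    r"Bad: \((?P<bad>.*)\) Good: \((?P<good>.*?)\) -> (?P<status>.+)$"
)


@dataclass
class RegItem:
    key: str        # e.g. HKEY_CURRENT_USER\...\Policies\System
    name: str       # value name, e.g. DisableTaskMgr
    detection: str  # Malwarebytes' label, e.g. Hijack.TaskManager
    bad: str        # value the malware had written
    good: str       # value Malwarebytes restored


def parse_registry_data_items(log_text: str) -> List[RegItem]:
    """Return the entries of the 'Registry Data Items Infected:' section only."""
    items: List[RegItem] = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Registry Data Items Infected:":   # the summary line has a count, so it is skipped
            in_section = True
            continue
        if not in_section:
            continue
        if not line:                                  # a blank line closes the section
            break
        m = ITEM_RE.match(line)
        if not m:                                     # e.g. "(No malicious items detected)"
            continue
        key, _, name = m.group("path").rpartition("\\")
        items.append(RegItem(key, name, m.group("detection"), m.group("bad"), m.group("good")))
    return items


def reg_restore_line(item: RegItem) -> str:
    """One .reg line restoring the Good value.

    A restriction under a \\Policies\\ key is off when the value is absent, so a
    Good value of 0 there is written as a deletion ("=-") instead of an explicit 0
    (design choice of this example). Numeric values become DWORDs, anything else a string.
    """
    if "\\Policies\\" in item.key and item.good == "0":
        return f'"{item.name}"=-'
    if item.good.isdigit():
        return f'"{item.name}"=dword:{int(item.good):08x}'
    escaped = item.good.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{item.name}"="{escaped}"'


def build_restore_reg(items: List[RegItem]) -> str:
    """Full .reg file text (CRLF line endings, values grouped under their key)."""
    by_key: Dict[str, List[str]] = {}
    for item in items:
        by_key.setdefault(item.key, []).append(reg_restore_line(item))
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, lines in by_key.items():
        out.append(f"[{key}]")
        out.extend(lines)
        out.append("")
    return "\r\n".join(out)


def rogue_branding(items: List[RegItem]) -> List[str]:
    """Value names whose hijacked content carried the rogue's fake warning text."""
    return [i.name for i in items if "VIRUS ALERT" in i.bad.upper()]


if __name__ == "__main__":
    found = parse_registry_data_items(SAMPLE_LOG)
    print(build_restore_reg(found))
    print("; rogue-branded values:", ", ".join(rogue_branding(found)))
```

Import the generated file as the user whose HKCU hive was hijacked, since HKEY_CURRENT_USER resolves to whoever runs the import; the HKLM entry needs an administrator. The file is only as trustworthy as the "Good" values in the log, so read it before importing, and note that HijackThis lists the same DisableRegedit and Internet Explorer\Restrictions policies as O7/O6 items rather than in this log format.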

Re: New Member: Drowning in Malware-Pls Analyze my HJT Log

Unread postby Lakota » August 11th, 2008, 2:12 am

Sorry for two immediate posts one after the other but here is the notepad log from SafeBootKeyRepair:

Reg export of SafeBoot key after repair:
========================


As you can see, there's nothing there.....

Let me know if you need me to do more...

Thanks, Matt!

Re: New Member: Drowning in Malware-Pls Analyze my HJT Log

Unread postby Lakota » August 11th, 2008, 7:28 am

I ran Malwarebytes one more time;

Malwarebytes' Anti-Malware 1.24
Database version: 1039
Windows 5.1.2600 Service Pack 2

6:38:04 AM 8/11/2008
mbam-log-8-11-2008 (06-38-04).txt

Scan type: Full Scan (C:\|)
Objects scanned: 127861
Time elapsed: 4 hour(s), 51 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: New Member: Drowning in Malware-Pls Analyze my HJT Log

Unread postby mjq424 » August 11th, 2008, 1:34 pm

Hi
If you haven't already done so, please restart your computer to allow Malwarebytes' to finish removing malware.

Next, ComboFix. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

Re: New Member: Drowning in Malware-Pls Analyze my HJT Log

Unread postby Lakota » August 11th, 2008, 8:28 pm

I made a big mistake. I did not have the Windows CD- I should have gone to the Microsoft website to access the Recovery Console but I did not. I ended up running the ComboFix without it. I didn't know if I should stop it or not so I let it run. Here's the log:
********************************************************

ComboFix 08-08-10.06 - Admin 2008-08-11 19:07:12.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.114 [GMT -5:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Admin\Application Data\macromedia\Flash Player\#SharedObjects\6N9URNZ4\interclick.com
C:\Documents and Settings\Admin\Application Data\macromedia\Flash Player\#SharedObjects\6N9URNZ4\interclick.com\ud.sol
C:\Documents and Settings\Admin\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Admin\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\Robert Masiak\Application Data\macromedia\Flash Player\#SharedObjects\K9XWGR6G\interclick.com
C:\Documents and Settings\Robert Masiak\Application Data\macromedia\Flash Player\#SharedObjects\K9XWGR6G\interclick.com\ud.sol
C:\Documents and Settings\Robert Masiak\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Robert Masiak\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Robert Masiak\Local Settings\Temporary Internet Files\aser.inf
C:\Documents and Settings\Robert Masiak\Local Settings\Temporary Internet Files\qiwosohik.inf
C:\Documents and Settings\Robert Masiak\Local Settings\Temporary Internet Files\xaren._sy
C:\Documents and Settings\Susan Luling\Application Data\macromedia\Flash Player\#SharedObjects\B5QX2LKV\interclick.com
C:\Documents and Settings\Susan Luling\Application Data\macromedia\Flash Player\#SharedObjects\B5QX2LKV\interclick.com\ud.sol
C:\Documents and Settings\Susan Luling\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Susan Luling\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Susan Luling\Local Settings\Temporary Internet Files\vysyje.scr
C:\WINDOWS\Downloaded Program Files\setup.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SYSREST.SYS


((((((((((((((((((((((((( Files Created from 2008-07-12 to 2008-08-12 )))))))))))))))))))))))))))))))
.

2008-08-10 16:25 . 2008-08-10 16:25 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-10 16:25 . 2008-08-10 16:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-10 16:25 . 2008-08-10 16:25 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Malwarebytes
2008-08-10 16:25 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-10 16:25 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-10 16:16 . 2008-08-10 16:16 <DIR> d-------- C:\Program Files\Advanced Registry Optimizer
2008-08-10 16:16 . 2008-08-10 16:16 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Sammsoft
2008-08-10 15:18 . 2008-08-10 15:18 70,352 --a------ C:\Documents and Settings\Admin\Application Data\GDIPFONTCACHEV1.DAT
2008-08-06 19:24 . 2008-08-06 19:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-05 00:05 . 2008-08-05 00:06 <DIR> d-------- C:\Program Files\Common Files\Webroot Shared
2008-08-05 00:04 . 2007-11-26 14:47 194,888 --a------ C:\WINDOWS\Unwash6.exe
2008-08-03 23:38 . 2008-08-03 23:38 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-08-03 23:20 . 2008-08-03 23:20 <DIR> d-------- C:\Program Files\AskSBar
2008-08-03 17:55 . 2008-08-05 00:05 <DIR> d-------- C:\Program Files\Webroot
2008-08-03 17:55 . 2008-08-10 15:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-08-03 17:55 . 2008-08-10 15:48 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Webroot
2008-08-03 17:54 . 2008-08-03 23:20 164 --a------ C:\install.dat
2008-08-03 13:35 . 2008-08-03 13:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-08-02 17:08 . 2008-08-04 17:30 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-02 07:30 . 2008-08-02 07:30 <DIR> d-------- C:\Program Files\Avira
2008-08-02 07:30 . 2008-08-02 07:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-08-02 00:53 . 2008-08-02 00:53 19,679 --a------ C:\Documents and Settings\All Users\Application Data\oxycinid.bin
2008-08-02 00:53 . 2008-08-02 00:53 19,577 --a------ C:\WINDOWS\system32\agabofu.pif
2008-08-02 00:53 . 2008-08-02 00:53 19,397 --a------ C:\WINDOWS\system32\wujipucih.db
2008-08-02 00:53 . 2008-08-02 00:53 17,006 --a------ C:\Documents and Settings\All Users\Application Data\iqoqac.dat
2008-08-02 00:53 . 2008-08-02 00:53 13,637 --a------ C:\WINDOWS\osyde._sy
2008-08-02 00:53 . 2008-08-02 00:53 12,879 --a------ C:\WINDOWS\system32\orycocuq.vbs
2008-08-02 00:53 . 2008-08-02 00:53 12,557 --a------ C:\WINDOWS\qyto.vbs
2008-08-02 00:53 . 2008-08-02 00:53 11,002 --a------ C:\WINDOWS\fani.com
2008-08-02 00:53 . 2008-08-02 00:53 10,913 --a------ C:\Documents and Settings\All Users\Application Data\sizano.pif
2008-08-02 00:28 . 2008-08-02 00:28 <DIR> d-------- C:\Documents and Settings\Susan Luling\Application Data\TmpRecentIcons
2008-08-02 00:28 . 2008-08-02 00:28 18,558 --a------ C:\WINDOWS\pogipadu._sy
2008-08-02 00:28 . 2008-08-02 00:28 18,380 --a------ C:\Program Files\Common Files\vutuca.exe
2008-08-02 00:28 . 2008-08-02 00:28 18,020 --a------ C:\WINDOWS\veko.inf
2008-08-02 00:28 . 2008-08-02 00:28 14,591 --a------ C:\WINDOWS\nirax.sys
2008-08-02 00:28 . 2008-08-02 00:28 14,501 --a------ C:\WINDOWS\wiboxo.bin
2008-08-02 00:28 . 2008-08-02 00:28 13,867 --a------ C:\Documents and Settings\Susan Luling\Application Data\gaka.vbs
2008-08-02 00:28 . 2008-08-02 00:28 13,388 --a------ C:\WINDOWS\system32\cuqimowetu.dat
2008-08-02 00:28 . 2008-08-02 00:28 12,516 --a------ C:\Program Files\Common Files\yxyjeky.com
2008-08-02 00:28 . 2008-08-02 00:28 10,638 --a------ C:\WINDOWS\ajihyg.bat
2008-08-02 00:28 . 2008-08-02 00:28 10,335 --a------ C:\Documents and Settings\Susan Luling\Application Data\fatamurizy.bat
2008-08-02 00:28 . 2008-08-02 00:28 10,002 --a------ C:\Documents and Settings\Susan Luling\Application Data\ruwily.exe
2008-08-02 00:24 . 2008-08-02 00:24 18,689 --a------ C:\Program Files\Common Files\ywiho.bin
2008-08-02 00:24 . 2008-08-02 00:24 16,584 --a------ C:\Documents and Settings\All Users\Application Data\lupoc.scr
2008-08-02 00:24 . 2008-08-02 00:24 15,866 --a------ C:\Documents and Settings\All Users\Application Data\gedamyvin.dll
2008-08-02 00:24 . 2008-08-02 00:24 13,497 --a------ C:\Program Files\Common Files\tavavek.com
2008-08-02 00:06 . 2008-08-02 17:01 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-02 00:06 . 2008-08-02 16:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-01 23:24 . 2008-08-02 10:13 <DIR> d-------- C:\Documents and Settings\Robert Masiak\Application Data\TmpRecentIcons
2008-07-28 16:44 . 2008-07-28 16:44 166,512 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-07-28 16:44 . 2008-07-28 16:44 29,808 --a------ C:\WINDOWS\system32\drivers\ssfs0bbc.sys
2008-07-28 16:44 . 2008-07-28 16:44 23,152 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-07-27 14:07 . 2008-07-27 14:07 <DIR> d-------- C:\Program Files\KLM Royal Dutch Airlines
2008-07-27 14:07 . 2008-07-27 14:07 <DIR> d-------- C:\Documents and Settings\Robert Masiak\WINDOWS
2008-07-27 14:07 . 2008-07-27 14:07 145 --a------ C:\WINDOWS\Klmamsqo.ini
2008-07-22 23:21 . 2008-08-02 11:29 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\eBay
2008-07-21 10:42 . 2008-07-21 10:42 <DIR> d-------- C:\Documents and Settings\Susan Luling\Application Data\Sunbelt Software
2008-07-21 02:19 . 2008-07-21 02:19 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-07-21 02:19 . 2008-07-21 02:19 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-07-21 01:55 . 2008-07-21 01:55 <DIR> d-------- C:\Documents and Settings\Robert Masiak\Application Data\Sunbelt Software
2008-07-19 15:29 . 2008-07-19 15:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-07-19 15:28 . 2008-07-19 15:28 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-07-19 15:28 . 2008-07-20 09:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-07-19 13:32 . 2008-08-02 07:54 <DIR> d-------- C:\Program Files\SpyZooka
2008-07-19 12:45 . 2008-07-19 12:45 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-07-19 09:27 . 2008-08-05 06:31 <DIR> d-------- C:\Program Files\rjtneeg
2008-07-17 13:15 . 2008-07-17 13:15 <DIR> d-------- C:\Program Files\xkrevvf
2008-07-15 16:13 . 2008-08-09 01:14 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-15 16:13 . 2008-07-15 16:13 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-14 19:26 . 2008-08-05 06:31 <DIR> d-------- C:\Program Files\ngurrd
2008-07-14 19:26 . 2008-07-21 02:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\jkxqfwxc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-02 16:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-02 16:29 --------- d-----w C:\Program Files\eBay
2008-08-02 16:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\eBay
2008-08-02 16:27 --------- d-----w C:\Documents and Settings\Robert Masiak\Application Data\Lavasoft
2008-08-02 16:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\WholeSecurity
2008-08-02 15:02 --------- d-----w C:\Program Files\HP
2008-08-02 15:02 --------- d-----w C:\Program Files\Hewlett-Packard
2008-08-02 05:28 12,002 ----a-w C:\Program Files\Common Files\vuqiz.lib
2008-08-02 05:24 17,629 ----a-w C:\Program Files\Common Files\yxewy._dl
2008-08-02 05:24 14,713 ----a-w C:\WINDOWS\system32\ejixihav.bat
2008-08-02 05:24 13,783 ----a-w C:\Program Files\Common Files\gamig.lib
2008-08-02 05:24 13,297 ----a-w C:\WINDOWS\agowaqoco.dll
2008-08-02 05:24 12,095 ----a-w C:\WINDOWS\yxogohery.sys
2008-08-02 05:24 11,685 ----a-w C:\WINDOWS\lyvyrypiv.scr
2008-07-23 00:49 --------- d-----w C:\Program Files\SpywareDetector
2008-07-21 15:35 --------- d-----w C:\Program Files\MagicISO
2008-07-03 20:28 70,352 ----a-w C:\Documents and Settings\Susan Luling\Application Data\GDIPFONTCACHEV1.DAT
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 19:07 --------- d-----w C:\Program Files\WebEx
2008-06-13 19:07 --------- d-----w C:\Documents and Settings\Susan Luling\Application Data\webex
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-04-09 05:21 70,352 ----a-w C:\Documents and Settings\Robert Masiak\Application Data\GDIPFONTCACHEV1.DAT
2007-11-06 05:17 4,214,196 ----a-w C:\Documents and Settings\Robert Masiak\WDSyncV6.zip
2007-06-14 15:39 4,907,520 ----a-w C:\Documents and Settings\Robert Masiak\WDSync_v6_3_130.exe
2006-11-18 15:03 0 ----a-w C:\Documents and Settings\Robert Masiak\Application Data\wklnhst.dat
2006-12-10 03:25 88 --sh--r C:\WINDOWS\system32\0E7226A71C.sys
2006-12-10 03:25 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-08-03 23:20 66912]

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-07-16 21:29 389120]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-03 09:36 68856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 19:04 139264]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 19:16 454784]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2007-11-26 14:47 1206600]
"AROReminder"="C:\Program Files\Advanced Registry Optimizer\aro.exe" [2008-04-09 14:22 2135168]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 04:40 24576 C:\WINDOWS\MIDIDEF.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-23 12:12 7630848]
"nwiz"="C:\WINDOWS\system32\nwiz.exe" [2006-08-23 12:12 1617920]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-23 12:12 86016]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 03:12 94208]
"SigmatelSysTrayApp"="C:\WINDOWS\stsystra.exe" [2006-08-15 02:38 282624]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 10:51 57344]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44 81920]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 05:20 122940]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-10-13 18:21 169984]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-13 18:16 98304]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-14 00:31 185896]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"Kernel and Hardware Abstraction Layer"="C:\WINDOWS\KHALMNPR.EXE" [2007-11-29 03:17 55824]
"SDActiveMonitor"="C:\Program Files\SpywareDetector\SDActiveMonitor.exe" [2008-07-16 10:41 1058256]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 14:28 266497]
"MBMon"="CTMBHA.DLL" [2006-06-28 23:12 1355042 C:\WINDOWS\system32\CTMBHA.DLL]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-23 12:43:35 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
Billminder.lnk - C:\Program Files\Quicken\billmind.exe [2002-07-30 15:02:26 36864]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-10-13 18:10:56 24576]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 07:56:20 73728]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-02-14 20:20:49 789008]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2002-07-30 15:02:40 53248]
Quicken Startup.lnk - C:\Program Files\Quicken\QWDLLS.EXE [2002-07-30 15:02:42 36864]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

R0 ssfs0bbc;ssfs0bbc;C:\WINDOWS\system32\DRIVERS\ssfs0bbc.sys [2008-07-28 16:44]
S2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-11-26 14:47]
S3 SDActMon;SDActMon;C:\Program Files\SpywareDetector\SDActMon.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-08-12 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2007-08-02 11:20]

2008-08-07 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2007-08-02 11:20]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
SSODL-msgproc-b{6643b857-df80-9ffb-cb0d-0082ed053567} - (no file)
SSODL-winproc-b{55711e4e-4128-f004-a203-0444e52dcd78} - (no file)
SSODL-monstrcom-{07976174-6CEF-2978-4431-0A4EC3FBE4A5} - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\o0c3xx3j.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-11 19:13:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\Admin\LOCALS~1\temp\clclean.0001
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-08-11 19:18:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-12 00:18:39

Pre-Run: 45,052,243,968 bytes free
Post-Run: 45,391,998,976 bytes free

277 --- E O F --- 2008-08-11 08:00:43
**************************************************************
HiJackThis LOG immediately following ComboFix:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:38:56 PM, on 8/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\SpywareDetector\SDActiveMonitor.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\DOCUME~1\Admin\LOCALS~1\Temp\clclean.0001
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&cli ... bd=1061013
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://pages.ebay.com/ebay_toolbar/app/congrats3.html
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] "C:\WINDOWS\stsystra.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [MBMon] "C:\WINDOWS\system32\rundll32.exe" CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] "C:\WINDOWS\System32\DLA\DLACTRLW.EXE"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] "C:\WINDOWS\KHALMNPR.EXE"
O4 - HKLM\..\Run: [SDActiveMonitor] "C:\Program Files\SpywareDetector\SDActiveMonitor.exe" -AUTO
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - HKCU\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe"
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInCon ... ontrol.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/ins ... csxp2k.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} - http://h30155.www3.hp.com/ediags/dd/ins ... utions.cab
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Advanced System Products, Inc. - (no file)
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (http://www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 10145 bytes
Lakota
Regular Member
 
Posts: 26
Joined: August 6th, 2008, 8:03 pm