Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

popups and browser hijack

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Unread postby tim s » June 15th, 2007, 7:47 pm

Hi hdebo

What do the popups say?
User avatar
tim s
MRU Honors Grad Emeritus
 
Posts: 1541
Joined: February 11th, 2006, 10:27 am
Advertisement
Register to Remove

Unread postby hdebo » June 17th, 2007, 12:43 am

Norton keeps blocking adware.webbuy and trojan.adclicker.
hdebo
Regular Member
 
Posts: 26
Joined: June 13th, 2007, 8:12 pm

Unread postby hdebo » June 17th, 2007, 1:21 am

It continues to block adware.webbuy even if my browser is closed.
hdebo
Regular Member
 
Posts: 26
Joined: June 13th, 2007, 8:12 pm

Unread postby hdebo » June 17th, 2007, 7:18 am

I am also getting a popup of missing file when I boot up. It says it cannot find c:\windows\retadpu77.exe. Also I get a script host error when IE starts up. C:\programfiles\func.js. Norton also blocks trojan.adclicker and blocks desktop intrusion. HTP Quickbrowser activity
hdebo
Regular Member
 
Posts: 26
Joined: June 13th, 2007, 8:12 pm

Unread postby tim s » June 17th, 2007, 7:38 am

Hi hdebo,

Thanks for the information that helps. we need to run this tool first.

http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a 'RiskTool'; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between 'good' and 'malicious' use of such programs, therefore they may alert the user.


---------------------------------------------------------------

This is next:

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


----------------------------------------------------------------------

Please post in next reply:
C:\ rapport.txt
C:\SDFix folder as Report.txt
New HJT log
User avatar
tim s
MRU Honors Grad Emeritus
 
Posts: 1541
Joined: February 11th, 2006, 10:27 am

Unread postby hdebo » June 17th, 2007, 7:52 pm

I ran the test you asked. I still get norton blocks coming up for trojan.adclicker and desktop intrusions. I also still get the script error when I open IE.
Here are the logs requested
SmitFraudFix v2.195

Scan done at 19:34:31.32, Sun 06/17/2007
Run from C:\Documents and Settings\HDebo\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\svhost.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\POPUPS~1.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\HDebo


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\HDebo\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\HDebo\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 68.94.156.1
DNS Server Search Order: 68.94.157.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{59AD5291-8F8C-42D7-B359-60BD93EE27AE}: DhcpNameServer=68.94.156.1 68.94.157.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{59AD5291-8F8C-42D7-B359-60BD93EE27AE}: DhcpNameServer=68.94.156.1 68.94.157.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{59AD5291-8F8C-42D7-B359-60BD93EE27AE}: DhcpNameServer=68.94.156.1 68.94.157.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.94.156.1 68.94.157.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.94.156.1 68.94.157.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.94.156.1 68.94.157.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


SDFix: Version 1.88

Run by HDebo on Sun 06/17/2007 at 07:40 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing SharedAccess Service

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\poolsv.exe - Deleted
C:\WINDOWS\svhost.exe - Deleted



Removing Temp Files...

ADS Check:

Checking C:\WINDOWS\
C:\WINDOWS
No streams found.

Checking C:\WINDOWS\system32
C:\WINDOWS\system32
No streams found.

Checking C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Checking C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Listing Files with Hidden Attributes:

C:\Documents and Settings\Administrator.COMP1\NTUSER.DAT
C:\Documents and Settings\Administrator.COMP1\NTUSER.DAT.LOG
C:\Documents and Settings\Administrator.COMP1\Local Settings\Application Data\IconCache.db
C:\Documents and Settings\Administrator.COMP1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
C:\Documents and Settings\Administrator.COMP1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
C:\Documents and Settings\Administrator.COMP1.000\ntuser.dat
C:\Documents and Settings\Administrator.COMP1.000\NTUSER.DAT.LOG
C:\Documents and Settings\Administrator.COMP1.000\ntuser.ini
C:\Documents and Settings\Administrator.COMP1.000\Application Data\desktop.ini
C:\Documents and Settings\Administrator.COMP1.000\Local Settings\desktop.ini
C:\Documents and Settings\Administrator.COMP1.000\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
C:\Documents and Settings\Administrator.COMP1.000\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
C:\Documents and Settings\Administrator.COMP1.000\Local Settings\History\desktop.ini
C:\Documents and Settings\Administrator.COMP1.000\Local Settings\History\History.IE5\desktop.ini
C:\Documents and Settings\Administrator.COMP1.000\Local Settings\Temporary Internet Files\desktop.ini
C:\Documents and Settings\Administrator.COMP1.000\SendTo\desktop.ini
C:\Documents and Settings\Administrator.COMP1.000\Start Menu\desktop.ini
C:\Documents and Settings\Administrator.COMP1.000\Start Menu\Programs\desktop.ini
C:\Documents and Settings\Administrator.COMP1.000\Start Menu\Programs\Accessories\desktop.ini
C:\Documents and Settings\Administrator.COMP1.000\Start Menu\Programs\Accessories\Accessibility\desktop.ini
C:\Documents and Settings\Administrator.COMP1.000\Start Menu\Programs\Accessories\Entertainment\desktop.ini
C:\Documents and Settings\Administrator.COMP1.000\Start Menu\Programs\Startup\desktop.ini
C:\Documents and Settings\HDebo\Application Data\iPodSoft\iPod Agent\1.0.1.0\WinIPA.sys
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG

Listing User Accounts:

User accounts for \\DESKTOP

Administrator ASPNET Guest
HDebo HelpAssistant SUPPORT_388945a0


Finished
Logfile of HijackThis v1.99.1
Scan saved at 7:49:02 PM, on 6/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\POPUPS~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT\analyse.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {D7988997-59B7-46B7-8FDA-371BA6A8D810} - C:\Program Files\Online Services\sademowu58441.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~2\POPUPS~1.EXE"
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.7.4\webbuying.exe
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
hdebo
Regular Member
 
Posts: 26
Joined: June 13th, 2007, 8:12 pm

Unread postby tim s » June 17th, 2007, 9:07 pm

Hi hdebo,

Thanks for posting logs. This is a sneaky infection it was hiding your HJT log shows what I was looking for now.

Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present):

    O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
    O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.7.4\webbuying.exe

WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit HijackThis.

--------------------------------------------------------------
Please do the following:

Open notepad and copy/paste the text in the codebox below into it:
NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.

Code: Select all
Folder::
C:\temp\x2b 
C:\Program Files\Web Buying



Save this as ComboFix-Do.txt

Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.
Image


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.

If not ask to restart computer from combofix then do so now before continuing.

---------------------------------------------------------------

Now This is next:

Please download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

------------------------------------------------------------

Next I will need you to re-run this tool as it looks like those files that it deleted are back.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


---------------------------------------------------------------------

Let me know if you still get the error messages on reboot and opeing IE there is a file I need to check first that maybe causing IE error I am not removing yet.

Please post theses:
Combofix.txt
C:\vundofix.txt
C:\SDFix folder as Report.txt
New HJT log
User avatar
tim s
MRU Honors Grad Emeritus
 
Posts: 1541
Joined: February 11th, 2006, 10:27 am

Unread postby hdebo » June 18th, 2007, 2:15 am

I still get the script error opening IE and when I opened it I also had Norton still block trojan.adclicker and desktop intrusion. Here are the logs you requested. Vundo was not found on the computer.

ComboFix 07-06-13.3 - C:\Documents and Settings\HDebo\Desktop\ComboFix.exe
"HDebo" - 2007-06-18 1:50:56 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\HDebo\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Temp\0b9
C:\Temp\0b9\tmpTF.log
C:\temp\x2b


((((((((((((((((((((((((( Files Created from 2007-05-18 to 2007-06-18 )))))))))))))))))))))))))))))))


2007-06-17 19:34 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-06-17 19:34 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-06-17 19:34 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-06-17 19:34 2,066 --a------ C:\WINDOWS\system32\tmp.reg
2007-06-17 00:47 <DIR> d-------- C:\WINDOWS\system32\S7
2007-06-17 00:47 <DIR> d-------- C:\WINDOWS\system32\S6
2007-06-17 00:47 <DIR> d-------- C:\WINDOWS\system32\S4
2007-06-17 00:47 <DIR> d-------- C:\WINDOWS\system32\S1
2007-06-17 00:47 <DIR> d-------- C:\WINDOWS\system32\S0
2007-06-17 00:47 <DIR> d-------- C:\WINDOWS\system32\o09PrEz
2007-06-17 00:38 <DIR> d-------- C:\Program Files\svhost
2007-06-17 00:37 <DIR> d-------- C:\Program Files\poolsv
2007-06-14 21:23 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-06-14 21:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Kaspersky Lab
2007-06-14 17:35 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-14 13:03 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-13 23:28 <DIR> d-------- C:\DOCUME~1\HDebo\APPLIC~1\TrojanHunter
2007-06-13 23:27 <DIR> d-------- C:\Program Files\TrojanHunter 4.6
2007-06-13 07:18 <DIR> d-------- C:\WINDOWS\system32\win
2007-06-13 07:18 <DIR> d-------- C:\temp\iee
2007-06-04 16:07 0 --a------ C:\WINDOWS\nsreg.dat
2007-06-01 16:19 <DIR> d-------- C:\DOCUME~1\HDebo\APPLIC~1\Uniblue
2007-06-01 00:33 524,288 --ah----- C:\DOCUME~1\ADMINI~1.DES\NTUSER.DAT
2007-05-29 20:35 <DIR> d-------- C:\hidownload
2007-05-28 06:03 454 --a------ C:\WINDOWS\system32\close.vbs


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-18 05:50:10 -------- d-----w C:\Program Files\BitComet
2007-06-18 05:42:39 -------- d-----w C:\Program Files\HJT
2007-06-17 11:34:26 -------- d-----w C:\DOCUME~1\HDebo\APPLIC~1\DMCache
2007-06-17 04:47:37 -------- d-----w C:\Program Files\Online Services
2007-06-17 04:12:09 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-14 01:13:39 -------- d-----w C:\Program Files\Norton AntiVirus
2007-06-14 00:51:18 -------- d-----w C:\Program Files\Easy Video Joiner
2007-05-30 00:15:02 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-29 23:57:26 -------- d-----w C:\Program Files\WinPcap
2007-05-10 23:00:55 -------- d-----w C:\DOCUME~1\HDebo\APPLIC~1\Lavasoft
2007-05-10 23:00:48 -------- d-----w C:\Program Files\Lavasoft
2007-05-10 23:00:30 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-04-22 11:38:55 -------- d-----w C:\Program Files\Internet Download Manager
2007-04-22 03:22:38 0 ----a-w C:\WINDOWS\system32\SBRC.dat
2007-04-22 03:22:38 0 ----a-w C:\WINDOWS\system32\SBFC.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2006-10-26 10:28]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-04-16 16:39]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{D7988997-59B7-46B7-8FDA-371BA6A8D810}=C:\Program Files\Online Services\sademowu58441.dll [2007-06-14 07:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 01:59]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-24 04:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperProfessional"="C:\PROGRA~1\PANICW~1\POP-UP~2\POPUPS~1.EXE" [2005-06-01 16:09]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ihsService.exe]
"C:\Program Files\Sunbelt Software\iHateSpam\ihsService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
"C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
"C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
"C:\Program Files\Norton AntiVirus\osCheck.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S


Contents of the 'Scheduled Tasks' folder
2007-06-15 23:25:43 C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - HDebo.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-18 01:52:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-18 1:53:10
C:\ComboFix-quarantined-files.txt ... 2007-06-18 01:53
C:\ComboFix2.txt ... 2007-06-14 20:04
C:\ComboFix3.txt ... 2007-06-14 13:13

--- E O F ---

SDFix: Version 1.88

Run by HDebo on Mon 06/18/2007 at 02:00 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing SharedAccess Service

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

Checking C:\WINDOWS\
C:\WINDOWS
No streams found.

Checking C:\WINDOWS\system32
C:\WINDOWS\system32
No streams found.

Checking C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Checking C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------


Listing Files with Hidden Attributes:

C:\Documents and Settings\Administrator.COMP1\NTUSER.DAT
C:\Documents and Settings\Administrator.COMP1\NTUSER.DAT.LOG
C:\Documents and Settings\Administrator.COMP1\Local Settings\Application Data\IconCache.db
C:\Documents and Settings\Administrator.COMP1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
C:\Documents and Settings\Administrator.COMP1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
C:\Documents and Settings\Administrator.COMP1.000\ntuser.dat
C:\Documents and Settings\Administrator.COMP1.000\NTUSER.DAT.LOG
C:\Documents and Settings\Administrator.COMP1.000\ntuser.ini
C:\Documents and Settings\Administrator.COMP1.000\Application Data\desktop.ini
C:\Documents and Settings\Administrator.COMP1.000\Local Settings\desktop.ini
C:\Documents and Settings\Administrator.COMP1.000\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
C:\Documents and Settings\Administrator.COMP1.000\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
C:\Documents and Settings\Administrator.COMP1.000\Local Settings\History\desktop.ini
C:\Documents and Settings\Administrator.COMP1.000\Local Settings\History\History.IE5\desktop.ini
C:\Documents and Settings\Administrator.COMP1.000\Local Settings\Temporary Internet Files\desktop.ini
C:\Documents and Settings\Administrator.COMP1.000\SendTo\desktop.ini
C:\Documents and Settings\Administrator.COMP1.000\Start Menu\desktop.ini
C:\Documents and Settings\Administrator.COMP1.000\Start Menu\Programs\desktop.ini
C:\Documents and Settings\Administrator.COMP1.000\Start Menu\Programs\Accessories\desktop.ini
C:\Documents and Settings\Administrator.COMP1.000\Start Menu\Programs\Accessories\Accessibility\desktop.ini
C:\Documents and Settings\Administrator.COMP1.000\Start Menu\Programs\Accessories\Entertainment\desktop.ini
C:\Documents and Settings\Administrator.COMP1.000\Start Menu\Programs\Startup\desktop.ini
C:\Documents and Settings\HDebo\Application Data\iPodSoft\iPod Agent\1.0.1.0\WinIPA.sys
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG

Listing User Accounts:

User accounts for \\DESKTOP

Administrator ASPNET Guest
HDebo HelpAssistant SUPPORT_388945a0


Finished

Logfile of HijackThis v1.99.1
Scan saved at 2:11:39 AM, on 6/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\POPUPS~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HJT\analyse.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {D7988997-59B7-46B7-8FDA-371BA6A8D810} - C:\Program Files\Online Services\sademowu58441.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~2\POPUPS~1.EXE"
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
hdebo
Regular Member
 
Posts: 26
Joined: June 13th, 2007, 8:12 pm

Unread postby tim s » June 18th, 2007, 7:57 pm

Hi hdebo,

More of the infection as returned let me see a log from this tool.
Note* If, after posting your reply, the last line is not < End of Report > then the log is too big to fit into a single reply post and you will need to split it into separate reply post.

Please do the following:

Download WinPFind3U.exe to your Desktop and double-click on it to extract the files.
It will create a folder named WinPFind3u on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • Change settings Under Files/Folders Created Within-----
    • Click on 60 days
  • Change settings Under Files/Folders Modified Within-----
    • Click on 60 days
  • Next on the right side of screen Under Additional Scans
    • Put a checkmark in the box next to Reg-Disabled MS Config items
    • Put a checkmark in the box next to Reg-IE CmdMapping
    • Put a checkmark in the box next to Reg-Uninstall List
    • Put a checkmark in the box next to File-Additional Folder Scan
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Use the Add Reply button and Copy/Paste the information back here.

Note* If, after posting your reply, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into separate reply post.
User avatar
tim s
MRU Honors Grad Emeritus
 
Posts: 1541
Joined: February 11th, 2006, 10:27 am

Unread postby hdebo » June 18th, 2007, 9:12 pm

Here is the requested log

WinPFind3 logfile created on: 6/18/2007 8:48:42 PM
WinPFind3U by OldTimer - Version 1.0.38 Folder = C:\Documents and Settings\HDebo\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

1022.73 Mb Total Physical Memory | 464.07 Mb Available Physical Memory | 45.38% Memory free
2.40 Gb Paging File | 1.93 Gb Available in Paging File | 80.14% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 14.00 Gb Free Space | 37.58% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 37.27 Gb Total Space | 2.39 Gb Free Space | 6.40% Space Free

Computer Name: DESKTOP
Current User Name: HDebo
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
aluschedulersvc.exe -> %ProgramFiles%\Symantec\LiveUpdate\ALUSchedulerSvc.exe -> Symantec Corporation [Ver = 3.2.0.41 | Size = 554616 bytes | Modified Date = 1/5/2007 6:04:10 PM | Attr = ]
appsvc32.exe -> %CommonProgramFiles%\Symantec Shared\AppCore\AppSvc32.exe -> Symantec Corporation [Ver = 1.1.1.2 | Size = 47712 bytes | Modified Date = 1/5/2007 4:19:28 AM | Attr = ]
ati2evxx.exe -> %System32%\ati2evxx.exe -> ATI Technologies Inc. [Ver = 6.14.10.4129 | Size = 405504 bytes | Modified Date = 1/24/2006 11:45:24 PM | Attr = ]
ati2evxx.exe -> %System32%\ati2evxx.exe -> ATI Technologies Inc. [Ver = 6.14.10.4129 | Size = 405504 bytes | Modified Date = 1/24/2006 11:45:24 PM | Attr = ]
bitcomet.exe -> %ProgramFiles%\BitComet\BitComet.exe -> http://www.BitComet.com [Ver = 0.60. | Size = 2600960 bytes | Modified Date = 9/8/2005 1:30:54 AM | Attr = ]
ccapp.exe -> %CommonProgramFiles%\Symantec Shared\ccApp.exe -> Symantec Corporation [Ver = 106.2.0.21 | Size = 115816 bytes | Modified Date = 1/10/2007 1:59:52 AM | Attr = ]
ccsvchst.exe -> %CommonProgramFiles%\Symantec Shared\ccSvcHst.exe -> Symantec Corporation [Ver = 106.2.0.21 | Size = 108648 bytes | Modified Date = 1/10/2007 1:59:32 AM | Attr = ]
ccsvchst.exe -> %CommonProgramFiles%\Symantec Shared\ccSvcHst.exe -> Symantec Corporation [Ver = 106.2.0.21 | Size = 108648 bytes | Modified Date = 1/10/2007 1:59:32 AM | Attr = ]
guard.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 8:31:10 AM | Attr = ]
idman.exe -> %ProgramFiles%\Internet Download Manager\IDMan.exe -> Internet Download Manager Corp., Tonec Inc. [Ver = 5, 0, 2, 0 | Size = 830976 bytes | Modified Date = 1/20/2006 7:26:56 AM | Attr = ]
ihsmain.exe -> %ProgramFiles%\Sunbelt Software\iHateSpam\ihsMain.exe -> Sunbelt Software, Inc. [Ver = 4.00.0633 | Size = 2953310 bytes | Modified Date = 11/1/2006 5:00:00 PM | Attr = ]
ihsspamfilterengine.exe -> %ProgramFiles%\Sunbelt Software\iHateSpam\ihsSpamFilterEngine.exe -> Sunbelt Software, Inc. [Ver = 4.00.0633 | Size = 1273962 bytes | Modified Date = 11/1/2006 4:59:34 PM | Attr = ]
popups~1.exe -> %ProgramFiles%\Panicware\Pop-Up Stopper Professional\POPUPS~1.EXE1158317775 -> Panicware, Inc. [Ver = 1, 80, 0, 1000 | Size = 516096 bytes | Modified Date = 6/1/2005 4:09:02 PM | Attr = ]
richvideo.exe -> %ProgramFiles%\CyberLink\Shared files\RichVideo.exe -> [Ver = 1.1.0808 | Size = 167936 bytes | Modified Date = 8/8/2005 2:54:00 PM | Attr = ]
symlcsvc.exe -> %CommonProgramFiles%\Symantec Shared\CCPD-LC\symlcsvc.exe -> Symantec Corporation [Ver = 1.9.1.1088 | Size = 1174664 bytes | Modified Date = 5/7/2004 10:41:04 AM | Attr = ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.38.0 | Size = 318976 bytes | Modified Date = 5/22/2007 6:27:40 PM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(Ati HotKey Poller) Ati HotKey Poller [Win32_Own | Auto | Running] -> %System32%\ati2evxx.exe -> ATI Technologies Inc. [Ver = 6.14.10.4129 | Size = 405504 bytes | Modified Date = 1/24/2006 11:45:24 PM | Attr = ]
(ATI Smart) ATI Smart [Win32_Own | Auto | Stopped] -> %System32%\ati2sgag.exe -> [Ver = 5.13.0025 | Size = 520192 bytes | Modified Date = 1/26/2006 8:57:00 AM | Attr = ]
(Automatic LiveUpdate Scheduler) Automatic LiveUpdate Scheduler [Win32_Own | Auto | Running] -> %ProgramFiles%\Symantec\LiveUpdate\ALUSchedulerSvc.exe -> Symantec Corporation [Ver = 3.2.0.41 | Size = 554616 bytes | Modified Date = 1/5/2007 6:04:10 PM | Attr = ]
(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 8:31:10 AM | Attr = ]
(ccEvtMgr) Symantec Event Manager [Win32_Shared | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\ccSvcHst.exe -> Symantec Corporation [Ver = 106.2.0.21 | Size = 108648 bytes | Modified Date = 1/10/2007 1:59:32 AM | Attr = ]
(ccSetMgr) Symantec Settings Manager [Win32_Shared | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\ccSvcHst.exe -> Symantec Corporation [Ver = 106.2.0.21 | Size = 108648 bytes | Modified Date = 1/10/2007 1:59:32 AM | Attr = ]
(CLTNetCnService) Symantec Lic NetConnect service [Win32_Shared | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\ccSvcHst.exe -> Symantec Corporation [Ver = 106.2.0.21 | Size = 108648 bytes | Modified Date = 1/10/2007 1:59:32 AM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 12:56:50 AM | Attr = ]
(iPod Service) iPod Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Computer, Inc. [Ver = 7.0.1.8 | Size = 451136 bytes | Modified Date = 9/25/2006 3:54:22 PM | Attr = ]
(ISPwdSvc) Symantec IS Password Validation [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Norton AntiVirus\isPwdSvc.exe -> Symantec Corporation [Ver = 10.2.0.50 | Size = 80504 bytes | Modified Date = 1/14/2007 3:11:06 AM | Attr = ]
(LiveUpdate) LiveUpdate [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Symantec\LiveUpdate\LuComServer_3_2.EXE -> Symantec Corporation [Ver = 3.2.0.41 | Size = 2918008 bytes | Modified Date = 1/5/2007 6:04:10 PM | Attr = ]
(LiveUpdate Notice Ex) LiveUpdate Notice Service Ex [Win32_Shared | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\ccSvcHst.exe -> Symantec Corporation [Ver = 106.2.0.21 | Size = 108648 bytes | Modified Date = 1/10/2007 1:59:32 AM | Attr = ]
(LiveUpdate Notice Service) LiveUpdate Notice Service [Win32_Own | Auto | Stopped] -> %CommonProgramFiles%\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe -> Symantec Corporation [Ver = 1.2.0.18 | Size = 517768 bytes | Modified Date = 3/12/2007 6:30:16 PM | Attr = ]
(RichVideo) Cyberlink RichVideo Service(CRVS) [Win32_Own | Auto | Running] -> %ProgramFiles%\CyberLink\Shared files\RichVideo.exe -> [Ver = 1.1.0808 | Size = 167936 bytes | Modified Date = 8/8/2005 2:54:00 PM | Attr = ]
(rpcapd) Remote Packet Capture Protocol v.0 (experimental) [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\WinPcap\rpcapd.exe -> CACE Technologies [Ver = 3, 1, 0, 27 | Size = 86016 bytes | Modified Date = 8/2/2005 2:18:50 PM | Attr = ]
(Symantec Core LC) Symantec Core LC [Win32_Own | On_Demand | Running] -> %CommonProgramFiles%\Symantec Shared\CCPD-LC\symlcsvc.exe -> Symantec Corporation [Ver = 1.9.1.1088 | Size = 1174664 bytes | Modified Date = 5/7/2004 10:41:04 AM | Attr = ]
(SymAppCore) Symantec AppCore Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\AppCore\AppSvc32.exe -> Symantec Corporation [Ver = 1.1.1.2 | Size = 47712 bytes | Modified Date = 1/5/2007 4:19:28 AM | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ccApp -> %CommonProgramFiles%\Symantec Shared\ccApp.exe -> Symantec Corporation [Ver = 106.2.0.21 | Size = 115816 bytes | Modified Date = 1/10/2007 1:59:52 AM | Attr = ]
QuickTime Task -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Computer, Inc. [Ver = 7.1.3 | Size = 282624 bytes | Modified Date = 9/24/2006 4:24:54 AM | Attr = ]
Symantec PIF AlertEng -> %CommonProgramFiles%\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe -> Symantec Corporation [Ver = 1.2.0.18 | Size = 517768 bytes | Modified Date = 3/12/2007 6:30:16 PM | Attr = ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PopUpStopperProfessional -> %ProgramFiles%\Panicware\Pop-Up Stopper Professional\POPUPS~1.EXE1158317775 -> Panicware, Inc. [Ver = 1, 80, 0, 1000 | Size = 516096 bytes | Modified Date = 6/1/2005 4:09:02 PM | Attr = ]
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> GRISOFT s.r.o. [Ver = 7, 5, 1, 36 | Size = 79408 bytes | Modified Date = 5/30/2007 8:29:58 AM | Attr = ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
AtiExtEvent -> %System32%\ati2evxx.dll -> ATI Technologies Inc. [Ver = 6.14.10.4129 | Size = 61440 bytes | Modified Date = 1/24/2006 11:46:38 PM | Attr = ]
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
< HOSTS File > (686 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts
127.0.0.1 localhost -> ->
< Internet Explorer Settings > ->
HKLM: Default_Page_URL -> http://www.microsoft.com/isapi/redir.dl ... ar=msnhome ->
HKLM: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dl ... r=iesearch ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Page -> http://www.microsoft.com/isapi/redir.dl ... r=iesearch ->
HKLM: Start Page -> about:blank ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
HKCU: Default_Search_URL -> http://www.microsoft.com/isapi/redir.dl ... r=iesearch ->
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
HKCU: Search Page -> http://www.microsoft.com/isapi/redir.dl ... r=iesearch ->
HKCU: Start Page -> http://my.yahoo.com/ ->
HKCU: URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn0\yt.dll [Yahoo! Toolbar] -> Yahoo! Inc. [Ver = 2006, 10, 26, 1 | Size = 440384 bytes | Modified Date = 10/26/2006 10:28:40 AM | Attr = ]
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
msn.com [ - ] -> ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670} [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn0\yt.dll [Yahoo! Toolbar Helper] -> Yahoo! Inc. [Ver = 2006, 10, 26, 1 | Size = 440384 bytes | Modified Date = 10/26/2006 10:28:40 AM | Attr = ]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [AcroIEHlprObj Class] -> [Ver = 1, 0, 0, 1 | Size = 37808 bytes | Modified Date = 4/16/2001 4:39:02 PM | Attr = ]
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [] -> Safer Networking Limited [Ver = 1, 4, 0, 0 | Size = 853672 bytes | Modified Date = 5/31/2005 1:04:00 AM | Attr = ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_01\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 501400 bytes | Modified Date = 3/14/2007 3:43:40 AM | Attr = ]
{D7988997-59B7-46B7-8FDA-371BA6A8D810} [HKLM] -> %ProgramFiles%\Online Services\sademowu58441.dll [] -> [Ver = | Size = 163840 bytes | Modified Date = 6/14/2007 7:54:52 AM | Attr = ]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn0\yt.dll [Yahoo! Toolbar] -> Yahoo! Inc. [Ver = 2006, 10, 26, 1 | Size = 440384 bytes | Modified Date = 10/26/2006 10:28:40 AM | Attr = ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
ShellBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
WebBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
WebBrowser\\{CB789373-04D5-4EF4-9C16-871463FD0830} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
WebBrowser\\{E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn0\yt.dll [Yahoo! Toolbar] -> Yahoo! Inc. [Ver = 2006, 10, 26, 1 | Size = 440384 bytes | Modified Date = 10/26/2006 10:28:40 AM | Attr = ]
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
Download All Links with IDM -> %ProgramFiles%\Internet Download Manager\IEGetAll.htm -> [Ver = | Size = 283 bytes | Modified Date = 10/20/2003 6:13:14 AM | Attr = ]
Download with IDM -> %ProgramFiles%\Internet Download Manager\IEExt.htm -> [Ver = | Size = 277 bytes | Modified Date = 12/2/2004 12:31:10 PM | Attr = ]
E&xport to Microsoft Excel -> -> File not found
< Internet Explorer Plugins [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension\
.spop -> %ProgramFiles%\Internet Explorer\PLUGINS\NPDocBox.dll [Reg Data - Value does not exist] -> Intertrust Technologies, Inc. [Ver = 1.0.0.32 | Size = 270336 bytes | Modified Date = 8/1/2001 5:05:42 PM | Attr = ]
< User Agent Post Platform [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
SV1 -> ->
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\
{59AD5291-8F8C-42D7-B359-60BD93EE27AE} -> (Realtek RTL8139 Family PCI Fast Ethernet NIC) ->
{7995F828-5A70-4C71-AA51-CE344BB64C4A} -> (1394 Net Adapter) ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -> CKAVWebScan Object - CodeBase = http://www.kaspersky.com/kos/english/ka ... nicode.cab ->
{1F2F4C9E-6F09-47BC-970D-3C54734667FE} -> - CodeBase = http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.6.0_01 - CodeBase = http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab ->
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -> ActiveScan Installer Class - CodeBase = http://acs.pandasoftware.com/activescan ... asinst.cab ->
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_01 - CodeBase = http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} -> - CodeBase = http://download.macromedia.com/pub/shoc ... wflash.cab ->


[Registry - Additional Scans - Non-Microsoft Only]
< Disabled MSConfig Registry Items [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\
ATICCC -> %ProgramFiles%\ATI Technologies\ATI.ACE\CLI.exe -> ATI Technologies Inc. [Ver = 1.11.0.0 | Size = 45056 bytes | Modified Date = 8/12/2005 2:43:58 PM | Attr = ]
BitTorrent -> %ProgramFiles%\BitTorrent\bittorrent.exe -> File not found
ihsService.exe -> %ProgramFiles%\Sunbelt Software\iHateSpam\ihsService.exe -> Sunbelt Software, Inc. [Ver = 4.00.0633 | Size = 381025 bytes | Modified Date = 11/1/2006 5:00:54 PM | Attr = ]
ISUSPM -> %CommonProgramFiles%\InstallShield\UpdateService\ISUSPM.exe -> File not found
iTunesHelper -> %ProgramFiles%\iTunes\iTunesHelper.exe -> Apple Computer, Inc. [Ver = 7.0.1.8 | Size = 229952 bytes | Modified Date = 9/25/2006 3:54:24 PM | Attr = ]
LanguageShortcut -> %ProgramFiles%\CyberLink\PowerDVD\Language\Language.exe -> [Ver = 1, 0, 1613, 0 | Size = 49152 bytes | Modified Date = 4/13/2006 12:09:00 PM | Attr = ]
osCheck -> %ProgramFiles%\Norton AntiVirus\osCheck.exe -> Symantec Corporation [Ver = 10.2.0.50 | Size = 771704 bytes | Modified Date = 1/14/2007 3:11:10 AM | Attr = ]
RemoteControl -> %ProgramFiles%\CyberLink\PowerDVD\PDVDServ.exe -> Cyberlink Corp. [Ver = 5.00.0910 | Size = 30208 bytes | Modified Date = 12/7/2005 11:57:00 PM | Attr = ]
SoundMAXPnP -> %ProgramFiles%\Analog Devices\SoundMAX\SMax4PNP.exe -> Analog Devices, Inc. [Ver = 4, 0, 4, 11 | Size = 790528 bytes | Modified Date = 5/29/2003 4:28:32 PM | Attr = ]
Uniblue RegistryBooster2 -> %ProgramFiles%\Uniblue\RegistryBooster 2\RegistryBooster.exe -> File not found
< Internet Explorer CmdMapping [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -> 8195 - Reg Data - Key not found ->
{0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} -> 8197 - Reg Data - Key not found ->
{1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} -> 8198 - Reg Data - Key not found ->
{4D0C4820-53F7-4d79-A2E1-5252683CF69C} -> 8200 - Reg Data - Key not found ->
{7FCA7BD7-8F4D-4a81-BE72-A470F4E517D5} -> 8201 - Reg Data - Key not found ->
{85d1f590-48f4-11d9-9669-0800200c9a66} -> 8199 - Reg Data - Key not found ->
{92780B25-18CC-41C8-B9BE-3C9C571A8263} -> 8193 - Reg Data - Key not found ->
{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} -> 8194 - Reg Data - Key not found ->
{E908B145-C847-4e85-B315-07E2E70DECF8} -> 8196 - Reg Data - Key not found ->
{F4FBA929-A891-492C-A0F6-5C79CC4F1742} -> 8202 - Reg Data - Key not found ->
{FB5F1910-F110-11d2-BB9E-00C04F795683} -> 8192 - Reg Data - Key not found ->
NextId -> 8203 ->
< Uninstall List > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
{18D10072035C4515918F7E37EAFAACFC} -> AutoUpdate ->
{1CB92574-96F2-467B-B793-5CEB35C40C29} -> Image Resizer Powertoy for Windows XP ->
{228F6876-A313-40A3-91C0-C3CBE6997D09} -> Symantec ->
{2908F0CB-C1D4-447F-97A2-CFC135C9F8D4} -> Internet Worm Protection ->
{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2} -> SymNet ->
{3248F0A8-6813-11D6-A77B-00B0D0160010} -> Java(TM) SE Runtime Environment 6 Update 1 ->
{34EEB1F5-E939-40A1-A6BA-957282A4B2C8} -> Norton AntiVirus Help ->
{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227} -> WebFldrs XP ->
{3CCAD2EF-CFF2-4637-82AA-AABF370282D3} -> ccCommon ->
{55BF0E5F-EA8E-4C13-A8B4-9E4857F5A2DE} -> QuickTime ->
{5878FF02-3B8F-4309-B4E5-0D3DB6F2E8E6} -> iTunes ->
{5B433733-BB31-4B40-BCBA-DDED37626641} -> Apple Software Update ->
{6811CAA0-BF12-11D4-9EA1-0050BAE317E1} -> PowerDVD ->
{774AB137-1D3E-42E2-A125-95A00216F319} -> Symantec Real Time Storage Protection Component ->
{77772678-817F-4401-9301-ED1D01A8DA56} -> SPBBC 32bit ->
{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747} -> Ad-Aware SE Personal ->
{830D8CBD-C668-49e2-A969-C2C2106332E0} -> Norton AntiVirus ->
{90110409-6000-11D3-8CFE-0150048383C9} -> Microsoft Office Professional Edition 2003 ->
{9A129ABC-A53A-4209-A21E-D5DEDFB7CCA8} -> Norton Protection Center ->
{A49F249F-0C91-497F-86DF-B2585E8E76B7} -> Microsoft Visual C++ 2005 Redistributable ->
{AB303F84-0D57-4F50-9C44-44706180505D} -> ATI Catalyst Control Center ->
{B13A7C41581B411290FBC0395694E2A9} -> DivX Converter ->
{C054279D-E66C-48BB-91B3-C89970D0061E} -> iHateSpam ->
{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} -> Microsoft .NET Framework 1.1 ->
{D1FF75E7-DD42-4CFD-B052-20B3FFF4EDB8} -> Norton AntiVirus SYMLT MSI ->
{DBA4DB9D-EE51-4944-A419-98AB1F1249C8} -> LiveUpdate Notice (Symantec Corporation) ->
{E5EE9939-259F-4DE2-8023-5C49E16A4F43} -> Norton AntiVirus Parent MSI ->
{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B} -> AppCore ->
{F4DB525F-A986-4249-B98B-42A8066251CA} -> AV ->
Adobe Acrobat 5.0 -> Adobe Acrobat 5.0 ->
All ATI Software -> ATI - Software Uninstall Utility ->
AsfTools 3.1 -> AsfTools 3.1 (remove only) ->
ATI Display Driver -> ATI Display Driver ->
AVGAntiSpyware75 -> AVG Anti-Spyware 7.5 ->
AVI Splitter_is1 -> AVI Splitter ->
BitComet -> BitComet 0.60 ->
CCleaner -> CCleaner (remove only) ->
Cool's_Codec_pack_4.12 -> Codec Pack - All In 1 6.0.3.0 ->
Cucusoft MPEG/MOV/RM/AVI to DVD/VCD/SVCD/MPEG Co~546FA5AA_is1 -> Cucusoft MPEG/MOV/RM/AVI to DVD/VCD/SVCD/MPEG Converter Pro 6.2 ->
Easy Video Joiner_is1 -> Easy Video Joiner 5.21 ->
HijackThis -> HijackThis 1.99.1 ->
Kaspersky Online Scanner -> Kaspersky Online Scanner ->
KB893803v2 -> Windows Installer 3.1 (KB893803) ->
KB898461 -> Update for Windows XP (KB898461) ->
LiveUpdate -> LiveUpdate 3.2 (Symantec Corporation) ->
MPEG Encoder 3 -> MPEG Encoder 3 ->
Nero - Burning Rom!UninstallKey -> Nero 6 Ultra Edition ->
NeroVision!UninstallKey -> NeroVision Express 2 ->
Panda ActiveScan -> Panda ActiveScan ->
Pop-Up Stopper Professional -> Pop-Up Stopper Professional ->
RealAlt_is1 -> Real Alternative 1.51 ->
ShockwaveFlash -> Adobe Flash Player 9 ActiveX ->
Spybot - Search & Destroy_is1 -> Spybot - Search & Destroy 1.4 ->
ST4UNST #1 -> Peck's Power Join ->
SymSetup.{830D8CBD-C668-49e2-A969-C2C2106332E0} -> Norton AntiVirus (Symantec Corporation) ->
TrojanHunter_is1 -> TrojanHunter 4.6 ->
Tweak UI 2.10 -> Tweak UI ->
WGA -> Windows Genuine Advantage Validation Tool (KB892130) ->
Winamp -> Winamp (remove only) ->
WinAVIVideoConverter_is1 -> WinAVIVideoConverter ->
Windows Media Format Runtime -> Windows Media Format Runtime ->
Windows Media Player -> Windows Media Player 10 ->
WinPcapInst -> WinPcap 3.1 ->
WinRAR archiver -> WinRAR archiver ->
Yahoo! Companion -> Yahoo! Toolbar ->
Yahoo! Messenger -> Yahoo! Messenger ->
Yahoo! Toolbar -> Yahoo! Toolbar ->
YInstHelper -> Yahoo! Install Manager ->


[Files/Folders - Created Within 60 days]
!KillBox -> %SystemDrive%\!KillBox -> [Folder | Created Date = 5/10/2007 5:54:09 PM | Attr = ]
ComboFix -> %SystemDrive%\ComboFix -> [Folder | Created Date = 6/14/2007 7:01:20 PM | Attr = ]
hidownload -> %SystemDrive%\hidownload -> [Folder | Created Date = 5/29/2007 7:35:52 PM | Attr = ]
QooBox -> %SystemDrive%\QooBox -> [Folder | Created Date = 6/14/2007 12:10:08 PM | Attr = ]
SDFix -> %SystemDrive%\SDFix -> [Folder | Created Date = 6/17/2007 6:35:55 PM | Attr = ]
Spyware Tools -> %SystemDrive%\Spyware Tools -> [Folder | Created Date = 4/21/2007 9:28:21 PM | Attr = ]
VundoFix Backups -> %SystemDrive%\VundoFix Backups -> [Folder | Created Date = 5/16/2007 6:25:19 PM | Attr = ]
$NtUninstallKB898461$ -> %SystemRoot%\$NtUninstallKB898461$ -> [Folder | Created Date = 5/10/2007 5:49:44 PM | Attr = H ]
catchme.exe -> %SystemRoot%\catchme.exe -> [Ver = | Size = 87552 bytes | Created Date = 6/14/2007 12:03:26 PM | Attr = ]
erdnt -> %SystemRoot%\erdnt -> [Folder | Created Date = 6/14/2007 12:10:17 PM | Attr = ]
IDMan.INI -> %SystemRoot%\IDMan.INI -> [Ver = | Size = 68 bytes | Created Date = 6/3/2007 7:35:31 AM | Attr = ]
nircmd.exe -> %SystemRoot%\nircmd.exe -> NirSoft [Ver = 1.85 | Size = 49152 bytes | Created Date = 6/14/2007 12:03:26 PM | Attr = ]
nsreg.dat -> %SystemRoot%\nsreg.dat -> [Ver = | Size = 0 bytes | Created Date = 6/4/2007 3:07:03 PM | Attr = ]
QTFont.for -> %SystemRoot%\QTFont.for -> [Ver = | Size = 1409 bytes | Created Date = 6/10/2007 3:44:24 PM | Attr = ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn -> [Ver = | Size = 54156 bytes | Created Date = 6/10/2007 3:44:24 PM | Attr = H ]
temp -> %SystemRoot%\temp -> [Folder | Created Date = 6/18/2007 12:53:15 AM | Attr = ]
ActiveScan -> %System32%\ActiveScan -> [Folder | Created Date = 5/16/2007 6:17:38 AM | Attr = ]
asuninst.exe -> %System32%\asuninst.exe -> Panda Software [Ver = 1, 0, 0, 2 | Size = 73728 bytes | Created Date = 4/22/2007 8:38:10 AM | Attr = ]
close.vbs -> %System32%\close.vbs -> [Ver = | Size = 454 bytes | Created Date = 5/28/2007 5:03:30 AM | Attr = ]
dumphive.exe -> %System32%\dumphive.exe -> [Ver = | Size = 51200 bytes | Created Date = 6/17/2007 6:34:20 PM | Attr = ]
Help.ico -> %System32%\Help.ico -> [Ver = | Size = 1406 bytes | Created Date = 4/22/2007 8:37:44 AM | Attr = ]
java.exe -> %System32%\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 135168 bytes | Created Date = 4/22/2007 6:22:56 PM | Attr = ]
javacpl.cpl -> %System32%\javacpl.cpl -> Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 69632 bytes | Created Date = 4/22/2007 6:22:56 PM | Attr = ]
javaw.exe -> %System32%\javaw.exe -> Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 135168 bytes | Created Date = 4/22/2007 6:22:56 PM | Attr = ]
javaws.exe -> %System32%\javaws.exe -> Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 139264 bytes | Created Date = 4/22/2007 6:22:56 PM | Attr = ]
Kaspersky Lab -> %System32%\Kaspersky Lab -> [Folder | Created Date = 6/14/2007 8:23:38 PM | Attr = ]
locate.com -> %System32%\locate.com -> [Ver = | Size = 11254 bytes | Created Date = 4/22/2007 9:55:04 AM | Attr = ]
mcrh.tmp -> %System32%\mcrh.tmp -> [Ver = | Size = 143 bytes | Created Date = 4/21/2007 6:28:38 PM | Attr = ]
MSINET.oca -> %System32%\MSINET.oca -> [Ver = | Size = 29184 bytes | Created Date = 4/26/2007 12:30:14 AM | Attr = ]
o09PrEz -> %System32%\o09PrEz -> [Folder | Created Date = 6/16/2007 11:47:37 PM | Attr = ]
pavas.ico -> %System32%\pavas.ico -> [Ver = | Size = 30590 bytes | Created Date = 5/16/2007 6:17:42 AM | Attr = ]
PreInstall -> %System32%\PreInstall -> [Folder | Created Date = 5/10/2007 5:49:46 PM | Attr = ]
Process.exe -> %System32%\Process.exe -> http://www.beyondlogic.org [Ver = 2, 0, 0, 0 | Size = 53248 bytes | Created Date = 6/17/2007 6:34:20 PM | Attr = ]
S0 -> %System32%\S0 -> [Folder | Created Date = 6/16/2007 11:47:37 PM | Attr = ]
S1 -> %System32%\S1 -> [Folder | Created Date = 6/16/2007 11:47:37 PM | Attr = ]
S4 -> %System32%\S4 -> [Folder | Created Date = 6/16/2007 11:47:37 PM | Attr = ]
S6 -> %System32%\S6 -> [Folder | Created Date = 6/16/2007 11:47:37 PM | Attr = ]
S7 -> %System32%\S7 -> [Folder | Created Date = 6/16/2007 11:47:37 PM | Attr = ]
SBFC.dat -> %System32%\SBFC.dat -> [Ver = | Size = 0 bytes | Created Date = 4/21/2007 10:22:38 PM | Attr = ]
SBRC.dat -> %System32%\SBRC.dat -> [Ver = | Size = 0 bytes | Created Date = 4/21/2007 10:22:38 PM | Attr = ]
SrchSTS.exe -> %System32%\SrchSTS.exe -> S!Ri [Ver = | Size = 288417 bytes | Created Date = 6/17/2007 6:34:20 PM | Attr = ]
streamhlp.dll -> %System32%\streamhlp.dll -> [Ver = | Size = 59392 bytes | Created Date = 6/13/2007 10:27:15 PM | Attr = R ]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.6 | Size = 428032 bytes | Created Date = 6/14/2007 12:03:26 PM | Attr = ]
swsc.exe -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.0 | Size = 370688 bytes | Created Date = 6/14/2007 12:03:26 PM | Attr = ]
swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 6/14/2007 12:03:26 PM | Attr = ]
tmp.reg -> %System32%\tmp.reg -> [Ver = | Size = 2066 bytes | Created Date = 6/17/2007 6:34:35 PM | Attr = ]
Uninstall.ico -> %System32%\Uninstall.ico -> [Ver = | Size = 2550 bytes | Created Date = 4/22/2007 8:37:44 AM | Attr = ]
vfind.exe -> %System32%\vfind.exe -> [Ver = | Size = 49152 bytes | Created Date = 6/14/2007 12:03:26 PM | Attr = ]
win -> %System32%\win -> [Folder | Created Date = 6/13/2007 6:18:53 AM | Attr = ]
ZPORT4AS.dll -> %System32%\ZPORT4AS.dll -> [Ver = | Size = 11776 bytes | Created Date = 5/16/2007 6:18:17 AM | Attr = ]
AvgAsCln.sys -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10872 bytes | Created Date = 6/14/2007 4:35:06 PM | Attr = ]
Grisoft -> %AllUsersAppData%\Grisoft -> [Folder | Created Date = 6/14/2007 4:35:05 PM | Attr = ]
Kaspersky Lab -> %AllUsersAppData%\Kaspersky Lab -> [Folder | Created Date = 6/14/2007 8:23:40 PM | Attr = ]
Spybot - Search & Destroy -> %AllUsersAppData%\Spybot - Search & Destroy -> [Folder | Created Date = 4/21/2007 9:38:17 PM | Attr = ]
Windows Genuine Advantage -> %AllUsersAppData%\Windows Genuine Advantage -> [Folder | Created Date = 5/10/2007 5:50:15 PM | Attr = ]
Yahoo! Companion -> %AllUsersAppData%\Yahoo! Companion -> [Folder | Created Date = 5/17/2007 4:12:37 PM | Attr = ]
Grisoft -> %UserAppData%\Grisoft -> [Folder | Created Date = 6/14/2007 4:35:13 PM | Attr = ]
TrojanHunter -> %UserAppData%\TrojanHunter -> [Folder | Created Date = 6/13/2007 10:28:05 PM | Attr = ]
Uniblue -> %UserAppData%\Uniblue -> [Folder | Created Date = 6/1/2007 3:19:56 PM | Attr = ]
Mozilla -> %LocalAppData%\Mozilla -> [Folder | Created Date = 6/4/2007 3:01:52 PM | Attr = ]
Betty Blue - SC 12_4.avi -> %UserDesktop%\Betty Blue - SC 12_4.avi -> [Ver = | Size = 144562888 bytes | Created Date = 6/18/2007 5:43:56 AM | Attr = ]
Casting Couch Teens - Carmen Pena.wmv -> %UserDesktop%\Casting Couch Teens - Carmen Pena.wmv -> [Ver = | Size = 209851186 bytes | Created Date = 6/18/2007 5:42:07 AM | Attr = ]
Nautica - SC 12_2.avi -> %UserDesktop%\Nautica - SC 12_2.avi -> [Ver = | Size = 152454462 bytes | Created Date = 6/18/2007 1:39:39 AM | Attr = ]
New Folder (2) -> %UserDesktop%\New Folder (2) -> [Folder | Created Date = 6/6/2007 6:43:15 PM | Attr = ]
New Folder (3) -> %UserDesktop%\New Folder (3) -> [Folder | Created Date = 6/16/2007 5:43:36 AM | Attr = ]
Sarah Sinn - SC 12_5.avi -> %UserDesktop%\Sarah Sinn - SC 12_5.avi -> [Ver = | Size = 139420908 bytes | Created Date = 6/18/2007 5:43:44 AM | Attr = ]
Scene3.Leah Jaye.avi -> %UserDesktop%\Scene3.Leah Jaye.avi -> [Ver = | Size = 217917440 bytes | Created Date = 6/18/2007 5:40:59 AM | Attr = ]
Sophia - SC 12_3.avi -> %UserDesktop%\Sophia - SC 12_3.avi -> [Ver = | Size = 147569200 bytes | Created Date = 6/18/2007 5:43:50 AM | Attr = ]
WinPFind3u -> %UserDesktop%\WinPFind3u -> [Folder | Created Date = 6/18/2007 7:47:08 PM | Attr = ]
winpfind3u.exe -> %UserDesktop%\winpfind3u.exe -> [Ver = | Size = 353274 bytes | Created Date = 6/18/2007 7:45:37 PM | Attr = ]
@Alternate Data Stream - 26 bytes -> %UserDesktop%\winpfind3u.exe:Zone.Identifier ->
Wise Installation Wizard -> %CommonProgramFiles%\Wise Installation Wizard -> [Folder | Created Date = 5/10/2007 6:00:30 PM | Attr = ]

[Files/Folders - Modified Within 30 days]
boot.ini -> %SystemDrive%\boot.ini -> [Ver = | Size = 211 bytes | Modified Date = 6/2/2007 12:53:40 AM | Attr = HS]
ComboFix -> %SystemDrive%\ComboFix -> [Folder | Modified Date = 6/18/2007 1:53:16 AM | Attr = ]
Config.Msi -> %SystemDrive%\Config.Msi -> [Folder | Modified Date = 6/1/2007 3:43:44 PM | Attr = HS]
Documents and Settings -> %SystemDrive%\Documents and Settings -> [Folder | Modified Date = 6/1/2007 12:33:20 AM | Attr = ]
Downloads -> %SystemDrive%\Downloads -> [Folder | Modified Date = 6/17/2007 8:57:44 PM | Attr = ]
hidownload -> %SystemDrive%\hidownload -> [Folder | Modified Date = 5/29/2007 8:39:06 PM | Attr = ]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 6/18/2007 2:12:08 AM | Attr = ]
QooBox -> %SystemDrive%\QooBox -> [Folder | Modified Date = 6/14/2007 1:10:10 PM | Attr = ]
RECYCLER -> %SystemDrive%\RECYCLER -> [Folder | Modified Date = 6/1/2007 11:53:58 PM | Attr = HS]
SDFix -> %SystemDrive%\SDFix -> [Folder | Modified Date = 6/18/2007 2:10:36 AM | Attr = ]
System Volume Information -> %SystemDrive%\System Volume Information -> [Folder | Modified Date = 6/2/2007 12:51:30 AM | Attr = HS]
temp -> %SystemDrive%\temp -> [Folder | Modified Date = 6/18/2007 1:52:42 AM | Attr = ]
VundoFix Backups -> %SystemDrive%\VundoFix Backups -> [Folder | Modified Date = 6/8/2007 5:17:34 PM | Attr = ]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 6/18/2007 2:12:08 AM | Attr = ]
AppPatch -> %SystemRoot%\AppPatch -> [Folder | Modified Date = 6/13/2007 9:22:46 PM | Attr = ]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 6/18/2007 2:08:52 AM | Attr = S]
catchme.exe -> %SystemRoot%\catchme.exe -> [Ver = | Size = 87552 bytes | Modified Date = 6/5/2007 5:24:04 AM | Attr = ]
CSC -> %SystemRoot%\CSC -> [Folder | Modified Date = 6/18/2007 1:59:04 AM | Attr = HS]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files -> [Folder | Modified Date = 6/14/2007 9:23:42 PM | Attr = S]
erdnt -> %SystemRoot%\erdnt -> [Folder | Modified Date = 6/14/2007 1:10:18 PM | Attr = ]
IDMan.INI -> %SystemRoot%\IDMan.INI -> [Ver = | Size = 68 bytes | Modified Date = 6/18/2007 3:35:30 AM | Attr = ]
inf -> %SystemRoot%\inf -> [Folder | Modified Date = 6/14/2007 9:23:40 PM | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 6/1/2007 3:43:48 PM | Attr = HS]
NeroDigital.ini -> %SystemRoot%\NeroDigital.ini -> [Ver = | Size = 49 bytes | Modified Date = 6/14/2007 1:33:56 PM | Attr = ]
nsreg.dat -> %SystemRoot%\nsreg.dat -> [Ver = | Size = 0 bytes | Modified Date = 6/4/2007 4:07:04 PM | Attr = ]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 6/18/2007 8:47:36 PM | Attr = ]
QTFont.for -> %SystemRoot%\QTFont.for -> [Ver = | Size = 1409 bytes | Modified Date = 6/10/2007 4:44:26 PM | Attr = ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn -> [Ver = | Size = 54156 bytes | Modified Date = 6/14/2007 7:41:14 PM | Attr = H ]
Registration -> %SystemRoot%\Registration -> [Folder | Modified Date = 6/17/2007 12:34:10 AM | Attr = ]
SoftwareDistribution -> %SystemRoot%\SoftwareDistribution -> [Folder | Modified Date = 6/13/2007 9:25:14 PM | Attr = ]
system.ini -> %SystemRoot%\system.ini -> [Ver = | Size = 893 bytes | Modified Date = 6/17/2007 1:36:36 AM | Attr = ]
system32 -> %System32% -> [Folder | Modified Date = 6/18/2007 1:52:36 AM | Attr = ]
temp -> %SystemRoot%\temp -> [Folder | Modified Date = 6/18/2007 8:48:20 PM | Attr = ]
win.ini -> %SystemRoot%\win.ini -> [Ver = | Size = 526 bytes | Modified Date = 6/2/2007 12:53:40 AM | Attr = ]
Norton AntiVirus - Run Full System Scan - HDebo.job -> %SystemRoot%\tasks\Norton AntiVirus - Run Full System Scan - HDebo.job -> [Ver = | Size = 572 bytes | Modified Date = 6/15/2007 7:25:44 PM | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 6/18/2007 2:09:00 AM | Attr = H ]
ActiveScan -> %System32%\ActiveScan -> [Folder | Modified Date = 6/13/2007 9:25:18 PM | Attr = ]
CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 6/18/2007 1:32:20 PM | Attr = ]
config -> %System32%\config -> [Folder | Modified Date = 6/14/2007 1:10:26 PM | Attr = ]
dllcache -> %System32%\dllcache -> [Folder | Modified Date = 6/14/2007 1:07:54 PM | Attr = ]
drivers -> %System32%\drivers -> [Folder | Modified Date = 6/18/2007 1:52:36 AM | Attr = ]
Help.ico -> %System32%\Help.ico -> [Ver = | Size = 1406 bytes | Modified Date = 6/13/2007 8:47:00 PM | Attr = ]
Kaspersky Lab -> %System32%\Kaspersky Lab -> [Folder | Modified Date = 6/14/2007 9:23:40 PM | Attr = ]
o09PrEz -> %System32%\o09PrEz -> [Folder | Modified Date = 6/17/2007 1:34:26 AM | Attr = ]
pavas.ico -> %System32%\pavas.ico -> [Ver = | Size = 30590 bytes | Modified Date = 6/13/2007 8:47:00 PM | Attr = ]
Restore -> %System32%\Restore -> [Folder | Modified Date = 6/2/2007 12:51:30 AM | Attr = ]
S0 -> %System32%\S0 -> [Folder | Modified Date = 6/17/2007 12:47:38 AM | Attr = ]
S1 -> %System32%\S1 -> [Folder | Modified Date = 6/17/2007 12:47:38 AM | Attr = ]
S4 -> %System32%\S4 -> [Folder | Modified Date = 6/17/2007 1:34:26 AM | Attr = ]
S6 -> %System32%\S6 -> [Folder | Modified Date = 6/17/2007 12:47:38 AM | Attr = ]
S7 -> %System32%\S7 -> [Folder | Modified Date = 6/17/2007 12:48:28 AM | Attr = ]
streamhlp.dll -> %System32%\streamhlp.dll -> [Ver = | Size = 59392 bytes | Modified Date = 6/13/2007 11:27:20 PM | Attr = R ]
tmp.reg -> %System32%\tmp.reg -> [Ver = | Size = 2066 bytes | Modified Date = 6/17/2007 7:34:36 PM | Attr = ]
Uninstall.ico -> %System32%\Uninstall.ico -> [Ver = | Size = 2550 bytes | Modified Date = 6/13/2007 8:47:00 PM | Attr = ]
wbem -> %System32%\wbem -> [Folder | Modified Date = 6/13/2007 9:27:38 PM | Attr = ]
win -> %System32%\win -> [Folder | Modified Date = 6/13/2007 7:18:54 AM | Attr = ]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 2206 bytes | Modified Date = 6/16/2007 6:42:40 AM | Attr = ]
AvgAsCln.sys -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10872 bytes | Modified Date = 5/30/2007 8:10:42 AM | Attr = ]
etc -> %System32%\drivers\etc -> [Folder | Modified Date = 6/18/2007 2:00:46 AM | Attr = ]
Grisoft -> %AllUsersAppData%\Grisoft -> [Folder | Modified Date = 6/14/2007 5:35:06 PM | Attr = ]
Kaspersky Lab -> %AllUsersAppData%\Kaspersky Lab -> [Folder | Modified Date = 6/14/2007 9:23:42 PM | Attr = ]
Spybot - Search & Destroy -> %AllUsersAppData%\Spybot - Search & Destroy -> [Folder | Modified Date = 6/17/2007 1:26:44 AM | Attr = ]
DMCache -> %UserAppData%\DMCache -> [Folder | Modified Date = 6/18/2007 3:35:38 AM | Attr = ]
Grisoft -> %UserAppData%\Grisoft -> [Folder | Modified Date = 6/14/2007 5:35:14 PM | Attr = ]
TrojanHunter -> %UserAppData%\TrojanHunter -> [Folder | Modified Date = 6/13/2007 11:28:06 PM | Attr = ]
Uniblue -> %UserAppData%\Uniblue -> [Folder | Modified Date = 6/1/2007 4:19:58 PM | Attr = ]
IconCache.db -> %LocalAppData%\IconCache.db -> [Ver = | Size = 4321778 bytes | Modified Date = 6/1/2007 11:48:22 PM | Attr = H ]
Microsoft -> %LocalAppData%\Microsoft -> [Folder | Modified Date = 6/18/2007 5:09:48 PM | Attr = ]
Mozilla -> %LocalAppData%\Mozilla -> [Folder | Modified Date = 6/4/2007 4:01:54 PM | Attr = ]
Anti Malware Tools -> %UserDocuments%\Anti Malware Tools -> [Folder | Modified Date = 6/1/2007 9:59:22 AM | Attr = ]
Sexy -> %UserDocuments%\Sexy -> [Folder | Modified Date = 6/15/2007 11:11:02 PM | Attr = ]
New Folder (2) -> %UserDesktop%\New Folder (2) -> [Folder | Modified Date = 6/6/2007 10:50:14 PM | Attr = ]
New Folder (3) -> %UserDesktop%\New Folder (3) -> [Folder | Modified Date = 6/18/2007 2:18:10 AM | Attr = ]
Scene3.Leah Jaye.avi -> %UserDesktop%\Scene3.Leah Jaye.avi -> [Ver = | Size = 217917440 bytes | Modified Date = 6/16/2007 1:53:26 AM | Attr = ]
Vid -> %UserDesktop%\Vid -> [Folder | Modified Date = 6/17/2007 7:55:56 PM | Attr = ]
WinPFind3u -> %UserDesktop%\WinPFind3u -> [Folder | Modified Date = 6/18/2007 8:47:10 PM | Attr = ]
winpfind3u.exe -> %UserDesktop%\winpfind3u.exe -> [Ver = | Size = 353274 bytes | Modified Date = 6/18/2007 8:45:40 PM | Attr = ]
@Alternate Data Stream - 26 bytes -> %UserDesktop%\winpfind3u.exe:Zone.Identifier ->
Symantec Shared -> %CommonProgramFiles%\Symantec Shared -> [Folder | Modified Date = 6/18/2007 2:16:22 AM | Attr = ]

[File String Scan - Non-Microsoft Only]
UPX! , UPX0 , -> %SystemRoot%\Unwash6.exe -> Webroot Software, Inc. [Ver = 6.0.1.435 | Size = 58368 bytes | Modified Date = 7/25/2005 2:06:20 AM | Attr = ]
PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 10/16/2001 10:50:04 AM | Attr = ]
WSUD , -> %System32%\dwSock6.dll -> Desaware Inc. [Ver = 1.01.0007 | Size = 200704 bytes | Modified Date = 8/26/2003 9:54:24 AM | Attr = ]
UPX! , -> %System32%\locate.com -> [Ver = | Size = 11254 bytes | Modified Date = 1/13/2005 10:41:48 PM | Attr = ]
Thawte Consulting , -> %System32%\rmoc3260.dll -> RealNetworks, Inc. [Ver = 6.0.9.2568 | Size = 185952 bytes | Modified Date = 10/7/2006 5:18:32 AM | Attr = ]
UPX! , UPX0 , -> %System32%\SrchSTS.exe -> S!Ri [Ver = | Size = 288417 bytes | Modified Date = 4/27/2006 5:49:30 PM | Attr = ]
UPX! , UPX0 , -> %System32%\t3odm.dll -> Cyberlink [Ver = 1.00.1016 | Size = 28672 bytes | Modified Date = 4/30/2004 10:46:24 PM | Attr = ]
winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 10/16/2001 10:54:26 AM | Attr = ]
WSUD , UPX0 , -> %System32%\dllcache\hwxjpn.dll -> [Ver = | Size = 13463552 bytes | Modified Date = 10/16/2001 11:48:56 AM | Attr = ]
PTech , -> %UserAppData%\Picture Patrol O Groups -> [Ver = | Size = 808074 bytes | Modified Date = 1/4/2005 12:23:00 AM | Attr = ]
@Alternate Data Stream - 26 bytes -> %UserDocuments%\1400.pdf:Zone.Identifier ->
@Alternate Data Stream - 26 bytes -> %UserDocuments%\carb_app_chart.pdf:Zone.Identifier ->
@Alternate Data Stream - 26 bytes -> %UserDocuments%\carb_faq.pdf:Zone.Identifier ->
@Alternate Data Stream - 26 bytes -> %UserDocuments%\carb_owners_manual.pdf:Zone.Identifier ->
@Alternate Data Stream - 26 bytes -> %UserDocuments%\ISORecorderV2RC1.msi:Zone.Identifier ->
@Alternate Data Stream - 26 bytes -> %UserDocuments%\PPJ11bf.zip:Zone.Identifier ->
@Alternate Data Stream - 26 bytes -> %UserDesktop%\winpfind3u.exe:Zone.Identifier ->

< End of report >
hdebo
Regular Member
 
Posts: 26
Joined: June 13th, 2007, 8:12 pm

Unread postby tim s » June 19th, 2007, 12:14 am

Hi hdebo,

Ok this is our next fix. we are going to try to hit this all at one time.


Open notepad and copy/paste the text in the quotebox below into it:
NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.

Code: Select all
File::
C:\Program Files\Online Services\sademowu58441.dll

Folder::
C:\Temp
C:\WINDOWS\system32\S7 
C:\WINDOWS\system32\S6 
C:\WINDOWS\system32\S4 
C:\WINDOWS\system32\S1 
C:\WINDOWS\system32\S0 
C:\WINDOWS\system32\o09PrEz 
C:\Program Files\svhost 
C:\Program Files\poolsv

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]{D7988997-59B7-46B7-8FDA-371BA6A8D810}=-



Save this as ComboFix-Do.txt

Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.
Image


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.

------------------------------------------------------------------

Please do the following.

Download HostsXpert and unzip it to your desktop.
Open HostsXpert that you earlier unzipped on your desktop
Click "Make Hosts Writable?" upper right corner (if available)
Click "Restore Microsoft's Original Hosts File" and then click OK
Close HostsXpert

restart computer here.

---------------------------------------------------------------

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Open AVG Anti-Spyware:


Please do the following:
  • Click the Update icon at the top and under Manual Update click the Start update button.
  • The program will either update or inform you that no update was available.
  • It is essential that you get the update - keep trying until successful. (Note: If you have problems getting the update, you can download an installer for the full database from here (save it on your desktop). Once you have downloaded the installer, make sure that AVG Anti-Spyware is closed and then double-click on avgas-signatures-full-current.exe to install the database).
Please set up the program as follows:
  • Click the Shield icon at the top and under Resident shield is... click active. This should now change to inactive.
  • Click the Update icon and untick the automatic update option.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act? - make sure that Quarantine is selected.
    • Under How to scan? - All checkboxes should be ticked.
    • Under Possibly unwanted software - All checkboxes should be ticked.
    • Under Reports - Select Do not automatically generate reports. NOTE* If this is not selected you will not be able to click Save Scan Report button when instructed to do so.
    • Under What to scan? - Select Scan every file.
Close AVG Anti-Spyware without running yet.
Now disable (turn off AVG Anti-Spyware)
  • Right-click the AVG Anti-Spyware Tray Icon (Bottom right corner of computer screen near clock) and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon again and select Exit. Confirm by clicking Yes.

______________________________

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
______________________________


Open AVG Anti-Spyware program.
  • Click on Scanner on the toolbar.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan your computer.
  • When the scan has finished, follow the instructions below:
    • Make sure that Set all elements to: shows Quarantine
    • Important: Click on the Apply all Actions button (*** This must done before saving the report ***)
    • When the program has finished, it will display the message All actions have been applied.
    • Then click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Tray Icon and select Exit.
Restart computer back into normal mode.

-----------------------------------------------------------

Now re-run Panda online scan again.

Run Panda's ActiveScan from here and perform a full system scan.
NOTE* You must use Internet Explorer for this scan to work.

1. Once you are on the Panda site scroll to the bottom of page and click the "Scan your PC" button NOTE: If you have a popblocker enable you will have to allow popup here.
2. A new window will open...click the big "Check Now" button
3. Enter your Country
4. Enter your State/Province
5. Enter your e-mail address and click send
6. Select either Home User or Company
7. Click the big Scan Now button
8. If it wants to install an ActiveX component allow it
9. It will start downloading the files it requires for the scan (Note: It will take a couple minutes. You may have to reboot here and start back with step 1. I did.)
10. Click on "Local Disks" to start the scan
11. Post Panda scan results in your next reply with others requested.

-------------------------------------------

Post these in next reply:
Combofix.txt
AVG Anti-Spyware report
Panda online scan report
New HJT log
User avatar
tim s
MRU Honors Grad Emeritus
 
Posts: 1541
Joined: February 11th, 2006, 10:27 am

Unread postby hdebo » June 19th, 2007, 8:54 pm

I ran all the test except I had problems running HostsXpert. I got error that said Cannot find C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.
Here are the logs of the ones I was able to run

Combofix
ComboFix 07-06-13.3 - C:\Documents and Settings\HDebo\Desktop\ComboFix.exe
"HDebo" - 2007-06-19 18:14:45 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\HDebo\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Online Services\sademowu58441.dll
C:\Program Files\poolsv
C:\Program Files\poolsv\k11u72.exe
C:\Program Files\poolsv\svhost.exe
C:\Program Files\poolsv\wr-1-0000077.exe
C:\Program Files\svhost
C:\Program Files\svhost\wr-1-0000077.exe
C:\Temp
C:\Temp\iee\tmpZTF.log
C:\WINDOWS\system32\o09PrEz
C:\WINDOWS\system32\S0
C:\WINDOWS\system32\S0\cogyaga58441.exe
C:\WINDOWS\system32\S1
C:\WINDOWS\system32\S4
C:\WINDOWS\system32\S6
C:\WINDOWS\system32\S6\wr613.exe
C:\WINDOWS\system32\S7


((((((((((((((((((((((((( Files Created from 2007-05-19 to 2007-06-19 )))))))))))))))))))))))))))))))


2007-06-17 19:34 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-06-17 19:34 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-06-17 19:34 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-06-17 19:34 2,066 --a------ C:\WINDOWS\system32\tmp.reg
2007-06-14 21:23 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-06-14 21:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Kaspersky Lab
2007-06-14 17:35 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-14 13:03 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-13 23:28 <DIR> d-------- C:\DOCUME~1\HDebo\APPLIC~1\TrojanHunter
2007-06-13 23:27 <DIR> d-------- C:\Program Files\TrojanHunter 4.6
2007-06-13 07:18 <DIR> d-------- C:\WINDOWS\system32\win
2007-06-04 16:07 0 --a------ C:\WINDOWS\nsreg.dat
2007-06-01 16:19 <DIR> d-------- C:\DOCUME~1\HDebo\APPLIC~1\Uniblue
2007-06-01 00:33 524,288 --ah----- C:\DOCUME~1\ADMINI~1.DES\NTUSER.DAT
2007-05-29 20:35 <DIR> d-------- C:\hidownload
2007-05-28 06:03 454 --a------ C:\WINDOWS\system32\close.vbs


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-19 22:16:39 -------- d-----w C:\Program Files\Online Services
2007-06-19 01:57:02 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-18 07:35:37 -------- d-----w C:\DOCUME~1\HDebo\APPLIC~1\DMCache
2007-06-18 06:16:09 -------- d-----w C:\Program Files\BitComet
2007-06-18 06:11:37 -------- d-----w C:\Program Files\HJT
2007-06-14 01:13:39 -------- d-----w C:\Program Files\Norton AntiVirus
2007-06-14 00:51:18 -------- d-----w C:\Program Files\Easy Video Joiner
2007-05-30 00:15:02 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-29 23:57:26 -------- d-----w C:\Program Files\WinPcap
2007-05-10 23:00:55 -------- d-----w C:\DOCUME~1\HDebo\APPLIC~1\Lavasoft
2007-05-10 23:00:48 -------- d-----w C:\Program Files\Lavasoft
2007-05-10 23:00:30 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-04-22 11:38:55 -------- d-----w C:\Program Files\Internet Download Manager
2007-04-22 03:22:38 0 ----a-w C:\WINDOWS\system32\SBRC.dat
2007-04-22 03:22:38 0 ----a-w C:\WINDOWS\system32\SBFC.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2006-10-26 10:28]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-04-16 16:39]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{D7988997-59B7-46B7-8FDA-371BA6A8D810}=C:\Program Files\Online Services\sademowu58441.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 01:59]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-24 04:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperProfessional"="C:\PROGRA~1\PANICW~1\POP-UP~2\POPUPS~1.EXE" [2005-06-01 16:09]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ihsService.exe]
"C:\Program Files\Sunbelt Software\iHateSpam\ihsService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
"C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
"C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
"C:\Program Files\Norton AntiVirus\osCheck.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S


Contents of the 'Scheduled Tasks' folder
2007-06-15 23:25:43 C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - HDebo.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-19 18:16:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-19 18:17:09
C:\ComboFix-quarantined-files.txt ... 2007-06-19 18:17
C:\ComboFix2.txt ... 2007-06-18 01:53
C:\ComboFix3.txt ... 2007-06-14 20:04

--- E O F ---
AVG
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:57:46 PM 6/19/2007

+ Scan result:



C:\QooBox\Quarantine\C\Program Files\poolsv\wr-1-0000077.exe.vir -> Downloader.Agent.brf : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\Program Files\svhost\wr-1-0000077.exe.vir -> Downloader.Agent.brf : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\S6\wr613.exe.vir -> Downloader.Agent.brf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{138B4596-94AF-4C6B-B0CE-7C09C0FF9E41}\RP33\A0002468.exe -> Downloader.Agent.brf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{138B4596-94AF-4C6B-B0CE-7C09C0FF9E41}\RP33\A0002479.exe -> Downloader.Agent.brf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{138B4596-94AF-4C6B-B0CE-7C09C0FF9E41}\RP33\A0002493.exe -> Downloader.Agent.brf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{138B4596-94AF-4C6B-B0CE-7C09C0FF9E41}\RP35\A0003680.exe -> Downloader.Agent.brf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{138B4596-94AF-4C6B-B0CE-7C09C0FF9E41}\RP35\A0003682.exe -> Downloader.Agent.brf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{138B4596-94AF-4C6B-B0CE-7C09C0FF9E41}\RP35\A0003685.exe -> Downloader.Agent.brf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{138B4596-94AF-4C6B-B0CE-7C09C0FF9E41}\RP30\A0002397.exe -> Downloader.VB.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{138B4596-94AF-4C6B-B0CE-7C09C0FF9E41}\RP33\A0002470.exe -> Downloader.VB.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{138B4596-94AF-4C6B-B0CE-7C09C0FF9E41}\RP33\A0002485.exe -> Downloader.VB.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{138B4596-94AF-4C6B-B0CE-7C09C0FF9E41}\RP33\A0002467.exe -> Dropper.Agent.bfr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{138B4596-94AF-4C6B-B0CE-7C09C0FF9E41}\RP33\A0002486.exe -> Dropper.Agent.bfr : Cleaned with backup (quarantined).
C:\Documents and Settings\HDebo\Cookies\hdebo@247realmedia[2].txt -> TrackingCookie.247realmedia : Cleaned.
C:\Documents and Settings\HDebo\Cookies\hdebo@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\HDebo\Cookies\hdebo@partygaming.122.2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\HDebo\Cookies\hdebo@www.abcsearch[1].txt -> TrackingCookie.Abcsearch : Cleaned.
C:\Documents and Settings\HDebo\Cookies\hdebo@3.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\HDebo\Cookies\hdebo@4.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\HDebo\Cookies\hdebo@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\HDebo\Cookies\hdebo@ads.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\HDebo\Cookies\hdebo@adengage[1].txt -> TrackingCookie.Adengage : Cleaned.
C:\Documents and Settings\HDebo\Cookies\hdebo@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\HDebo\Cookies\hdebo@adtech[1].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\HDebo\Cookies\hdebo@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\HDebo\Cookies\hdebo@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\HDebo\Cookies\hdebo@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\HDebo\Cookies\hdebo@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\HDebo\Cookies\hdebo@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\HDebo\Cookies\hdebo@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\HDebo\Cookies\hdebo@enhance[1].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\HDebo\Cookies\hdebo@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\HDebo\Cookies\hdebo@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\HDebo\Cookies\hdebo@findwhat[2].txt -> TrackingCookie.Findwhat : Cleaned.
C:\Documents and Settings\HDebo\Cookies\hdebo@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\HDebo\Cookies\hdebo@overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\HDebo\Cookies\hdebo@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\HDebo\Cookies\hdebo@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\HDebo\Cookies\hdebo@realmedia[2].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\HDebo\Cookies\hdebo@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\HDebo\Cookies\hdebo@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\HDebo\Cookies\hdebo@specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\HDebo\Cookies\hdebo@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\HDebo\Cookies\hdebo@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\HDebo\Cookies\hdebo@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Cleaned.
C:\Documents and Settings\HDebo\Cookies\hdebo@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\HDebo\Cookies\hdebo@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\uni_eh42.exe.vir -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{138B4596-94AF-4C6B-B0CE-7C09C0FF9E41}\RP30\A0002404.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{138B4596-94AF-4C6B-B0CE-7C09C0FF9E41}\RP30\A0002415.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).


::Report end

Panda

Incident Status Location

Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\HDebo\Cookies\hdebo@adultfriendfinder[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\HDebo\Cookies\hdebo@atwola[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\HDebo\Cookies\hdebo@azjmp[1].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\HDebo\Cookies\hdebo@bravenet[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\HDebo\Cookies\hdebo@cgi-bin[3].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\HDebo\Cookies\hdebo@cgi-bin[4].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\HDebo\Cookies\hdebo@did-it[2].txt
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\HDebo\Cookies\hdebo@hc2.humanclick[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\HDebo\Cookies\hdebo@i.screensavers[1].txt
Spyware:Cookie/Outster Not disinfected C:\Documents and Settings\HDebo\Cookies\hdebo@outster[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\HDebo\Cookies\hdebo@xiti[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\HDebo\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\HDebo\Desktop\New Folder (3)\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\HDebo\Desktop\New Folder (3)\SmitfraudFix\Process.exe
Virus:Trj/Shutdown.Z Disinfected C:\Documents and Settings\HDebo\Desktop\New Folder (3)\SmitfraudFix\restart.exe
Adware:Adware/WebSearch Not disinfected C:\QooBox\Quarantine\C\Program Files\Online Services\sademowu58441.dll.vir
Adware:Adware/WebSearch Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\S0\cogyaga58441.exe.vir
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe
Adware:Adware/WinAntiSpyware Not disinfected C:\SDFix\backups_old1\backups.zip[backups/poolsv.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
HJT
Logfile of HijackThis v1.99.1
Scan saved at 8:47:46 PM, on 6/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\POPUPS~1.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\HJT\analyse.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {D7988997-59B7-46B7-8FDA-371BA6A8D810} - C:\Program Files\Online Services\sademowu58441.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~2\POPUPS~1.EXE"
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
hdebo
Regular Member
 
Posts: 26
Joined: June 13th, 2007, 8:12 pm

Unread postby tim s » June 20th, 2007, 12:35 am

Hi hdebo,

Well done. Are you still receiving popups?

This is next:

Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present):

    O2 - BHO: (no name) - {D7988997-59B7-46B7-8FDA-371BA6A8D810} - C:\Program Files\Online Services\sademowu58441.dll (file missing)

WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit HijackThis.

---------------------------------------------------------------

This tool should reset windows host file:

Re-run SDFix same has before >>> C:\SDFix

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


----------------------------------------------------------

Post a New HJT log and SDFix folder as Report.txt
User avatar
tim s
MRU Honors Grad Emeritus
 
Posts: 1541
Joined: February 11th, 2006, 10:27 am

Unread postby hdebo » June 20th, 2007, 4:38 am

Wow that was alot of work. THere must have been alot of crap there. Now everything is working just fine. What is the best browser, antivirus, or programs I can use to try to keep this from happening again?

I want to say thank you very much as you have been a great help to me.
Thanks again
Harry


SDFix: Version 1.88

Run by HDebo on Wed 06/20/2007 at 04:27 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing SharedAccess Service

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

Checking C:\WINDOWS\
C:\WINDOWS
No streams found.

Checking C:\WINDOWS\system32
C:\WINDOWS\system32
No streams found.

Checking C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Checking C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------


Listing Files with Hidden Attributes:

C:\Documents and Settings\Administrator.COMP1\NTUSER.DAT
C:\Documents and Settings\Administrator.COMP1\NTUSER.DAT.LOG
C:\Documents and Settings\Administrator.COMP1\Local Settings\Application Data\IconCache.db
C:\Documents and Settings\Administrator.COMP1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
C:\Documents and Settings\Administrator.COMP1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
C:\Documents and Settings\Administrator.COMP1.000\ntuser.dat
C:\Documents and Settings\Administrator.COMP1.000\NTUSER.DAT.LOG
C:\Documents and Settings\Administrator.COMP1.000\ntuser.ini
C:\Documents and Settings\Administrator.COMP1.000\Application Data\desktop.ini
C:\Documents and Settings\Administrator.COMP1.000\Local Settings\desktop.ini
C:\Documents and Settings\Administrator.COMP1.000\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
C:\Documents and Settings\Administrator.COMP1.000\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
C:\Documents and Settings\Administrator.COMP1.000\Local Settings\History\desktop.ini
C:\Documents and Settings\Administrator.COMP1.000\Local Settings\History\History.IE5\desktop.ini
C:\Documents and Settings\Administrator.COMP1.000\Local Settings\Temporary Internet Files\desktop.ini
C:\Documents and Settings\Administrator.COMP1.000\SendTo\desktop.ini
C:\Documents and Settings\Administrator.COMP1.000\Start Menu\desktop.ini
C:\Documents and Settings\Administrator.COMP1.000\Start Menu\Programs\desktop.ini
C:\Documents and Settings\Administrator.COMP1.000\Start Menu\Programs\Accessories\desktop.ini
C:\Documents and Settings\Administrator.COMP1.000\Start Menu\Programs\Accessories\Accessibility\desktop.ini
C:\Documents and Settings\Administrator.COMP1.000\Start Menu\Programs\Accessories\Entertainment\desktop.ini
C:\Documents and Settings\Administrator.COMP1.000\Start Menu\Programs\Startup\desktop.ini
C:\Documents and Settings\HDebo\Application Data\iPodSoft\iPod Agent\1.0.1.0\WinIPA.sys
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG

Listing User Accounts:

User accounts for \\DESKTOP

Administrator ASPNET Guest
HDebo HelpAssistant SUPPORT_388945a0


Finished
Logfile of HijackThis v1.99.1
Scan saved at 4:34:17 AM, on 6/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\POPUPS~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HJT\analyse.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~2\POPUPS~1.EXE"
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
hdebo
Regular Member
 
Posts: 26
Joined: June 13th, 2007, 8:12 pm

Unread postby hdebo » June 20th, 2007, 5:23 am

Help Tim I am stil getting norton blocks. It was fine for about 20 mnutes then I started to get norton blocks that stopped detection of adware.maxsearch, trojan.adclicker, adware.purityscan, adware.surfsidekck, and still getting intrusion to desktop. All this happened wile surfing a few car forums and I was on ebay. Sorry to keep bothering you.
I cant thank you enough for all the help. This is a real PIA.
hdebo
Regular Member
 
Posts: 26
Joined: June 13th, 2007, 8:12 pm
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 285 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware