Hi Simon V, Sorry I have been so long in contacting you, but my family and I have gone down with a sickness and diarrhea bug over Christmas and I am just beginning to feel a bit better. I would like to wish you a very happy New Year.
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 18:12:29 30/12/2007
+ Scan result:
C:\Program Files\AVSystemCare -> Adware.AvSystemcare : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0DCD32EF-B37E-43E0-B10A-EB21B438976E}\RP77\A0068248.ini -> Adware.Qworke : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0DCD32EF-B37E-43E0-B10A-EB21B438976E}\RP80\A0077301.dll -> Downloader.Bojo.z : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0DCD32EF-B37E-43E0-B10A-EB21B438976E}\RP30\A0020049.dll -> Not-A-Virus.Adware.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0DCD32EF-B37E-43E0-B10A-EB21B438976E}\RP33\A0026442.dll -> Not-A-Virus.Adware.Agent : Cleaned with backup (quarantined).
C:\Documents and Settings\Malcolm\Application Data\setup_en[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.z : Cleaned with backup (quarantined).
::Report end
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:49:11, on 30/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\Program Files\Windows Live\Family Safety\fssui.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\PDFPrinter\PDFServiceEngine.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: Windows Live OneCare Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
O2 - BHO: (no name) - {69B98C68-D2B8-4A4E-9CB7-E85B6F3A7014} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {70CC76D5-A4EE-4F25-9931-B109A63E298E} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {F2BADA0D-FD61-45EF-A994-64A073FD6613} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fssui.exe" -autorun
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P10 /q C:\DOCUME~1\Malcolm\LOCALS~1\TEMPOR~1\Content.IE5\8E7WA77W\GREEN_~1.SH! C:\DOCUME~1\Malcolm\LOCALS~1\TEMPOR~1\Content.IE5\LTXBI21Z\INDEX2~1.SH! C:\DOCUME~1\Malcolm\LOCALS~1\TEMPOR~1\Content.IE5\LTXBI21Z\RAPE-F~1.SH! C:\DOCUME~1\Malcolm\LOCALS~1\TEMPOR~1\Content.IE5\LTXBI21Z\TOUR_1~1.SH! C:\DOCUME~1\Malcolm\LOCALS~1\TEMPOR~1\Content.IE5\LTXBI21Z\GLORYH~1.SH! C:\DOCUME~1\Malcolm\LOCALS~1\TEMPOR~1\Content.IE5\UKID27Z4\CUMFIL~1.SH! C:\DOCUME~1\Malcolm\LOCALS~1\TEMPOR~1\Content.IE5\8E7WA77W\INDEX_~1.SH! C:\DOCUME~1\Malcolm\LOCALS~1\TEMPOR~1\Content.IE5\7MKRC952\NEW_1_~1.SH! C:\DOCUME~1\Malcolm\LOCALS~1\TEMPOR~1\Content.IE5\7MKRC952\SARAH_~1.SH! C:\DOCUME~1\Malcolm\LOCALS~1\TEMPOR~1\Content.IE5\7MKRC952\MAIN_1~1.SH! C:\DOCUME~1\Malcolm\LOCALS~1\TEMPOR~1\Content.IE5\8E7WA77W\INDEX_~3.SH! C:\DOCUME~1\Malcolm\LOCALS~1\TEMPOR~1\Content.IE5\7MKRC952\001_1_~1.SH! C:\DOCUME~1\Malcolm\LOCALS~1\TEMPOR~1\Content.IE5\8E7WA77W\HOME_1~1.SH! C:\D
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: PDF Printer Engine.lnk = C:\Program Files\PDFPrinter\PDFServiceEngine.exe
O8 - Extra context menu item: &Windows Live Search -
res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites -
http://favorites.live.com/quickadd.aspxO9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - "C:\PC Confidential\PCConfidential.exe" (file missing)
O9 - Extra 'Tools' menuitem: PC Confidential - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - "C:\PC Confidential\PCConfidential.exe" (file missing)
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} -
http://www.securesoftwarefeed.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} -
http://www.securesoftwarefeed.com/redirect.php (file missing)
O9 - Extra button: PC Confidential - {925DAB62-F9AC-4221-806A-057BFB1014AA} - "C:\PC Confidential\PCConfidential.exe" (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -
http://download.mcafee.com/molbin/iss-l ... cfscan.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{58CA2998-1733-4D53-8972-F55C63349644}: NameServer = 85.255.115.52 85.255.112.130
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBDA11CB-EA72-46B2-A653-C6CE4A6F9CF4}: NameServer = 85.255.115.52,85.255.112.130
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.52 85.255.112.130
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.115.52 85.255.112.130
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.52 85.255.112.130
O22 - SharedTaskScheduler: bemocked - {b0883848-1466-4470-a418-3fe7d36694b9} - (no file)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Winferno Subscription Service - Capital Intellect Inc - C:\Program Files\Common Files\Winferno\WSS\WSS.exe
--
End of file - 10862 bytes
SmitFraudFix v2.253
Scan done at 17:33:27.73, 30/12/2007
Run from C:\Documents and Settings\Malcolm\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{b0883848-1466-4470-a418-3fe7d36694b9}"="bemocked"
[HKEY_CLASSES_ROOT\CLSID\{b0883848-1466-4470-a418-3fe7d36694b9}\InProcServer32]
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{b0883848-1466-4470-a418-3fe7d36694b9}\InProcServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{0123eb75-964c-4cb3-b796-431cc9099570}"="disgorging"
[HKEY_CLASSES_ROOT\CLSID\{0123eb75-964c-4cb3-b796-431cc9099570}\InProcServer32]
@="C:\WINDOWS\system32\cjuvwa.dll"
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0123eb75-964c-4cb3-b796-431cc9099570}\InProcServer32]
@="C:\WINDOWS\system32\cjuvwa.dll"
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
C:\WINDOWS\system32\cjuvwa.dll -> Hoax.Win32.Renos.gen.o
C:\WINDOWS\system32\cjuvwa.dll -> Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url Deleted
C:\Program Files\Video Add-on\ Deleted
C:\Program Files\VirusProtect 3.8\ Deleted
»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CCS\Services\Tcpip\..\{CBDA11CB-EA72-46B2-A653-C6CE4A6F9CF4}: NameServer=85.255.115.52,85.255.112.130
HKLM\SYSTEM\CS1\Services\Tcpip\..\{58CA2998-1733-4D53-8972-F55C63349644}: NameServer=212.104.130.9 212.104.130.65
HKLM\SYSTEM\CS2\Services\Tcpip\..\{CBDA11CB-EA72-46B2-A653-C6CE4A6F9CF4}: NameServer=85.255.115.52,85.255.112.130
HKLM\SYSTEM\CS3\Services\Tcpip\..\{CBDA11CB-EA72-46B2-A653-C6CE4A6F9CF4}: NameServer=85.255.115.52,85.255.112.130
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.115.52 85.255.112.130
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=85.255.115.52 85.255.112.130
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer=85.255.115.52 85.255.112.130
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="kdwub.exe"
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{b0883848-1466-4470-a418-3fe7d36694b9}"="bemocked"
[HKEY_CLASSES_ROOT\CLSID\{b0883848-1466-4470-a418-3fe7d36694b9}\InProcServer32]
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{b0883848-1466-4470-a418-3fe7d36694b9}\InProcServer32]
»»»»»»»»»»»»»»»»»»»»»»»» Reboot
C:\WINDOWS\system32\kdwub.exe Deleted
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» End