
Malware Removal Instructions

Posted for godivarides


Re: Posted for godivarides

Post by dan12 » July 1st, 2008, 3:23 pm

Hi godivarides, here is your next part. When you copy and paste the items in the quote box, make sure you copy them into Notepad; no other editor will do, it has to be Notepad or the fix won't work.
Can you make sure Avast is disabled while it scans, and also Spyware Terminator, as before.

P2P Warning!

IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

uTorrent

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation.

I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

References for the risk of these programs can be found in these links: http://www.microsoft.com/windows/ie/com ... ction.mspx
http://www.techweb.com/wire/160500554
http://www.internetworldstats.com/articles/art053.htm

I would recommend that you uninstall uTorrent, however that choice is up to you.
If you wish to keep it, please do not use it until your computer is cleaned.
__________

1. Close any open browsers.

2. Open Notepad and copy/paste the text in the quote box below into it:


File::
C:\WINDOWS\SYSTEM32\vdsutw.dll
C:\WINDOWS\SYSTEM32\bvinbhui.dll
C:\WINDOWS\SYSTEM32\rbolsdby.dll
C:\WINDOWS\SYSTEM32\waagihti.dll
C:\WINDOWS\Internet Logs\xDB5A.tmp
C:\WINDOWS\Internet Logs\xDB57.tmp
C:\WINDOWS\Internet Logs\xDB58.tmp
C:\WINDOWS\Internet Logs\xDB59.tmp
C:\WINDOWS\Internet Logs\xDB56.tmp
C:\WINDOWS\Internet Logs\xDB54.tmp
C:\WINDOWS\Internet Logs\xDB55.tmp
C:\WINDOWS\Internet Logs\xDB53.tmp
C:\WINDOWS\Internet Logs\xDB52.tmp
C:\WINDOWS\Internet Logs\xDB51.tmp
C:\WINDOWS\Internet Logs\xDB50.tmp
C:\WINDOWS\Internet Logs\xDB4F.tmp
C:\WINDOWS\Internet Logs\xDB4E.tmp
C:\WINDOWS\Internet Logs\xDB4D.tmp
C:\WINDOWS\Internet Logs\xDB4C.tmp
C:\WINDOWS\Internet Logs\xDB4B.tmp
C:\WINDOWS\Internet Logs\xDB4A.tmp
C:\WINDOWS\Internet Logs\xDB49.tmp
C:\WINDOWS\Internet Logs\xDB48.tmp
C:\Program Files\temp01
C:\WINDOWS\system32\cbXNETKb.dll
C:\WINDOWS\system32\vdsutw.dll
C:\WINDOWS\system32\fryhnvgt.dll
C:\WINDOWS\system32\ytulccqx.dll
Folder::
C:\Documents and Settings\All Users\Application Data\Avira
C:\Program Files\Common Files\BOONTY Shared
RenV::
C:\Backup\H\Documents and Settings\Sandra\My Documents\My Place\digin\SMS\PROGRAM\PasswordVisible2002\password visible2002 .exe
C:\Documents and Settings\Sandra Miller\My Documents\MD Jan 2004\digin\SMS\PROGRAM\PasswordVisible2002\password visible2002 .exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F3FACB7-2681-4131-9E38-8169242B6B2D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56115928-FDE3-419A-9E0A-0371CCCE012A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8EE19CA6-B6AF-4765-AFEA-639CBBEF2768}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9cb6eb86-14d3-4934-8e2a-a0d087c26635}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"443e3e86"=-
"BM470d0d1a"=-
Driver::
Boonty Games

Save this as CFScript.txt, in the same location as ComboFix.exe.

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Post the combo log back to me.
Regards, dan
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Posted for godivarides

Post by dan12 » July 1st, 2008, 3:27 pm

Hi Dan

Here are 2 log files - I'm uncertain either is correct. When Combofix booted up both times, it stated the CFScript.txt couldn't be found.

In the TEAL or 1st run, I forgot to turn off the spyware and saved the file you sent as "CFScript.txt" on my desktop, where Combofix is.

I decided to rerun the files prior to sending them to you, so in the ROYAL or 2nd run, I turned off all spyware and disabled the internet, and saved your file as "CFScript" on my desktop.

Does it make a difference?

I ran Super AntiSpyware twice more:
2nd time found 10 threats (down from 28!), 2 new trojans: Trojan.Downloader-NewJuan/VM
3rd time found 6 threats (all cookies, nothing else)

Upon rebooting, 3 error messages:
c:\windows\system32\fryhnvgt.dll
C:\windows\system32\ytulccqx.dll
RPC error for AVAST

Hope this is useful, thank you for your help!

Sandra

btw I'm in Calgary, Alberta Canada, so you're 7 hours ahead of me.



**************************************************************************************************

ComboFix 08-06-20.4 - Sandra Miller 2008-06-28 18:39:47.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.71 [GMT -6:00]
Running from: C:\Documents and Settings\Sandra Miller\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sandra Miller\Desktop\CFScript.txt

FILE ::
C:\Program Files\temp01
C:\WINDOWS\Internet Logs\xDB48.tmp
C:\WINDOWS\Internet Logs\xDB49.tmp
C:\WINDOWS\Internet Logs\xDB4A.tmp
C:\WINDOWS\Internet Logs\xDB4B.tmp
C:\WINDOWS\Internet Logs\xDB4C.tmp
C:\WINDOWS\Internet Logs\xDB4D.tmp
C:\WINDOWS\Internet Logs\xDB4E.tmp
C:\WINDOWS\Internet Logs\xDB4F.tmp
C:\WINDOWS\Internet Logs\xDB50.tmp
C:\WINDOWS\Internet Logs\xDB51.tmp
C:\WINDOWS\Internet Logs\xDB52.tmp
C:\WINDOWS\Internet Logs\xDB53.tmp
C:\WINDOWS\Internet Logs\xDB54.tmp
C:\WINDOWS\Internet Logs\xDB55.tmp
C:\WINDOWS\Internet Logs\xDB56.tmp
C:\WINDOWS\Internet Logs\xDB57.tmp
C:\WINDOWS\Internet Logs\xDB58.tmp
C:\WINDOWS\Internet Logs\xDB59.tmp
C:\WINDOWS\Internet Logs\xDB5A.tmp
C:\WINDOWS\SYSTEM32\bvinbhui.dll
C:\WINDOWS\system32\cbXNETKb.dll
C:\WINDOWS\system32\fryhnvgt.dll
C:\WINDOWS\SYSTEM32\rbolsdby.dll
C:\WINDOWS\system32\vdsutw.dll
C:\WINDOWS\SYSTEM32\vdsutw.dll
C:\WINDOWS\SYSTEM32\waagihti.dll
C:\WINDOWS\system32\ytulccqx.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Internet Logs\xDB48.tmp

.
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-29 )))))))))))))))))))))))))))))))
.

2008-06-27 20:02 . 2002-08-29 06:00 132,608 --a------ C:\WINDOWS\SYSTEM32\fxsclntR.dll
2008-06-27 20:02 . 2002-08-29 06:00 132,608 --a------ C:\WINDOWS\SYSTEM32\dllcache\fxsclntr.dll
2008-06-27 20:01 . 2002-08-29 06:00 111,104 --a------ C:\WINDOWS\SYSTEM32\fxscfgwz.dll
2008-06-27 20:01 . 2002-08-29 06:00 111,104 --a------ C:\WINDOWS\SYSTEM32\dllcache\fxscfgwz.dll
2008-06-27 16:08 . 2008-06-27 16:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-27 16:01 . 2008-06-27 16:02 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-27 16:01 . 2008-06-27 16:01 <DIR> d-------- C:\Documents and Settings\Sandra Miller\Application Data\SUPERAntiSpyware.com
2008-06-27 10:49 . 2008-06-27 10:49 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-06-25 15:19 . 2008-06-25 15:19 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-06-25 15:16 . 2008-06-25 15:16 <DIR> d-------- C:\Program Files\Common Files\L&H
2008-06-25 11:34 . 2008-06-25 11:34 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-25 11:32 . 2008-06-27 15:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-24 14:25 . 2008-06-24 14:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-23 23:08 . 2008-06-23 23:08 511 --a------ C:\WINDOWS\Canada
2008-06-23 19:42 . 2008-06-23 19:42 95 --a------ C:\WINDOWS\wininit.ini
2008-06-22 17:24 . 2004-11-13 13:37 6,301,096 --a------ C:\Program Files\Zuma Deluxe.exe
2008-06-11 01:16 . 2008-06-13 07:10 272,128 --------- C:\WINDOWS\SYSTEM32\dllcache\bthport.sys
2008-06-05 13:49 . 2008-06-05 13:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-06-04 17:44 . 2008-06-04 17:50 <DIR> d-------- C:\Program Files\Winamp
2008-06-04 17:44 . 2008-06-04 18:13 <DIR> d-------- C:\Documents and Settings\Sandra Miller\Application Data\Winamp
2008-06-03 17:02 . 2008-06-28 02:01 <DIR> d-------- C:\Program Files\WinClamAVShield
2008-06-03 16:52 . 2008-06-28 02:02 <DIR> d-------- C:\Documents and Settings\Sandra Miller\Application Data\Spyware Terminator
2008-06-03 16:52 . 2008-06-28 09:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-06-03 16:52 . 2008-06-03 16:52 141,312 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sp_rsdrv2.sys
2008-06-03 16:51 . 2008-06-28 09:11 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-06-03 12:33 . 2008-06-28 00:09 <DIR> d-------- C:\Program Files\XoftSpySE
2008-06-02 21:29 . 2008-06-02 21:29 181 --a------ C:\WINDOWS\ACTPR.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-29 00:44 149,200,928 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-29 00:11 --------- d-----w C:\Program Files\Plaxo
2008-06-29 00:08 1,749,116 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-28 23:42 --------- d-----w C:\Documents and Settings\Sandra Miller\Application Data\uTorrent
2008-06-27 21:12 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-06-25 17:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-24 19:05 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-24 19:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-05 20:24 --------- d-----w C:\Documents and Settings\Sandra Miller\Application Data\SpinTop
2008-06-05 20:16 --------- d-----w C:\Program Files\Safer Networking
2008-06-04 01:00 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-03 03:34 --------- d-----w C:\Program Files\ACT
2008-05-25 23:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-18 19:52 --------- d-----w C:\Program Files\Alwil Software
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-29 17:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 17:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 17:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2000-11-01 22:51 271 --sha-w C:\Program Files\desktop.ini
2000-08-16 00:25 257,636 ----a-w C:\Program Files\TBM313.TMP
2000-08-16 00:25 252,384 ----a-w C:\Program Files\TBM315.TMP
1998-12-11 10:05 74,336 ----a-w C:\Program Files\casmira_.TTF
1998-12-02 16:33 10,212 ----a-w C:\Program Files\MSCAPE_0.TTF
1998-12-02 16:33 10,212 ----a-w C:\Program Files\MSCAPE.TTF
1998-11-12 14:18 155,528 ----a-w C:\Program Files\BKANT.TTF
1998-11-12 14:18 151,000 ----a-w C:\Program Files\ANTQUAB.TTF
1998-11-12 14:18 150,416 ----a-w C:\Program Files\ANTQUABI.TTF
1998-11-12 14:18 149,092 ----a-w C:\Program Files\ANTQUAI.TTF
1998-11-10 20:52 157,360 ----a-w C:\Program Files\MTCORSVA.TTF
1998-11-04 23:30 162,460 ----a-w C:\Program Files\BOOKOSBI.TTF
1998-11-04 23:30 160,940 ----a-w C:\Program Files\BOOKOS.TTF
1998-11-04 23:30 160,920 ----a-w C:\Program Files\BOOKOSI.TTF
1998-11-04 23:30 154,576 ----a-w C:\Program Files\BOOKOSB.TTF
1998-07-30 04:31 58,088 ----a-w C:\Program Files\Trendy__.TTF
1998-07-30 04:30 51,668 ----a-w C:\Program Files\Radagund.TTF
1998-07-30 04:30 48,508 ----a-w C:\Program Files\Openc___.TTF
1998-07-30 04:29 60,156 ----a-w C:\Program Files\Microdot.TTF
1998-07-30 04:28 54,540 ----a-w C:\Program Files\Mandela_.TTF
1998-07-30 04:28 38,944 ----a-w C:\Program Files\Realv___.TTF
1998-07-30 04:27 52,336 ----a-w C:\Program Files\Shelman_.TTF
1998-07-30 04:26 57,976 ----a-w C:\Program Files\Natur___.TTF
1998-07-30 04:25 64,916 ----a-w C:\Program Files\Pretext_.TTF
1998-07-30 04:25 44,876 ----a-w C:\Program Files\Puppy___.TTF
1998-07-30 04:24 46,212 ----a-w C:\Program Files\Neolith_.TTF
1998-07-30 04:23 61,272 ----a-w C:\Program Files\Matte___.TTF
1998-07-30 04:21 49,960 ----a-w C:\Program Files\Genuine_.TTF
1998-07-30 04:20 63,596 ----a-w C:\Program Files\Alibi___.TTF
1998-07-30 04:18 72,060 ----a-w C:\Program Files\Ellis___.TTF
1998-07-30 04:17 77,384 ----a-w C:\Program Files\Herman__.TTF
1998-07-30 04:17 58,116 ----a-w C:\Program Files\Excess__.TTF
1998-07-30 04:16 104,864 ----a-w C:\Program Files\Isabelle.TTF
1998-07-30 04:15 65,852 ----a-w C:\Program Files\Joan____.TTF
1998-07-30 04:14 63,124 ----a-w C:\Program Files\Helte___.TTF
1998-07-30 04:13 37,180 ----a-w C:\Program Files\Elegance.TTF
1998-07-30 04:10 45,268 ----a-w C:\Program Files\Batavia_.TTF
1998-07-30 04:08 71,068 ----a-w C:\Program Files\Justice_.TTF
1998-07-30 04:02 47,688 ----a-w C:\Program Files\Absalom_.TTF
1998-05-28 21:38 141,328 ----a-w C:\Program Files\ARIALNI.TTF
1998-05-28 21:38 139,056 ----a-w C:\Program Files\ARIALNB.TTF
1998-05-28 21:38 138,468 ----a-w C:\Program Files\ARIALNBI.TTF
1998-05-28 21:38 134,188 ----a-w C:\Program Files\ARIALN.TTF
1998-05-21 19:30 198,540 ----a-w C:\Program Files\GARABD.TTF
1998-05-21 19:30 196,588 ----a-w C:\Program Files\GARA.TTF
1998-05-21 19:30 188,916 ----a-w C:\Program Files\GARAIT.TTF
1998-01-08 23:26 10,028 ----a-w C:\Program Files\OUTLOOK.TTF
1997-10-24 22:42 65,544 ----a-w C:\Program Files\ARBLI___.TTF
1997-03-18 06:49 69,408 ----a-w C:\Program Files\Elepbi__.ttf
1997-03-18 06:49 69,132 ----a-w C:\Program Files\Jolti___.ttf
1997-03-18 06:49 66,652 ----a-w C:\Program Files\Elepi___.ttf
1997-03-18 06:49 65,692 ----a-w C:\Program Files\Vogei___.ttf
1997-03-18 06:49 64,180 ----a-w C:\Program Files\Elepb___.ttf
1997-03-18 06:49 63,908 ----a-w C:\Program Files\Joltn___.ttf
1997-03-18 06:49 63,496 ----a-w C:\Program Files\Joltbi__.ttf
1997-03-18 06:49 61,408 ----a-w C:\Program Files\Vogebi__.ttf
1997-03-18 06:49 60,296 ----a-w C:\Program Files\Joltb___.ttf
1997-03-18 06:49 60,008 ----a-w C:\Program Files\Elepn___.ttf
1997-03-18 06:49 57,556 ----a-w C:\Program Files\Vogen___.ttf
1997-03-18 06:49 56,168 ----a-w C:\Program Files\Vogeb___.ttf
1996-10-23 03:14 66,536 ----a-w C:\Program Files\Presws__.ttf
1996-05-28 17:58 71,052 ----a-w C:\Program Files\Varsity_.ttf
1996-05-06 20:53 65,156 ----a-w C:\Program Files\Willow__.ttf
1996-05-06 20:51 59,004 ----a-w C:\Program Files\Zelda___.ttf
1996-05-06 20:50 47,976 ----a-w C:\Program Files\Zeldi___.ttf
1996-05-06 20:48 49,224 ----a-w C:\Program Files\Tabitha_.ttf
1996-05-06 20:47 48,596 ----a-w C:\Program Files\Treasure.ttf
1996-05-06 20:46 44,236 ----a-w C:\Program Files\Valiant_.ttf
1996-05-06 20:42 51,700 ----a-w C:\Program Files\Vogue___.ttf
1996-05-06 20:41 69,112 ----a-w C:\Program Files\Quill___.ttf
1996-05-06 20:40 102,428 ----a-w C:\Program Files\Rockston.ttf
1996-05-06 20:39 68,968 ----a-w C:\Program Files\Stars___.ttf
1996-05-06 20:39 50,212 ----a-w C:\Program Files\Saloon__.ttf
1996-05-06 20:37 48,500 ----a-w C:\Program Files\Submarin.ttf
1996-05-06 20:36 53,696 ----a-w C:\Program Files\Janis___.ttf
1996-05-06 20:35 60,404 ----a-w C:\Program Files\Papep___.ttf
1996-05-06 20:35 56,516 ----a-w C:\Program Files\Julius__.ttf
1996-05-06 20:34 74,672 ----a-w C:\Program Files\Papercli.ttf
1996-05-06 20:33 81,424 ----a-w C:\Program Files\Partridg.ttf
1996-05-06 20:31 63,540 ----a-w C:\Program Files\Crate___.ttf
1996-05-06 20:30 81,708 ----a-w C:\Program Files\Emeri___.ttf
2006-12-14 14:04 56 --sh--r C:\WINDOWS\SYSTEM32\876B465C25.sys
2007-05-27 17:49 1,890 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-27_23.33.47.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-28 05:20:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-29 00:09:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-28 15:17:58 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_500.dat
+ 2008-06-29 00:10:27 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_7b0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"PlaxoUpdate"="C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe" [2004-12-03 16:20 116736]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49 4662776]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 10:50 20992 C:\WINDOWS\LOGI_MWX.EXE]
"Motive SmartBridge"="C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe" [2006-10-19 20:53 393216]
"APL"="C:\Program Files\ACT\ACT for Win 7\APL.exe" [2005-05-24 14:42 20480]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 12:41 196608]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 06:07 69632]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-06-03 16:52 1817600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 02:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
HPAiODevice(hp officejet g series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 17:15:00 151552]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 04:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 17:20]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-06-03 16:52]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 17:16]
R2 MSSQL$ACT7;MSSQL$ACT7;C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe [2003-05-31 19:02]
S3 ATE_PROCMON;ATE_PROCMON;C:\Program Files\Anti Trojan Elite\ATEPMon.sys []
S3 DrvFltIp;DrvFltIp;C:\Program Files\MRBDG\DrvFltIp.sys []
S3 SQLAgent$ACT7;SQLAgent$ACT7;C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE [2002-12-17 17:23]
S3 UsbFltr;WayTech USB Filter Driver;C:\WINDOWS\system32\Drivers\UsbFltr.sys [2004-05-13 17:14]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 00:01]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-28 16:00:00 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
"2008-06-27 13:00:00 C:\WINDOWS\Tasks\SpyHunter Scanner.job"
- C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
"2008-06-29 00:10:13 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-06-28 09:00:02 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-28 18:43:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-28 18:47:08
ComboFix-quarantined-files.txt 2008-06-29 00:47:01
ComboFix2.txt 2008-06-29 00:24:02
ComboFix3.txt 2008-06-28 05:34:57

Pre-Run: 47,271,071,744 bytes free
Post-Run: 47,257,526,272 bytes free

262 --- E O F --- 2008-06-28 00:33:59


**********************************************************************************************

ComboFix 08-06-20.4 - Sandra Miller 2008-06-28 17:59:19.2 - NTFSx86
Running from: C:\Documents and Settings\Sandra Miller\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sandra Miller\Desktop\327882R2FWJFW\CFScript.txt
* Created a new restore point

FILE ::
C:\Program Files\temp01
C:\WINDOWS\Internet Logs\xDB48.tmp
C:\WINDOWS\Internet Logs\xDB49.tmp
C:\WINDOWS\Internet Logs\xDB4A.tmp
C:\WINDOWS\Internet Logs\xDB4B.tmp
C:\WINDOWS\Internet Logs\xDB4C.tmp
C:\WINDOWS\Internet Logs\xDB4D.tmp
C:\WINDOWS\Internet Logs\xDB4E.tmp
C:\WINDOWS\Internet Logs\xDB4F.tmp
C:\WINDOWS\Internet Logs\xDB50.tmp
C:\WINDOWS\Internet Logs\xDB51.tmp
C:\WINDOWS\Internet Logs\xDB52.tmp
C:\WINDOWS\Internet Logs\xDB53.tmp
C:\WINDOWS\Internet Logs\xDB54.tmp
C:\WINDOWS\Internet Logs\xDB55.tmp
C:\WINDOWS\Internet Logs\xDB56.tmp
C:\WINDOWS\Internet Logs\xDB57.tmp
C:\WINDOWS\Internet Logs\xDB58.tmp
C:\WINDOWS\Internet Logs\xDB59.tmp
C:\WINDOWS\Internet Logs\xDB5A.tmp
C:\WINDOWS\SYSTEM32\bvinbhui.dll
C:\WINDOWS\system32\cbXNETKb.dll
C:\WINDOWS\system32\fryhnvgt.dll
C:\WINDOWS\SYSTEM32\rbolsdby.dll
C:\WINDOWS\system32\vdsutw.dll
C:\WINDOWS\SYSTEM32\vdsutw.dll
C:\WINDOWS\SYSTEM32\waagihti.dll
C:\WINDOWS\system32\ytulccqx.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Avira
C:\Program Files\Common Files\BOONTY Shared
C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
C:\Program Files\temp01
C:\WINDOWS\Internet Logs\xDB48.tmp
C:\WINDOWS\Internet Logs\xDB49.tmp
C:\WINDOWS\Internet Logs\xDB4A.tmp
C:\WINDOWS\Internet Logs\xDB4B.tmp
C:\WINDOWS\Internet Logs\xDB4C.tmp
C:\WINDOWS\Internet Logs\xDB4D.tmp
C:\WINDOWS\Internet Logs\xDB4E.tmp
C:\WINDOWS\Internet Logs\xDB4F.tmp
C:\WINDOWS\Internet Logs\xDB50.tmp
C:\WINDOWS\Internet Logs\xDB51.tmp
C:\WINDOWS\Internet Logs\xDB52.tmp
C:\WINDOWS\Internet Logs\xDB53.tmp
C:\WINDOWS\Internet Logs\xDB54.tmp
C:\WINDOWS\Internet Logs\xDB55.tmp
C:\WINDOWS\Internet Logs\xDB56.tmp
C:\WINDOWS\Internet Logs\xDB57.tmp
C:\WINDOWS\Internet Logs\xDB58.tmp
C:\WINDOWS\Internet Logs\xDB59.tmp
C:\WINDOWS\Internet Logs\xDB5A.tmp
C:\WINDOWS\SYSTEM32\bvinbhui.dll
C:\WINDOWS\SYSTEM32\rbolsdby.dll
C:\WINDOWS\SYSTEM32\waagihti.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BOONTY_GAMES
-------\Service_Boonty Games


((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-29 )))))))))))))))))))))))))))))))
.

2008-06-27 20:02 . 2002-08-29 06:00 132,608 --a------ C:\WINDOWS\SYSTEM32\fxsclntR.dll
2008-06-27 20:02 . 2002-08-29 06:00 132,608 --a------ C:\WINDOWS\SYSTEM32\dllcache\fxsclntr.dll
2008-06-27 20:01 . 2002-08-29 06:00 111,104 --a------ C:\WINDOWS\SYSTEM32\fxscfgwz.dll
2008-06-27 20:01 . 2002-08-29 06:00 111,104 --a------ C:\WINDOWS\SYSTEM32\dllcache\fxscfgwz.dll
2008-06-27 16:08 . 2008-06-27 16:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-27 16:01 . 2008-06-27 16:02 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-27 16:01 . 2008-06-27 16:01 <DIR> d-------- C:\Documents and Settings\Sandra Miller\Application Data\SUPERAntiSpyware.com
2008-06-27 10:49 . 2008-06-27 10:49 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-06-25 15:19 . 2008-06-25 15:19 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-06-25 15:16 . 2008-06-25 15:16 <DIR> d-------- C:\Program Files\Common Files\L&H
2008-06-25 11:34 . 2008-06-25 11:34 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-25 11:32 . 2008-06-27 15:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-24 14:25 . 2008-06-24 14:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-23 23:08 . 2008-06-23 23:08 511 --a------ C:\WINDOWS\Canada
2008-06-23 19:42 . 2008-06-23 19:42 95 --a------ C:\WINDOWS\wininit.ini
2008-06-22 17:24 . 2004-11-13 13:37 6,301,096 --a------ C:\Program Files\Zuma Deluxe.exe
2008-06-11 01:16 . 2008-06-13 07:10 272,128 --------- C:\WINDOWS\SYSTEM32\dllcache\bthport.sys
2008-06-05 13:49 . 2008-06-05 13:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-06-04 17:44 . 2008-06-04 17:50 <DIR> d-------- C:\Program Files\Winamp
2008-06-04 17:44 . 2008-06-04 18:13 <DIR> d-------- C:\Documents and Settings\Sandra Miller\Application Data\Winamp
2008-06-03 17:02 . 2008-06-28 02:01 <DIR> d-------- C:\Program Files\WinClamAVShield
2008-06-03 16:52 . 2008-06-28 02:02 <DIR> d-------- C:\Documents and Settings\Sandra Miller\Application Data\Spyware Terminator
2008-06-03 16:52 . 2008-06-28 09:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-06-03 16:52 . 2008-06-03 16:52 141,312 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sp_rsdrv2.sys
2008-06-03 16:51 . 2008-06-28 09:11 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-06-03 12:33 . 2008-06-28 00:09 <DIR> d-------- C:\Program Files\XoftSpySE
2008-06-02 21:29 . 2008-06-02 21:29 181 --a------ C:\WINDOWS\ACTPR.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-29 00:16 149,172,256 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-29 00:11 --------- d-----w C:\Program Files\Plaxo
2008-06-29 00:08 1,749,116 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-28 23:42 --------- d-----w C:\Documents and Settings\Sandra Miller\Application Data\uTorrent
2008-06-27 21:12 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-06-25 17:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-24 19:05 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-24 19:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-05 20:24 --------- d-----w C:\Documents and Settings\Sandra Miller\Application Data\SpinTop
2008-06-05 20:16 --------- d-----w C:\Program Files\Safer Networking
2008-06-04 01:00 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-03 03:34 --------- d-----w C:\Program Files\ACT
2008-05-25 23:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-18 19:52 --------- d-----w C:\Program Files\Alwil Software
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-29 17:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 17:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 17:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2000-11-01 22:51 271 --sha-w C:\Program Files\desktop.ini
2000-08-16 00:25 257,636 ----a-w C:\Program Files\TBM313.TMP
2000-08-16 00:25 252,384 ----a-w C:\Program Files\TBM315.TMP
1998-12-11 10:05 74,336 ----a-w C:\Program Files\casmira_.TTF
1998-12-02 16:33 10,212 ----a-w C:\Program Files\MSCAPE_0.TTF
1998-12-02 16:33 10,212 ----a-w C:\Program Files\MSCAPE.TTF
1998-11-12 14:18 155,528 ----a-w C:\Program Files\BKANT.TTF
1998-11-12 14:18 151,000 ----a-w C:\Program Files\ANTQUAB.TTF
1998-11-12 14:18 150,416 ----a-w C:\Program Files\ANTQUABI.TTF
1998-11-12 14:18 149,092 ----a-w C:\Program Files\ANTQUAI.TTF
1998-11-10 20:52 157,360 ----a-w C:\Program Files\MTCORSVA.TTF
1998-11-04 23:30 162,460 ----a-w C:\Program Files\BOOKOSBI.TTF
1998-11-04 23:30 160,940 ----a-w C:\Program Files\BOOKOS.TTF
1998-11-04 23:30 160,920 ----a-w C:\Program Files\BOOKOSI.TTF
1998-11-04 23:30 154,576 ----a-w C:\Program Files\BOOKOSB.TTF
1998-07-30 04:31 58,088 ----a-w C:\Program Files\Trendy__.TTF
1998-07-30 04:30 51,668 ----a-w C:\Program Files\Radagund.TTF
1998-07-30 04:30 48,508 ----a-w C:\Program Files\Openc___.TTF
1998-07-30 04:29 60,156 ----a-w C:\Program Files\Microdot.TTF
1998-07-30 04:28 54,540 ----a-w C:\Program Files\Mandela_.TTF
1998-07-30 04:28 38,944 ----a-w C:\Program Files\Realv___.TTF
1998-07-30 04:27 52,336 ----a-w C:\Program Files\Shelman_.TTF
1998-07-30 04:26 57,976 ----a-w C:\Program Files\Natur___.TTF
1998-07-30 04:25 64,916 ----a-w C:\Program Files\Pretext_.TTF
1998-07-30 04:25 44,876 ----a-w C:\Program Files\Puppy___.TTF
1998-07-30 04:24 46,212 ----a-w C:\Program Files\Neolith_.TTF
1998-07-30 04:23 61,272 ----a-w C:\Program Files\Matte___.TTF
1998-07-30 04:21 49,960 ----a-w C:\Program Files\Genuine_.TTF
1998-07-30 04:20 63,596 ----a-w C:\Program Files\Alibi___.TTF
1998-07-30 04:18 72,060 ----a-w C:\Program Files\Ellis___.TTF
1998-07-30 04:17 77,384 ----a-w C:\Program Files\Herman__.TTF
1998-07-30 04:17 58,116 ----a-w C:\Program Files\Excess__.TTF
1998-07-30 04:16 104,864 ----a-w C:\Program Files\Isabelle.TTF
1998-07-30 04:15 65,852 ----a-w C:\Program Files\Joan____.TTF
1998-07-30 04:14 63,124 ----a-w C:\Program Files\Helte___.TTF
1998-07-30 04:13 37,180 ----a-w C:\Program Files\Elegance.TTF
1998-07-30 04:10 45,268 ----a-w C:\Program Files\Batavia_.TTF
1998-07-30 04:08 71,068 ----a-w C:\Program Files\Justice_.TTF
1998-07-30 04:02 47,688 ----a-w C:\Program Files\Absalom_.TTF
1998-05-28 21:38 141,328 ----a-w C:\Program Files\ARIALNI.TTF
1998-05-28 21:38 139,056 ----a-w C:\Program Files\ARIALNB.TTF
1998-05-28 21:38 138,468 ----a-w C:\Program Files\ARIALNBI.TTF
1998-05-28 21:38 134,188 ----a-w C:\Program Files\ARIALN.TTF
1998-05-21 19:30 198,540 ----a-w C:\Program Files\GARABD.TTF
1998-05-21 19:30 196,588 ----a-w C:\Program Files\GARA.TTF
1998-05-21 19:30 188,916 ----a-w C:\Program Files\GARAIT.TTF
1998-01-08 23:26 10,028 ----a-w C:\Program Files\OUTLOOK.TTF
1997-10-24 22:42 65,544 ----a-w C:\Program Files\ARBLI___.TTF
1997-03-18 06:49 69,408 ----a-w C:\Program Files\Elepbi__.ttf
1997-03-18 06:49 69,132 ----a-w C:\Program Files\Jolti___.ttf
1997-03-18 06:49 66,652 ----a-w C:\Program Files\Elepi___.ttf
1997-03-18 06:49 65,692 ----a-w C:\Program Files\Vogei___.ttf
1997-03-18 06:49 64,180 ----a-w C:\Program Files\Elepb___.ttf
1997-03-18 06:49 63,908 ----a-w C:\Program Files\Joltn___.ttf
1997-03-18 06:49 63,496 ----a-w C:\Program Files\Joltbi__.ttf
1997-03-18 06:49 61,408 ----a-w C:\Program Files\Vogebi__.ttf
1997-03-18 06:49 60,296 ----a-w C:\Program Files\Joltb___.ttf
1997-03-18 06:49 60,008 ----a-w C:\Program Files\Elepn___.ttf
1997-03-18 06:49 57,556 ----a-w C:\Program Files\Vogen___.ttf
1997-03-18 06:49 56,168 ----a-w C:\Program Files\Vogeb___.ttf
1996-10-23 03:14 66,536 ----a-w C:\Program Files\Presws__.ttf
1996-05-28 17:58 71,052 ----a-w C:\Program Files\Varsity_.ttf
1996-05-06 20:53 65,156 ----a-w C:\Program Files\Willow__.ttf
1996-05-06 20:51 59,004 ----a-w C:\Program Files\Zelda___.ttf
1996-05-06 20:50 47,976 ----a-w C:\Program Files\Zeldi___.ttf
1996-05-06 20:48 49,224 ----a-w C:\Program Files\Tabitha_.ttf
1996-05-06 20:47 48,596 ----a-w C:\Program Files\Treasure.ttf
1996-05-06 20:46 44,236 ----a-w C:\Program Files\Valiant_.ttf
1996-05-06 20:42 51,700 ----a-w C:\Program Files\Vogue___.ttf
1996-05-06 20:41 69,112 ----a-w C:\Program Files\Quill___.ttf
1996-05-06 20:40 102,428 ----a-w C:\Program Files\Rockston.ttf
1996-05-06 20:39 68,968 ----a-w C:\Program Files\Stars___.ttf
1996-05-06 20:39 50,212 ----a-w C:\Program Files\Saloon__.ttf
1996-05-06 20:37 48,500 ----a-w C:\Program Files\Submarin.ttf
1996-05-06 20:36 53,696 ----a-w C:\Program Files\Janis___.ttf
1996-05-06 20:35 60,404 ----a-w C:\Program Files\Papep___.ttf
1996-05-06 20:35 56,516 ----a-w C:\Program Files\Julius__.ttf
1996-05-06 20:34 74,672 ----a-w C:\Program Files\Papercli.ttf
1996-05-06 20:33 81,424 ----a-w C:\Program Files\Partridg.ttf
1996-05-06 20:31 63,540 ----a-w C:\Program Files\Crate___.ttf
1996-05-06 20:30 81,708 ----a-w C:\Program Files\Emeri___.ttf
2006-12-14 14:04 56 --sh--r C:\WINDOWS\SYSTEM32\876B465C25.sys
2007-05-27 17:49 1,890 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-27_23.33.47.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-28 05:20:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-29 00:09:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-28 15:17:58 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_500.dat
+ 2008-06-29 00:10:27 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_7b0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"PlaxoUpdate"="C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe" [2004-12-03 16:20 116736]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49 4662776]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 10:50 20992 C:\WINDOWS\LOGI_MWX.EXE]
"Motive SmartBridge"="C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe" [2006-10-19 20:53 393216]
"APL"="C:\Program Files\ACT\ACT for Win 7\APL.exe" [2005-05-24 14:42 20480]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 12:41 196608]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 06:07 69632]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-06-03 16:52 1817600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 02:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
HPAiODevice(hp officejet g series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 17:15:00 151552]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 04:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 17:20]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-06-03 16:52]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 17:16]
R2 MSSQL$ACT7;MSSQL$ACT7;C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe [2003-05-31 19:02]
S3 ATE_PROCMON;ATE_PROCMON;C:\Program Files\Anti Trojan Elite\ATEPMon.sys []
S3 DrvFltIp;DrvFltIp;C:\Program Files\MRBDG\DrvFltIp.sys []
S3 SQLAgent$ACT7;SQLAgent$ACT7;C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE [2002-12-17 17:23]
S3 UsbFltr;WayTech USB Filter Driver;C:\WINDOWS\system32\Drivers\UsbFltr.sys [2004-05-13 17:14]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 00:01]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-28 16:00:00 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
"2008-06-27 13:00:00 C:\WINDOWS\Tasks\SpyHunter Scanner.job"
- C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
"2008-06-29 00:10:13 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-06-28 09:00:02 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-28 18:13:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\SYSTEM32\DRIVERS\dcfssvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
.
**************************************************************************
.
Completion time: 2008-06-28 18:23:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-29 00:23:32
ComboFix2.txt 2008-06-28 05:34:57

Pre-Run: 47,182,835,712 bytes free
Post-Run: 47,286,136,832 bytes free

308 --- E O F --- 2008-06-28 00:33:59
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Posted for godivarides

Unread postby dan12 » July 1st, 2008, 3:30 pm

Hi, godivarides,
Can I ask, did you have AVG at some point? I can see a few leftovers, which we can deal with.
Have you any improvement yet?


Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Jotti

Please visit Jotti
Copy/paste the following file path into the window
C:\WINDOWS\SYSTEM32\876B465C25.sys
Click Submit/Send File
Please post back, to let me know the results.


If Jotti is too busy please try Virustotal


Malwarebytes' Anti-Malware:

Please download Malwarebytes' Anti-Malware to your desktop.


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
Update Malwarebytes' Anti-Malware
and Launch Malwarebytes' Anti-Malware
then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply

If you accidentally close it, the log file is saved here and will be named like this:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Let me see malwarebytes report
Jotti's report
Fresh HJT log

Re: Posted for godivarides

Unread postby dan12 » July 1st, 2008, 3:32 pm

Hi Dan

I trust those last Combo reports were ok. I've run the 3 reports in the order you indicated. FYI, I did not close off Zonealarm, or any of the AV, AS programmes - not sure if this was to be done. That malware scanner found all the viruses Trojan.Vundo etc. Once we have this cleaned out, could you recommend which AV, AS programmes I should run and which software I should run as a maintenance?

Yes, I used AVG, for many years and upgrades, then they stopped upgrading the home use and recently with the problems found it didn't work, so I deleted it (through control panel) ... yet, there are still many avg... files I try to delete, as I find them.

In addition, I also tried: ASquared, Anti-Trojan Elite, Avira, Bazooka, Spyhunter, Spybot (a love/hate relationship with this over the years)

A massive positive change from 1st run of Super Anti-spyware! I realized that was a start, as I understand these viruses et al can permutate into many different forms evading detection. With the changes you've advised and running SuperAG (2 x more) there definitely is a difference and major improvement.

Ok, so here goes ...

Thanks!




JOTTI's Report:

Service load: 0% 100%

File: 876B465C25.sys_
Status: OK
MD5: 1f96195ee74a3104eb888c86c89936fb
Packers detected: -

Scanner results
Scan taken on 29 Jun 2008 16:03:15 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing



Malwarebytes' Anti-Malware 1.19
Database version: 902
Windows 5.1.2600 Service Pack 2

11:41:51 AM 29/06/2008
mbam-log-6-29-2008 (11-41-51).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 176499
Time elapsed: 1 hour(s), 22 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{C4D0800E-F7A2-461F-A0B5-9BC64FEA41E2}\RP947\A0360684.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C4D0800E-F7A2-461F-A0B5-9BC64FEA41E2}\RP953\A0361861.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C4D0800E-F7A2-461F-A0B5-9BC64FEA41E2}\RP953\A0362860.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
*******************************************************************************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:17 AM, on 29/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.telus.net/set_region.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.telus.net/set_region.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [APL] "C:\Program Files\ACT\ACT for Win 7\APL.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4D054067-DE3A-48F9-B19B-BCD229B9AE8D} (PrinterHelpEtcActiveX Control) - http://dev.imagingworld.co.kr/printerhe ... rinter.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/ins ... csxp2k.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v ... b34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F7A11C3-E76A-4E31-8BC2-D85744CF4B8F}: NameServer = 75.154.132.68,75.154.132.100
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

--
End of file - 8247 bytes
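The Malwarebytes log above lists eleven hits, but the distinction that matters for the next step is where each file lives: three of the four Trojan.Vundo files sit under C:\System Volume Information\_restore{...}\RP..., that is, inside System Restore snapshots, where they are inert unless that restore point is ever rolled back to (which is why a helper normally has the user flush old restore points once the machine is declared clean), while clkcnt.txt was a live file in SYSTEM32. The following is an added example, not code from the original post or from Malwarebytes: it parses the log's "item (Family) -> action." lines, checks the per-section counts in the header against the entries actually listed (a mismatch means a truncated paste), and separates restore-point copies from live files. The sample log is a condensed copy of the one posted above.

```python
"""Summarise the detection lines of a Malwarebytes' Anti-Malware (MBAM) log.

Added example for this thread; it is not part of Malwarebytes or of the
original post.  It parses each "item (Family) -> action." line, checks the
per-section counts in the log header against the listed entries, and
separates hits inside System Restore snapshots from live files.
"""
import re
from collections import Counter

# "Files Infected: 4" (header count) or "Files Infected:" (listing header)
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):(?: (?P<count>\d+))?$")
# "C:\path\file.dll (Trojan.Vundo) -> Quarantined and deleted successfully."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
# Copies archived by System Restore: ...\_restore{GUID}\RP<n>\A<digits>.ext
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.I)


def parse_mbam_log(text):
    """Return (declared_counts, findings) for the text of an MBAM log."""
    declared, findings, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is not None:
                declared[m.group("name")] = int(m.group("count"))
            else:
                section = m.group("name")  # the listing for this section starts
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = DETECTION_RE.match(line)
        if m:
            findings.append({
                "section": section,
                "item": m.group("item"),
                "family": m.group("family"),
                "action": m.group("action"),
                "restore_point": bool(RESTORE_POINT_RE.search(m.group("item"))),
            })
    return declared, findings


def check_counts(declared, findings):
    """Sections whose header count differs from the number of entries listed.

    Returns {section: (declared, listed)}; empty when the log is
    self-consistent.  A mismatch usually means the paste was truncated.
    """
    listed = Counter(f["section"] for f in findings)
    return {name: (n, listed.get(name, 0))
            for name, n in declared.items() if n != listed.get(name, 0)}


def summarize_mbam(findings):
    """Per-family counts, number of restore-point copies, and the live files."""
    return {
        "by_family": dict(Counter(f["family"] for f in findings)),
        "restore_point_copies": sum(f["restore_point"] for f in findings),
        "live_files": [f["item"] for f in findings
                       if f["section"] == "Files Infected" and not f["restore_point"]],
    }


# Condensed copy of the log posted above (sample input for this example).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.19
Database version: 902

Registry Keys Infected: 7
Registry Values Infected: 0
Files Infected: 4

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{C4D0800E-F7A2-461F-A0B5-9BC64FEA41E2}\RP947\A0360684.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C4D0800E-F7A2-461F-A0B5-9BC64FEA41E2}\RP953\A0361861.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C4D0800E-F7A2-461F-A0B5-9BC64FEA41E2}\RP953\A0362860.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    declared, findings = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", check_counts(declared, findings) or "none")
    print(summarize_mbam(findings))
```

Run against the sample, the count check passes and the summary reports three restore-point copies and one live file. The count check is worth keeping even for a log you trust: forum pastes get truncated, and a "Files Infected: 4" header with only three entries under it is the first sign that a hit is missing from what you are reading.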

Re: Posted for godivarides

Unread postby dan12 » July 1st, 2008, 3:36 pm

Hi, godivarides, pleased things are improving. Are you able to get on the net OK? Have you tried the forum to gain access?

From this list, can you tell me which you don't have anymore, so I can try and clean up the leftovers:

C:\WINDOWS\Tasks\Spybot - Search & Destroy
C:\WINDOWS\Tasks\SpyHunter
C:\Program Files\XoftSpySE\XoftSpy << I can see this in the Add/Remove list, so we can assume it is still active!
Let me know about the other two.
In my last post when I'm happy I will give you some advice for maintenance.

==========================


Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = <http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html>

WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit

________________


1. Close any open browsers.

2. Open notepad and copy/paste the text into it:



Folder::
C:\Documents and Settings\All Users\Application Data\Avg8
C:\Program Files\Anti Trojan Elite

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]

Driver::
ATE_PROCMON



Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it is running. That may cause it to stall.

____________________



Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

Please go to Eset website to perform an online scan. Please use Internet Explorer as it uses ActiveX.


Check (tick) this box: YES, I accept the Terms of Use.

Click on the Start button next to it.

When prompted to run ActiveX, click Yes.

You will be asked to install an ActiveX control. Click Install.

Once installed, the scanner will be initialized.

After the scanner is initialized, click Start.

Uncheck (untick) Remove found threats box.

Check (tick) Scan unwanted applications.

Click on Scan.

It will start scanning. Please be patient.

Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt. Please post this log in your next reply.

Please let me have the ComboFix report and the ESET online scan log.txt,
plus a HJT log.
Regards, dan
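The HijackThis log posted earlier, and the single R1 line dan12 picks out above for Fix Checked, show the first pass a helper does by eye: browser defaults that point somewhere other than the vendor or the user's ISP, entries whose target is (file missing), ActiveX controls pulled from unfamiliar hosts, autostart binaries given as a bare filename or living outside Program Files and Windows, and DNS overrides that can only be confirmed against the ISP. As an added example, not part of HijackThis, ComboFix or this thread, here is that first pass in Python. The allow-lists of trusted hosts are assumptions made for the example, and the sample lines are modelled on the posted log, with one made-up example.exe entry to exercise the outside-Program-Files rule.

```python
"""Triage a HijackThis (HJT) log by the checks a helper applies first.

Added example for this thread; not part of HijackThis or the original
posts.  The allow-lists and the sample lines are assumptions for the
example, modelled on the log posted in the thread.
"""
import re
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
SYSTEM_DIR_RE = re.compile(r"^[A-Z]:\\(WINDOWS|PROGRA~1|Program Files)\\", re.I)

# Allow-lists (assumption): vendor defaults plus the user's ISP home page.
TRUSTED_URL_HOSTS = {"go.microsoft.com", "www.telus.net"}
TRUSTED_DPF_HOSTS = {"security.symantec.com", "fpdownload2.macromedia.com",
                     "cdn2.zone.msn.com", "h30155.www3.hp.com"}

MISSING = "target file missing (orphaned entry)"
UNQUALIFIED = "bare filename, resolved via search path"
OUTSIDE = "binary outside Program Files / Windows"
BROWSER_DEFAULT = "browser default points at an unexpected host"
DPF_HOST = "ActiveX control fetched from an unexpected host"
DNS_CHECK = "NameServer override; verify resolvers belong to the ISP"


def host_of(url):
    """Hostname of an http(s) URL, or None for local paths and junk."""
    if not url.lower().startswith(("http://", "https://")):
        return None
    return urlparse(url).hostname


def binary_target(kind, body):
    """Extract the executable path from an O4 or O23 entry body."""
    if kind == "O23":
        target = body.rsplit(" - ", 1)[1]
    elif "] " in body:                      # O4 - HKLM\..\Run: [name] path args
        target = body.split("] ", 1)[1]
    elif " = " in body:                     # O4 - Global Startup: x.lnk = path
        target = body.split(" = ", 1)[1]
    else:
        return None
    if target.startswith('"'):
        return target[1:].split('"', 1)[0]
    # Unquoted: drop " -args" and HJT's trailing "(User '...')" annotation.
    return re.split(r" -(?=\w)| \(User ", target)[0]


def triage(lines):
    """Return (kind, reason, line) findings for the lines of an HJT log."""
    findings = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue                        # process list, headers, blanks
        kind, body = m.group("kind"), m.group("body")
        if "(file missing)" in body:
            findings.append((kind, MISSING, line))
        elif kind in ("R0", "R1"):
            host = host_of(body.rsplit(" = ", 1)[-1])
            if host and host not in TRUSTED_URL_HOSTS:
                findings.append((kind, BROWSER_DEFAULT, line))
        elif kind == "O16":
            host = host_of(body.rsplit(" - ", 1)[-1])
            if host and host not in TRUSTED_DPF_HOSTS:
                findings.append((kind, DPF_HOST, line))
        elif kind in ("O4", "O23"):
            target = binary_target(kind, body)
            if target is None:
                continue
            if "\\" not in target:
                findings.append((kind, UNQUALIFIED, line))
            elif not SYSTEM_DIR_RE.match(target):
                findings.append((kind, OUTSIDE, line))
        elif kind == "O17" and "NameServer" in body:
            findings.append((kind, DNS_CHECK, line))
    return findings


def summarize(findings):
    """Count findings per reason."""
    counts = {}
    for _, reason, _ in findings:
        counts[reason] = counts.get(reason, 0) + 1
    return counts


# Constructed sample modelled on the posted log; the example.exe line is
# made up so the outside-Program-Files rule has something to fire on.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.telus.net/set_region.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKCU\..\Run: [Example] C:\Documents and Settings\User\Application Data\example.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F7A11C3-E76A-4E31-8BC2-D85744CF4B8F}: NameServer = 75.154.132.68,75.154.132.100
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
"""

if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG.splitlines()):
        print(f"[{kind}] {reason}\n    {line.strip()}")
```

A flagged line is a prompt to look, not a verdict. The Yahoo search-bar entry is unwanted rather than malicious, and the bare Logi_MwX.Exe is resolved to C:\WINDOWS\LOGI_MWX.EXE in the ComboFix log above; but a Run value with no path is resolved by the loader's search order at every boot, which is exactly what a planted same-name executable exploits, so it is worth confirming what actually runs. The O17 resolvers can only be checked against what the ISP publishes, which is why the script reports them rather than judging them.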

Re: Posted for godivarides

Unread postby dan12 » July 1st, 2008, 3:37 pm

Hi Dan

Truly, I am indebted to you and Pinney for all your time, advice, guidance and advisements on what to do and how.

I just rebooted and everything loaded pretty quickly, not to state it is all corrected :-) but on its way! In respect of reporting on the forum, let me know how you would like to see it entered; you've invested so much time already in addressing these viruses, which each new scanner seems to find! Persistent is an understatement!

Re: Posted for godivarides

Unread postby dan12 » July 1st, 2008, 3:38 pm

Hi, godivarides, I need to see the ComboFix report and the ESET online scan report, not another Malwarebytes report. Just because we have improvement doesn't mean we're finished yet.
Getting close though.
As I asked have you tried visiting the malware forum you were unable to before?
dan

Re: Posted for godivarides

Unread postby dan12 » July 1st, 2008, 3:39 pm

Hi Dan

Sorry, it was late when I sent the email last night and I completely missed your instructions!!

Today, the ESET scan was stopped mid-scan (my fault!), with a time lag before I realized and then restarted; it took over 3 hours to complete!

I scanned with HJT and found the red.client line you stated to eliminate if present. Done. Ran this 1st, then ComboFix, ESET, and then again after the ESET scan.

I copied the last CFScript file into ComboFix and ran that report; it follows. Strange thing, when it rebooted, only the log file was open and the notes I had made into this reply were lost.

I haven't logged into Malware forum yet - Pinney sent me the link. How would you like me to update this file - go email by email with its respective reports? Please advise on how to handle this.

I have checked your email and trust I have addressed your instructions. Please note, since the scans, I haven't rebooted nor did I close off the AV programs while it was running through the scans - perhaps this is why it took so long?

godivarides

*************************************************************************************************
Scan #1
ComboFix 08-06-20.4 - Sandra Miller 2008-06-30 9:52:48.4 - NTFSx86
Running from: C:\Documents and Settings\Sandra Miller\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sandra Miller\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Avg8

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ATE_PROCMON
-------\Service_ATE_PROCMON


((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-30 )))))))))))))))))))))))))))))))
.

2008-06-29 10:11 . 2008-06-29 10:11 <DIR> d-------- C:\Documents and Settings\Sandra Miller\Application Data\Malwarebytes
2008-06-29 10:11 . 2008-06-28 14:16 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-06-29 10:10 . 2008-06-29 10:11 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-29 10:10 . 2008-06-29 10:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-29 10:10 . 2008-06-28 14:16 34,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-06-27 20:02 . 2002-08-29 06:00 132,608 --a------ C:\WINDOWS\SYSTEM32\fxsclntR.dll
2008-06-27 20:02 . 2002-08-29 06:00 132,608 --a------ C:\WINDOWS\SYSTEM32\dllcache\fxsclntr.dll
2008-06-27 20:01 . 2002-08-29 06:00 111,104 --a------ C:\WINDOWS\SYSTEM32\fxscfgwz.dll
2008-06-27 20:01 . 2002-08-29 06:00 111,104 --a------ C:\WINDOWS\SYSTEM32\dllcache\fxscfgwz.dll
2008-06-27 16:08 . 2008-06-27 16:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-27 16:01 . 2008-06-27 16:02 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-27 16:01 . 2008-06-27 16:01 <DIR> d-------- C:\Documents and Settings\Sandra Miller\Application Data\SUPERAntiSpyware.com
2008-06-27 10:49 . 2008-06-27 10:49 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-06-25 15:19 . 2008-06-25 15:19 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-06-25 15:16 . 2008-06-25 15:16 <DIR> d-------- C:\Program Files\Common Files\L&H
2008-06-25 11:34 . 2008-06-25 11:34 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-25 11:32 . 2008-06-27 15:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-24 14:25 . 2008-06-24 14:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-23 23:08 . 2008-06-23 23:08 511 --a------ C:\WINDOWS\Canada
2008-06-23 19:42 . 2008-06-23 19:42 95 --a------ C:\WINDOWS\wininit.ini
2008-06-22 17:24 . 2004-11-13 13:37 6,301,096 --a------ C:\Program Files\Zuma Deluxe.exe
2008-06-11 01:16 . 2008-06-13 07:10 272,128 --------- C:\WINDOWS\SYSTEM32\dllcache\bthport.sys
2008-06-04 17:44 . 2008-06-04 17:50 <DIR> d-------- C:\Program Files\Winamp
2008-06-04 17:44 . 2008-06-04 18:13 <DIR> d-------- C:\Documents and Settings\Sandra Miller\Application Data\Winamp
2008-06-03 17:02 . 2008-06-30 02:00 <DIR> d-------- C:\Program Files\WinClamAVShield
2008-06-03 16:52 . 2008-06-30 02:00 <DIR> d-------- C:\Documents and Settings\Sandra Miller\Application Data\Spyware Terminator
2008-06-03 16:52 . 2008-06-30 09:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-06-03 16:52 . 2008-06-03 16:52 141,312 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sp_rsdrv2.sys
2008-06-03 16:51 . 2008-06-30 09:17 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-06-03 12:33 . 2008-06-28 00:09 <DIR> d-------- C:\Program Files\XoftSpySE
2008-06-02 21:29 . 2008-06-02 21:29 181 --a------ C:\WINDOWS\ACTPR.INI
2008-05-25 17:17 . 2008-05-25 17:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-25 15:59 . 2008-06-05 14:16 <DIR> d-------- C:\Program Files\Safer Networking
2008-05-18 13:52 . 2008-05-18 13:52 <DIR> d-------- C:\Program Files\Alwil Software
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\SYSTEM32\lsdelete.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-30 16:21 149,413,920 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-30 16:19 --------- d-----w C:\Program Files\Plaxo
2008-06-30 16:02 1,751,948 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-28 23:42 --------- d-----w C:\Documents and Settings\Sandra Miller\Application Data\uTorrent
2008-06-27 21:12 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-06-25 17:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-24 19:05 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-24 19:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-05 20:24 --------- d-----w C:\Documents and Settings\Sandra Miller\Application Data\SpinTop
2008-06-04 01:00 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-03 03:34 --------- d-----w C:\Program Files\ACT
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-29 17:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 17:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 17:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-03-14 05:11 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2000-11-01 22:51 271 --sha-w C:\Program Files\desktop.ini
2000-08-16 00:25 257,636 ----a-w C:\Program Files\TBM313.TMP
2000-08-16 00:25 252,384 ----a-w C:\Program Files\TBM315.TMP
1998-12-11 10:05 74,336 ----a-w C:\Program Files\casmira_.TTF
1998-12-02 16:33 10,212 ----a-w C:\Program Files\MSCAPE_0.TTF
1998-12-02 16:33 10,212 ----a-w C:\Program Files\MSCAPE.TTF
1998-11-12 14:18 155,528 ----a-w C:\Program Files\BKANT.TTF
1998-11-12 14:18 151,000 ----a-w C:\Program Files\ANTQUAB.TTF
1998-11-12 14:18 150,416 ----a-w C:\Program Files\ANTQUABI.TTF
1998-11-12 14:18 149,092 ----a-w C:\Program Files\ANTQUAI.TTF
1998-11-10 20:52 157,360 ----a-w C:\Program Files\MTCORSVA.TTF
1998-11-04 23:30 162,460 ----a-w C:\Program Files\BOOKOSBI.TTF
1998-11-04 23:30 160,940 ----a-w C:\Program Files\BOOKOS.TTF
1998-11-04 23:30 160,920 ----a-w C:\Program Files\BOOKOSI.TTF
1998-11-04 23:30 154,576 ----a-w C:\Program Files\BOOKOSB.TTF
1998-07-30 04:31 58,088 ----a-w C:\Program Files\Trendy__.TTF
1998-07-30 04:30 51,668 ----a-w C:\Program Files\Radagund.TTF
1998-07-30 04:30 48,508 ----a-w C:\Program Files\Openc___.TTF
1998-07-30 04:29 60,156 ----a-w C:\Program Files\Microdot.TTF
1998-07-30 04:28 54,540 ----a-w C:\Program Files\Mandela_.TTF
1998-07-30 04:28 38,944 ----a-w C:\Program Files\Realv___.TTF
1998-07-30 04:27 52,336 ----a-w C:\Program Files\Shelman_.TTF
1998-07-30 04:26 57,976 ----a-w C:\Program Files\Natur___.TTF
1998-07-30 04:25 64,916 ----a-w C:\Program Files\Pretext_.TTF
1998-07-30 04:25 44,876 ----a-w C:\Program Files\Puppy___.TTF
1998-07-30 04:24 46,212 ----a-w C:\Program Files\Neolith_.TTF
1998-07-30 04:23 61,272 ----a-w C:\Program Files\Matte___.TTF
1998-07-30 04:21 49,960 ----a-w C:\Program Files\Genuine_.TTF
1998-07-30 04:20 63,596 ----a-w C:\Program Files\Alibi___.TTF
1998-07-30 04:18 72,060 ----a-w C:\Program Files\Ellis___.TTF
1998-07-30 04:17 77,384 ----a-w C:\Program Files\Herman__.TTF
1998-07-30 04:17 58,116 ----a-w C:\Program Files\Excess__.TTF
1998-07-30 04:16 104,864 ----a-w C:\Program Files\Isabelle.TTF
1998-07-30 04:15 65,852 ----a-w C:\Program Files\Joan____.TTF
1998-07-30 04:14 63,124 ----a-w C:\Program Files\Helte___.TTF
1998-07-30 04:13 37,180 ----a-w C:\Program Files\Elegance.TTF
1998-07-30 04:10 45,268 ----a-w C:\Program Files\Batavia_.TTF
1998-07-30 04:08 71,068 ----a-w C:\Program Files\Justice_.TTF
1998-07-30 04:02 47,688 ----a-w C:\Program Files\Absalom_.TTF
1998-05-28 21:38 141,328 ----a-w C:\Program Files\ARIALNI.TTF
1998-05-28 21:38 139,056 ----a-w C:\Program Files\ARIALNB.TTF
1998-05-28 21:38 138,468 ----a-w C:\Program Files\ARIALNBI.TTF
1998-05-28 21:38 134,188 ----a-w C:\Program Files\ARIALN.TTF
1998-05-21 19:30 198,540 ----a-w C:\Program Files\GARABD.TTF
1998-05-21 19:30 196,588 ----a-w C:\Program Files\GARA.TTF
1998-05-21 19:30 188,916 ----a-w C:\Program Files\GARAIT.TTF
1998-01-08 23:26 10,028 ----a-w C:\Program Files\OUTLOOK.TTF
1997-10-24 22:42 65,544 ----a-w C:\Program Files\ARBLI___.TTF
1997-03-18 06:49 69,408 ----a-w C:\Program Files\Elepbi__.ttf
1997-03-18 06:49 69,132 ----a-w C:\Program Files\Jolti___.ttf
1997-03-18 06:49 66,652 ----a-w C:\Program Files\Elepi___.ttf
1997-03-18 06:49 65,692 ----a-w C:\Program Files\Vogei___.ttf
1997-03-18 06:49 64,180 ----a-w C:\Program Files\Elepb___.ttf
1997-03-18 06:49 63,908 ----a-w C:\Program Files\Joltn___.ttf
1997-03-18 06:49 63,496 ----a-w C:\Program Files\Joltbi__.ttf
1997-03-18 06:49 61,408 ----a-w C:\Program Files\Vogebi__.ttf
1997-03-18 06:49 60,296 ----a-w C:\Program Files\Joltb___.ttf
1997-03-18 06:49 60,008 ----a-w C:\Program Files\Elepn___.ttf
1997-03-18 06:49 57,556 ----a-w C:\Program Files\Vogen___.ttf
1997-03-18 06:49 56,168 ----a-w C:\Program Files\Vogeb___.ttf
1996-10-23 03:14 66,536 ----a-w C:\Program Files\Presws__.ttf
1996-05-28 17:58 71,052 ----a-w C:\Program Files\Varsity_.ttf
1996-05-06 20:53 65,156 ----a-w C:\Program Files\Willow__.ttf
1996-05-06 20:51 59,004 ----a-w C:\Program Files\Zelda___.ttf
1996-05-06 20:50 47,976 ----a-w C:\Program Files\Zeldi___.ttf
1996-05-06 20:48 49,224 ----a-w C:\Program Files\Tabitha_.ttf
1996-05-06 20:47 48,596 ----a-w C:\Program Files\Treasure.ttf
1996-05-06 20:46 44,236 ----a-w C:\Program Files\Valiant_.ttf
1996-05-06 20:42 51,700 ----a-w C:\Program Files\Vogue___.ttf
1996-05-06 20:41 69,112 ----a-w C:\Program Files\Quill___.ttf
1996-05-06 20:40 102,428 ----a-w C:\Program Files\Rockston.ttf
1996-05-06 20:39 68,968 ----a-w C:\Program Files\Stars___.ttf
1996-05-06 20:39 50,212 ----a-w C:\Program Files\Saloon__.ttf
1996-05-06 20:37 48,500 ----a-w C:\Program Files\Submarin.ttf
1996-05-06 20:36 53,696 ----a-w C:\Program Files\Janis___.ttf
1996-05-06 20:35 60,404 ----a-w C:\Program Files\Papep___.ttf
1996-05-06 20:35 56,516 ----a-w C:\Program Files\Julius__.ttf
1996-05-06 20:34 74,672 ----a-w C:\Program Files\Papercli.ttf
1996-05-06 20:33 81,424 ----a-w C:\Program Files\Partridg.ttf
1996-05-06 20:31 63,540 ----a-w C:\Program Files\Crate___.ttf
1996-05-06 20:30 81,708 ----a-w C:\Program Files\Emeri___.ttf
1996-05-06 20:30 71,444 ----a-w C:\Program Files\Diner___.ttf
1996-05-06 20:29 52,944 ----a-w C:\Program Files\Executiv.ttf
2006-12-14 14:04 56 --sh--r C:\WINDOWS\SYSTEM32\876B465C25.sys
2007-05-27 17:49 1,890 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-27_23.33.47.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-28 05:20:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-30 16:02:49 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-06-25 21:40:30 2,560 ----a-r C:\WINDOWS\Installer\{90190409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2008-06-30 15:47:04 2,560 ----a-r C:\WINDOWS\Installer\{90190409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
- 2008-06-25 21:40:30 34,304 ----a-r C:\WINDOWS\Installer\{90190409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2008-06-30 15:47:04 34,304 ----a-r C:\WINDOWS\Installer\{90190409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2008-06-25 21:40:30 8,192 ----a-r C:\WINDOWS\Installer\{90190409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2008-06-30 15:47:04 8,192 ----a-r C:\WINDOWS\Installer\{90190409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2008-06-25 21:40:30 3,584 ----a-r C:\WINDOWS\Installer\{90190409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2008-06-30 15:47:04 3,584 ----a-r C:\WINDOWS\Installer\{90190409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2008-06-25 21:40:30 16,384 ----a-r C:\WINDOWS\Installer\{90190409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2008-06-30 15:47:03 16,384 ----a-r C:\WINDOWS\Installer\{90190409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2008-06-25 21:40:29 12,800 ----a-r C:\WINDOWS\Installer\{90190409-6000-11D3-8CFE-0050048383C9}\pubs.exe
+ 2008-06-30 15:47:03 12,800 ----a-r C:\WINDOWS\Installer\{90190409-6000-11D3-8CFE-0050048383C9}\pubs.exe
- 2008-06-26 03:24:50 167,936 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
+ 2008-06-30 15:44:24 167,936 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
- 2008-06-26 03:24:50 2,560 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2008-06-30 15:44:24 2,560 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
- 2008-06-26 03:24:50 81,920 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
+ 2008-06-30 15:44:24 81,920 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
- 2008-06-26 03:24:49 34,304 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2008-06-30 15:44:24 34,304 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2008-06-26 03:24:50 8,192 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2008-06-30 15:44:24 8,192 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2008-06-26 03:24:50 3,584 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2008-06-30 15:44:25 3,584 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2008-06-26 03:24:50 114,688 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2008-06-30 15:44:25 114,688 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
- 2008-06-26 03:24:50 16,384 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2008-06-30 15:44:24 16,384 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2008-06-26 03:24:50 30,720 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
+ 2008-06-30 15:44:24 30,720 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
- 2008-06-26 03:24:50 22,528 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2008-06-30 15:44:25 22,528 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2008-06-26 03:24:49 45,056 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2008-06-30 15:44:24 45,056 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2008-06-26 03:24:49 90,112 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2008-06-30 15:44:23 90,112 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
- 2008-04-24 03:46:35 1,632 ----a-w C:\WINDOWS\SYSTEM32\d3d8caps.dat
+ 2008-06-30 15:58:37 1,632 ----a-w C:\WINDOWS\SYSTEM32\d3d8caps.dat
- 1999-10-18 04:01:42 1,129,232 ----a-w C:\WINDOWS\SYSTEM32\FM20.DLL
+ 2003-09-25 18:07:00 1,139,472 ----a-w C:\WINDOWS\SYSTEM32\FM20.DLL
- 1999-10-18 04:01:16 26,384 ----a-w C:\WINDOWS\SYSTEM32\FM20ENU.DLL
+ 2003-08-18 20:26:32 25,872 ----a-w C:\WINDOWS\SYSTEM32\FM20ENU.DLL
+ 2008-06-30 16:03:09 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_518.dat
+ 2008-06-30 16:03:25 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_6a0.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"PlaxoUpdate"="C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe" [2004-12-03 16:20 116736]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49 4662776]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 10:50 20992 C:\WINDOWS\LOGI_MWX.EXE]
"Motive SmartBridge"="C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe" [2006-10-19 20:53 393216]
"APL"="C:\Program Files\ACT\ACT for Win 7\APL.exe" [2005-05-24 14:42 20480]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 12:41 196608]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 06:07 69632]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-06-03 16:52 1817600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 02:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
HPAiODevice(hp officejet g series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 17:15:00 151552]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 04:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 17:20]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-06-03 16:52]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 17:16]
R2 MSSQL$ACT7;MSSQL$ACT7;C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe [2003-05-31 19:02]
S3 DrvFltIp;DrvFltIp;C:\Program Files\MRBDG\DrvFltIp.sys []
S3 SQLAgent$ACT7;SQLAgent$ACT7;C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE [2002-12-17 17:23]
S3 UsbFltr;WayTech USB Filter Driver;C:\WINDOWS\system32\Drivers\UsbFltr.sys [2004-05-13 17:14]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 00:01]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-30 16:00:01 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
"2008-06-30 13:00:00 C:\WINDOWS\Tasks\SpyHunter Scanner.job"
- C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
"2008-06-30 16:18:37 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-06-28 09:00:02 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 10:19:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\SYSTEM32\DRIVERS\dcfssvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\SYSTEM32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-06-30 10:27:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-30 16:27:21
ComboFix2.txt 2008-06-29 00:47:09
ComboFix3.txt 2008-06-29 00:24:02
ComboFix4.txt 2008-06-28 05:34:57

Pre-Run: 46,898,446,336 bytes free
Post-Run: 46,891,630,592 bytes free

304 --- E O F --- 2008-06-30 15:47:23

**********************************************************************************************


Eset Log - scan #2

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3228 (20080630)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=e2d589de78f9a64489b0e8fe95f5350c
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-06-30 09:24:34
# local_time=2008-06-30 03:24:34 (-0700, Mountain Daylight Time)
# country="Canada"
# osver=5.1.2600 NT Service Pack 2
# scanned=507971
# found=2
# scan_time=11478
C:\downloads\WinZip 11 [Working] Keygen.zip probably unknown NewHeur_PE virus (deleted) 00000000000000000000000000000000
C:\downloads\WinZip 11 [Working] Keygen.zip »ZIP »WinZip Keygens/WinZip 11.1 Keygen.exe probably unknown NewHeur_PE virus (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000


*************************************************************************************************
Scan #3 HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:43:43 PM, on 30/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.telus.net/set_region.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.telus.net/set_region.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [APL] "C:\Program Files\ACT\ACT for Win 7\APL.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4D054067-DE3A-48F9-B19B-BCD229B9AE8D} (PrinterHelpEtcActiveX Control) - http://dev.imagingworld.co.kr/printerhe ... rinter.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/ins ... csxp2k.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v ... b34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F7A11C3-E76A-4E31-8BC2-D85744CF4B8F}: NameServer = 75.154.132.68,75.154.132.100
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

--
End of file - 8115 bytes
dan12
MRU Honors Grad Emeritus
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Posted for godivarides

Unread postby dan12 » July 1st, 2008, 3:40 pm

Hi, godivarides, I appreciate the time zones; we pass each other in the night, so to speak. It's late here now, so I will look over your returned logs tomorrow and see what's what, as my bed is calling. Don't worry about the thread for the time being; I have your mails and I can always put the posts into the thread. Then maybe you can see if you're able to post when I have updated the thread.
dan :)

Re: Posted for godivarides

Unread postby dan12 » July 1st, 2008, 3:41 pm

Hi Dan

Truly, I am indebted to you and Pinney for all your time, advice, guidance and advisements on what to do and how.

I just rebooted and everything loaded pretty quickly, not to state it is all corrected :-) but on its way! In respect of reporting on the forum, let me know how you would like to see it entered; you've invested so much time already in addressing these viruses, which each new scanner seems to find! Persistent is an understatement!

Re: Posted for godivarides

Unread postby dan12 » July 1st, 2008, 3:43 pm

Can you delete this folder:

Right click Start; in the drop-down menu click "Explore". Then navigate to each file\folder in the left-hand pane, which will reveal its content in the right-hand pane; highlight the file or folder, right click and Delete, if present:

C:\downloads\WinZip 11 [Working] Keygen.zip
You can fix this line as it doesn't need to run at start-up; you can do it manually when you need to.

Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present)

O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
WITH ALL OTHER WINDOWS CLOSED, click on Fix Checked and exit.


You may have some files missing from this program "ACT"; if you use this program, uninstall and reinstall it via Add and Remove Programs.

Let me know how things are now; we're coming to the end, as your log is looking pretty good.
I will update the thread on the forum, then you can post once I've updated, and I can give you some recommendations in my final post.
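dan12's post above asks for one HijackThis entry to be fixed and then a fresh log. The check a practitioner wants at that point is a diff of the two logs: did the fixed entry disappear, and did anything new turn up between scans? Below is an added example for this thread, not code from MalwareRemoval.com or from HijackThis: a small Python script that parses two HijackThis logs, reports the entries added or removed between them, and flags entries that point at a missing file or that start a bare filename from a Run key. The two log excerpts are constructed from the scans posted in this thread (30/06/2008 and 01/07/2008) and trimmed to a few lines; the function names and the "bare filename" heuristic are this example's own assumptions, not HijackThis features.

```python
"""Diff two HijackThis logs and flag entries worth a second look.

Added example for this thread, not a MalwareRemoval.com or HijackThis tool.
The log excerpts are constructed from the scans posted above and shortened.
"""
import re
from typing import Dict, List, Set, Tuple

# HijackThis entry lines look like "O4 - HKLM\..\Run: [Name] path" or
# "R0 - HKCU\...": a section code, " - ", then the entry text.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")

# Constructed excerpt of the 30/06/2008 log (scan #3 in the thread).
BEFORE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [APL] "C:\Program Files\ACT\ACT for Win 7\APL.exe"
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

# Constructed excerpt of the 01/07/2008 log, after the HPAiODevice fix.
AFTER_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [APL] "C:\Program Files\ACT\ACT for Win 7\APL.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""


def parse_hjt(text: str) -> Dict[str, List[str]]:
    """Return {section_code: [entry text, ...]} from a HijackThis log.

    The header and the 'Running processes' block do not match ENTRY_RE
    and are skipped; only numbered entries (R0, O2, O4, ...) are kept.
    """
    sections: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            sections.setdefault(m.group(1), []).append(m.group(2).strip())
    return sections


def entry_set(sections: Dict[str, List[str]]) -> Set[Tuple[str, str]]:
    """Flatten parsed sections into a set of (code, entry) pairs."""
    return {(code, e) for code, entries in sections.items() for e in entries}


def diff_logs(before: str, after: str) -> Tuple[Set[Tuple[str, str]], Set[Tuple[str, str]]]:
    """Return (added, removed) entries between two logs, ignoring order."""
    b, a = entry_set(parse_hjt(before)), entry_set(parse_hjt(after))
    return a - b, b - a


def flag_entries(sections: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Flag entries an analyst would look at first (assumed heuristics):

    - '(file missing)': a load point whose target no longer exists
    - an O4 Run value whose command has no drive letter, so Windows
      resolves the executable through the search path instead of an
      explicit location; legitimate software does this too (the Logitech
      entry in this thread), so it is a prompt to check, not a verdict
    """
    flagged: List[Tuple[str, str, str]] = []
    for code, entries in sections.items():
        for e in entries:
            if "(file missing)" in e:
                flagged.append((code, e, "target missing"))
            elif code == "O4" and "Run:" in e:
                target = e.split("] ", 1)[1] if "] " in e else ""
                if target and not re.match(r'^"?[A-Za-z]:\\', target):
                    flagged.append((code, e, "bare filename on Run key"))
    return flagged


if __name__ == "__main__":
    added, removed = diff_logs(BEFORE_LOG, AFTER_LOG)
    for code, e in sorted(removed):
        print("- %s - %s" % (code, e))
    for code, e in sorted(added):
        print("+ %s - %s" % (code, e))
    for code, e, why in flag_entries(parse_hjt(AFTER_LOG)):
        print("! [%s] %s - %s" % (why, code, e))
```

Run stand-alone, the script prints the removed HPAiODevice global-startup entry (confirming the Fix Checked took), the LTMSG Run value that appears only in the later scan, and the two flagged lines (the missing Adobe BHO target and the two Run values with bare filenames). The diff is on exact entry text, so a changed path or renamed value shows up as one removal plus one addition, which is what you want when reviewing a cleanup.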

Re: Posted for godivarides

Unread postby godivarides » July 1st, 2008, 8:03 pm

Dan and Piney

Thanks to both of you, I can finally log in; my system works, actually faster than ever! I realize we're nearing the end and there's some residual clean-up. So I'll await your review and instructions.

Sandra
godivarides
Regular Member
Posts: 29
Joined: June 24th, 2008, 5:34 pm

Re: Posted for godivarides

Unread postby dan12 » July 2nd, 2008, 2:58 am

I have posted this log as godivarides was so used to emailing me bless her. :)
Thanks for your returned log. :)
dan

=================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:42:33 PM, on 01/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.telus.net/set_region.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.telus.net/set_region.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [APL] "C:\Program Files\ACT\ACT for Win 7\APL.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4D054067-DE3A-48F9-B19B-BCD229B9AE8D} (PrinterHelpEtcActiveX Control) - http://dev.imagingworld.co.kr/printerhelp/introduction/DrPrinter.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F7A11C3-E76A-4E31-8BC2-D85744CF4B8F}: NameServer = 75.154.132.68,75.154.132.100
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
--
End of file - 7372 bytes
dan12
MRU Honors Grad Emeritus
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Posted for godivarides

Unread postby dan12 » July 2nd, 2008, 3:08 am

You can fix this line with HJT, as you don't need it to start at start-up; you can run it manually if you so wish.
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe

Let me know with regard to the program we mentioned which you no longer use, "ACT 2005". It might be a good idea to look through the Add/Remove Programs list for programs you recognise (those you downloaded) but no longer use, and clear them out.

dan :)
dan12
MRU Honors Grad Emeritus
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire
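As an added example (not part of this thread, and not HijackThis's own code), a small Python parser for the O2/O4 lines of a HijackThis log like the ones posted above: it pulls the hive, entry name and executable path out of each line and flags the two things a helper checks before fixing an entry, a target file that no longer exists and an 8.3 short path such as the Motive SmartBridge line. The sample lines are copied from the log in this thread; the function names are assumptions of this example.

```python
import re

# Constructed sample: lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

O4_RUN = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O4_STARTUP = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")
O2_BHO = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<cmd>.+)$")

def _strip_notes(field):
    field = re.sub(r"\s\(User '[^']*'\)$", "", field)   # drop HJT's per-user annotation
    return field.replace(" (file missing)", "")

def _exe_from_cmdline(cmd):
    """Run-key values are command lines: a quoted path, or a bare path followed by arguments."""
    cmd = _strip_notes(cmd)
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]   # bare paths in Run keys carry no spaces, so the first token is the exe

def parse_hjt(text):
    """Turn O2/O4 lines into records; other HJT sections are ignored by this example."""
    entries = []
    for line in text.strip().splitlines():
        for section, rx in (("O4", O4_RUN), ("O4", O4_STARTUP), ("O2", O2_BHO)):
            m = rx.match(line)
            if not m:
                continue
            d = m.groupdict()
            path = _exe_from_cmdline(d["cmd"]) if rx is O4_RUN else _strip_notes(d["cmd"])  # plain paths may have spaces
            entries.append({"section": section, "name": d["name"], "path": path,
                            "hive": d.get("hive", "Global Startup" if rx is O4_STARTUP else ""),
                            "file_missing": "(file missing)" in line,
                            "short_name": bool(re.search(r"~\d", path))})  # 8.3 name hides the real folder
            break
    return entries

def review(entries):
    """Triage notes a helper would want before deciding which lines to fix in HJT."""
    return [f"{e['name']}: target file missing, entry is orphaned" if e["file_missing"]
            else f"{e['name']}: 8.3 path {e['path']}, expand it to see the real folder"
            for e in entries if e["file_missing"] or e["short_name"]]
```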

Re: Posted for godivarides

Unread postby godivarides » July 2nd, 2008, 11:54 am

Hi Dan!

I tried to remove Act 2005 via uninstall - but MS wouldn't let me - it says file & printer sharing must be enabled before "install" can proceed. I clicked add/remove again, with the same message. The ACT!6 program is listed as well, but if they're sharing resources, could that potentially disable my current dbase functions if I proceed to remove Act 2005?

Do I need to hide the files we revealed earlier to find that winzip file?

Last night, I closed everything off and ran Super Antispyware in safe mode - it found 9 cookies, that was all.

Absolutely, I would like your recommendations! For anti-virus, anti-spyware, and any other maintenance to be done, whether it's once a week or once a month, and any other items to watch for.
Also, if you have a good software recommendation for creating a website: I have Front Page as part of XP but haven't used it (it's to engage and empower people, the individuals in the political process, to be unified in their concerns, outside of their singular voice to their MP etc.)

Thank you and Piney!!

Sandra

Here's the freshest HJT report:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:39 AM, on 02/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.telus.net/set_region.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.telus.net/set_region.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [APL] "C:\Program Files\ACT\ACT for Win 7\APL.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4D054067-DE3A-48F9-B19B-BCD229B9AE8D} (PrinterHelpEtcActiveX Control) - http://dev.imagingworld.co.kr/printerhe ... rinter.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/ins ... csxp2k.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v ... b34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F7A11C3-E76A-4E31-8BC2-D85744CF4B8F}: NameServer = 75.154.132.68,75.154.132.100
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

--
End of file - 7637 bytes
godivarides
Regular Member
Posts: 29
Joined: June 24th, 2008, 5:34 pm